DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Added fwknop.man.asciidoc to docs and fwknop.8 man page to client (derived from fwknop.man.asciidoc).

Browse Source 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@136 510a4753-2344-4c79-9c09-4d669213fbeb
This commit is contained in:
Damien Stuart
2009-09-03 03:25:35 +00:00
parent 10c0aabe38
commit f0fa45cec2
6 changed files with 950 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
client/Makefile.am
View File

@@ -6,3 +6,5 @@ fwknop_SOURCES = fwknop.c fwknop.h config_init.c config_init.h \
fwknop_LDADD = $(top_builddir)/lib/libfko.la
fwknop_CPPFLAGS = -I $(top_srcdir)/lib -I $(top_srcdir)/common
dist_man_MANS = fwknop.8

116
client/config_init.c
View File

@@ -263,7 +263,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
options->fw_timeout = -1;
while ((cmd_arg = getopt_long(argc, argv,
"a:A:bB:C:D:f:gG:hIm:nN:p:P:qQ:rRsS:Tu:U:vV", cmd_opts, &index)) != -1) {
"a:A:bB:C:D:f:gG:hm:nN:p:P:qQ:rRsS:Tu:U:vV", cmd_opts, &index)) != -1) {
switch(cmd_arg) {
case 'a':
@@ -453,67 +453,67 @@ usage(void)
fprintf(stderr, "\n%s client version %s\n%s\n\n", MY_NAME, MY_VERSION, MY_DESC);
fprintf(stderr,
"Usage: fwknop -A <port list> [-s|-R|-a] -D <spa_server> [options]\n\n"
" -h, --help - Print this usage message and exit.\n"
" -c, --config-file - Specify an alternate configuration file.\n"
" -A, --access - Provide a list of ports/protocols to open\n"
" on the server.\n"
" -B, --save-packet - Save the generated packet data to the\n"
" specified file.\n"
" -a, --allow-ip - Specify IP address to allow within the SPA\n"
" packet.\n"
" -D, --destination - Specify the IP address of the fwknop server.\n"
" -N, --nat-access - Gain NAT access to an internal service\n"
" protected by the fwknop server.\n"
" -p, --server-port - Set the destination port for outgoing SPA\n"
" packet.\n"
" -P, --server-proto - Set the protocol (udp, tcp, tcpraw, icmp) for\n"
" the outgoing SPA packet. Note: The 'tcpraw'\n"
" and 'icmp' modes use raw sockets and thus\n"
" require root access to run.\n"
" -s, --source-ip - Tell the fwknopd server to accept whatever\n"
" source IP the SPA packet has as the IP that\n"
" needs access (not recommended, and the\n"
" fwknopd server can ignore such requests).\n"
" -S, --source-port - Set the source port for outgoing SPA packet.\n"
" -Q, --spoof-source - Set the source IP for outgoing SPA packet.\n"
" -R, --resolve-ip-http - Resolve the external network IP by\n"
" connecting to the URL:\n"
" -h, --help Print this usage message and exit.\n"
" -c, --config-file Specify an alternate configuration file.\n"
" -A, --access Provide a list of ports/protocols to open\n"
" on the server.\n"
" -B, --save-packet Save the generated packet data to the\n"
" specified file.\n"
" -a, --allow-ip Specify IP address to allow within the SPA\n"
" packet.\n"
" -D, --destination Specify the IP address of the fwknop server.\n"
" -N, --nat-access Gain NAT access to an internal service\n"
" protected by the fwknop server.\n"
" -p, --server-port Set the destination port for outgoing SPA\n"
" packet.\n"
" -P, --server-proto Set the protocol (udp, tcp, tcpraw, icmp) for\n"
" the outgoing SPA packet. Note: The 'tcpraw'\n"
" and 'icmp' modes use raw sockets and thus\n"
" require root access to run.\n"
" -s, --source-ip Tell the fwknopd server to accept whatever\n"
" source IP the SPA packet has as the IP that\n"
" needs access (not recommended, and the\n"
" fwknopd server can ignore such requests).\n"
" -S, --source-port Set the source port for outgoing SPA packet.\n"
" -Q, --spoof-source Set the source IP for outgoing SPA packet.\n"
" -R, --resolve-ip-http Resolve the external network IP by\n"
" connecting to the URL:\n"
" http://"
HTTP_RESOLVE_HOST
HTTP_RESOLVE_URL
"\n"
" -u, --user-agent - Set the HTTP User-Agent for resolving the\n"
" external IP via -R, or for sending SPA\n"
" packets over HTTP.\n"
" -U, --spoof-user - Set the username within outgoing SPA packet.\n"
" -q, --quiet - Perform fwknop functions quietly.\n"
" -G, --get-key - Load an encryption key/password from a file.\n"
" -r, --rand-port - Send the SPA packet over a randomly assigned\n"
" port (requires a broader pcap filter on the\n"
" server side than the default of udp 62201).\n"
" -T, --test - Build the SPA packet but do not send it over\n"
" the network.\n"
" -v, --verbose - Set verbose mode.\n"
" -V, --version - Print version number.\n"
" -m, --digest-type - Speciy the message digest algorithm to use.\n"
" (md5, sha1, or sha256 (default)).\n"
" -f, --fw-timeout - Specify SPA server firewall timeout from the\n"
" client side.\n"
" --gpg-encryption - Use GPG encyrption (default is Rijndael).\n"
" --gpg-recipient-key - Specify the recipient GPG key name or ID.\n"
" --gpg-signer-key - Specify the signer's GPG key name or ID.\n"
" --gpg-home-dir - Specify the GPG home directory.\n"
" --gpg-agent - Use GPG agent if available.\n"
" --nat-local - Access a local service via a forwarded port\n"
" on the fwknopd server system.\n"
" --nat-port - Specify the port to forward to access a\n"
" service via NAT.\n"
" --nat-rand-port - Have the fwknop client assign a random port\n"
" for NAT access.\n"
" --show-last - Show the last fwknop command line arguments.\n"
" --time-offset-plus - Add time to outgoing SPA packet timestamp.\n"
" --time-offset-minus - Subtract time from outgoing SPA packet\n"
" timestamp.\n"
" -u, --user-agent Set the HTTP User-Agent for resolving the\n"
" external IP via -R, or for sending SPA\n"
" packets over HTTP.\n"
" -U, --spoof-user Set the username within outgoing SPA packet.\n"
" -q, --quiet Perform fwknop functions quietly.\n"
" -G, --get-key Load an encryption key/password from a file.\n"
" -r, --rand-port Send the SPA packet over a randomly assigned\n"
" port (requires a broader pcap filter on the\n"
" server side than the default of udp 62201).\n"
" -T, --test Build the SPA packet but do not send it over\n"
" the network.\n"
" -v, --verbose Set verbose mode.\n"
" -V, --version Print version number.\n"
" -m, --digest-type Speciy the message digest algorithm to use.\n"
" (md5, sha1, or sha256 (default)).\n"
" -f, --fw-timeout Specify SPA server firewall timeout from the\n"
" client side.\n"
" --gpg-encryption Use GPG encyrption (default is Rijndael).\n"
" --gpg-recipient-key Specify the recipient GPG key name or ID.\n"
" --gpg-signer-key Specify the signer's GPG key name or ID.\n"
" --gpg-home-dir Specify the GPG home directory.\n"
" --gpg-agent Use GPG agent if available.\n"
" --nat-local Access a local service via a forwarded port\n"
" on the fwknopd server system.\n"
" --nat-port Specify the port to forward to access a\n"
" service via NAT.\n"
" --nat-rand-port Have the fwknop client assign a random port\n"
" for NAT access.\n"
" --show-last Show the last fwknop command line arguments.\n"
" --time-offset-plus Add time to outgoing SPA packet timestamp.\n"
" --time-offset-minus Subtract time from outgoing SPA packet\n"
" timestamp.\n"
"\n"
);

458
client/fwknop.8 Normal file
View File

@@ -0,0 +1,458 @@
'\" t
.\" Title: fwknop
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.74.3 <http://docbook.sf.net/>
.\" Date: 09/02/2009
.\" Manual:
.\" Source:
.\" Language: English
.\"
.TH "FWKNOP" "8" "09/02/2009" "" ""
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
fwknop \- Firewall Knock Operator
.SH "SYNOPSIS"
.sp
\fBfwknop\fR \fB\-A\fR <\fIproto/ports\fR> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\fIhost\fR> [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for Linux systems running iptables, and for Mac OS X and FreeBSD systems running ipfw\&. This mechanism requires only a single encrypted and non\-replayed packet to communicate various pieces of information including desired access through an iptables or ipfw policy\&. The main application of this program is to use iptables or ipfw in a default\-drop stance to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&.
.sp
An authorization server \fBfwknopd\fR passively monitors authorization packets via \fIlibpcap\fR and hence there is no "server" to which to connect in the traditional sense\&. Any service protected by \fBfwknop\fR is inaccessible (by using \fIiptables\fR or \fIipfw\fR to intercept packets within the kernel) before authenticating; anyone scanning for the service will not be able to detect that it is even listening\&. Single Packet Authorization offers many advantages over port knocking, including non\-replayability of SPA packets, ability to use asymmetric ciphers (such as Elgamal), and SPA cannot be broken by simply spoofing packets to duplicate ports within the knock sequence on the server to break port knocking authentication\&.
.sp
SPA packets can easily be spoofed as well (this is a good thing in this context), and this makes it possible to make it appear as though, say, www\&.yahoo\&.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated IP\&. Although the default data collection method in Single Packet Authorization mode is to use libpcap to sniff packets off the wire, \fBfwknop\fR can also read packets out of a file that is written by the iptables ulogd pcap writer (or a separate sniffer process that is writing packet data to a file)\&.
.sp
Authorization packets are either encrypted with the \fIRijndael\fR block cipher or via \fIGnuPG\fR and associated asymmetric ciphers\&. If the symmetric encryption method is chosen, then the encryption key is shared between the client and server (see the \fI/etc/fwknop/access\&.conf\fR file)\&. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings\&. SPA packets generated by fwknop running as a client adhere to the following format (before they are encrypted):
.sp
.if n \{\
.RS 4
.\}
.nf
random number (16 bytes)
username
timestamp
software version
mode (command mode (0) or access mode (1))
if command mode => command to execute
else access mode => IP,proto,port
message digest (SHA256 / SHA1 / MD5)
.fi
.if n \{\
.RE
.\}
.sp
Each of the above fields are separated by a \(lq:\(rq character due to the variable length of several of the fields, and those that might contain \(lq:\(rq characters are base64 encoded\&. The message digest (\fBSHA256\fR by default in all versions of \fBfwknop\fR greater than 1\&.9\&.1) allows the server to check message integrity after decryption, and the 16 bytes of random data ensures (with high probability) that no two messages are identical\&. This ensures that replay attacks are not possible against \fBfwknop\fR\&.
.sp
For each packet coming from an \fBfwknop\fR client, the \fBfwknopd\fR server caches the \fBSHA256\fR digest calculated over the entire packet and compares against previous packet digests in order to detect attempted replay attacks\&. The digest cache file is located at \fI/var/log/fwknop/digest\&.cache\fR and is not rotated so that the detection of duplicate SPA messages is maximized\&. Both syslog and email alerts are generated if a replay is detected (although this can be tuned via the \fBALERTING_METHODS\fR variable in the \fI/etc/fwknop/fwknop\&.conf\fR file)\&. By default, the \fBfwknop\fR client sends authorization packets over UDP port 62201, but this can be altered with the \fB\-\-Server\-port\fR argument\&. The server must first be configured to acquire the SPA data on the changed protocol\-port\&. Also, \fBfwknop\fR can send the SPA packet over a random port via the \fB\-\-rand\-port\fR argument\&. See \fIfwknopd(8)\fR for further details\&. See the \fBEXAMPLES\fR section for example invocations of the \fBfwknop\fR client\&.
.SH "REQUIRED ARGUMENTS"
.PP
\fB\-D, \-\-destination\fR=\fI<IP\-address>\fR
.RS 4
Direct the
\fBfwknop\fR
client to authenticate with the
\fBfwknopd\fR
daemon/service at the destination address <IP>\&. The connection mode is discovered by the
\fBfwknopd\fR
daemon/service when it decrypts and parses the authentication packet\&.
.RE
.PP
\fB\-A, \-\-access\fR=\fI<port list>\fR
.RS 4
Provide a list of ports and protocols to access on a remote computer running
\fBfwknopd\fR\&. The format of this list is \(lq<proto>/<port>\&...<proto>/<port>\(rq, e\&.g\&. \(lqtcp/22,udp/53\(rq\&.
\fBNOTE:\fR
The vast majority of usages for
\fBfwknop\fR
require the
\fB\-A\fR
argument, but sending full commands with the
\fB\-\-Server\-cmd\fR
argument via an SPA packet to be executed by
\fBfwknopd\fR
does not require this argument\&.
.RE
.PP
\fB\-R|\-a|\-s\fR
.RS 4
One of these options (see below) is required to tell the remote
\fBfwknopd\fR
daemon what IP should be let through the local firewall\&. It is recommend to use the
\fB\-R\fR
or
\fB\-a\fR
options instead of
\fB\-s\fR
in order to harden SPA communications against possible MITM attacks\&.
.RE
.SH "GENERAL OPTIONS"
.PP
\fB\-h, \-\-help\fR
.RS 4
Print a usage summary message and exit\&.
.RE
.PP
\fB\-B, \-\-save\-packet\fR=\fI<file>\fR
.RS 4
Instruct the
\fBfwknop\fR
client to write a newly created SPA packet out to the specified file so that it can be examined off\-line\&.
.RE
.PP
\fB\-G, \-\-get\-key\fR=\fI<file>\fR
.RS 4
Load an encryption key/password from the specified file\&.
.RE
.PP
\fB\-\-show\-last\fR
.RS 4
Display the last command\-line arguments used by
\fBfwknop\fR\&.
.RE
.PP
\fB\-q, \-\-quiet\fR
.RS 4
Perform
\fBfwknop\fR
functions quietly (suppress informational output)\&.
.RE
.PP
\fB\-T, \-\-test\fR
.RS 4
Test mode\&. Generate the SPA packet data, but do not send it\&. Instead, print a break\-down of the SPA data fields, then run the data through the decryption and decoding process and print the break\-down again\&. This is primarily a debugging feature\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run the
\fBfwknop\fR
client in verbose mode\&.
.RE
.PP
\fB\-V, \-\-Version\fR
.RS 4
Display version information and exit\&.
.RE
.SH "SPA OPTIONS"
.PP
\fB\-a, \-\-allow\-ip\fR=\fI<IP\-address>\fR
.RS 4
Specify IP address that should be permitted through the destination
\fBfwknopd\fR
server firewall (this IP is encrypted within the SPA packet itself)\&. This is useful to prevent a
\fIMan\-In\-The\-Middle\fR
(MTIM) attack where an SPA packet can be intercepted enroute and sent from a different IP than the original\&. Hence, if the
\fBfwknopd\fR
server trusts the source address on the SPA packet IP header then the attacker gains access\&. The
\fB\-a\fR
option puts the source address within the encrypted SPA packet, and so thwarts this attack\&. The
\fB\-a\fR
option is also useful to specify the IP that will be granted access when the SPA packet itself is spoofed with the
\fB\-\-spoof\-src\fR
option\&. Another related option is
\fB\-R\fR
(see below) which instructs the
\fBfwknop\fR
client to automatically resolve the externally routable IP address the local system is connected to by querying the
\fIhttp://www\&.whatismyip\&.com\fR
website\&.
.RE
.PP
\fB\-g, \-\-gpg\-encryption\fR
.RS 4
Use GPG encryption on the SPA packet (default if not specified is Rijndael)\&.
\fBNote:\fR
Use of this option will require the specification of a GPG recipient (see
\fB\-\-gpg\-recipient\fR
along with other GPG\-related options below)\&.
.RE
.PP
\fB\-m, \-\-digest\-type\fR=\fI<digest>\fR
.RS 4
Specify the message digest algorithm to use in the SPA data\&. Choices are:
\fBmd5\fR,
\fBsha1\fR,
\fBsha256\fR
(the default),
\fBsha384\fR, and
\fBsha512\fR\&.
.RE
.PP
\fB\-N, \-\-nat\-access\fR=\fI<internalIP:forwardPort>\fR
.RS 4
The
\fBfwknopd\fR
server offers the ability to provide SPA access through an iptables firewall to an internal service by interfacing with the iptables NAT capabilities\&. So, if the
\fBfwknopd\fR
server is protecting an internal network on an RFC\-1918 address space, an external
\fBfwknop\fR
client can request that the server port forward an external port to an internal IP, i\&.e\&. \(lq\-\-NAT\-access 192\&.168\&.10\&.2:55000\(rq\&. In this case, access will be granted to 192\&.168\&.10\&.2 via port 55000 to whatever service is requested via the
\fB\-\-access\fR
argument (usually tcp/22)\&. Hence, after sending such an SPA packet, one would then do \(lqssh \-p 55000 user@host\(rq and the connection would be forwarded on through to the internal 192\&.168\&.10\&.2 system automatically\&. Note that the port \(lq55000\(rq can be randomly generated via the
\fB\-\-nat\-rand\-port\fR
argument (described later)\&.
.RE
.PP
\fB\-\-nat\-local\fR
.RS 4
On the
\fBfwknopd\fR
server, a NAT operation can apply to the local system instead of being forwarded through the system\&. That is, for iptables firewalls, a connection to, say, port 55,000 can be translated to port 22 on the local system\&. By making use of the
\fB\-\-nat\-local\fR
argument, the
\fBfwknop\fR
client can be made to request such access\&. This means that any external attacker would only see a connection over port 55,000 instead of the expected port 22 after the SPA packet is sent\&.
.RE
.PP
\fB\-\-nat\-rand\-port\fR
.RS 4
Usually
\fBfwknop\fR
is used to request access to a specific port such as tcp/22 on a system running
\fBfwknopd\fR\&. However, by using the
\fB\-\-nat\-rand\-port\fR
argument, it is possible to request access to a particular service (again, such as tcp/22), but have this access granted via a random translated port\&. That is, once the
\fBfwknop\fR
client has been executed in this mode and the random port selected by
\fBfwknop\fR
is displayed, the destination port used by the follow\-on client must be changed to match this random port\&. For SSH, this is accomplished via the
\fB\-p\fR
argument\&. See the
\fB\-\-nat\-local\fR
and
\fB\-\-nat\-access\fR
command line arguments to
\fBfwknop\fR
for additional details on gaining access to services via a NAT operation\&.
.RE
.PP
\fB\-p, \-\-server\-port\fR=\fI<port>\fR
.RS 4
Specify the port number where
\fBfwknopd\fR
accepts packets via libpcap or ulogd pcap writer\&. By default
\fBfwknopd\fR
looks for authorization packets over UDP port 62201\&.
.RE
.PP
\fB\-P, \-\-server\-proto\fR=\fI<protocol>\fR
.RS 4
Set the protocol (udp, tcp, tcpraw, icmp) for the outgoing SPA packet\&. Note: The
\fBtcpraw\fR
and
\fBicmp\fR
modes use raw sockets and thus require root access to run\&. Also note: The
\fBtcp\fR
mode expects to establish a TCP connection to the server before sending the SPA packet\&. This is not normally done, but is useful for compatibility with the Tor for strong anonymity; see
\fIhttp://tor\&.eff\&.org/\fR\&. In this case, the
\fBfwknopd\fR
server uses the
\fBfwknop_serv\fR
daemon to listen on a TCP port (62201 by default)\&.
.RE
.PP
\fB\-Q, \-\-spoof\-src\fR=\fI<IP>\fR
.RS 4
Spoof the source address from which the
\fBfwknop\fR
client sends SPA packets\&. This requires root on the client side access since a raw socket is required to accomplish this\&. Note that the
\fB\-\-spoof\-user\fR
argument can be given in this mode in order to pass any
\fBREQUIRE_USERNAME\fR
keyword that might be specified in
\fI/etc/fwknop/access\&.conf\fR\&.
.RE
.PP
\fB\-r, \-\-rand\-port\fR
.RS 4
Instruct the
\fBfwknop\fR
client to send an SPA packet over a random destination port between 10,000 and 65535\&. The
\fBfwknopd\fR
server must use a
\fBPCAP_FILTER\fR
variable that is configured to accept such packets\&. For example, the
\fBPCAP_FILTER\fR
variable could be set to: \(lqudp dst portrange 10000\-65535\(rq\&.
.RE
.PP
\fB\-R, \-\-resolve\-ip\-http\fR
.RS 4
This is an important option, and instructs the
\fBfwknop\fR
client and the
\fBfwknopd\fR
daemon/service to query
\fIhttp://www\&.whatismyip\&.com\fR
to determine the IP address that should be allowed through the iptables policy at the remote fwknopd server side\&. This is useful if the
\fBfwknop\fR
client is being used on a system that is behind an obscure NAT address\&.
.RE
.PP
\fB\-s, \-\-source\-ip\fR
.RS 4
Instruct the
\fBfwknop\fR
client to form an SPA packet that contains the special\-case IP address \(lq0\&.0\&.0\&.0\(rq which will inform the destination
\fBfwknopd\fR
SPA server to use the source IP address from which the SPA packet originates as the IP that will be allowed through upon modification of the firewall ruleset\&. This option is useful if the
\fBfwknop\fR
client is deployed on a machine that is behind a NAT device\&. The permit\-address options
\fB\-s\fR
(default),
\fB\-R\fR
and
\fB\-a\fR
are mutually exclusive\&.
.RE
.PP
\fB\-\-time\-offset\-plus\fR=\fI<time>\fR
.RS 4
By default, the
\fBfwknopd\fR
daemon on the server side enforces time synchronization between the clocks running on client and server systems\&. The
\fBfwknop\fR
client places the local time within each SPA packet as a time stamp to be validated by the fwknopd server after decryption\&. However, in some circumstances, if the clocks are out of sync and the user on the client system does not have the required access to change the local clock setting, it can be difficult to construct and SPA packet with a time stamp the server will accept\&. In this situation, the
\fB\-\-time\-offset\-plus\fR
option can allow the user to specify an offset (e\&.g\&. \(lq60sec\(rq \(lq60min\(rq \(lq2days\(rq etc\&.) that is added to the local time\&.
.RE
.PP
\fB\-\-time\-offset\-minus\fR=\fI<time>\fR
.RS 4
This is similar to the
\fB\-\-time\-offset\-plus\fR
option (see above), but subtracts the specified time offset instead of adding it to the local time stamp\&.
.RE
.PP
\fB\-u, \-\-user\-agent\fR=\fI<user\-agent\-string>\fR
.RS 4
Set the HTTP User\-Agent for resolving the external IP via
\fB\-R\fR, or for sending SPA packets over HTTP\&.
.RE
.PP
\fB\-U, \-\-spoof\-user\fR=\fI<user>\fR
.RS 4
Specify the username that is included within SPA packet\&. This allows the
\fBfwknop\fR
client to satisfy any non\-root
\fBREQUIRE_USERNAME\fR
keyword on the fwknopd server (\fB\-\-spoof\-src\fR
mode requires that the
\fBfwknop\fR
client is executed as root)\&.
.RE
.SH "GPG-RELATED OPTIONS"
.PP
\fB\-\-gpg\-agent\fR
.RS 4
Instruct
\fBfwknop\fR
to acquire GnuPG key password from a running gpg\-agent instance (if available)\&.
.RE
.PP
\fB\-\-gpg\-home\-dir\fR=\fI<dir>\fR
.RS 4
Specify the path to the GnuPG directory; normally this path is derived from the home directory of the user that is running the
\fBfwknop\fR
client\&. This is useful when a \(lqroot\(rq user wishes to log into a remote machine whose sshd daemon/service does not permit root login\&.
.RE
.PP
\fB\-\-gpg\-recipient\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lq1234ABCD\(rq (see the output of "gpg\-\-list\-keys") or the key name (associated email address) of the recipient of the Single Packet Authorization message\&. This key is imported by the
\fBfwknopd\fR
server and the associated private key is used to decrypt the SPA packet\&. The recipient\(cqs key must first be imported into the client GnuPG key ring\&.
.RE
.PP
\fB\-\-gpg\-signer\-key\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lqABCD1234\(rq (see the output of \(lqgpg \-\-list\-keys\(rq) or the key name to use when signing the SPA message\&. The user is prompted for the associated GnuPG password to create the signature\&. This adds a cryptographically strong mechanism to allow the
\fBfwknopd\fR
daemon on the remote server to authenticate who created the SPA message\&.
.RE
.SH "ENVIRONMENT"
.sp
\fBGPG_AGENT_INFO\fR (only used in \fB\-\-gpg\-agent\fR mode)\&.
.SH "EXAMPLES"
.sp
The following examples illustrate the command line arguments that could be supplied to the fwknop client in a few situations:
.SS "Access mode examples"
.sp
Packet contents printed to stdout at the fwknop client when creating an \(lqaccess mode\(rq SPA packet:
.sp
.if n \{\
.RS 4
.\}
.nf
Random data: 6565240948266426
Username: mbr
Timestamp: 1203863233
Version: 1\&.9\&.2
Type: 1 (access mode)
Access: 127\&.0\&.0\&.2,tcp/22
SHA256 sum: gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw
.fi
.if n \{\
.RE
.\}
.sp
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10\&.0\&.0\&.123 from the IP 192\&.168\&.10\&.4:
.sp
\fB$ fwknop \-A "tcp/22,udp/53" \-a 192\&.168\&.10\&.4 \-D 10\&.0\&.0\&.123\fR
.sp
Same as above example, but gain access from whatever source IP is seen by the fwknop server (useful if the fwknop client is behind a NAT device):
.sp
\fB$ fwknop \-A "tcp/22,udp/53" \-s \-D 10\&.0\&.0\&.123\fR
.sp
Same as above example, but use the IP identification website \fIhttp://www\&.whatismyip\&.com\fR to derive the client IP address\&. This is a safer method of acquiring the client IP address than using the \fB\-s\fR option because the source IP is put within the encrypted packet instead of having the \fBfwknopd\fR daemon grant the requested access from whatever IP address the SPA packet originates:
.sp
\fB$ fwknop \-A "tcp/22,udp/53" \-R \-D 10\&.0\&.0\&.123\fR
.sp
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10\&.0\&.0\&.123, and use GnuPG keys to encrypt and decrypt:
.sp
\fB$ fwknop \-A "tcp/22,udp/53" \-\-gpg\-sign ABCD1234 \-\-gpg\-\-recipient 1234ABCD \-R \-D 10\&.0\&.0\&.123\fR
.sp
Instruct the fwknop server running at 10\&.0\&.0\&.123 to allow 172\&.16\&.5\&.4 to connect to TCP/22, but spoof the authorization packet from an IP associated with www\&.yahoo\&.com:
.sp
\fB# fwknop \-\-Spoof\-src \(cqwww\&.yahoo\&.com\(cq \-A tcp/22 \-a 172\&.16\&.5\&.4 \-D 10\&.0\&.0\&.123\fR
.SH "DEPENDENCIES"
.sp
\fBfwknop\fR requires \fIlibfko\fR (which is normally included with both source and binary distributions\&.
.sp
For GPG functionality, GnuPG must also be correctly installed and configured\&.
.sp
To take advantage of all of the authentication and access management features of the \fBfwknopd\fR daemon/service a functioning iptables firewall is required on the underlying operating system\&.
.SH "DIAGNOSTICS"
.sp
fwknop can be run with the \fB\-T\fR (or \fB\-\-test\fR) command line option\&. This will have \fBfwkop\fR simply create and print the SPA packet information, then run it through a decrypt/decode cycle and print it again\&.
.SH "SEE ALSO"
.sp
fwknopd(8), iptables(8), gpg(1), gpg\-agent(1), libfko documentation\&.
.sp
More information on Single Packet Authorization can be found in the paper \(lqSingle Packet Authorization with fwknop\(rq available at \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/SPA\&.html\fR\&.
.SH "AUTHOR"
.sp
Damien Stuart <dstuart@dstuart\&.org>
.br
Michael Rash <mbr@cipherdyne\&.org>
.sp
.SH "CONTRIBUTORS"
.sp
This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/contributors\&.html\fR to view the online list of contributors\&.
.sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005 (see: \fIhttp://www\&.nmrc\&.org\fR)\&.
.SH "BUGS"
.sp
Send bug reports to dstuart@dstuart\&.org\&. Suggestions and/or comments are always welcome as well\&.
.SH "DISTRIBUTION"
.sp
\fBfwknop\fR is distributed under the GNU General Public License (GPL), and the latest version may be downloaded from \fIhttp://www\&.cipherdyne\&.org\fR\&.

2
doc/Makefile.am
View File

@@ -2,3 +2,5 @@ CLEANFILES = libfko.info
info_TEXINFOS = libfko.texi
libfko_TEXINFOS = gpl-2.0.texi
EXTRA_DIST = fwknop.man.asciidoc

426
doc/fwknop.man.asciidoc Normal file
View File

@@ -0,0 +1,426 @@
FWKNOP(8)
=========
NAME
----
fwknop - Firewall Knock Operator
SYNOPSIS
--------
*fwknop* *-A* <'proto/ports'> *-R*|*-a*|*-s -D* <'host'> ['options']
DESCRIPTION
-----------
*fwknop* implements an authorization scheme known as Single Packet
Authorization (SPA) for Linux systems running iptables, and for Mac OS X
and FreeBSD systems running ipfw. This mechanism requires only a single
encrypted and non-replayed packet to communicate various pieces of
information including desired access through an iptables or ipfw policy.
The main application of this program is to use iptables or ipfw in a
default-drop stance to protect services such as 'SSH' with an additional
layer of security in order to make the exploitation of vulnerabilities
(both 0-day and unpatched code) much more difficult.
An authorization server *fwknopd* passively monitors authorization packets
via 'libpcap' and hence there is no "server" to which to connect in the
traditional sense. Any service protected by *fwknop* is inaccessible (by
using 'iptables' or 'ipfw' to intercept packets within the kernel) before
authenticating; anyone scanning for the service will not be able to detect
that it is even listening. Single Packet Authorization offers many
advantages over port knocking, including non-replayability of SPA packets,
ability to use asymmetric ciphers (such as Elgamal), and SPA cannot be
broken by simply spoofing packets to duplicate ports within the knock
sequence on the server to break port knocking authentication.
SPA packets can easily be spoofed as well (this is a good thing in this
context), and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality
the actual connection will come from a seemingly unrelated IP. Although
the default data collection method in Single Packet Authorization mode is
to use libpcap to sniff packets off the wire, *fwknop* can also read packets
out of a file that is written by the iptables ulogd pcap writer (or a
separate sniffer process that is writing packet data to a file).
Authorization packets are either encrypted with the 'Rijndael' block cipher
or via 'GnuPG' and associated asymmetric ciphers. If the symmetric encryption
method is chosen, then the encryption key is shared between the client and
server (see the '/etc/fwknop/access.conf' file). If the GnuPG method is
chosen, then the encryption keys are derived from GnuPG key rings. SPA
packets generated by fwknop running as a client adhere to the following
format (before they are encrypted):
..........................
random number (16 bytes)
username
timestamp
software version
mode (command mode (0) or access mode (1))
if command mode => command to execute
else access mode => IP,proto,port
message digest (SHA256 / SHA1 / MD5)
..........................
Each of the above fields are separated by a ``+:+'' character due to the
variable length of several of the fields, and those that might contain
``+:+'' characters are base64 encoded. The message digest (*SHA256* by
default in all versions of *fwknop* greater than 1.9.1) allows the server
to check message integrity after decryption, and the 16 bytes of random data
ensures (with high probability) that no two messages are identical. This
ensures that replay attacks are not possible against *fwknop*.
For each packet coming from an *fwknop* client, the *fwknopd* server caches
the *SHA256* digest calculated over the entire packet and compares against
previous packet digests in order to detect attempted replay attacks. The
digest cache file is located at '/var/log/fwknop/digest.cache' and is not
rotated so that the detection of duplicate SPA messages is maximized. Both
syslog and email alerts are generated if a replay is detected (although this
can be tuned via the *ALERTING_METHODS* variable in the
'/etc/fwknop/fwknop.conf' file). By default, the *fwknop* client sends
authorization packets over UDP port 62201, but this can be altered with the
*--Server-port* argument. The server must first be configured to acquire the
SPA data on the changed protocol-port. Also, *fwknop* can send the SPA packet
over a random port via the *--rand-port* argument. See 'fwknopd(8)' for
further details. See the *EXAMPLES* section for example invocations of the
*fwknop* client.
REQUIRED ARGUMENTS
------------------
*-D, --destination*='<IP-address>'::
Direct the *fwknop* client to authenticate with the *fwknopd*
daemon/service at the destination address <IP>. The connection mode
is discovered by the *fwknopd* daemon/service when it decrypts and
parses the authentication packet.
*-A, --access*='<port list>'::
Provide a list of ports and protocols to access on a remote computer
running *fwknopd*. The format of this list is
``+<proto>/<port>...<proto>/<port>+'', e.g. ``tcp/22,udp/53''. *NOTE:*
The vast majority of usages for *fwknop* require the *-A* argument, but
sending full commands with the *--Server-cmd* argument via an SPA
packet to be executed by *fwknopd* does not require this argument.
*-R|-a|-s*::
One of these options (see below) is required to tell the remote
*fwknopd* daemon what IP should be let through the local firewall. It
is recommend to use the *-R* or *-a* options instead of *-s* in order
to harden SPA communications against possible MITM attacks.
GENERAL OPTIONS
---------------
*-h, --help*::
Print a usage summary message and exit.
*-B, --save-packet*='<file>'::
Instruct the *fwknop* client to write a newly created SPA packet out
to the specified file so that it can be examined off-line.
*-G, --get-key*='<file>'::
Load an encryption key/password from the specified file.
*--show-last*::
Display the last command-line arguments used by *fwknop*.
*-q, --quiet*::
Perform *fwknop* functions quietly (suppress informational output).
*-T, --test*::
Test mode. Generate the SPA packet data, but do not send it. Instead,
print a break-down of the SPA data fields, then run the data through
the decryption and decoding process and print the break-down again.
This is primarily a debugging feature.
*-v, --verbose*::
Run the *fwknop* client in verbose mode.
*-V, --Version*::
Display version information and exit.
SPA OPTIONS
-----------
*-a, --allow-ip*='<IP-address>'::
Specify IP address that should be permitted through the destination
*fwknopd* server firewall (this IP is encrypted within the SPA packet
itself). This is useful to prevent a 'Man-In-The-Middle' (MTIM) attack
where an SPA packet can be intercepted enroute and sent from a
different IP than the original. Hence, if the *fwknopd* server trusts
the source address on the SPA packet IP header then the attacker
gains access. The *-a* option puts the source address within the
encrypted SPA packet, and so thwarts this attack. The *-a* option
is also useful to specify the IP that will be granted access when the
SPA packet itself is spoofed with the *--spoof-src* option. Another
related option is *-R* (see below) which instructs the *fwknop* client
to automatically resolve the externally routable IP address the local
system is connected to by querying the 'http://www.whatismyip.com'
website.
*-g, --gpg-encryption*::
Use GPG encryption on the SPA packet (default if not specified is
Rijndael). *Note:* Use of this option will require the specification of
a GPG recipient (see *--gpg-recipient* along with other GPG-related
options below).
*-m, --digest-type*='<digest>'::
Specify the message digest algorithm to use in the SPA data. Choices
are: *md5*, *sha1*, *sha256* (the default), *sha384*, and *sha512*.
*-N, --nat-access*='<internalIP:forwardPort>'::
The *fwknopd* server offers the ability to provide SPA access through
an iptables firewall to an internal service by interfacing with the
iptables NAT capabilities. So, if the *fwknopd* server is protecting
an internal network on an RFC-1918 address space, an external *fwknop*
client can request that the server port forward an external port to an
internal IP, i.e. ``+--NAT-access 192.168.10.2:55000+''. In this case,
access will be granted to 192.168.10.2 via port 55000 to whatever
service is requested via the *--access* argument (usually tcp/22).
Hence, after sending such an SPA packet, one would then do
``ssh -p 55000 user@host'' and the connection would be forwarded on
through to the internal 192.168.10.2 system automatically. Note that
the port ``55000'' can be randomly generated via the *--nat-rand-port*
argument (described later).
*--nat-local*::
On the *fwknopd* server, a NAT operation can apply to the local system
instead of being forwarded through the system. That is, for iptables
firewalls, a connection to, say, port 55,000 can be translated to port
22 on the local system. By making use of the *--nat-local* argument,
the *fwknop* client can be made to request such access. This means
that any external attacker would only see a connection over port 55,000
instead of the expected port 22 after the SPA packet is sent.
*--nat-rand-port*::
Usually *fwknop* is used to request access to a specific port such as
tcp/22 on a system running *fwknopd*. However, by using the
*--nat-rand-port* argument, it is possible to request access to a
particular service (again, such as tcp/22), but have this access
granted via a random translated port. That is, once the *fwknop*
client has been executed in this mode and the random port selected
by *fwknop* is displayed, the destination port used by the follow-on
client must be changed to match this random port. For SSH, this is
accomplished via the *-p* argument. See the *--nat-local* and
*--nat-access* command line arguments to *fwknop* for additional
details on gaining access to services via a NAT operation.
*-p, --server-port*='<port>'::
Specify the port number where *fwknopd* accepts packets via libpcap or
ulogd pcap writer. By default *fwknopd* looks for authorization packets
over UDP port 62201.
*-P, --server-proto*='<protocol>'::
Set the protocol (udp, tcp, tcpraw, icmp) for the outgoing SPA packet.
Note: The *tcpraw* and *icmp* modes use raw sockets and thus require
root access to run. Also note: The *tcp* mode expects to establish a
TCP connection to the server before sending the SPA packet. This is
not normally done, but is useful for compatibility with the Tor for
strong anonymity; see 'http://tor.eff.org/'. In this case, the
*fwknopd* server uses the *fwknop_serv* daemon to listen on a TCP
port (62201 by default).
*-Q, --spoof-src*='<IP>'::
Spoof the source address from which the *fwknop* client sends SPA
packets. This requires root on the client side access since a raw
socket is required to accomplish this. Note that the *--spoof-user*
argument can be given in this mode in order to pass any *REQUIRE_USERNAME*
keyword that might be specified in '/etc/fwknop/access.conf'.
*-r, --rand-port*::
Instruct the *fwknop* client to send an SPA packet over a random
destination port between 10,000 and 65535. The *fwknopd* server must
use a *PCAP_FILTER* variable that is configured to accept such packets.
For example, the *PCAP_FILTER* variable could be set to: ``+udp dst
portrange 10000-65535+''.
*-R, --resolve-ip-http*::
This is an important option, and instructs the *fwknop* client and
the *fwknopd* daemon/service to query 'http://www.whatismyip.com' to
determine the IP address that should be allowed through the iptables
policy at the remote fwknopd server side. This is useful if the
*fwknop* client is being used on a system that is behind an obscure
NAT address.
*-s, --source-ip*::
Instruct the *fwknop* client to form an SPA packet that contains the
special-case IP address ``+0.0.0.0+'' which will inform the destination
*fwknopd* SPA server to use the source IP address from which the
SPA packet originates as the IP that will be allowed through upon
modification of the firewall ruleset. This option is useful if the
*fwknop* client is deployed on a machine that is behind a NAT device.
The permit-address options *-s* (default), *-R* and *-a* are mutually
exclusive.
*--time-offset-plus*='<time>'::
By default, the *fwknopd* daemon on the server side enforces time
synchronization between the clocks running on client and server
systems. The *fwknop* client places the local time within each SPA
packet as a time stamp to be validated by the fwknopd server after
decryption. However, in some circumstances, if the clocks are out
of sync and the user on the client system does not have the required
access to change the local clock setting, it can be difficult to
construct and SPA packet with a time stamp the server will accept.
In this situation, the *--time-offset-plus* option can allow the user
to specify an offset (e.g. ``60sec'' ``60min'' ``2days'' etc.) that is
added to the local time.
*--time-offset-minus*='<time>'::
This is similar to the *--time-offset-plus* option (see above), but
subtracts the specified time offset instead of adding it to the local
time stamp.
*-u, --user-agent*='<user-agent-string>'::
Set the HTTP User-Agent for resolving the external IP via *-R*, or for
sending SPA packets over HTTP.
*-U, --spoof-user*='<user>'::
Specify the username that is included within SPA packet. This allows
the *fwknop* client to satisfy any non-root *REQUIRE_USERNAME* keyword
on the fwknopd server (*--spoof-src* mode requires that the *fwknop*
client is executed as root).
GPG-RELATED OPTIONS
-------------------
*--gpg-agent*::
Instruct *fwknop* to acquire GnuPG key password from a running gpg-agent
instance (if available).
*--gpg-home-dir*='<dir>'::
Specify the path to the GnuPG directory; normally this path is derived
from the home directory of the user that is running the *fwknop*
client. This is useful when a ``root'' user wishes to log into a remote
machine whose sshd daemon/service does not permit root login.
*--gpg-recipient*='<key ID or Name>'::
Specify the GnuPG key ID, e.g. ``+1234ABCD+'' (see the output of
"gpg--list-keys") or the key name (associated email address) of the
recipient of the Single Packet Authorization message. This key is
imported by the *fwknopd* server and the associated private key is used
to decrypt the SPA packet. The recipients key must first be imported
into the client GnuPG key ring.
*--gpg-signer-key*='<key ID or Name>'::
Specify the GnuPG key ID, e.g. ``+ABCD1234+'' (see the output of
``+gpg --list-keys+'') or the key name to use when signing the SPA message.
The user is prompted for the associated GnuPG password to create the
signature. This adds a cryptographically strong mechanism to allow
the *fwknopd* daemon on the remote server to authenticate who created
the SPA message.
ENVIRONMENT
-----------
*GPG_AGENT_INFO* (only used in *--gpg-agent* mode).
EXAMPLES
--------
The following examples illustrate the command line arguments that could
be supplied to the fwknop client in a few situations:
Access mode examples
~~~~~~~~~~~~~~~~~~~~
Packet contents printed to stdout at the fwknop client when creating
an ``access mode'' SPA packet:
..........................
Random data: 6565240948266426
Username: mbr
Timestamp: 1203863233
Version: 1.9.2
Type: 1 (access mode)
Access: 127.0.0.2,tcp/22
SHA256 sum: gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw
..........................
Use the Single Packet Authorization mode to gain access to
tcp/22 (ssh) and udp/53 running on the system 10.0.0.123 from
the IP 192.168.10.4:
*$ fwknop -A "tcp/22,udp/53" -a 192.168.10.4 -D 10.0.0.123*
Same as above example, but gain access from whatever source IP
is seen by the fwknop server (useful if the fwknop client is
behind a NAT device):
*$ fwknop -A "tcp/22,udp/53" -s -D 10.0.0.123*
Same as above example, but use the IP identification website
'http://www.whatismyip.com' to derive the client IP address. This
is a safer method of acquiring the client IP address than using the
*-s* option because the source IP is put within the encrypted packet
instead of having the *fwknopd* daemon grant the requested access
from whatever IP address the SPA packet originates:
*$ fwknop -A "tcp/22,udp/53" -R -D 10.0.0.123*
Use the Single Packet Authorization mode to gain access to tcp/22
(ssh) and udp/53 running on the system 10.0.0.123, and use GnuPG keys
to encrypt and decrypt:
*$ fwknop -A "tcp/22,udp/53" --gpg-sign ABCD1234 --gpg--recipient
1234ABCD -R -D 10.0.0.123*
Instruct the fwknop server running at 10.0.0.123 to allow 172.16.5.4
to connect to TCP/22, but spoof the authorization packet from an IP
associated with www.yahoo.com:
*# fwknop --Spoof-src www.yahoo.com -A tcp/22 -a 172.16.5.4 -D
10.0.0.123*
DEPENDENCIES
------------
*fwknop* requires 'libfko' (which is normally included with both source and
binary distributions.
For GPG functionality, GnuPG must also be correctly installed and configured.
To take advantage of all of the authentication and access management
features of the *fwknopd* daemon/service a functioning iptables firewall
is required on the underlying operating system.
DIAGNOSTICS
-----------
fwknop can be run with the *-T* (or *--test*) command line option.
This will have *fwkop* simply create and print the SPA packet information,
then run it through a decrypt/decode cycle and print it again.
SEE ALSO
--------
fwknopd(8), iptables(8), gpg(1), gpg-agent(1), libfko documentation.
More information on Single Packet Authorization can be found in the paper
``Single Packet Authorization with fwknop'' available at
'http://www.cipherdyne.org/fwknop/docs/SPA.html'.
AUTHOR
------
Damien Stuart <dstuart@dstuart.org>
Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS
------------
This ``C'' version of fwknop was derived from the original Perl-based version
on which many people who are active in the open source community have
contributed. See the CREDITS file in the fwknop sources, or visit
'http://www.cipherdyne.org/fwknop/docs/contributors.html' to view the online
list of contributors.
The phrase ``Single Packet Authorization'' was coined by MadHat and Simple
Nomad at the BlackHat Briefings of 2005 (see: 'http://www.nmrc.org').
BUGS
----
Send bug reports to dstuart@dstuart.org. Suggestions and/or comments
are always welcome as well.
DISTRIBUTION
------------
*fwknop* is distributed under the GNU General Public License (GPL), and
the latest version may be downloaded from 'http://www.cipherdyne.org'.

4
doc/libfko.texi
View File

@@ -273,10 +273,12 @@ readability and the username, message, nat_access, and server_auth fields
are not base64-encoded):
@sp 1
@cartouche
@example
8307540982176539:juser:1230665172:1.1.10:1:0.0.0.0,tcp/22:192.168.1.2,22:
crypt,mypw:120:xswj8V0zMR7/7MV9pQRarSKWG1l9Zfjv+kbXaKrJ+RA
@end example
@end cartouche
@sp 1
For most of the fields, you need not be too concerned about the format as
@@ -673,11 +675,13 @@ and @code{digest_type}, these defaults may be sufficient.
The functions used to set the various @acronym{SPA} data fields and
parameters are described in detail in @ref{Setting SPA Data}.
@cartouche
@noindent
@strong{Note}: Attempts to call any ``@code{fko_}'' function on a context that
has not been initialized can have undefined consequences. Libfko will attempt
to recover, and if succussful, will return a status of
@code{FKO_ERROR_CTX_NOT_INITIALIZED}.
@end cartouche
A common @acronym{SPA} message is a simple access request. This request asks
the fwknop server to create a temporary firewall rule to allow a particular