
List:       fwknop-discuss
Subject:    Re: [Fwknop-discuss] GnuPG Authorisation does not work
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2008-08-13 0:29:39
Message-ID: 20080813002939.GA27653 () cipherdyne ! org

On Aug 12, 2008, Micha Holzmann wrote:

> Quoting Michael Rash:
> > On Aug 11, 2008, Micha Holzmann wrote:
> > 
> > > Hello,
> > > 
> > > I set up fwknop for gnupg authorisation as mentioned in the howto on:
> > > 
> > > http://cipherdyne.org/fwknop/docs/gpghowto.html
> > > 
> > > 
> > > I took care about the fact, that the key must not be longer than 2048
> > > bits. Especially the server key suits this needs.
> > > 
> > > My productive key for mail and others is also 2048 bits.
> > > 
> > > Now at first try I got this message:
> > > 
> > > 
> > > [*] Message length is too long (1746 bytes), must be less than 1500 bytes at \
> > > /home/mh802/bin/fwknop line 858. 
> > > 
> > > What have I done wrong or missing?
> > 
> > Hmm, that is interesting.  Is this for normal authentication, or for the
> > command mode?
> 
> > You could try changing each instance of the value "1500" to something
> > higher in both the fwknop client and in the fwknopd server in order to
> > see if things would work.  (Sorry, this isn't a config option right now,
> > but I will fix that.)  Here is a quick command to change the value to,
> > say, 2000 for example:
> > 
> > [client]# perl -p -i -e 's|1500|2000|' /usr/bin/fwknop
> > [server]# perl -p -i -e 's|1500|2000|' /usr/sbin/fwknopd
> 
> It is the normal authentication. This was the command I issued:
> 
> fwknop -A tcp/22 --gpg-recip 0xABC1234A --gpg-sign 0xABC1234F -a xxx.xxx.xxx.x -D \
> xxxxx.xxxx.xx. 
> [+] Starting fwknop client (SPA mode)...
> [+] Resolving hostname: xxxxx.xxxx.xx.
> [+] Enter the GnuPG password for signing key: 0xABC1234F
> 
> GnuPG signing password:
> 
> [+] Building encrypted Single Packet Authorization (SPA) message...
> [+] Packet fields:
> 
> Random data:    5185143189310147
> Username:       xxxxx
> Timestamp:      1218524225
> Version:        1.9.6
> Type:           1 (access mode)
> Access:         xxx.xxx.xxx.x,tcp/22
> SHA256 digest:  iJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrs
> [*] Message length is too long (1745 bytes), must be less than 1500 bytes at \
> /home/xxxxx/bin/fwknop line 858. 
> 
> But it still does not work.

Hi Mike -

Can you run the fwknop test suite and send me the anonymized output?
I'm hoping the test suite can collect some specifics that may shed light
on this issue.  Just do:

# cd fwknop-1.9.6/test
# ./fwknop_test.pl

Now, to remove hostnames, etc. and create the fwknop_test.tar.gz tarball:

# ./fwknop_test.pl -P

Then, can you send me the fwknop_test.tar.gz file?

All tests are run over the loopback interface.  Also, which version of
gpg are you running?  The fwknop_test.pl script issues several tests for
SPA packets encrypted with 2048-bit gpg keys.

> On the server side on /var/log/fwknop/errs i found:
> fwknopd.die:
> Tue Aug 12 09:10:59 2008 fwknopd v1.9.6 (file rev: 1174) pid: 31757 Ciphertext does \
> not begin with a valid header for 'salt' header mode at /usr/sbin/fwknopd line 2306 \
>  and
> 
> fwknopd.warn:
> Tue Aug 12 09:10:59 2008 fwknopd v1.9.6 (file rev: 1174) pid: 31757 Premature end \
> of base64 data at /usr/sbin/fwknopd line 2224.

Thanks for catching these errors - they will be fixed in the 1.9.7
release.

Thanks,

--Mike


> Mike
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
