
List:       fwknop-discuss
Subject:    Re: [Fwknop-discuss] Thoughts on usability
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2015-05-18 13:00:05
Message-ID: 322A2273-B4AA-491D-AB30-AC83FE9AEFA0 () cipherdyne ! org

> On May 18, 2015, at 12:07 AM, Jonathan Bennett <jbscience87@gmail.com> wrote:
> 
> After not too much trouble, I have this working: 
> http://incomsystems.biz/fwknop-interface-qr.png

Quick response: that is awesome.

> 
> It only looks for the 4 kinds of keys, and just encodes what it finds in the form
> of "LABEL:keytext LABEL:keytext".
> 
> I imagine it working like this. Open the android app, and find an option to add a
> new connection. In that dialogue, there is an option for qr code. The camera is
> enabled, and once a qr code is read, it populates the right fields on the dialogue.
> The rest of the needed fields are filled in by hand, and the connection can be
> saved. Then, all a user has to do is open the app, hit the connection, and the
> knock is sent, then he has 60 seconds to start ConnectBot, or even ssh from another
> device if needed.

Sounds good.

> 
> Android app development is not something I have ever done, so if I get a chance to
> work on it, it will come slowly. I would like to make this work, though. If
> somebody else wants to do the Android side, I'll gladly help test and give
> feedback.

I need to ramp up on this as soon as I can, and for the iPhone too. More soon.

Mike

> ~Jonathan Bennett
> 
> > On Sat, May 16, 2015 at 8:41 PM, Michael Rash <michael.rash@gmail.com> wrote:
> > 
> > 
> > > On Sat, May 16, 2015 at 1:49 PM, Jonathan Bennett <jbscience87@gmail.com> wrote:
> > > 
> > > TL;DR: using qr codes to add keys to the android app.
> > 
> > Now that would be a really cool feature. Copying symmetric keys around has always
> > been an issue (obviously not just for fwknop, and this is one reason fwknop
> > supports GPG keys), so I think as long as people generally access the Luci
> > interface via SSL/TLS (?) this would be reasonably secure and be a big boost to
> > usability for mobile users.
> > > 
> > > Fwknop/fwknopd is a very clever project. I've thought highly of it since first
> > > learning about the novel approach to doing port knocking in a more secure
> > > manner. There is one issue, though. It's hard to use. I'm not afraid of the
> > > command line, and yes, it's quite possible to script the use of fwknop to open
> > > ports. I've been thinking about usability and noob-friendliness in the past
> > > days, especially in regards to fwknop/d.
> > 
> > Completely agree that usability is lacking. Lately I've been spending most of my
> > time on code coverage, fuzzing, etc. to try and ensure a high degree of security,
> > but usability needs to be ramped up too. I think your Luci interface is huge in
> > this area, and fwknop needs more efforts like this.
> > > 
> > > There is a danger in trying to maximize usability. It's possible to sacrifice
> > > freedom and/or usefulness for usability. I am very much against this trade-off.
> > 
> > Agreed - fwknop has always maximized config options and capabilities I suppose,
> > and this has come to some degree at the expense of usability. So far, the biggest
> > contribution to usability has been Frank Joncourt's addition of the ~/.fwknoprc
> > file so that people can easily reference consistent command line options from the
> > client just by naming the SPA destination with "-n <server>". This was a great
> > addition, and we can do more like this.
> > > 
> > > With the new Luci module for openwrt, I feel like there is now an easy to use
> > > option for configuring fwknopd on a router. For a home user that simply wants
> > > to protect port 22 without locking himself out of his network, this is perfect.
> > > I've intentionally avoided making this interface too simple. It's easy to get
> > > started, but you can do everything from luci that you can do with the command
> > > line interface, in regards to fwknopd.
> > 
> > Very cool. This is definitely the first major step towards better usability on
> > the server side of things.
> > > 
> > > When I'm away from my desktop, for better or worse, I access the internet
> > > through an android phone, an android tablet, or occasionally a customer's
> > > desktop. Using the fwknop client from my android tablet isn't much of an
> > > option. Yes, I could compile the binary and make it run in the android
> > > terminal, etc, but that is a big hurdle to a typical user, and quite a pain,
> > > even to those of us who can do it.
> > > 
> > > I took a closer look at the android app today, and it has some great potential.
> > > It also has, in my opinion, some issues. The lack of base64 key support is a
> > > big one, and that is a known weakness that is planned to be addressed. Another
> > > problem is the fact it tends to hang on launch, waiting to verify external ip.
> > > Again, planned to be addressed.
> > > 
> > > Once base64 is supported, typing both keys in every time one wants to open a
> > > port is a bit crazy. This is easily fixed by making the keys savable. But on
> > > further thought, it's a bit crazy to type the keys in even once.
> > > 
> > > So, this leads me to a couple of ideas, somewhat inspired by how openvpn connect
> > > works. The first is a text file that contains both keys, and *maybe* the ip
> > > address/hostname to connect to. I believe we could make openwrt generate this
> > > file, and make it available from the luci interface. The end user would then
> > > just install the fwknop android app, open the luci interface on the phone, and
> > > grab the file. It could open automatically in the fwknop app, and add the keys
> > > as a connection option. This format could be useful for the cli interface, too.
> > 
> > If the Android client could be made to essentially handle the ~/.fwknoprc file
> > like the normal client, then on openwrt the Luci interface could just drive the
> > client with '--key-gen --use-hmac --save-rc-stanza ...'. I guess this assumes the
> > client is installed on openwrt as well. If there is a more natural style of file
> > on Android for this type of data (xml maybe?) then the fwknop client could be
> > updated to produce this format too, although a quick python wrapper around the
> > existing ~/.fwknoprc format would probably be easier/faster.
> > > 
> > > The second, slightly more outlandish option is to embed a qr code in the luci
> > > interface. Add a qr scanning feature to the android app, and just scan the qr
> > > code to add the keys. This *could* be the ultimate in usability. It wouldn't be
> > > forced on anyone, but it could be there as an option. I personally think this
> > > could be a really slick feature.
> > > 
> > > It seems like either idea would be feasible. Any thoughts or ideas are welcome.
> > > I might try to dive into the android code soonish, at least to get a handle on
> > > what all is going on there.
> > 
> > I think both ideas are excellent. The QR feature is definitely really slick.
> > 
> > --Mike
> > 
> > 
> > > 
> > > ~Jonathan Bennett
> > 
> > 
> > ------------------------------------------------------------------------------
> > One dashboard for servers and applications across Physical-Virtual-Cloud
> > Widest out-of-the-box monitoring support with 50+ applications
> > Performance metrics, stats and reports that give you Actionable Insights
> > Deep dive visibility with transaction tracing using APM Insight.
> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > _______________________________________________
> > Fwknop-discuss mailing list
> > Fwknop-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> 

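The provisioning flow sketched in the thread (the router writes a ~/.fwknoprc stanza, the QR payload carries only the keys as "LABEL:keytext LABEL:keytext", and the phone parses that back into connection fields) as an added, self-contained Python example. It is not code from fwknop, the LuCI module or the Android client. It assumes the "4 kinds of keys" are the ~/.fwknoprc variables KEY, KEY_BASE64, HMAC_KEY and HMAC_KEY_BASE64, stands in for `fwknop --key-gen` with os.urandom, enforces minimum decoded key sizes that are this example's own policy, and feeds itself a constructed stanza. The phone-side parser rejects unknown labels, duplicates, malformed base64 and short keys before anything is saved, because what the QR decoder hands back is untrusted input even when the code was scanned off the router's own page.

```python
"""Round-trip fwknop client keys through a "LABEL:keytext LABEL:keytext"
QR payload: the router side builds the payload from a ~/.fwknoprc stanza,
the phone side parses and validates it before a connection is saved.

Added example, not code from the fwknop project, the LuCI module or the
Android client.  Assumptions: the "4 kinds of keys" are the ~/.fwknoprc
variables KEY, KEY_BASE64, HMAC_KEY and HMAC_KEY_BASE64; the minimum key
sizes below are this example's own policy; all sample input is constructed.
"""
import base64
import binascii
import os
import re

KEY_LABELS = ("KEY", "KEY_BASE64", "HMAC_KEY", "HMAC_KEY_BASE64")
# Minimum decoded size accepted for the base64 variants (example policy,
# not a number taken from fwknop).
MIN_DECODED_LEN = {"KEY_BASE64": 16, "HMAC_KEY_BASE64": 32}


def gen_base64_keys(key_len=32, hmac_len=64):
    """Fresh random keys, base64 encoded, in the spirit of `fwknop --key-gen`
    (os.urandom here, not fwknop's own generator)."""
    return {
        "KEY_BASE64": base64.b64encode(os.urandom(key_len)).decode("ascii"),
        "HMAC_KEY_BASE64": base64.b64encode(os.urandom(hmac_len)).decode("ascii"),
    }


def parse_rc_stanza(text, name):
    """Return {VARIABLE: value} for the named [stanza] of a ~/.fwknoprc file.
    Values run to end of line, so a plain KEY may legitimately contain spaces."""
    found = {}
    in_stanza = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_stanza = m.group(1) == name
            continue
        if in_stanza:
            parts = line.split(None, 1)
            if len(parts) == 2:
                found[parts[0]] = parts[1]
    return found


def build_qr_payload(stanza_vars):
    """Router side: emit only the key variables, space separated.
    A plain KEY containing whitespace cannot survive this format, so refuse
    it rather than produce a payload the phone would mis-split."""
    parts = []
    for label in KEY_LABELS:
        value = stanza_vars.get(label)
        if value is None:
            continue
        if re.search(r"\s", value):
            raise ValueError(f"{label} contains whitespace; use the base64 form")
        parts.append(f"{label}:{value}")
    if not parts:
        raise ValueError("stanza carries no key variables")
    return " ".join(parts)


def parse_qr_payload(payload):
    """Phone side: accept only known labels, each at most once, and check
    that base64 keys decode and are not trivially short.  Anything else is
    rejected before it reaches the saved-connection store."""
    keys = {}
    for token in payload.split():
        label, sep, value = token.partition(":")
        if not sep or label not in KEY_LABELS or not value:
            raise ValueError(f"unexpected QR token: {token!r}")
        if label in keys:
            raise ValueError(f"duplicate label {label}")
        if label.endswith("_BASE64"):
            try:
                raw = base64.b64decode(value, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label} is not valid base64") from exc
            if len(raw) < MIN_DECODED_LEN[label]:
                raise ValueError(f"{label} decodes to only {len(raw)} bytes")
        keys[label] = value
    if not any(label in keys for label in ("KEY", "KEY_BASE64")):
        raise ValueError("payload carries no encryption key")
    return keys


if __name__ == "__main__":
    # Constructed stanza, shaped like what --key-gen --save-rc-stanza writes.
    generated = gen_base64_keys()
    rc_text = "[router]\nSPA_SERVER 192.0.2.1\nACCESS tcp/22\n" + "".join(
        f"{k} {v}\n" for k, v in generated.items())
    payload = build_qr_payload(parse_rc_stanza(rc_text, "router"))
    assert parse_qr_payload(payload) == generated
    print(payload)
```

The payload is the symmetric key material itself, so it deserves the same handling as the stanza: serve the QR page only over TLS, keep the decoded string out of logs and screenshots, and regenerate with --key-gen if a code was ever shown where it could be photographed. The space-delimited form cannot carry a plain KEY that contains whitespace, which is why build_qr_payload refuses one and the base64 variants are the ones to use.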
