On Jun 04, 2008, Jean-Denis Girard wrote:
> Today I decided to test fwknop. I downloaded fwknop-1.9.4-1.src.rpm and
> tried to build the binary rpm on two Mandriva systems: 2008.1
> (x86_64) and cooker (i586). Both systems have perl-5.10.0, so I was hit
> by the Class-MethodMaker problem already pointed to in the list
> archives. I upgraded Class-MethodMaker to the latest version (2.11) and was
> able to build binary rpms for both systems.
I'm going to release fwknop-1.9.5 within the next two days to resolve
this issue since it affects several users.
> I made tests between those two systems, using the secret key method: it
> was really easy to set up and runs fine.
Glad to hear that it's working.
> Then I decided to try the GnuPG keys method, following the howto at
> gpghowto.html, but I had a hard time making it work. What confused me very
> much was the log output from fwknopd: the first line says "good signature..." (in
> French), and then "not signed" on the second line!
> Wed Jun 4 15:50:35 2008 gpg: Bonne signature de « Jean-Denis Girard
> (SysNux) <jd.girard@...> »
> [in English: gpg: Good signature from "Jean-Denis Girard (SysNux) <jd.girard@...>"]
> Wed Jun 4 15:50:35 2008 [-] GnuPG message not signed by any required
> key ID.
> Peeking at the fwknopd code, I found the problem was related to the (French)
> locale. It also seems to be a known issue, which was quickly resolved by
> running fwknopd under the LC_ALL=C environment. I then added the following
> line to /etc/init.d/fwknop: export LC_ALL=C, and it now works
> flawlessly. I think this should be put in the initscript by default.
> Maybe this is just related to the rpm install.
That is a good suggestion, since fwknopd assumes English output from
the gpg process. Instead of setting LC_ALL in the init script, I will
probably make this a config option that will be enabled by default (to
allow the user to turn it off if they really want
> Then I wanted to get rid of the GnuPG passphrase for easy automation,
> but it seems that fwknop always prompts for a password. I used the
> --get-key option to make unattended operation, but maybe there should be
> another option --gpg-no-pass. Or maybe I missed something...
Hmm, did you provide a file path to the --get-key option? Here is a
sample of some output with this option:
[mbr@... ~]$ fwknop -A tcp/22 --gpg-sign ABCD1234 --gpg-recip
DEFG5678 -R -D fwserver --Server-port 62202 --get-key /home/mbr/gpg.pw
[+] Starting fwknop client (SPA mode)...
[+] Resolving hostname: fwserver
Resolving external IP via: http://www.whatismyip.org/
Got external address: 220.127.116.11
[*] Could not read encryption key for 18.104.22.168 from /home/mbr/gpg.pw
fwknop expects the format "22.214.171.124: <KEY>"
in file: /home/mbr/gpg.pw
After putting the gpg password and IP address within the
/home/mbr/gpg.pw file, the fwknop client reads it and sends the SPA
$ cat > gpg.pw
> I hope this is useful.
Yes indeed, thanks,
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
> Thanks for this great open source software,
> --
> Jean-Denis Girard
> SysNux Linux systems in French Polynesia
> http://www.sysnux.pf/ Tel: +689 50 10 40 / GSM: +689 79 75 27
> Fwknop-discuss mailing list
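Two points in the thread lend themselves to a worked example: fwknopd matching gpg's human-readable "Good signature" line (which breaks under a French locale), and the "<IP>: <KEY>" format fwknop expects in the --get-key file. The Python below is an added example, not fwknop's own code. It contrasts the fragile English-only match with parsing gpg's --status-fd output, which is not localized (GOODSIG, VALIDSIG, BADSIG and friends are emitted the same way under any LANG), and it reads a --get-key style file. The French stderr line, the status lines, the key ID, fingerprint and the key file contents are all constructed sample data; skipping blank and "#" lines in the key file is an assumption of this example, not documented fwknop behaviour.

```python
"""Locale-independent GnuPG signature checking and --get-key file parsing.

Added example for the fwknop thread above; not fwknop project code.
"""
import re
from typing import Iterable, Optional

# ---- Constructed sample data (not captured from a real fwknopd run) --------

# What gpg writes on stderr under a French locale: the line that an
# English-only match does not recognise.
FRENCH_STDERR_LINE = "gpg: Bonne signature de « Example Signer <signer@example.com> »"

# The same verification as gpg reports it on --status-fd (locale independent).
# Key ID and fingerprint are made-up placeholders; the long key ID is the last
# 16 hex digits of the fingerprint, as it is for v4 OpenPGP keys.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_FD_LINES = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>",
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2008-06-04 1212594635 0 4 0 1 2 00 " + SAMPLE_FPR,
    "[GNUPG:] TRUST_ULTIMATE",
]

# Constructed --get-key file, in the "<server IP>: <KEY>" format from the
# fwknop error message quoted in the thread.
SAMPLE_GET_KEY_FILE = """\
# constructed example of a --get-key file
192.0.2.10: correct horse battery staple
"""

# ---- The fragile check -----------------------------------------------------

_ENGLISH_GOOD_SIG = re.compile(r"^gpg: Good signature from ")


def english_stderr_says_good(line: str) -> bool:
    """Matches only gpg's English wording; false under any other locale."""
    return _ENGLISH_GOOD_SIG.match(line) is not None


# ---- The robust check: parse --status-fd output ----------------------------

_STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)\s*(.*)$")
_BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def _normalise_keyid(keyid: str) -> str:
    """Upper-case, drop spaces and a leading 0x, so fingerprints and IDs compare."""
    k = keyid.strip().upper().replace(" ", "")
    return k[2:] if k.startswith("0X") else k


def verify_status(status_lines: Iterable[str], required_keyids: Iterable[str]) -> Optional[str]:
    """Return the signer's fingerprint if the status lines report a good, valid
    signature from a key matching one of required_keyids (short ID, long ID
    or full fingerprint, compared as a suffix of the fingerprint). Any
    failure keyword, missing GOODSIG/VALIDSIG, or a mismatch returns None."""
    goodsig_keyid = None
    fingerprint = None
    for raw in status_lines:
        m = _STATUS_LINE.match(raw.strip())
        if m is None:
            continue  # not a status line (e.g. localized stderr); ignore it
        keyword, args = m.group(1), m.group(2).split()
        if keyword in _BAD_KEYWORDS:
            return None
        if keyword == "GOODSIG" and args:
            goodsig_keyid = args[0].upper()
        elif keyword == "VALIDSIG" and args:
            fingerprint = args[0].upper()
    if goodsig_keyid is None or fingerprint is None:
        return None
    if not fingerprint.endswith(goodsig_keyid):
        return None  # GOODSIG and VALIDSIG disagree; treat as failure
    for wanted in required_keyids:
        wanted = _normalise_keyid(wanted)
        if wanted and fingerprint.endswith(wanted):
            return fingerprint
    return None


# ---- --get-key file --------------------------------------------------------

def read_get_key_file(text: str, server_ip: str) -> Optional[str]:
    """Return the key for server_ip from '<IP>: <KEY>' lines, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: comments allowed
            continue
        host, sep, key = line.partition(":")
        if sep and host.strip() == server_ip and key.strip():
            return key.strip()
    return None


if __name__ == "__main__":
    print("English-only match on French stderr:", english_stderr_says_good(FRENCH_STDERR_LINE))
    print("status-fd match for key 01234567:", verify_status(STATUS_FD_LINES, ["01234567"]))
    print("key for 192.0.2.10:", read_get_key_file(SAMPLE_GET_KEY_FILE, "192.0.2.10"))
```

To feed real data to verify_status, run `gpg --status-fd 1 --verify` and pass its stdout lines; the localized stderr can then be left alone, so no LC_ALL override is needed for correctness. Checking the VALIDSIG fingerprint rather than only the GOODSIG key ID also avoids accepting a different key that happens to share a short key ID.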