Re: [Fwknop-discuss] GPG_REMOTE_ID Directive in access.conf is ignored in fwknop v1.0

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Leland -

Thanks for tracking this down.  I'll release a new version in a few days
with your fix, and add you to the credits file.

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F

On Dec 06, 2006, Leland Weathers wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>  
> The GPG_REMOTE_ID directive in the access.conf file is being ignored
> due to an extra conditional that matches any successful signature. The
> end result is that any public key that is on the tested keychain will
> match any GPG rule without the ability to match a single or set GPG
> key(s). A fix is below.
> 
> Leland Weathers
> 
> 
> The fix is as follows:
> - --- fwknopd.orig        2006-11-05 20:24:41.000000000 -0600
> +++ fwknopd     2006-12-06 18:16:19.000000000 -0600
> @@ -1588,18 +1588,19 @@
>                  if ($key_id =~ /^0x(\w+)/) {
>                      $key_id = $1;
>                  }
> - -                if ($err =~ /Signature\s+made.*ID\s+$key_id/) {
> +                if ($key_id eq 'ANY') {
> +                    if ($err =~ /Good\s+signature/i) {
> +                        $found_sig   = 1;
> +                        $gpg_sign_id = $key_id;
> +                        last ERR;
> +                    }
> +                } elsif ($err =~ /Signature\s+made.*ID\s+$key_id$/) {
>                      print STDERR "[+] GnuPG signature made with ",
>                          "required $key_id\n" if $debug;
>                      $found_sig   = 1;
>                      $gpg_sign_id = $key_id;
>                      last ERR;
>                  }
> - -                if ($err =~ /Good\s+signature/i) {
> - -                    $found_sig   = 1;
> - -                    $gpg_sign_id = $key_id;
> - -                    last ERR;
> - -                }
>              }
>          }
>      }
> - --- access.conf.orig    2006-07-16 22:27:23.000000000 -0500
> +++ access.conf 2006-12-06 17:51:46.000000000 -0600
> @@ -54,7 +54,8 @@
>  #    server functions; it should not a valuable GPG key that is used for
>  #    things like personal email encryption. See the fwknop man page for
>  #    examples of how to use the GPG encryption method from the fwknop
> - -#    command line on the client side.
> +#    command line on the client side. To match any GPG key, set
> GPG_REMOTE_ID
> +#    to ANY
>  #
>  #   SOURCE: ANY;
>  #   OPEN_PORTS: tcp/22;
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
>  
> iD8DBQFFd2EVerrJ8R0n4A8RCHvAAJ96b56KrXy0yJpXfo2j+MuQ4VyPtgCfS1E9
> qIV1y0h7K+P0bcZKNb3U+Lc=
> =iLBT
> -----END PGP SIGNATURE-----
> 
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Fwknop-discuss mailing list
> Fwk...@li...
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss