Re: [Fwknop-discuss] GPG_REMOTE_ID Directive in access.conf is ignored in fwknop v1.0
From: Michael R. <mb...@ci...> - 2006-12-08 20:38:42
Hi Leland - Thanks for tracking this down. I'll release a new version in a few days with your fix, and add you to the credits file. -- Michael Rash http://www.cipherdyne.org/ Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F On Dec 06, 2006, Leland Weathers wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > The GPG_REMOTE_ID directive in the access.conf file is being ignored > due to an extra conditional that matches any successful signature. The > end result is that any public key that is on the tested keychain will > match any GPG rule without the ability to match a single or set GPG > key(s). A fix is below. > > Leland Weathers > > > The fix is as follows: > - --- fwknopd.orig 2006-11-05 20:24:41.000000000 -0600 > +++ fwknopd 2006-12-06 18:16:19.000000000 -0600 > @@ -1588,18 +1588,19 @@ > if ($key_id =~ /^0x(\w+)/) { > $key_id = $1; > } > - - if ($err =~ /Signature\s+made.*ID\s+$key_id/) { > + if ($key_id eq 'ANY') { > + if ($err =~ /Good\s+signature/i) { > + $found_sig = 1; > + $gpg_sign_id = $key_id; > + last ERR; > + } > + } elsif ($err =~ /Signature\s+made.*ID\s+$key_id$/) { > print STDERR "[+] GnuPG signature made with ", > "required $key_id\n" if $debug; > $found_sig = 1; > $gpg_sign_id = $key_id; > last ERR; > } > - - if ($err =~ /Good\s+signature/i) { > - - $found_sig = 1; > - - $gpg_sign_id = $key_id; > - - last ERR; > - - } > } > } > } > - --- access.conf.orig 2006-07-16 22:27:23.000000000 -0500 > +++ access.conf 2006-12-06 17:51:46.000000000 -0600 
> @@ -54,7 +54,8 @@ > # server functions; it should not a valuable GPG key that is used for > # things like personal email encryption. See the fwknop man page for > # examples of how to use the GPG encryption method from the fwknop > - -# command line on the client side. > +# command line on the client side. To match any GPG key, set > GPG_REMOTE_ID > +# to ANY > # > # SOURCE: ANY; > # OPEN_PORTS: tcp/22; > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (MingW32) > > iD8DBQFFd2EVerrJ8R0n4A8RCHvAAJ96b56KrXy0yJpXfo2j+MuQ4VyPtgCfS1E9 > qIV1y0h7K+P0bcZKNb3U+Lc= > =iLBT > -----END PGP SIGNATURE-----
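
Review bot: In the fwknopd hunk, the `elsif` branch for a specific key ID sets `$found_sig = 1` as soon as a line matches `/Signature\s+made.*ID\s+$key_id$/`, and with the standalone `Good\s+signature` test removed, nothing in the visible lines confirms that the signature actually verified on that path. GnuPG reports which key made a signature separately from whether the signature is good, so unless code outside this hunk checks the verification result, require both the matching "Signature made" line and a "Good signature" line before setting `$found_sig`. Two smaller points: interpolate the ID as `\Q$key_id\E` so a value from access.conf is matched literally rather than as a regex, and decide whether `ANY` should be accepted case-insensitively, since `eq 'ANY'` treats `any` as a literal key ID.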
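
Review bot: In the access.conf hunk, the added comment was wrapped in transit, leaving `GPG_REMOTE_ID` on a line of its own with neither a `+` marker nor a `#`, so the hunk is malformed and will not apply as posted; resend it as an attachment or with line wrapping disabled. The comment should also state what ANY means in practice, namely that a good signature from any key on the keychain fwknopd checks against is accepted, so that administrators choose it deliberately and otherwise list the specific key ID(s) they intend to allow.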