[Fwknop-discuss] fwknopd gpg prompt
From: Morgan S. <moo...@gm...> - 2012-04-26 22:02:09
Hello,

In trying to get fwknopd to work with gpg keys I come across a situation where it looks like fwknopd receives a valid packet but never inserts an iptables rule to allow access. It seems like fwknopd is waiting for gpg/gpg-agent/pinentry to return. I'd like to understand if this behavior is due to some misconfiguration of my server, configuration, or how I'm using fwknopd.

Here is some verbose goodness:

I started fwknopd 2.0 with -v for extra goodness. Here is what is in /var/log/messages:

Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd
Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Apr 26 15:41:55 server fwknopd[18346]: PCAP filter is: udp port 62201
Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd main event loop.
Apr 26 15:42:48 server kernel: Dump tcp: IN=eth0 OUT= MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=50.116.66.240 DST=50.115.119.68 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=60775 PROTO=TCP SPT=80 DPT=1234 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 26 15:43:07 server kernel: Dump udp: IN=eth0 OUT= MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=174.52.254.248 DST=50.115.119.68 LEN=1030 TOS=0x00 PREC=0x00 TTL=49 ID=10051 DF PROTO=UDP SPT=43878 DPT=62201 LEN=1010
Apr 26 15:43:07 server fwknopd[18346]: (stanza #1) SPA Packet from IP: 174.52.254.248 received with access source match

After that last message, there are no more.

Here's what I see from the cmdline:

# ps auxw --forest | grep -A5 [f]wknopd
root 18346 0.0 0.0 17628 3712 ? Ss 15:41 0:00 fwknopd -v
root 18371 0.0 0.0 24648 1628 ? SL 15:43 0:00 gpg --enable-special-filenames --no-sk-comment --homedir /root/.gnupg --status-fd 4 --no-tty --charset utf8 --enable-progress-filter --command-fd 5 --decrypt --output - -- -&9
root 18373 0.0 0.0 13164 980 ? SL 15:43 0:00 \_ gpg-agent --server
root 18374 0.0 0.0 8548 780 ? SL 15:43 0:00 \_ pinentry

According to strace and lsof, pinentry is trying to read from file handle 0, which is a pipe:

# strace -fp 18374
Process 18374 attached - interrupt to quit
read(0, ^C <unfinished ...>
Process 18374 detached
# lsof -p 18374 | awk '$4 ~/0/ {print $0}'
pinentry 18374 root 0r FIFO 0,6 0t0 574833 pipe

Strace shows gpg-agent trying to read from filehandle 8; however, I don't see one with lsof:

# strace -fp 18373
Process 18373 attached - interrupt to quit
select(8, [3 7], [], [], NULL^C <unfinished ...>
Process 18373 detached
# lsof -p 18373 | awk '$4 ~/8/ {print $0}'
#

It looks like gpg is trying to read from a pipe as well:

# strace -fp 18371
Process 18371 attached - interrupt to quit
read(9, ^C <unfinished ...>
Process 18371 detached
# lsof -p 18371 | awk '$4 ~ /9/ {print $0}'
gpg 18371 root 9r FIFO 0,6 0t0 577265 pipe

At this point fwknopd seems to be looping; however, it doesn't respond to any additional authentication packets that I send its way.

Here is a strace of fwknopd as I send another authentication packet to the server:

# strace -fp 18346
Process 18346 attached - interrupt to quit
select(8, [2 7], [], NULL, {0, 216681}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)

Fwknopd doesn't respond to the -K option as I'd expect. If I kill -15 the pinentry/gpg-agent/gpg, then fwknopd puts this inside /var/log/messages:

Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) Error creating fko context: Decryption operation failed
Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) - GPG ERROR: No data

I have seen it sometimes say this:

Apr 26 15:58:01 server fwknopd[18346]: (stanza #1) - GPG ERROR: Bad passphrase

despite my access.conf having this line:

GPG_DECRYPT_PW:<space><passphrase>;

At this point fwknopd will process new authentication packets so long as I don't use gpg. Here's what a strace then looks like:

# strace -fp 18346 2>&1 | head -10
Process 18346 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
nanosleep({0, 10000000}, NULL) = 0
poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
nanosleep({0, 10000000}, NULL) = 0
poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
nanosleep({0, 10000000}, NULL) = 0
poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
nanosleep({0, 10000000}, NULL) = 0

Are there any suggestions as to what my next steps should be to get this working properly?

-- Morgan
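The failure mode in this post is a daemon whose event loop stalls because a spawned decrypt helper (gpg, then gpg-agent, then pinentry) blocks on a passphrase prompt that can never be answered. The following is an added example, not fwknopd or GnuPG code, showing the two defensive measures a daemon author would want around such a helper: run it in its own process group so a timeout kills the whole gpg/gpg-agent/pinentry chain rather than only the direct child, and bound the call so a hung helper is logged instead of wedging packet processing. Plain `sh` commands stand in for the real gpg invocation; the function and result type names are my own.

```python
"""Bound an external decrypt helper so a stuck passphrase prompt cannot wedge a daemon.

Added example (not fwknopd or GnuPG code). `sh` commands stand in for gpg.
"""
import os
import signal
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class HelperResult:
    ok: bool
    output: bytes
    error: str


def run_helper(argv: List[str], ciphertext: bytes, timeout: float = 5.0) -> HelperResult:
    """Feed `ciphertext` on stdin, collect stdout, kill the whole process group on timeout."""
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        start_new_session=True,  # own session/process group: pgid == proc.pid
    )
    try:
        # communicate() writes the ciphertext, closes stdin (so any prompt
        # reads EOF instead of blocking), then waits at most `timeout` seconds.
        out, err = proc.communicate(ciphertext, timeout=timeout)
    except subprocess.TimeoutExpired:
        # Kill the helper and every descendant it spawned (agent, pinentry, ...),
        # then reap the direct child so no zombie is left behind.
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass
        proc.communicate()
        return HelperResult(False, b"", f"helper hung for {timeout}s; killed process group {proc.pid}")
    if proc.returncode != 0:
        msg = err.decode(errors="replace").strip() or f"exit status {proc.returncode}"
        return HelperResult(False, b"", msg)
    return HelperResult(True, out, "")


if __name__ == "__main__":
    # Well-behaved helper: echoes its input (stands in for a successful decrypt).
    print(run_helper(["sh", "-c", "cat"], b"SPA payload"))
    # Stuck helper with a grandchild, like gpg waiting on pinentry: killed as a group.
    print(run_helper(["sh", "-c", "sleep 60 & wait"], b"SPA payload", timeout=0.5))
```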