On Jun 8, 2014, at 11:02 AM, Rabin Yasharzadehe <rabin@isoc.org.il> wrote:

Thank you, that did the trick,

now when I run the knock from the Android app I can unlock the port,
but I see this error message in the log file,

(stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL


Do you now have two stanzas in access.conf?  I.e. one with base64 keys and the other without?  That HMAC error would mean that the port should not be opened unless you are gaining access via a second stanza (or iptables really isn't blocking access by default to begin with).




On Sun, Jun 8, 2014 at 4:50 PM, Michael Rash <michael.rash@gmail.com> wrote:

On Sun, Jun 8, 2014 at 8:24 AM, Rabin Yasharzadehe <rabin@isoc.org.il> wrote:
Hello List,

Hello Rabin,
I'm sorry in advance if this is not the right place to ask this question.

- I have setup fwknop on my server,
- And created the keys based on the "Basic Outline" documentation,
[spaclient]$ fwknop -A tcp/22 -a -D myserver.mydomain.my --key-gen --use-hmac --save-rc-stanza
[+] Wrote Rijndael and HMAC keys to rc file: /home/myuser/.fwknoprc
and now I have this section in my .fwknoprc file,

ACCESS                      tcp/22
SPA_SERVER                  myserver.mydomain.my
KEY_BASE64                  some-long-string
HMAC_KEY_BASE64             some-lonnger-string
USE_HMAC                    Y
RESOLVE_IP_HTTP             Y

when connecting from my laptop with,

fwknop -n myserver.mydomain.my --verbose ; sleep 2 ; mosh myserver.mydomain.my

It works, and I am able to connect to my server,

but I don't know what to fill in the "Rijndael Key" field in the Android app,
I tried to copy "KEY_BASE64" to it, but it didn't work, I get the message

Error: Error generating SPA data: Invalid key length

Unfortunately the Android client does not support base64-encoded Rijndael or HMAC keys. To get things working with the current Android client, you will need to use non-base64 keys.  So, on the fwknopd server side, use the following variables (note the lack of the _BASE64 suffix):

KEY                         <some ascii printable string>
HMAC_KEY                    <another ascii printable string>

It is likely that the base64-decoded version of the current base64-encoded keys are not printable strings, so the keys will need to be changed (i.e. using the decoded versions manually won't work).  Make the same change in your ~/.fwknoprc file and then test with the client.  Another option is to just add a new stanza to the /etc/fwknop/access.conf file with the new keys just for Android clients, and then you can continue to use the existing keys in your ~/.fwknoprc file at the same time.

I've added a new issue in github to track this, and I hope to get it fixed for the next release:

Fwknop-discuss mailing list

Michael Rash | Founder
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
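The workaround Michael describes (plain KEY / HMAC_KEY instead of the _BASE64 variables, and a separate access.conf stanza for the Android client) as an added example script, not code from the fwknop project or from anyone on the thread. It assumes constructed placeholder key values, a stanza name of [android], SOURCE ANY in access.conf, and key lengths of 16 and 32 as example choices rather than fwknop limits.

```python
import base64
import secrets
import string

# Constructed stand-ins for the key values in the ~/.fwknoprc stanza quoted
# in the thread (not real keys). The first decodes to printable ASCII, the
# second to raw binary, which is the case Michael says is likely.
PRINTABLE_B64 = base64.b64encode(b"ThisIsPrintable!").decode()
BINARY_B64 = base64.b64encode(bytes(range(24))).decode()
SAMPLE_RC = f"""[spaclient]
ACCESS                      tcp/22
SPA_SERVER                  myserver.mydomain.my
KEY_BASE64                  {BINARY_B64}
HMAC_KEY_BASE64             {PRINTABLE_B64}
USE_HMAC                    Y
RESOLVE_IP_HTTP             Y
"""
# Printable ASCII without whitespace: whitespace would break the
# "VARIABLE value" layout of .fwknoprc and access.conf.
KEY_CHARS = string.ascii_letters + string.digits + string.punctuation

def parse_stanza(text):
    """Return the VARIABLE -> value pairs of one rc/access.conf stanza."""
    vals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        var, _, val = line.partition(" ")
        vals[var] = val.strip()
    return vals

def decoded_is_printable(b64):
    """True if the base64 key decodes to something usable as a plain KEY."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(chr(b) in KEY_CHARS for b in raw)

def new_printable_key(length):
    """Random printable ASCII key; the length is the caller's choice."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))

def android_stanzas(rc_vals, key, hmac_key):
    """Client rc stanza and matching access.conf stanza using KEY/HMAC_KEY."""
    rc = {k: v for k, v in rc_vals.items() if not k.endswith("_BASE64")}
    rc.update({"KEY": key, "HMAC_KEY": hmac_key})
    rc_text = "[android]\n" + "".join(f"{k:<28}{v}\n" for k, v in rc.items())
    # SOURCE is mandatory in access.conf; OPEN_PORTS mirrors the client ACCESS.
    access = {"SOURCE": "ANY", "OPEN_PORTS": rc_vals.get("ACCESS", "tcp/22"),
              "KEY": key, "HMAC_KEY": hmac_key}
    return rc_text, "".join(f"{k:<28}{v}\n" for k, v in access.items())
```

Run `android_stanzas(parse_stanza(SAMPLE_RC), new_printable_key(16), new_printable_key(32))` to get the two stanzas to paste into ~/.fwknoprc and /etc/fwknop/access.conf; `decoded_is_printable` tells you first whether the existing base64 keys could have been reused at all.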