Thread: [Fwknop-discuss] Multiple OTP lists
From: Spezifikum <in...@sp...> - 2011-02-28 14:57:57
Hi,

I read about fwknop in the German IT magazine iX (03/2011). It seems like a perfect fit for my use case here, but I need something like multiple OTP lists, one per user. I know that allowing multiple users to manipulate the firewall is a bit strange, but it is the best solution I have come across so far. Currently I am using a website (PHP) written to accomplish that task, but port knocking would be much better and easier to maintain.

In a school environment I need to grant internet access (http(s), ftp, pop, imap, sftp) on demand to a group of computers. Currently the teacher opens the web page, logs in with his name and an OTP which is stored in a database, one table per user, and grants internet access to one room. In the background a PHP script calls a script which manipulates the firewall. The script is setuid-root, by the way (with a wrapper, of course). Technically this works like a charm, but I do not like setuid-root shell scripts being executed by PHP pages.

What I would need to do is to make fwknop look up the knock sequence, or a part of it, in a database, be it an internal one or an external one like MySQL. Let's say the user/teacher Joe has the number 0001 assigned; then the sequence 0001 7331 0001 1234 1234 would execute the start command if the number "7331" is the next unused number in the table "0001".

Another way would be to create one set of entries per user in the config file, where one set consists of two entries per group of computers. That would currently result in 80 * 2 * 8 entries.

Could anybody help me and tell me
a) if that is possible in a sense that it doesn't conflict with fwknop's design?
b) where in the sources of the Perl version the changes would have to be done?

Thanks a lot
Malte Müller
From: Spezifikum <in...@sp...> - 2011-03-01 09:21:11
Hi,

I got a reply that suggests using PGP authentication. That is a wonderful idea. Many teachers have Android smartphones and one could build a very easy-to-use solution based upon the "something you have" (private key) pattern.

Alas, it will not work here. Quite often the teachers will give the pupils the possibility to switch on internet access on their own. That's why I have OTP lists. The pupils get one number from the list. If I switch to private/public keys they would simply get the keys :-(

I wouldn't say that the idea of PGP is dead, but if I use that path it would take a bit more effort; maybe I could use smartcards or something like that to store the key. At the moment that is too big a project.

So, any suggestions on how to use multiple OTPs?

Thanks a lot
Malte Müller

On 28.2.2011 15:36, Spezifikum wrote:
> Hi,
> I read about fwknop in the German IT magazine iX (03/2011). It seems
> like a perfect fit for my use case here, but I need something like
> multiple OTP lists, one per user. I know that allowing multiple users
> to manipulate the firewall is a bit strange, but it is the best solution
> I have come across so far. Currently I am using a website (PHP) written to
> accomplish that task, but port knocking would be much better and easier
> to maintain.
> In a school environment I need to grant internet access (http(s), ftp,
> pop, imap, sftp) on demand to a group of computers. Currently the
> teacher opens the web page, logs in with his name and an OTP which is
> stored in a database, one table per user, and grants internet access to one
> room. In the background a PHP script calls a script which manipulates
> the firewall. The script is setuid-root, by the way (with a wrapper, of
> course). Technically this works like a charm, but I do not like setuid-root
> shell scripts being executed by PHP pages.
> What I would need to do is to make fwknop look up the knock sequence, or
> a part of it, in a database, be it an internal one or an external one like MySQL.
> Let's say the user/teacher Joe has the number 0001 assigned; then the
> sequence 0001 7331 0001 1234 1234 would execute the start command if the
> number "7331" is the next unused number in the table "0001".
> Another way would be to create one set of entries per user in the config
> file, where one set consists of two entries per group of computers. That
> would currently result in 80 * 2 * 8 entries.
> Could anybody help me and tell me
> a) if that is possible in a sense that it doesn't conflict with fwknop's
> design?
> b) where in the sources of the Perl version the changes would have
> to be done?
>
> Thanks a lot
> Malte Müller
From: Michael R. <mb...@ci...> - 2011-03-03 12:53:26
On Mar 01, 2011, Spezifikum wrote:
> Hi,
> I got a reply that suggests using PGP authentication. That is a
> wonderful idea. Many teachers have Android smartphones and one could
> build a very easy-to-use solution based upon the "something you have"
> (private key) pattern.
> Alas, it will not work here. Quite often the teachers will give the
> pupils the possibility to switch on internet access on their own. That's
> why I have OTP lists. The pupils get one number from the list. If I switch
> to private/public keys they would simply get the keys :-(
> I wouldn't say that the idea of PGP is dead, but if I use that path
> it would take a bit more effort; maybe I could use smartcards or
> something like that to store the key. At the moment that is too big a project.
> So, any suggestions on how to use multiple OTPs?

Max usages per key (possibly set to 1) could accomplish this, I think, per my previous note, but it would need to be implemented. It is not a trivial feature though, since tracking would have to be done per valid SPA packet and it would have to survive restarts of fwknopd and system reboots as well. I'm not sure this is a compelling feature, but I would be interested in what others think.

Thanks,

--Mike

> Thanks a lot
> Malte Müller
>
> On 28.2.2011 15:36, Spezifikum wrote:
> > Hi,
> > I read about fwknop in the German IT magazine iX (03/2011). It seems
> > like a perfect fit for my use case here, but I need something like
> > multiple OTP lists, one per user. I know that allowing multiple users
> > to manipulate the firewall is a bit strange, but it is the best solution
> > I have come across so far. Currently I am using a website (PHP) written to
> > accomplish that task, but port knocking would be much better and easier
> > to maintain.
> > In a school environment I need to grant internet access (http(s), ftp,
> > pop, imap, sftp) on demand to a group of computers. Currently the
> > teacher opens the web page, logs in with his name and an OTP which is
> > stored in a database, one table per user, and grants internet access to one
> > room. In the background a PHP script calls a script which manipulates
> > the firewall. The script is setuid-root, by the way (with a wrapper, of
> > course). Technically this works like a charm, but I do not like setuid-root
> > shell scripts being executed by PHP pages.
> > What I would need to do is to make fwknop look up the knock sequence, or
> > a part of it, in a database, be it an internal one or an external one like MySQL.
> > Let's say the user/teacher Joe has the number 0001 assigned; then the
> > sequence 0001 7331 0001 1234 1234 would execute the start command if the
> > number "7331" is the next unused number in the table "0001".
> > Another way would be to create one set of entries per user in the config
> > file, where one set consists of two entries per group of computers. That
> > would currently result in 80 * 2 * 8 entries.
> > Could anybody help me and tell me
> > a) if that is possible in a sense that it doesn't conflict with fwknop's
> > design?
> > b) where in the sources of the Perl version the changes would have
> > to be done?
> >
> > Thanks a lot
> > Malte Müller
From: Michael R. <mb...@ci...> - 2011-03-03 12:50:22
On Feb 28, 2011, Spezifikum wrote:
> Hi,

Hello Malte,

> I read about fwknop in the German IT magazine iX (03/2011). It seems
> like a perfect fit for my use case here, but I need something like
> multiple OTP lists, one per user. I know that allowing multiple users
> to manipulate the firewall is a bit strange, but it is the best solution
> I have come across so far. Currently I am using a website (PHP) written to
> accomplish that task, but port knocking would be much better and easier
> to maintain.

Is there any chance that an English translation exists for the iX magazine article? It appears to me that there isn't an electronic version available via the magazine website.

Do you mean port knocking, or Single Packet Authorization? The port knocking mode in fwknop is deprecated in favor of the much more robust SPA mode.

> In a school environment I need to grant internet access (http(s), ftp,
> pop, imap, sftp) on demand to a group of computers. Currently the
> teacher opens the web page, logs in with his name and an OTP which is
> stored in a database, one table per user, and grants internet access to one
> room. In the background a PHP script calls a script which manipulates
> the firewall. The script is setuid-root, by the way (with a wrapper, of
> course). Technically this works like a charm, but I do not like setuid-root
> shell scripts being executed by PHP pages.

Since you are using a table of one-time passwords, this implies that a user has multiple OTPs, and therefore this would be equivalent in the fwknop world to assigning a maximum usage number to each SPA key. (On the wire in SPA mode fwknop already has strong protection against replay attacks, which is one of the primary reasons to use OTPs anyway, i.e. they aren't needed in the SPA world.) Support doesn't currently exist to limit the number of usages of a key, but potentially could be added. I would need to think about this a bit more.

> What I would need to do is to make fwknop look up the knock sequence, or
> a part of it, in a database, be it an internal one or an external one like MySQL.
> Let's say the user/teacher Joe has the number 0001 assigned; then the
> sequence 0001 7331 0001 1234 1234 would execute the start command if the
> number "7331" is the next unused number in the table "0001".
> Another way would be to create one set of entries per user in the config
> file, where one set consists of two entries per group of computers. That
> would currently result in 80 * 2 * 8 entries.
> Could anybody help me and tell me
> a) if that is possible in a sense that it doesn't conflict with fwknop's
> design?

The architecture is very different. For one thing, your users would have to download and run the fwknop client on their local systems instead of interacting with a web page. Or, some development could be done on a web proxy that would execute the fwknop command on behalf of a user; this has been on the fwknop todo list for a while. Either way, SPA would be used instead of port knocking.

> b) where in the sources of the Perl version the changes would have
> to be done?

I would recommend that all modifications be made against the C version of fwknop first, as this is where the primary development effort is. To implement the usage-limits-per-key feature, modifications would need to be made in the fwknopd server (see the server/ directory in the C sources).

Thanks,

--Mike

> Thanks a lot
> Malte Müller
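Mike's two replies above sketch what a "maximum usages per key" feature would have to do: count accepted packets per key, remember each accepted packet so it cannot be presented again, and keep that bookkeeping across fwknopd restarts and system reboots. The Python below is an added example of that bookkeeping written for this page; it is not fwknop code and says nothing about how fwknopd is built internally. The key ids, the JSON state file, the authorize() interface and the packet byte strings are all assumptions made for the illustration. It is meant to run only after a packet has already been decrypted and authenticated, so that an attacker who cannot forge packets also cannot burn a teacher's uses or fill the replay cache.

```python
"""Per-key usage limits with restart-safe replay tracking (added example,
not fwknop code; key ids, state-file layout and API are assumptions)."""
import hashlib
import json
import os
import shutil
import tempfile
import time


class KeyUsageTracker:
    """Counts distinct accepted packets per key id and enforces a limit.

    State lives in one JSON file that is rewritten atomically (temporary file
    in the same directory, then os.replace), so a crash or reboot between two
    packets cannot leave a half-written file that silently resets a counter.
    """

    def __init__(self, state_path, limits, replay_window=3600):
        # limits: {key_id: max_uses}. A key with max_uses == 1 behaves like a
        # one-time password. replay_window (seconds) bounds how long packet
        # digests are kept; make it at least as long as the packet timestamp
        # tolerance so a replay is still in the cache while it could be valid.
        self.state_path = state_path
        self.limits = dict(limits)
        self.replay_window = replay_window
        self.state = self._load()

    def _load(self):
        try:
            with open(self.state_path) as f:
                return json.load(f)
        except (FileNotFoundError, json.JSONDecodeError):
            return {"uses": {}, "seen": {}}

    def _save(self):
        directory = os.path.dirname(os.path.abspath(self.state_path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".usage.")
        try:
            with os.fdopen(fd, "w") as f:
                json.dump(self.state, f)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, self.state_path)
        except BaseException:
            os.unlink(tmp)
            raise

    def authorize(self, key_id, packet, now=None):
        """Return (accepted, reason); consumes one use of key_id on success.

        `packet` must already be authenticated by the caller.
        """
        now = time.time() if now is None else now
        if key_id not in self.limits:
            return False, "unknown key"
        digest = hashlib.sha256(packet).hexdigest()
        seen = self.state["seen"]
        # Expire old digests first so the cache cannot grow without bound.
        for old in [d for d, t in seen.items() if now - t > self.replay_window]:
            del seen[old]
        if digest in seen:
            return False, "replay"
        used = self.state["uses"].get(key_id, 0)
        if used >= self.limits[key_id]:
            return False, "usage limit reached"
        # Persist before reporting success: a crash right after acceptance
        # must not hand out an extra use when the daemon comes back.
        seen[digest] = now
        self.state["uses"][key_id] = used + 1
        self._save()
        return True, "ok"


def demo():
    """Constructed scenario: key 'joe' allows 2 uses, key 'ann' allows 1.

    The byte strings stand in for already-verified SPA packets; they are
    made up for this example. Returns the list of decision reasons.
    """
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "spa_usage.json")
        limits = {"joe": 2, "ann": 1}
        t = KeyUsageTracker(path, limits)
        out = [t.authorize("joe", b"spa-packet-1", now=1000)[1],   # ok
               t.authorize("joe", b"spa-packet-1", now=1001)[1],   # replay
               t.authorize("joe", b"spa-packet-2", now=1002)[1],   # ok
               t.authorize("joe", b"spa-packet-3", now=1003)[1]]   # limit
        # A fresh instance re-reads the file, as a daemon would after restart.
        t2 = KeyUsageTracker(path, limits)
        out += [t2.authorize("joe", b"spa-packet-4", now=1004)[1],  # limit
                t2.authorize("ann", b"spa-packet-5", now=1005)[1],  # ok
                t2.authorize("ann", b"spa-packet-6", now=1006)[1],  # limit
                t2.authorize("bob", b"spa-packet-7", now=1007)[1]]  # unknown
        return out
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The replay cache here duplicates, at the application layer, the on-the-wire replay protection Mike says SPA mode already has; what the thread actually asks for is the counter, and the cache is only there so that one accepted packet can never be counted twice. The counter is deliberately written to disk before the caller is told "ok": the failure mode to avoid is a daemon that opens the firewall, dies, and on restart has no memory of having done so.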