Hello,

In trying to get fwknopd to work with gpg keys I came across a situation 
where it looks like fwknopd receives a valid packet but never inserts an 
iptables rule to allow access. It seems like fwknopd is waiting for 
gpg/gpg-agent/pinentry to return. I'd like to understand whether this 
behavior is due to some misconfiguration of my server, my configuration, or 
how I'm using fwknopd. Here is some verbose goodness:

I started fwknopd 2.0 with -v for extra goodness. Here is what is in 
/var/log/messages:

Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd
Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: 
'/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: 
'(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t 
filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: create_fw_chains() CMD: 
'/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: add_jump_rule() CMD: 
'/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Apr 26 15:41:55 server fwknopd[18346]: Added jump rule from chain: INPUT 
to chain: FWKNOP_INPUT
Apr 26 15:41:55 server fwknopd[18346]: PCAP filter is: udp port 62201
Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd main event loop.
Apr 26 15:42:48 server kernel: Dump tcp: IN=eth0 OUT= 
MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=50.116.66.240 
DST=50.115.119.68 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=60775 PROTO=TCP 
SPT=80 DPT=1234 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 26 15:43:07 server kernel: Dump udp: IN=eth0 OUT= 
MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=174.52.254.248 
DST=50.115.119.68 LEN=1030 TOS=0x00 PREC=0x00 TTL=49 ID=10051 DF 
PROTO=UDP SPT=43878 DPT=62201 LEN=1010
Apr 26 15:43:07 server fwknopd[18346]: (stanza #1) SPA Packet from IP: 
174.52.254.248 received with access source match


After that last message, there are no more. Here's what I see from the 
cmdline:

# ps auxw --forest | grep -A5 [f]wknopd
root     18346  0.0  0.0  17628  3712 ?        Ss   15:41   0:00 fwknopd -v
root     18371  0.0  0.0  24648  1628 ?        SL   15:43   0:00 gpg 
--enable-special-filenames --no-sk-comment --homedir /root/.gnupg 
--status-fd 4 --no-tty --charset utf8 --enable-progress-filter 
--command-fd 5 --decrypt --output - -- -&9
root     18373  0.0  0.0  13164   980 ?        SL   15:43   0:00  \_ 
gpg-agent --server
root     18374  0.0  0.0   8548   780 ?        SL   15:43   0:00      \_ 
pinentry


According to strace and lsof, pinentry is trying to read from file 
handle 0 which is a pipe:

# strace -fp 18374
Process 18374 attached - interrupt to quit
read(0, ^C <unfinished ...>
Process 18374 detached
# lsof -p  18374 | awk '$4 ~/0/ {print $0}'
pinentry 18374 root    0r  FIFO    0,6      0t0  574833 pipe


Strace shows gpg-agent trying to read from filehandle 8 however I don't 
see one with lsof:

# strace -fp 18373
Process 18373 attached - interrupt to quit
select(8, [3 7], [], [], NULL^C <unfinished ...>
Process 18373 detached
# lsof -p  18373 | awk '$4 ~/8/ {print $0}'
#


It looks like gpg is trying to read from a pipe as well:

# strace -fp 18371
Process 18371 attached - interrupt to quit
read(9, ^C <unfinished ...>
Process 18371 detached
# lsof -p 18371 | awk '$4 ~ /9/ {print $0}'
gpg     18371 root    9r  FIFO    0,6      0t0  577265 pipe


At this point fwknopd seems to be looping; however, it doesn't respond to 
any additional authentication packets that I send its way. Here is a 
strace of fwknopd as I send another authentication packet to the server:

# strace -fp 18346
Process 18346 attached - interrupt to quit
select(8, [2 7], [], NULL, {0, 216681}) = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)
select(8, [2 7], [], NULL, {1, 0})      = 0 (Timeout)


Fwknopd doesn't respond to the -K option as I'd expect. If I kill -15 
the pinentry/gpg-agent/gpg, then fwknopd puts this inside /var/log/messages:

Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) Error creating fko 
context: Decryption operation failed
Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) - GPG ERROR: No data

I have seen it sometimes say this:

Apr 26 15:58:01 server fwknopd[18346]: (stanza #1) - GPG ERROR: Bad 
passphrase

despite my access.conf having this line:

GPG_DECRYPT_PW:<space><passphrase>;

At this point fwknopd will process new authentication packets so long as 
I don't use gpg. Here's what a strace then looks like:

# strace -fp 18346 2>&1 | head -10
Process 18346 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
poll([{fd=1, events=POLLIN}], 1, 0)     = 0 (Timeout)
nanosleep({0, 10000000}, NULL)          = 0
poll([{fd=1, events=POLLIN}], 1, 0)     = 0 (Timeout)
nanosleep({0, 10000000}, NULL)          = 0
poll([{fd=1, events=POLLIN}], 1, 0)     = 0 (Timeout)
nanosleep({0, 10000000}, NULL)          = 0
poll([{fd=1, events=POLLIN}], 1, 0)     = 0 (Timeout)
nanosleep({0, 10000000}, NULL)          = 0


Are there any suggestions as to what my next steps should be to get this 
working properly?

-- Morgan
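The post above shows a daemon blocked on a pinentry that has no terminal to read from. Before handing a GPG key to a daemon, an administrator can confirm that the key decrypts with no tty and no pinentry, and that a hang is reported rather than waited on forever. The script below is an added example, not code from the original post or from the fwknop project (fwknopd drives GnuPG through its own integration rather than this command line). It assumes GnuPG 2.1 or newer (for `--pinentry-mode loopback`) and the coreutils `timeout` command; the key user id, passphrase and message are constructed test data in a throwaway keyring.

```shell
#!/bin/sh
# Added example: verify that a GnuPG key can be decrypted the way a daemon
# must decrypt it (no tty, passphrase from a file descriptor, no pinentry),
# and detect the "stuck waiting on pinentry" failure mode with a timeout.
# Assumes GnuPG 2.1+ and coreutils `timeout`. All key material and
# messages are constructed test data; nothing touches the real ~/.gnupg.
set -eu

TEST_UID="fwknop-test <test@example.invalid>"   # constructed
TEST_PW="testpass"                              # constructed, deliberately trivial
TEST_MSG="constructed SPA payload"              # constructed

# Create an isolated keyring with one RSA primary key plus an encryption
# subkey, protected by TEST_PW. GNUPGHOME is exported for later gpg calls.
make_test_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$TEST_PW" \
        --quick-generate-key "$TEST_UID" default default never
}

# Decrypt as an unattended daemon would: --no-tty so gpg never prompts,
# --pinentry-mode loopback so gpg-agent never launches a pinentry program,
# the passphrase on fd 0, and a 20 second ceiling so a hang surfaces as
# exit status 124 instead of a process that sits in read() forever.
decrypt_noninteractive() {
    _in="$1"; _pw="$2"
    printf '%s\n' "$_pw" | timeout 20 gpg --batch --no-tty --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$_in" 2>/dev/null
}

# Prints "ok" when the correct passphrase decrypts and the wrong one is
# rejected, "hung" when decryption timed out, "failed" otherwise.
check_daemon_decrypt() {
    make_test_keyring
    printf '%s\n' "$TEST_MSG" > "$GNUPGHOME/msg.txt"
    gpg --batch --quiet --trust-model always -r "test@example.invalid" \
        --encrypt --output "$GNUPGHOME/msg.gpg" "$GNUPGHOME/msg.txt"

    set +e
    good=$(decrypt_noninteractive "$GNUPGHOME/msg.gpg" "$TEST_PW")
    good_rc=$?
    # Clear the agent's cache so the wrong passphrase is really tested.
    gpgconf --reload gpg-agent 2>/dev/null
    decrypt_noninteractive "$GNUPGHOME/msg.gpg" "wrongpass" >/dev/null
    bad_rc=$?
    set -e

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"

    if [ "$good_rc" -eq 124 ] || [ "$bad_rc" -eq 124 ]; then
        echo hung
    elif [ "$good_rc" -eq 0 ] && [ "$good" = "$TEST_MSG" ] && [ "$bad_rc" -ne 0 ]; then
        echo ok
    else
        echo failed
    fi
}

# Stand-alone use: print the verdict (skipped if gpg is not installed).
if command -v gpg >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
    check_daemon_decrypt
fi
```

A result of "hung" reproduces the symptom in the post (a decryption that never returns because something is waiting for a passphrase that can only arrive from a terminal); "failed" with the correct passphrase corresponds to the "Bad passphrase" and "No data" errors that appeared once the stuck gpg processes were killed. Either way the check fails fast and leaves the real keyring untouched, which is what you want before a packet-triggered daemon takes on the decryption.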




_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
