On Aug 01, 2012, Johannes Lavre wrote:

> Hello, I installed the new C version of fwknop and it works with
> Rijndael. But when I enable GPG authentication the server fails to
> read the SPA packet. When I run the test suite it passes all tests
> except the GPG tests. But instead of failing it just hangs forever. I
> have libgpgme support and libgpgme-error support. Also I have SELinux
> disabled. My flavor distro is CentOS 6.3 that I run the new fwknop
> server on. For now rolling fwknop with the Perl dependencies. Is this
> issue CentOS related?
In fwknop-2.0.2-pre2, there is a new "GPG_ALLOW_NO_PW" option for the access.conf file, and there are a bunch of new gpg tests that I suspect will now pass. These tests run against local copies of the test suite gpg keys that have passwords removed:

http://www.cipherdyne.org/fwknop/download/fwknop-2.0.2-pre2.tar.gz

I suspect that things will work if you remove the password from the server-side gpg key in /root/.gnupg. This sounds like a bad idea, but once again I think this link is important:

http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

The statement "don't use passphrases as there is usually no way to store it more securely than on the secret keyring itself" sums it up. If an attacker compromises the system where fwknopd is running, both the private key and the passphrase are available, so does a passphrase provide any additional protection? I think not, though I'd love to hear a counter argument.

On the client side, the pinentry thing shouldn't be a problem if you are used to typing the gpg signing passphrase at the prompt. For the server side, the instructions for removing the passphrase are at the link above.
Thanks,

--Mike
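As an added illustration of the server-side configuration question discussed above (not code from fwknop or from either poster), the following script lints access.conf stanzas for how the GPG decryption passphrase is handled. It assumes the fwknop 2.x "KEYWORD: value" line format with a new stanza at each SOURCE line; GPG_ALLOW_NO_PW is from the thread, while GPG_DECRYPT_ID and GPG_DECRYPT_PW are assumed names for the server key id and a passphrase stored in the file.

```python
import re

# access.conf lines look like "KEYWORD: value"; each SOURCE line opens a stanza.
_LINE = re.compile(r"^([A-Za-z_]+)\s*:?\s*(.*?)\s*$")

def parse_access_conf(text):
    """Split access.conf text into a list of stanza dicts (KEYWORD -> value)."""
    stanzas, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable access.conf line: %r" % raw)
        key, value = m.group(1).upper(), m.group(2)
        if key == "SOURCE":
            cur = {}
            stanzas.append(cur)
        if cur is None:
            raise ValueError("directive before first SOURCE: %r" % raw)
        cur[key] = value
    return stanzas

def lint_gpg(stanzas):
    """Return [(stanza index, finding)] for stanzas that decrypt with GPG."""
    findings = []
    for i, s in enumerate(stanzas):
        if "GPG_DECRYPT_ID" not in s:       # assumed keyword for the server key id
            continue                        # symmetric-key stanza, nothing to check
        stored_pw = bool(s.get("GPG_DECRYPT_PW"))   # assumed keyword
        no_pw = s.get("GPG_ALLOW_NO_PW", "N").upper() == "Y"
        if not stored_pw and not no_pw:
            findings.append((i, "no passphrase source for GPG_DECRYPT_ID: "
                                "decryption will stall waiting on pinentry"))
        elif stored_pw:
            findings.append((i, "GPG_DECRYPT_PW keeps the passphrase next to the "
                                "secret keyring; remove it and set GPG_ALLOW_NO_PW"))
    return findings

# Constructed sample: one symmetric-key stanza and the three GPG cases.
SAMPLE = """\
SOURCE: 192.168.1.0/24
KEY: example-symmetric-key
SOURCE: ANY                  # passphrase stored in plaintext beside the key
GPG_DECRYPT_ID: DEADBEEF
GPG_DECRYPT_PW: example-passphrase
SOURCE: 10.0.0.0/8           # no passphrase and no override: will hang
GPG_DECRYPT_ID: DEADBEEF
SOURCE: 172.16.0.0/12        # key has no passphrase and the server is told so
GPG_DECRYPT_ID: DEADBEEF
GPG_ALLOW_NO_PW: Y
"""
```

Running `lint_gpg(parse_access_conf(SAMPLE))` reports the second and third stanzas and leaves the first and last alone.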
