On Mon, Apr 9, 2018 at 5:10 PM, David Klann <dkl...@grunch.org> wrote:

> -B is supported, but since I'm encrypting with GPG, the contents are
> opaque to me. I don't see a way in the man page or a tool to decode an
> encrypted SPA packet. The contents on the two clients' saved output
> (from -B) are (as I would expect) very different.
>
> In a similar vein, I ran fwknop --test --verbose -n <destination> on
> both clients and compared the output. Other than the expected
> differences (timestamps, random numbers, etc.) the two runs look largely
> similar. The one significant (to me) difference is the FKO version:
> 2.0.2 on the non-working client, and 3.0.0 on the working client.
>
> Hmmmmm... I *thought* I'd done this... I compared the dumped data (with
> --verbose) on the client with the contents of the packet as captured on
> one of the servers VERBOSE 2 in fwknopd.conf. I see now that the packet
> from the failing client is truncated when displayed in the log by the
> server. The packet contents from the working client are identical to the
> VERBOSE output on the server.
>
> It looks like the failing client is sending seventeen *more* characters
> than server is receiving. Just eyeballing it, the two packet contents
> are identical up to the truncation point. I feel like I've run into this
> before in a slightly different context.
>
>
Hi David,

That is interesting. What are the GPG key sizes that you are using?
Anything beyond 2048 bits may produce encrypted SPA data that is too large
to fit within a single (Ethernet) frame. There are tricks to get around
this though, like this one:
https://it-offshore.co.uk/security/85-fwknop-4096-bit-rsa-keys

When the incoming SPA packet from the client is truncated, are you seeing
that within fwknopd output? If you use tcpdump (with a snaplen of zero -
something like 'tcpdump -i eth0 -l -nn -s 0 -X') does the incoming packet
appear to not be truncated but fwknopd says it is?

Thanks,

--Mike




> I'm running the test suite now ...
>
> Thanks!
>
>   ~David
>
>
> On 04/09/2018 02:48 PM, sean.gre...@gmail.com wrote:
> > Hey, hadda check😀
> >
> > Have you used the -B on the clients and compared the two generated SPA
> > packets?  (I think it’s still a valid flag to the command line client) I
> > can’t check at the moment as there is a huge power outage in my area.
> >
> > Regards Sean
> >
> >
> >
> > Sent from my iPhone
> >
> >> On 9 Apr 2018, at 18:25, David Klann <dkl...@grunch.org> wrote:
> >>
> >> Good call Sean, and yes -- all four computers are running either ntpd or
> >> the systemd equivalent. Time is synchronized on all of them.
> >>
> >> Thanks for your thought!
> >>
> >>  ~David
> >>
> >>
> >>> On 04/09/2018 12:16 PM, sean.gre...@gmail.com wrote:
> >>> Just a really arb squirrel check.... the Arch Linux time is
> >>> synchronised right?
> >>>
> >>> I know it’s obvious but had to check.
> >>>
> >>> Regards Sean
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On 9 Apr 2018, at 17:47, David Klann <dkl...@grunch.org> wrote:
> >>>>
> >>>> Greetings!
> >>>>
> >>>> I am a longtime user of fwknop (thanks for your work Michael!), and I
> >>>> have run into a problem that has been vexing me for several months.
> >>>>
> >>>> I have two servers into which I log in via SSH after authorizing with
> >>>> fwknop from two clients. Authorization from the Ubuntu client (Client 1)
> >>>> works as expected. Authorization from the Arch Linux-based client
> >>>> (Client 2) fails with both servers.
> >>>>
> >>>> I have compared the contents of the SPA packets at the clients and at
> >>>> the servers, and they appear to arrive correctly at the servers (using
> >>>> verbose fwknop(1) output and tcpdump).
> >>>>
> >>>> Can anyone help with troubleshooting pointers? I'm happy to provide more
> >>>> details as needed.
> >>>>
> >>>> Thanks!
> >>>>
> >>>>  ~David Klann
> >>>>
> >>>>
> >>>> Here are some version and configuration details:
> >>>>
> >>>>  - Server 1: Current gentoo, net-firewall/fwknop version 2.6.9-r1
> >>>>
> >>>> fwknopd --version
> >>>> fwknopd server 2.6.9, compiled for firewall bin: /sbin/iptables
> >>>>
> >>>>  - Server 2: Ubuntu 16.04, fwknop-server 2.6.0-2.2
> >>>>
> >>>> sudo fwknopd --version
> >>>> fwknopd server 2.6.0
> >>>>
> >>>> SPA authorization from Client 1 works with both of these servers. SPA
> >>>> authorization from Client 2 *fails* with both servers. Details:
> >>>>
> >>>>  - Client 1 (working): Ubuntu 17.10, fwknop-client 2.6.9-1build1
> >>>>
> >>>> fwknop --version
> >>>> fwknop client 2.6.9, FKO protocol version 3.0.0
> >>>>
> >>>>  - Client 2 (not working): current Arch Linux, community/fwknop 2.6.9-4
> >>>>
> >>>> fwknop --version
> >>>> fwknop client 2.6.9, FKO protocol version 2.0.2
> >>>>
> >>>> Client and server configurations are at the following pastebins:
> >>>> - client 1 .fwknoprc: https://pastebin.com/eNL4Fskp
> >>>> - client 2 .fwknoprc: https://pastebin.com/tN5ryw83
> >>>> - server 1 fwknopd.conf: https://pastebin.com/UgiXHXMV
> >>>> - server 1 access.conf: https://pastebin.com/Jakk07gj
> >>>> - server 2 fwknopd.conf: https://pastebin.com/inxC1S6G
> >>>> - server 2 access.conf: https://pastebin.com/NGRTJqW5
> >>>>
> >>>>
> >>>> ------------------------------------------------------------------------------
> >>>> Check out the vibrant tech community on one of the world's most
> >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >>>> _______________________________________________
> >>>> Fwknop-discuss mailing list
> >>>> Fwknop-discuss@lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> >>
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
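For the comparison Mike asks about (the SPA text the client saved with -B versus the text fwknopd printed at VERBOSE 2), here is a small diagnostic. It is an added example, not part of fwknop and not code from anyone in this thread. It assumes both copies are available as plain text (SPA data is base64 text, so one character is one byte on the wire) and that the server sits behind a standard 1500-byte Ethernet MTU; the two sample strings are constructed stand-ins for real ciphertext, and whether fwknopd enforces its own maximum packet length beyond the frame budget is not something the thread states, so the script only reports the frame arithmetic.

```python
"""Compare the SPA packet a client sent with the one fwknopd logged.

Added diagnostic (not fwknop code). Inputs are assumed to be:
  * the base64 text saved on the client with `fwknop -B`, and
  * the packet string fwknopd printed at VERBOSE 2.
The sample strings built below are CONSTRUCTED, not real SPA data.
"""
import random

IPV4_HEADER = 20   # bytes, IPv4 header without options
IPV6_HEADER = 40   # bytes, fixed IPv6 header
UDP_HEADER = 8     # bytes

# Base64 alphabet used only to fabricate a deterministic stand-in payload.
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def udp_payload_budget(mtu=1500, ipv6=False):
    """Largest UDP payload that fits in one frame of the given MTU."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - UDP_HEADER


def common_prefix_len(a, b):
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def diagnose(sent, received, mtu=1500, ipv6=False):
    """Report whether `received` looks like a truncated copy of `sent`.

    Truncation is flagged only when the server-side copy is shorter AND
    is a strict prefix of the client-side copy, which is the pattern
    David describes (identical up to the cut, then nothing).
    """
    sent, received = sent.strip(), received.strip()
    prefix = common_prefix_len(sent, received)
    budget = udp_payload_budget(mtu, ipv6)
    return {
        "sent_len": len(sent),
        "received_len": len(received),
        "missing": len(sent) - len(received),
        "common_prefix": prefix,
        "truncated": len(received) < len(sent) and prefix == len(received),
        "udp_budget": budget,
        "fits_one_frame": len(sent) <= budget,
    }


def constructed_spa(length, seed=1):
    """Deterministic fake base64 text standing in for opaque GPG ciphertext."""
    rng = random.Random(seed)
    return "".join(rng.choice(_B64) for _ in range(length))


# Constructed scenario: the client emits 1489 characters, the server only
# sees the first 1472 (the IPv4/UDP payload budget of a 1500-byte frame).
CLIENT_SENT = constructed_spa(1489)
SERVER_LOGGED = CLIENT_SENT[:1472]


if __name__ == "__main__":
    report = diagnose(CLIENT_SENT, SERVER_LOGGED)
    for key, value in report.items():
        print(f"{key:15} {value}")
    if report["truncated"] and not report["fits_one_frame"]:
        print("client payload exceeds one frame; server copy is a clean prefix")
```

Feed it the real strings from the two clients and the two servers; a `missing` of 17 with `truncated` true and `fits_one_frame` false would point at payload size rather than at key or config mismatch, while a shared prefix shorter than the server copy would mean the data differs before the cut and size is not the story.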
