cipherdyne.org

Michael Rash, Security Researcher



Software Release - fwknop-1.0

fwknop-1.0 release

The 1.0 release of fwknop is ready for download. This release marks the production-ready release of Single Packet Authorization technology for Linux systems. Single Packet Authorization is becoming an increasingly important mechanism for protecting services such as SSH, and is essentially the successor technology to port knocking. Here is an excerpt from the ChangeLog:
  • Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header file.
  • Bugfix for access hashes accumulating when multiple ports are requested to be opened by a client.
  • Better validation of IPT_AUTO_CHAIN variable so that the from_chain cannot be identical to the to_chain.
  • Bugfix in RPM to install List::MoreUtils.
  • Bugfix so that the MD5 sum for an SPA packet is not examined for each SOURCE block. This fixes a problem where an SPA packet could appear to be replayed if multiple SOURCE blocks are defined in /etc/fwknop/access.conf.
  • Refactored main SPA access loop so that it is clearer how and when SPA clients are granted access.
  • Better handling of GnuPG key identifier strings (they can now contain spaces, and syslog messages wrap the identifiers with double quotes).
  • Added source IP address to command string in the SPA packet so that the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd server.
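The SOURCE-block replay bug fixed in this release, shown as an added illustration rather than fwknop's own Perl code: the access.conf blocks, the packet bytes and the helper names are constructed for the example, and only the placement of the digest check is what the ChangeLog item describes.

```python
import hashlib
import ipaddress

# Constructed stand-in for an /etc/fwknop/access.conf with two SOURCE blocks
# (a minimal model of the structure, not real fwknop config parsing).
ACCESS_BLOCKS = [
    {"source": "10.0.0.0/8", "open_ports": {"tcp/22"}},
    {"source": "192.168.1.0/24", "open_ports": {"tcp/22", "tcp/80"}},
]


def _in_network(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def spa_digest(packet: bytes) -> str:
    # The ChangeLog refers to the MD5 sum of the SPA packet as the replay key.
    return hashlib.md5(packet).hexdigest()


def access_loop_buggy(packet: bytes, src_ip: str, port: str, replay_cache: set) -> str:
    """Pre-1.0 shape: the digest is examined inside the per-SOURCE loop.

    If the first SOURCE block does not match the client, the digest is already
    cached when the second block is checked, so a fresh packet looks replayed.
    """
    digest = spa_digest(packet)
    for block in ACCESS_BLOCKS:
        if digest in replay_cache:
            return "replay"
        replay_cache.add(digest)
        if _in_network(src_ip, block["source"]) and port in block["open_ports"]:
            return "allow"
    return "deny"


def access_loop_fixed(packet: bytes, src_ip: str, port: str, replay_cache: set) -> str:
    """1.0 shape: the digest is examined once, before any SOURCE block."""
    digest = spa_digest(packet)
    if digest in replay_cache:
        return "replay"
    replay_cache.add(digest)
    for block in ACCESS_BLOCKS:
        if _in_network(src_ip, block["source"]) and port in block["open_ports"]:
            return "allow"
    return "deny"
```

A client matching only the second SOURCE block is rejected as a replay by the old loop and allowed by the fixed one, while a genuine second copy of the same packet is still rejected.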