
Re: Port Knocking on openBSD?
Bzzzzt.
Q. What's listening for these messages?
A. A program.
Q. Does this program run as root?
A. Yup.
Q. Do programs have bugs?
A. Yup.
Q. What happens if it's got a weird overflow or shell expansion bug?
A. Bad things.
Q. What happens if it can be tricked into putting bad stuff into
   your pf.conf?
A. Bad things.
Q. Do you want root doing bad things on your firewall?
A. Nope! That was the idea in the first place!
Q. What do you trust more, the portknocker, or OpenSSH?
A. [obvious]

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.

-----Original Message-----
From: Magnus Bodin [mailto:magnus@bodin.org] 
Sent: Sunday, February 08, 2004 1:51 PM
To: Dom De Vitto
Cc: misc@openbsd.org
Subject: Re: Port Knocking on openBSD?

On Sun, Feb 08, 2004 at 10:32:39AM -0000, Dom De Vitto wrote:
> Key point Henning realised, we didn't.
> 
> Layers are good, but the portknocking is an inner layer:
> - is it priv-sep'd ? No (I'm guessing), so an exploit *could* give root. 

"portknocking" is not an interactive protocol per se. It is listening to
filtered packets and if a well defined packet content flies by or in the
original port knocking scheme, a specific order of probes occurs, then a
pf-table is populated to give access to a specific port.

If such a program crashes you could not give root. Or any shell.
A significant risk would be that someone may DoS the "portknocking service".

Other speculations about having userid and ssh credentials in the
portknocking packets are just dumb of course. What should be used is one time
passwords or similar that cannot be reused or guessed.

It should in addition be run on a transparent bridge, making it just a
gatekeeper. And thus making it a true layer.

"Portknocking" is of course just the most obscure and "less secure" way of
convincing the gatekeeper that you are allowed over the bridge. Other
offline ways are one-time-passwords sent to a specific GSM-number hooked up
to the bridge, touch-tone gateways, etc.

-- 
    magnus, http://x42.com
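As an added illustration of both messages above (example code, not from either poster or any port-knocking project): the sequence tracker below is the mechanism Magnus describes, a fixed order of probes from one source that, once complete, turns into a pf table entry; and the way the address reaches pfctl is the part Dom's checklist is about, since the daemon runs with enough privilege to change the firewall. The knock ports, the time window, the table name "knocked", the function names and the packet feed are all assumptions made for the example; the feed is constructed inline instead of being read from pflog.

```python
# Added example for the thread above; not code from either poster.
# Everything below is an assumption for illustration: the knock ports, the
# window, the pf table name "knocked" and the packet feed, which is constructed
# inline instead of coming from pflog or tcpdump.
import ipaddress
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed example sequence
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the sequence
PF_TABLE = "knocked"                 # assumed pf table, e.g. referenced as
                                     # "pass in to port ssh from <knocked>"


@dataclass
class KnockState:
    stage: int = 0        # index of the next port expected from this source
    started: float = 0.0  # time of the first correct knock


class KnockTracker:
    """Per-source progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.states = {}  # src_ip -> KnockState

    def observe(self, src_ip, dst_port, now):
        """Feed one filtered packet; return True when src_ip completes the sequence."""
        st = self.states.get(src_ip, KnockState())
        if st.stage and now - st.started > self.window:
            st = KnockState()  # too slow: the partial sequence expires
        if dst_port == self.sequence[st.stage]:
            if st.stage == 0:
                st.started = now
            st.stage += 1
        elif dst_port == self.sequence[0]:
            st = KnockState(stage=1, started=now)  # wrong port, but a fresh start
        else:
            st = KnockState()  # any other probe resets progress, so an
                               # in-order port sweep never completes the knock
        if st.stage == len(self.sequence):
            self.states.pop(src_ip, None)
            return True
        self.states[src_ip] = st
        return False


def pfctl_add_argv(src_ip, table=PF_TABLE):
    """Argument vector for adding src_ip to a pf table.

    ipaddress.ip_address() accepts only a syntactically valid IPv4/IPv6
    literal and raises ValueError on anything else, so a crafted source
    string cannot carry shell metacharacters or extra options through.
    The result is meant for subprocess.run(argv) with no shell involved.
    """
    addr = ipaddress.ip_address(src_ip)
    return ["pfctl", "-t", table, "-T", "add", str(addr)]


def process_feed(packets, tracker=None):
    """Run a feed of (src_ip, dst_port, timestamp) records through the tracker.

    Returns the pfctl argv for every completed knock, in order. In a real
    daemon the unprivileged tracker would hand each address to a small root
    helper that runs exactly this argv; here nothing is executed.
    """
    tracker = tracker or KnockTracker()
    grants = []
    for src_ip, dst_port, ts in packets:
        if tracker.observe(src_ip, dst_port, ts):
            grants.append(pfctl_add_argv(src_ip))
    return grants


# Constructed sample feed: one correct knock, one out-of-order attempt, one
# port sweep that hits the knock ports in order but with other probes in
# between, and one knock whose last probe arrives after the window closed.
SAMPLE_FEED = [
    ("192.0.2.10", 7000, 0.0), ("192.0.2.10", 8000, 1.0), ("192.0.2.10", 9000, 2.0),
    ("192.0.2.11", 7000, 0.0), ("192.0.2.11", 9000, 1.0), ("192.0.2.11", 8000, 2.0),
    ("192.0.2.12", 6999, 0.0), ("192.0.2.12", 7000, 0.1), ("192.0.2.12", 7001, 0.2),
    ("192.0.2.12", 8000, 0.3), ("192.0.2.12", 9000, 0.4),
    ("192.0.2.13", 7000, 0.0), ("192.0.2.13", 8000, 1.0), ("192.0.2.13", 9000, 30.0),
]

if __name__ == "__main__":
    for argv in process_feed(SAMPLE_FEED):
        print("would run:", " ".join(argv))
    try:
        pfctl_add_argv("192.0.2.10; rm -rf /")
    except ValueError as e:
        print("rejected crafted address:", e)
```

Only the first source in the sample feed earns a table entry; the out-of-order knock, the sweep and the expired sequence all fall back to stage zero. The design choice worth noting against Dom's list is that the privileged action is reduced to one fixed argv with a single validated argument, which is the narrowest thing a root helper can be asked to do; the packet parsing itself can then live in an unprivileged process.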