[clug] mc-root anyone?

Michael Cohen scudette at gmail.com
Fri Jun 19 07:33:35 GMT 2009


On Fri, Jun 19, 2009 at 1:21 PM, Daniel Pittman<daniel at rimspace.net> wrote:
> You would do just as well using another, more standard, protocol to exchange a
> password with the client before opening your firewall; "port knocking" is
> absolutely no more secure than anything else, and is less widely used, so less
> widely tested.

What is a secure protocol to use to control firewall rules? UPnP or
something? Note I am not using it as a form of security by itself,
just as a way of hiding the ssh port so it's not visible to the general
internet - once the port is opened you still need to auth via ssh
public key.  I use some common ports which are normally allowed by
outbound firewalls like port 80 or 443. I suppose you can extend the
idea to write a cgi script which opens up the port so you can auth to
your web server (if it's on the fw) and pop the ssh port open - has the
same effect.

knockd is very well tested, and very small indeed (lines of code) -
considering how simple the whole program is (I looked at the code) it's
pretty unlikely to have bugs. All it does is look at the traffic using
raw sockets (i.e. it doesn't listen to any connections itself) and
count up the sequence. I suggest it is fairly well used (don't have
actual usage figures though).

> Something like authpf (ssh based, non-Linux) or an HTTPS secured page
> exchanging username and password would be a better choice.

Again, looking at the lines of code in ssh or openssl, it's quite
significant and the protocols are fairly complex. It's far more secure
to have a simple knockd in front of any of the complex protocols as the
hacker needs to get past first base even to launch any kind of ssh or
ssl attacks. It's basically a multilayered approach with the first
layer moderately secure but really simple - then the hacker needs to
attack SSH - that's the next layer and is much tougher.

> You could use the ProxyCommand stuff to tunnel for you, using something like:
>
>    ProxyCommand ~/bin/ssh-proxy %h %p
>
>    ~/bin/ssh-proxy:
>    #!/bin/sh
>    /usr/bin/knock # or whatever
>    /usr/bin/nc "$1" "$2"

Thanks to you and to earlier posters for explaining this idea. I
wanted to avoid writing a shell script so I used this in the end:

ProxyCommand bash -c "knock .....; nc %h %p"

Works great, thanks.

> You lose the direct IP to ssh key binding check, thanks to the proxy command,
> but you gain the ability to do more complicated things to establish the
> connection.

Yeah I had not thought of that side effect - thanks for bringing it
up.  It might not be a big problem because I think the hostname to key
mapping will still be the same. It's like connecting to a host behind a
dynamic IP.

Thanks,
Michael.
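As an added illustration of the "count up the sequence" behaviour the post attributes to knockd: the tracker below is a constructed model written for this thread, not knockd's own code or configuration. It watches observed connection attempts (timestamp, source address, destination port) the way knockd watches SYNs on a raw socket, keeps per-source progress through a fixed port sequence, resets a source on a wrong port or when the sequence takes too long, and only reports a source as "opened" once every port has been hit in order. The port sequence, timeout and log lines are made up for the example.

```python
"""knockd-style sequence tracker (constructed example, not knockd's code).

Feed it observed SYNs as (timestamp, src, dport); it reports which sources
completed the whole knock sequence in order within the timeout window.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed example sequence
SEQ_TIMEOUT = 5.0                      # seconds allowed for the whole sequence


@dataclass
class KnockState:
    index: int = 0        # next expected position in the sequence
    started: float = 0.0  # timestamp of the first correct knock


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.states = {}     # src -> KnockState for partially completed knocks
        self.opened = []     # (timestamp, src) for each completed sequence

    def observe(self, ts, src, dport):
        """Record one observed SYN; return True if it completes the sequence."""
        st = self.states.get(src, KnockState())
        # A partial sequence that has gone stale is discarded before matching.
        if st.index > 0 and ts - st.started > self.timeout:
            st = KnockState()
        if dport == self.sequence[st.index]:
            if st.index == 0:
                st.started = ts
            st.index += 1
            if st.index == len(self.sequence):
                # Sequence complete: this is where knockd would run its
                # "open the port for this source" command.
                self.states.pop(src, None)
                self.opened.append((ts, src))
                return True
            self.states[src] = st
            return False
        # Wrong port resets this source; a knock on the first port of the
        # sequence counts as the start of a fresh attempt.
        if dport == self.sequence[0]:
            self.states[src] = KnockState(index=1, started=ts)
        else:
            self.states.pop(src, None)
        return False


def replay(log_text, tracker=None):
    """Replay 'ts src dport' lines (constructed format) and return opened sources."""
    tracker = tracker or KnockTracker()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport = line.split()
        tracker.observe(float(ts), src, int(dport))
    return [src for _, src in tracker.opened]


# Constructed sample: one correct sequence, one out-of-order attempt,
# and one attempt that exceeds the timeout between knocks.
SAMPLE_LOG = """\
0.0 198.51.100.7 7000
0.1 203.0.113.9 7000
0.2 203.0.113.9 9000
0.3 203.0.113.9 8000
0.5 198.51.100.7 8000
1.0 198.51.100.7 9000
2.0 192.0.2.44 7000
9.0 192.0.2.44 8000
9.1 192.0.2.44 9000
"""

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # ['198.51.100.7']
```

The model makes the post's point concrete: the tracker never accepts a connection itself, so there is nothing for a client to talk to until the sequence has been counted, and a single wrong port or a slow sequence sends the source back to the start. The order of the sample lines is chronological across sources, which is how a raw-socket sniffer would see them.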

