S-port-knock manual

This plain ∞ groff(1) HTML output has only been fixed slightly — i am sorry for false list indentions etc.!

S-port-knock [v0.8.1, 2024-07-19] — simple port knock

SYNOPSIS

s-port-knock

DESCRIPTION

A simple port knock implementation. It requires modern implementations of openssl(1) and ssh-keygen(1), and also a suitable sh(1). Please run s-port-knock.sh as above for a usage summary, and the EXAMPLE below.

BIG FAT WARNING

This software MUST be protected by suitable firewall rules! Any network packet sent to it causes a sh(1)ell script to run! For example the author uses this Linux firewall rule which effectively allows only one packet per source address per minute (and causes a hour-long block otherwise).

# port_knock: input only server
if fwcore_has_i port_knock; then
: ${FWCORE_PORT_KNOCK:?port_knock needs FWCORE_PORT_KNOCK}
if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
add_rule -p udp --dport ${port} \
-m recent --name port_knock --set \
-m recent --name port_knock \
--rcheck --seconds 60 --reap --hitcount 2 \
-m recent --name alien_super --set -j DROP
add_rule -p udp --dport ${port} -j f_m1
fi
fi

EXAMPLE

On servers:

. If the packets seems sane,
. the OpenSSL private key is used to decrypt the random key,
. the random key is used to decrypt the signature,
. the "ssh-keygen -Y" mechanism is used to find a principal for the
signature in the "allowed signers" file.
. (If a $MAGIC string is required, the signature is also verified.)

. On any stage a failure causes the act_block() action,
. upon overall success the act_allow() action is applied.

# cd /tmp/
# $CC -o zt s-port-knock-bin.c

# head -n1 ˜/.ssh/authorized_keys > .Zpub1
# { printf ’uid1 ’; cat .Zpub1; } > .Zsigs
# echo MAGIC= > .Z.rc

# ./s-port-knock.sh create-server-key .Zk
# PORT_KNOCK_BIN=./zt \
PORT_KNOCK_SHELL=/bin/bash PORT_KNOCK_RC=./.Z.rc \
./s-port-knock.sh start-server -v 10000 s-port-knock.sh \
.Zk-pri.pem .Zsigs

On clients:

. Creates a signature for a SSH public key via "ssh-keygen -Y",
. (if a $MAGIC string is required, includes that in the signature),
. encrypts that with a random key,
. and encrypts the random key for a dedicated target server via an
(its) OpenSSL public key,
. sends the resulting packet to that server,
. invokes the $PORT_KNOCK_RC act_sent() hook; if that does not return 0,
the packet is sent again, etc.

# cd /tmp/
# PORT_KNOCK_BIN=./zt \
PORT_KNOCK_RC=./.Z.rc \
./s-port-knock.sh knock localhost 10000 .Zk-pub.pem .Zpub1

SEE ALSO

openssl(1), ssh-keygen(1).

AUTHORS

Steffen Nurpmeso <steffen@sdaoden.eu>.