FYI: I made rotating knockd codes
Hi,
I got interested in port knocking recently and made a pair of client and server scripts to avoid reusing the same sequences.
It's called Knockd Rotator and basically there is a time-based formula to derive a knock sequence and the server side script just edits knockd's config and restarts it. The same sequence is generated on the client side when called. It supports any time window you want and supports arbitrary services (for example you can generate a time-based sequence for "my_ssh" or "home_asssistant_reboot" or "ntfy_me_the_logs" or whatever).
It can be used on Android by simply putting the script + 2 env variables in Termux and executing it.
It was just something I made for me but as I'm surprised that there is nothing between "basic insecure port knocking" and "secure but implemented nowhere SPA", I'm thinking it could be of interest to some people so here it is.
The code to generate the sequence is pure shell so it shouldn't pose much issue to implement.
Are you interested? I don't know any Kotlin so can't do a PR sadly.
I've seen a few variations of sequence rotation before. This is another one.
The problem is that each one has its own logic and there is no universally accepted approach to implementing this. It doesn't make sense to implement some single variant. I have to come up with some universal solution. And this will not be an easy task. There is no support for dynamic sequences in the application.
The next point is that I haven't seen the need for it so far. Real users have not asked for it. There is little sense in doing something nobody needs.
I will leave the issue open in case someone has such requests. Or I will be too bored and have enough time.
Thanks for the answer. I was not able to find other good sequence rotation scripts at the time but I'm well aware that my idea is nothing groundbreaking.
Notable features of my implementation, though, are that it had to be easy to add more services (e.g. one for ssh, one for rss, etc.), had to work without having to reach out to the server to fetch a list of sequences (that's the point!), and had to work despite having numerous clients (I want my phone and laptop to be able to knock without needing to sync anything).
Anyway, I totally get the point of view that it's awkward to implement something non-standard and niche. But I have to say that in my view: the lack of usability of those ad hoc scripts is what's keeping them from being standardized.
That's partly why I made sure to use a pure shell script on the client side: although it was an ad hoc script I want it to be usable by others no matter their setup.
Your Android app seems to be the only good FOSS app for port knocking so naturally I had to notify you. I'm sure that if you decided to include one of the sequence rotation setups then it would greatly increase the chances of it being standardized.
My point is: yes practically nobody uses sequence rotation but I'm betting that more people would use it if knockonports (the only good port knocking foss android client) implemented it. Sure I volunteer my own project but it's fine if you pick another rotation method of course.
Also, I don't want to sound pushy (!) but you made me curious:
I have to come up with some universal solution. And this will not be an easy task. There is no support for dynamic sequences in the application.
I would have said that my algorithm is easy and universal. So I'm super curious to know why you think it's not easy? And if you have criticism about my algorithm I'm very interested too!
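As an added sketch of the kind of time-window scheme the two posts above describe (my own illustration, not the Knockd Rotator code, which this thread never shows), the following derives the same sequence on every client from a shared secret, a service name and the clock, and renders the knockd stanzas the server side would write. The HMAC construction, the port range, the function names and the secret are all assumptions.

```python
import hashlib
import hmac
import time

# Ports below 1024 are skipped so the derived knocks never land on privileged services.
PORT_MIN, PORT_MAX = 1024, 65535


def derive_sequence(secret: bytes, service: str, window_s: int,
                    now: int, length: int = 4) -> list[int]:
    """Deterministic knock sequence for `service`, stable for one time window.

    Every client holding `secret` computes the same ports from its own clock,
    so phones and laptops need no sync and never fetch anything from the server.
    """
    epoch = now // window_s                     # window index, not raw time
    msg = f"{service}|{epoch}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    ports = []
    for i in range(length):
        chunk = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(PORT_MIN + chunk % (PORT_MAX - PORT_MIN + 1))
    return ports

def accepted_sequences(secret: bytes, service: str, window_s: int,
                       now: int, length: int = 4) -> list[list[int]]:
    """Server side: current and previous window, so a client whose clock lags a
    little, or who knocks just as the window rolls over, is still let in."""
    return [derive_sequence(secret, service, window_s, now - k * window_s, length)
            for k in (0, 1)]

def knockd_stanza(name: str, ports: list[int], command: str,
                  seq_timeout: int = 10) -> str:
    """Render one knockd.conf section for the given sequence."""
    return "\n".join([
        f"[{name}]",
        f"    sequence    = {','.join(map(str, ports))}",
        f"    seq_timeout = {seq_timeout}",
        f"    command     = {command}",
        "    tcpflags    = syn",
    ])

if __name__ == "__main__":
    secret = b"constructed-demo-secret"         # constructed; use a real random key
    now = int(time.time())
    for i, seq in enumerate(accepted_sequences(secret, "my_ssh", 300, now)):
        print(knockd_stanza(f"my_ssh_{i}", seq,
                            "/usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"))
```

Writing two stanzas (current and previous window) is how a knockd server, which only knows static sequences, tolerates a few seconds of clock skew between client and server.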
I would not call the algorithm universal. It is quite a deterministic algorithm for generating sequences. There are a lot of questions in terms of implementation. I can't just put the script somewhere and call it. The application has no permissions for such actions, it's not Termux. And I will not extend the application's permissions without a good reason. Moreover, other applications will handle the task of "just calling a script" better - Termux, Tasker, Macrodroid, etc. Another option is to "embed" the script in the application itself, but then I have to bring the Python runtime with it, which is not the best idea. The third option is to implement your algorithm in the application itself, which in my opinion is the most adequate option. But with all these options the question arises - what if you want to change the algorithm of sequence generation? What to do in such a case? Then there is the issue of interface. For now I don't have any ideas how to integrate such sequences into the application so that they don't look alien. I'll have to think about it.
Okay. I'll keep your request in mind, I promise to think about it.
Thanks.
For me the only option that seems acceptable was to rewrite my algorithm into your app, not to "import it" or anything like that. So on this we can agree.
Would it be easier somewhat if I converted the Python client script to a shell script? I planned on doing one anyway. (Update: I'm pushing one right now as we speak.)
Regarding the UI: I fully agree that it's never trivial to add a feature like that and can't help as visual tastes are very personal.
But with all these options the question arises - what if you want to change the algorithm of sequence generation? What to do in such a case?
Couple of things, in no particular order:
- I versioned the script on purpose to reduce the risk by making it clear to the user which version they are using. In the absolutely unlikely scenario that I made breaking changes, you could still mention that it's compatible with version X. Not ideal I agree but not that bad either. And your app would remain fully functional regarding the current set of features.
- If I made a change and you disagree: my code will always be accessible anyway. If I made a change for security reasons: it would make sense that you do so too, although I understand that it is inconvenient for you, it still can't be less secure than reusing the same code every time, no?
- In any case you could call it "experimental" and opt in. To me that's usually how it's done.
- If you want I can make a new repo or release specifically to explicitly mention compatibility with knockonports. Or you could fork or whatever. Just tell me what would make you comfortable. Maybe create another repo and archive it to prove it's stable?
- I've been using it for a few weeks now and have no complaint. The algorithm is not complex and pretty straightforward so I doubt there is much area for catastrophic failure. And were it to happen, I can't see how it could be worse than non-rotating sequences.
- Of course you can take all the time you want to think about if you think my implementation is flawed.
Okay. I'll keep your request in mind, I promise to think about it.
Thanks a lot. Don't hesitate if you have any question about any of this.
Would it be easier somewhat if I converted the Python client script to a shell script? I planned on doing one anyway. (Update: I'm pushing one right now as we speak.)
In any case, I can't directly use your code, so the first two options are definitely out. You use GPLv3, I use Apache 2.0. Including your code in my project would force me to change the license. So my own implementation is the only option available. However, this is not a problem, the algorithm is quite simple.
I'm totally on board with changing my license for you! Ideally I would just waive my GPLv3 specific rights to you but that might not be a thing. Do you want me to use Apache 2.0?
PS: if you are going to write your own implementation anyway I have a preference for keeping GPLv3 but really that's up to you.
Nah, no need. The first two options are bad anyway.