
Fwknop doesn't recognize gpg key

Open lyz-code opened this issue 6 years ago • 2 comments

Hi, fwknop-server doesn't recognize the specified access gpg key.

The client gpg key is the following:

$ gpg --fingerprint --fingerprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803
pub   rsa4096 2018-01-25 [SCEA] [expires: 2019-01-20]
      XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX 5201 9803
uid           [ultimate] Fwknop-client gpg key for myip <myuser@myip>
sub   rsa4096 2018-01-25 [SEA] [expires: 2019-01-20]
      YYYY YYYY YYYY YYYY YYYY  YYYY YYYY YYYY F17F FF6D

The server access.conf has this section:

GPG_REMOTE_ID      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803

But when I send the packet, it seems to be signed with the subkey, because I get the following error in syslog:

Jan 26 19:40:38 hostname fwknopd[18306]: (stanza #1) SPA Packet from IP: myip received with access source match
Jan 26 19:40:38 hostname fwknopd[18306]: [myip] (stanza #1) Incoming SPA data signed by 'F17FFF6D' (fingerprint 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYF17FFF6D').
Jan 26 19:40:38 hostname fwknopd[18306]: [myip] (stanza #1) Incoming SPA packet signed by ID: F17FFF6D, but that ID is not in the GPG_REMOTE_ID list.

It doesn't work even if I set the access.conf section as:

GPG_REMOTE_ID      YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYF17FFF6D

The only way it works is setting it this way:

GPG_REMOTE_ID      F17FFF6D

I'm doing an Ansible role to install and configure fwknop, and it generates the gpg keys, so it's not easy (without ugly, messy shell instructions) to extract the string that works from the original.

gpg correctly recognizes the key, and the subkey with XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803, so there are two questions:

  • Shouldn't fwknop recognize the subkey with the key?
  • Shouldn't fwknop recognize a key with the long format?

Thank you

lyz-code avatar Jan 26 '18 21:01 lyz-code
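The report above shows fwknopd logging the signer as an 8-hex-char short key ID ('F17FFF6D') and matching only that form against GPG_REMOTE_ID, and the reporter's pain point is deriving that value from generated keys in automation. The following is an added example, not code from the fwknop project or from the issue participants. It parses `gpg --with-colons --fingerprint --list-keys` output (the sample listing embedded below is constructed from the key data in the report), lists every signing-capable key, and classifies a GPG_REMOTE_ID entry the way the report describes the match behaving. The assumptions are: that fwknopd compares the short ID of whichever key actually signed the SPA packet (drawn from the syslog lines, not from fwknop source), and that GPG_REMOTE_ID accepts a comma-separated list.

```python
"""Derive the GPG_REMOTE_ID value that the issue report shows fwknopd matching.

Added example, not part of fwknop. Assumptions (see lead-in):
  - `gpg --with-colons` record layout: field 1 = record type, field 12 = key
    capabilities on pub/sub records, field 10 = fingerprint on fpr records;
  - fwknopd matches the 8-hex-char short ID of the *signing* key (which may be
    a subkey) against GPG_REMOTE_ID, as the syslog lines in the report show;
  - GPG_REMOTE_ID takes a comma-separated list.
"""
import subprocess
from dataclasses import dataclass

SHORT_ID_LEN = 8  # 'F17FFF6D' in the fwknopd log is the last 8 hex chars of the fingerprint

# Constructed sample: the key from the report rendered in --with-colons form.
# The X/Y runs stand in for the redacted hex digits exactly as in the report.
SAMPLE_LISTING = """\
pub:u:4096:1:XXXXXXXX52019803:1516838400:1548028800::u:::scESCA::::::23::0:
fpr:::::::::XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803:
uid:u::::1516838400::0000000000000000000000000000000000000000::Fwknop-client gpg key for myip <myuser@myip>::::::::::0:
sub:u:4096:1:YYYYYYYYF17FFF6D:1516838400:1548028800:::::sea::::::23:
fpr:::::::::YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYF17FFF6D:
"""


@dataclass
class GpgKey:
    kind: str          # 'pub' (primary) or 'sub' (subkey)
    fingerprint: str   # 40 hex chars for v4 keys
    capabilities: str  # e.g. 'scESCA' or 'sea'; lowercase = this key's own capabilities

    @property
    def short_id(self) -> str:
        return self.fingerprint[-SHORT_ID_LEN:].upper()

    @property
    def can_sign(self) -> bool:
        # 's' (lowercase) means this specific key can sign; uppercase letters on a
        # pub record summarise the whole certificate and are deliberately ignored.
        return "s" in self.capabilities


def parse_colon_listing(text: str) -> list[GpgKey]:
    """Pair each pub/sub record with the fpr record that follows it."""
    keys: list[GpgKey] = []
    pending: tuple[str, str] | None = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 11:
            pending = (fields[0], fields[11])
        elif fields[0] == "fpr" and pending is not None and len(fields) > 9:
            kind, caps = pending
            keys.append(GpgKey(kind, fields[9], caps))
            pending = None
    return keys


def list_keys_via_gpg(key_ref: str) -> list[GpgKey]:
    """Run the real gpg binary for one key (primary fingerprint, ID or uid)."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", "--list-keys", key_ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_colon_listing(out)


def signing_short_ids(keys: list[GpgKey]) -> list[str]:
    """Short IDs of every key that could have produced the SPA signature."""
    return [k.short_id for k in keys if k.can_sign]


def recommended_remote_id(keys: list[GpgKey]) -> str:
    """GPG_REMOTE_ID value covering every signing-capable key (comma list assumed)."""
    return ",".join(signing_short_ids(keys))


def check_remote_id(value: str, keys: list[GpgKey]) -> str:
    """Classify one GPG_REMOTE_ID entry against the client's keys.

    'ok'        - the 8-char short ID of a signing-capable key (the form the report shows working)
    'long-form' - a longer ID/fingerprint of a signing-capable key (the form the report shows rejected)
    'unknown'   - does not correspond to any signing-capable key
    """
    v = value.strip().upper()
    ids = signing_short_ids(keys)
    if v in ids:
        return "ok"
    if len(v) > SHORT_ID_LEN and v[-SHORT_ID_LEN:] in ids:
        return "long-form"
    return "unknown"


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for k in keys:
        print(f"{k.kind} {k.fingerprint} short={k.short_id} signs={k.can_sign}")
    print("GPG_REMOTE_ID", recommended_remote_id(keys))
```

In an Ansible role the `list_keys_via_gpg` path replaces the embedded sample, and `recommended_remote_id` gives one value to template into access.conf that covers both the primary key and the signing subkey, so the stanza keeps matching whichever one gpg picks to sign with.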

Hello, I was also affected by the issue. While on the side of the user the fix is trivial (once you know that the long format misinterpretation is the reason why fwknop does not accept your SPAs!), it is not evident what the problem may be when it surfaces. I'm in doubt whether it's correct to always truncate the fingerprint.

luigicalligaris avatar Mar 12 '19 04:03 luigicalligaris

It shouldn't be; the long format is always safer.

lyz-code avatar Mar 12 '19 17:03 lyz-code