Fwknop doesn't recognize gpg key #263

Open
lyz-code opened this issue Jan 26, 2018 · 2 comments

Comments

@lyz-code

lyz-code commented Jan 26, 2018

Hi, fwknop-server doesn't recognize the specified access gpg key.

The client gpg key is the following:

$ gpg --fingerprint --fingerprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803
pub   rsa4096 2018-01-25 [SCEA] [expires: 2019-01-20]
      XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX 5201 9803
uid           [ultimate] Fwknop-client gpg key for myip <myuser@myip>
sub   rsa4096 2018-01-25 [SEA] [expires: 2019-01-20]
      YYYY YYYY YYYY YYYY YYYY  YYYY YYYY YYYY F17F FF6D

The server access.conf has this section:

GPG_REMOTE_ID      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803

But when I send the packet, it seems to be signed with the subkey, because I get
the following error in syslog:

Jan 26 19:40:38 hostname fwknopd[18306]: (stanza #1) SPA Packet from IP: myip received with access source match
Jan 26 19:40:38 hostname fwknopd[18306]: [myip] (stanza #1) Incoming SPA data signed by 'F17FFF6D' (fingerprint 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYF17FFF6D').
Jan 26 19:40:38 hostname fwknopd[18306]: [myip] (stanza #1) Incoming SPA packet signed by ID: F17FFF6D, but that ID is not in the GPG_REMOTE_ID list.

It doesn't work even if I set the access.conf section as:

GPG_REMOTE_ID      YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYF17FFF6D

The only way it works is setting it this way

GPG_REMOTE_ID      F17FFF6D

I'm doing an ansible role to install and configure fwknop and it generates the
gpg keys, so it's not easy (without ugly messy shell instructions) to extract
the string that works from the original.

gpg correctly recognizes the key, and the subkey with XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52019803, so there are two questions:

  • Shouldn't fwknop recognize the subkey with the key?
  • Shouldn't fwknop recognize a key with the long format?

Thank you
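An added helper for the ansible use case in the post above (example code, not part of the issue or of fwknop): it derives the access.conf value from `gpg --with-colons --fingerprint` output and flags the two configurations the post reports as not matching. The colon-format sample is constructed, and the matching rules come only from the syslog lines quoted above, not from fwknop's source.

```python
from dataclasses import dataclass
# Constructed `gpg --with-colons --fingerprint` output; only the 52019803/F17FFF6D suffixes are from the issue.
SAMPLE_COLONS = """\
pub:u:4096:1:89ABCDEF52019803:1516838400:1547942400::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF52019803:
uid:u::::1516838400::0000000000000000000000000000000000000000::Fwknop-client gpg key for myip <myuser@myip>::::::::::0:
sub:u:4096:1:76543210F17FFF6D:1516838400:1547942400:::::esa::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210F17FFF6D:
"""
@dataclass
class GpgKey:
    kind: str          # "pub" or "sub"
    capabilities: str  # field 12; lowercase letters are this key's own capabilities
    fingerprint: str   # 40 hex chars from the "fpr" record that follows the key record
    @property
    def short_id(self) -> str:
        return self.fingerprint[-8:]  # 8-hex short ID, what fwknopd logs as "signed by ID"

def parse_colons(output: str) -> list[GpgKey]:
    keys: list[GpgKey] = []  # pair each pub/sub record with the fpr record that follows it
    for line in output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append(GpgKey(f[0], f[11], ""))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]
    return keys

def signing_key(keys: list[GpgKey]) -> GpgKey:
    """gpg signs with the newest signing-capable subkey when one exists, else the primary key."""
    signers = [k for k in keys if "s" in k.capabilities]
    subkeys = [k for k in signers if k.kind == "sub"]
    return (subkeys or signers)[-1]

def gpg_remote_id_line(output: str) -> str:
    # The access.conf line in the only form the issue reports as working.
    return f"GPG_REMOTE_ID      {signing_key(parse_colons(output)).short_id}"

def check_remote_id(configured: str, output: str) -> str:
    # Pre-deployment check reproducing the match behaviour the syslog lines show.
    keys, value = parse_colons(output), configured.strip().upper()
    signer = signing_key(keys)
    if value == signer.short_id:
        return "ok"
    if value.endswith(signer.short_id):
        return "mismatch: long form of the signing key; fwknopd compares only the 8-hex ID"
    if any(value.endswith(k.short_id) for k in keys if k.kind == "pub"):
        return "mismatch: primary key ID, but the SPA packet is signed by the subkey"
    return "mismatch: key not in this keyring"
```

In a role, replace SAMPLE_COLONS with the captured stdout of `gpg --with-colons --fingerprint <key>` for the generated key and template the returned line into access.conf.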

@luigicalligaris

luigicalligaris commented Mar 12, 2019

Hello, I was also affected by the issue. While on the side of the user the fix is trivial (once you know that the long format misinterpretation is the reason why fwknop does not accept your SPAs!), it is not evident what the problem may be when it surfaces. I'm in doubt whether it's correct to always truncate the fingerprint.

@lyz-code
Author

It shouldn't be, the long format is always safer
