Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2021.7.x
- Puppet >= 7.24 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'mlibrary-fwknop', '1.0.2'
fwknop
Table of Contents
- Description
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
Description
Install and manage the configuration for fwknop-server.
Usage
# By default, fwknop will just set PCAP_INTF to the
# networking.primary fact.
include fwknop

fwknop::access { 'bob':
  source                    => 'ANY',
  open_ports                => 'tcp/22, tcp/993',
  require_username          => 'bob',
  require_source_address    => true,
  fw_access_timeout_seconds => 30,
  key_base64                => Sensitive('kgohbCga6D5a4YZ0dtbL8SEVbjI1A5KYrRvj0oqcKEk='),
  hmac_key_base64           => Sensitive('Zig9ZYcqj5gYl2S/UpFNp76RlD7SniyN5Ser5WoIKM7zXS28eptWtLcuxCbnh/9R+MjVfUqmqVHqbEyWtHTj4w=='),
}

fwknop::access { 'alice':
  source                    => 'ANY',
  gpg_remote_id             => '7234ABCD',
  gpg_decrypt_id            => 'EBCD1234',
  gpg_allow_no_pw           => true,
  require_source_address    => true,
  require_username          => 'alice',
  fw_access_timeout_seconds => 30,
  hmac_key_base64           => Sensitive('STQ9m03hxj+WXwOpxMuNHQkTAx/EtfAKaXQ3tK8+Azcy2zZpimzRzo4+I53cNZvPJaMBfXjZ9NsB98iOpHY7Tg=='),
}

fwknop::access { 'john':
  source                    => '3.3.3.0/24, 4.4.0.0/16',
  open_ports                => 'tcp/80',
  require_username          => 'john',
  require_source_address    => true,
  fw_access_timeout_seconds => 300,
  key_base64                => Sensitive('bOx25a5kjXf8/TmNQO1IRD3s/E9iLoPaqUbOv8X4VBA='),
  hmac_key_base64           => Sensitive('i0mIhR//1146/T+IMxDVZm1gosNVatvpqpCfkv4X6Xzv4E3SHR6AivCCWk/K/uLDpymyJr95KdEkagfGU4o5yw=='),
}
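Before a stanza like the ones above reaches access.conf it is worth checking it against the constraints the fwknop::access reference below spells out (a key or a GPG decrypt ID, base64 key material, address and port syntax, GPG signature settings that are inert without gpg_require_sig, SPA command execution defaulting to the fwknopd user). The following Python linter is an added example, not part of the mlibrary-fwknop module; it takes the stanza parameters as a plain dict with the Sensitive() wrappers removed, and the 'bob' and 'alice' inputs are copied from the usage example while 'broken' is constructed to trigger findings.

```python
"""Pre-flight checks for fwknop::access parameters (hypothetical helper, not part of the module)."""
import base64
import binascii
import ipaddress
import re
from datetime import datetime

HMAC_DIGESTS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512", "SHA3_256", "SHA3_512"}
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})$")

def _is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def _check_ports(field: str, spec: str, out: list) -> None:
    # "tcp/22, tcp/993": comma-separated <proto>/<port>; proto is tcp or udp.
    for item in (p.strip() for p in spec.split(",")):
        m = PORT_RE.match(item)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            out.append(f"error: {field}: bad entry {item!r} (expected tcp/<port> or udp/<port>)")

def _check_addresses(field: str, spec: str, out: list) -> None:
    # "ANY", or a comma-separated list of CIDR networks and single addresses.
    if spec.strip() == "ANY":
        return
    for item in (a.strip() for a in spec.split(",")):
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            out.append(f"error: {field}: {item!r} is not an IP address or CIDR network")

def lint_access_stanza(name: str, p: dict) -> list:
    """Return '<name>: error: ...' / '<name>: warning: ...' lines; an empty list means clean."""
    out = []
    gpg_mode = "gpg_decrypt_id" in p
    sym_keys = [k for k in ("key", "key_base64") if k in p]
    # Exactly one decryption method: a Rijndael key or a GPG decrypt key ID.
    if not gpg_mode and not sym_keys:
        out.append("error: one of key, key_base64 or gpg_decrypt_id is required")
    if gpg_mode and sym_keys:
        out.append("error: gpg_decrypt_id and a symmetric key are mutually exclusive")
    if len(sym_keys) == 2:
        out.append("error: set key or key_base64, not both")
    # GPG mode needs the key passphrase unless the key pair deliberately has none.
    if gpg_mode and "gpg_decrypt_pw" not in p and not p.get("gpg_allow_no_pw"):
        out.append("error: gpg_decrypt_pw is required unless gpg_allow_no_pw is true")
    for field in ("key_base64", "hmac_key_base64"):
        if field in p and not _is_base64(p[field]):
            out.append(f"error: {field} is not valid base64")
    if "hmac_digest_type" in p and p["hmac_digest_type"] not in HMAC_DIGESTS:
        out.append(f"error: hmac_digest_type must be one of {sorted(HMAC_DIGESTS)}")
    _check_addresses("source", p.get("source", "ANY"), out)
    if "destination" in p:
        _check_addresses("destination", p["destination"], out)
    for field in ("open_ports", "restrict_ports"):
        if field in p:
            _check_ports(field, p[field], out)
    if "access_expire" in p:
        try:
            datetime.strptime(p["access_expire"], "%m/%d/%Y")
        except ValueError:
            out.append("error: access_expire must be in MM/DD/YYYY format")
    # Signature-related GPG settings are documented as inert without gpg_require_sig.
    if not p.get("gpg_require_sig"):
        for field in ("gpg_remote_id", "gpg_fingerprint_id", "gpg_ignore_sig_verify_error"):
            if field in p:
                out.append(f"warning: {field} only applies when gpg_require_sig is true")
    if p.get("gpg_disable_sig"):
        out.append("warning: gpg_disable_sig turns off signature verification")
    # Commands carried in SPA packets run as the fwknopd user (most likely root)
    # unless cmd_exec_user or the sudo mode is configured.
    if p.get("enable_cmd_exec") and not (p.get("cmd_exec_user") or p.get("enable_cmd_sudo_exec")):
        out.append("warning: enable_cmd_exec without cmd_exec_user runs SPA commands as the fwknopd user")
    return [f"{name}: {msg}" for msg in out]

# 'bob' and 'alice' are the README's Usage stanzas with Sensitive() unwrapped; 'broken' is constructed.
BOB = {"source": "ANY", "open_ports": "tcp/22, tcp/993", "require_username": "bob",
       "require_source_address": True, "fw_access_timeout_seconds": 30,
       "key_base64": "kgohbCga6D5a4YZ0dtbL8SEVbjI1A5KYrRvj0oqcKEk=",
       "hmac_key_base64": "Zig9ZYcqj5gYl2S/UpFNp76RlD7SniyN5Ser5WoIKM7zXS28eptWtLcuxCbnh/9R+MjVfUqmqVHqbEyWtHTj4w=="}
ALICE = {"source": "ANY", "gpg_remote_id": "7234ABCD", "gpg_decrypt_id": "EBCD1234",
         "gpg_allow_no_pw": True, "require_source_address": True, "require_username": "alice",
         "fw_access_timeout_seconds": 30,
         "hmac_key_base64": "STQ9m03hxj+WXwOpxMuNHQkTAx/EtfAKaXQ3tK8+Azcy2zZpimzRzo4+I53cNZvPJaMBfXjZ9NsB98iOpHY7Tg=="}
BROKEN = {"source": "10.0.0.0/8, notanip", "open_ports": "tcp/22, icmp/0",
          "hmac_key_base64": "not base64!", "access_expire": "2025-01-01", "enable_cmd_exec": True}

if __name__ == "__main__":
    for stanza_name, params in (("bob", BOB), ("alice", ALICE), ("broken", BROKEN)):
        print("\n".join(lint_access_stanza(stanza_name, params) or [f"{stanza_name}: ok"]))
```

Note that the 'alice' stanza from the usage example produces one warning: gpg_remote_id is set, but the reference says it only takes effect when gpg_require_sig is true.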
Limitations
Currently only compatible with the latest Ubuntu and Debian releases.
Reference
Table of Contents
Classes
Public Classes
fwknop
: fwknop Install fwknop and manage its 2 config files.
Private Classes
fwknop::config
: This class manages fwknopd.conf and the concat resource for access.conf.
fwknop::install
: This class manages the package resource for fwknop-server.
fwknop::service
: This class manages the service resource for fwknop-server.
Defined types
fwknop::access
: fwknop::access Add a stanza to fwknop's access.conf file.
Classes
fwknop
Install fwknop and manage its 2 config files.
Examples
include fwknop
Parameters
The following parameters are available in the fwknop class:
pcap_intf
enable_pcap_promisc
pcap_filter
enable_spa_packet_aging
max_spa_packet_age_seconds
enable_digest_persistence
rules_check_threshold
enable_ipt_forwarding
enable_ipt_local_nat
enable_ipt_snat
snat_translate_ip
enable_ipt_output
max_sniff_bytes
flush_ipt_at_init
flush_ipt_at_exit
exit_at_intf_down
enable_rule_prepend
enable_nat_dns
gpg_home_dir
gpg_exe
locale
enable_spa_over_http
enable_x_forwarded_for
enable_tcp_server
tcpserv_port
enable_udp_server
udpserv_port
pcap_dispatch_count
pcap_loop_sleep_microseconds
enable_pcap_any_direction
syslog_identity
syslog_facility
enable_destination_rule
fwknop_run_dir
verbose
package_manage
service_manage
pcap_intf
Data type: Optional[String]
Define the ethernet interface on which we will sniff packets. Default if not set is the networking.primary fact.
Default value: undef
enable_pcap_promisc
Data type: Optional[Boolean]
If true, put the pcap interface into promiscuous mode. If false, don't. The man page for fwknopd says this is enabled by default, but the Debian config file says it is disabled by default. Good luck.
Default value: undef
pcap_filter
Data type: Optional[Variant[Sensitive[String], String]]
Define the filter used for PCAP modes; we default to udp port 62201. However, if an fwknop client uses the --rand-port option to send the SPA packet over a random port, then this parameter should be updated to something like "udp dst portrange 10000-65535;". Default is "udp port 62201".
Default value: undef
enable_spa_packet_aging
Data type: Optional[Boolean]
This instructs fwknopd to not honor SPA packets that have an old time stamp. The value for "old" is defined by the max_spa_packet_age_seconds parameter. If enable_spa_packet_aging is set to false, fwknopd will not use the client time stamp at all.
Default value: undef
max_spa_packet_age_seconds
Data type: Optional[Integer]
Defines the maximum age (in seconds) that an SPA packet will be accepted. This requires that the client system is in relatively close time synchronization with the fwknopd server system (NTP is good). The default age is two minutes.
Default value: undef
enable_digest_persistence
Data type: Optional[Boolean]
Track digest sums associated with previous fwknop process. This allows digest sums to remain persistent across executions of fwknop.
Default value: undef
rules_check_threshold
Data type: Optional[Integer]
Defines the number of times firewall rule expiration times must be checked before a "deep" check is run. This allows fwknopd to remove rules that contain a proper expiration time even if a third-party program added them instead of fwknopd. The default value for this variable is 20, and this typically results in this check being run every two seconds or so. To disable this type of checking altogether, set this variable to zero.
Default value: undef
enable_ipt_forwarding
Data type: Optional[Boolean]
Allow SPA clients to request access to services through an iptables firewall instead of just to it (i.e. access through the FWKNOP_FORWARD chain instead of the INPUT chain).
Default value: undef
enable_ipt_local_nat
Data type: Optional[Boolean]
Allow SPA clients to request access to a local socket via NAT. This still puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is translated via DNAT rules to the real one. So, the user would do "ssh -p <port>" to access the local service (see the --NAT-local and --NAT-rand-port options on the fwknop client command line).
Default value: undef
enable_ipt_snat
Data type: Optional[Boolean]
By default, if forwarding access is enabled (see the enable_ipt_forwarding parameter), then fwknop creates DNAT rules for incoming connections, but does not also complement these rules with SNAT rules at the same time. In some situations, internal systems may not have a route back out for the source address of the incoming connection, so it is necessary to also apply SNAT rules so that the internal systems see the IP of the internal interface where fwknopd is running. This functionality is only enabled when enable_ipt_snat is set to true, and by default SNAT rules are built with the MASQUERADE target (since then the internal IP does not have to be defined here in the fwknop.conf file), but if you want fwknopd to use the SNAT target then also define an IP address with the snat_translate_ip parameter.
Default value: undef
snat_translate_ip
Data type: Optional[String]
The IP address to use when enable_ipt_snat is true.
Default value: undef
enable_ipt_output
Data type: Optional[Boolean]
Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful if there are no state tracking rules to allow connection responses out and the OUTPUT chain has a default-drop stance.
Default value: undef
max_sniff_bytes
Data type: Optional[Integer]
Specify the maximum number of bytes to sniff per frame; 1500 is a good default.
Default value: undef
flush_ipt_at_init
Data type: Optional[Boolean]
Flush all existing rules in the fwknop chains at fwknop start time. Defaults to true and it is a recommended setting.
Default value: undef
flush_ipt_at_exit
Data type: Optional[Boolean]
Flush all existing rules in the fwknop chains at fwknop exit time. Defaults to true and it is a recommended setting.
Default value: undef
exit_at_intf_down
Data type: Optional[Boolean]
When fwknopd is sniffing an interface, if the interface is administratively downed or unplugged, fwknopd will cleanly exit and an assumption is made that any process monitoring infrastructure like systemd or upstart will restart it. However, if fwknopd is not being monitored by systemd, upstart, or anything else, this behavior can be disabled with the exit_at_intf_down parameter. If disabled, fwknopd will try to recover when a downed interface comes back up.
Default value: undef
enable_rule_prepend
Data type: Optional[Boolean]
Instead of appending new firewall rules to the bottom of the chain, this option inserts rules at the top of the chain. This causes newly created rules to have precedence over older ones.
Default value: undef
enable_nat_dns
Data type: Optional[Boolean]
Allow fwknopd to resolve hostnames in NAT access messages.
Default value: undef
gpg_home_dir
Data type: Optional[String]
If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory. Note that each access stanza in fwknop access.conf can specify its own GPG directory to override this default.
Default value: undef
gpg_exe
Data type: Optional[String]
Set the default GPG path when GPG is used for SPA encryption and authentication.
Default value: undef
locale
Data type: Optional[String]
Set/override the locale (via the LC_ALL locale category). Leave this entry undefined to have fwknopd honor the default system locale.
Default value: undef
enable_spa_over_http
Data type: Optional[Boolean]
Allow fwknopd to acquire SPA data from HTTP requests (generated with the fwknop client in --HTTP mode). Note that the pcap_filter parameter would need to be updated when this is enabled to sniff traffic over TCP/80 connections.
Default value: undef
enable_x_forwarded_for
Data type: Optional[Boolean]
Allows the use of the X-Forwarded-for header from a captured packet as the Source IP. This can happen when using SPA through an HTTP proxy.
Default value: undef
enable_tcp_server
Data type: Optional[Boolean]
Enable the fwknopd TCP server. This is a "dummy" TCP server that will accept TCP connection requests on the specified tcpserv_port. If set to true, fwknopd will fork off a child process to listen for and accept incoming TCP requests. This server only accepts the request. It does not otherwise communicate. This is only to allow the incoming SPA over TCP packet which is detected via PCAP. The connection is closed after 1 second regardless. Note that fwknopd still only gets its data via pcap, so the filter defined by pcap_filter needs to be updated to include this TCP port.
Default value: undef
tcpserv_port
Data type: Optional[Integer]
The port for the TCP server if enable_tcp_server is true.
Default value: undef
enable_udp_server
Data type: Optional[Boolean]
This is probably similar to enable_tcp_server, but for UDP.
Default value: undef
udpserv_port
Data type: Optional[Integer]
The port for the UDP server if enable_udp_server is true.
Default value: undef
pcap_dispatch_count
Data type: Optional[Integer]
Sets the number of packets that are processed when the pcap_dispatch() call is made. The default is zero, since this allows fwknopd to process as many packets as possible in the corresponding callback where the SPA handling routine is called for packets that pass a set of prerequisite checks. However, if fwknopd is running on a platform with an old version of libpcap, it may be necessary to change this value to a positive non-zero integer. More information can be found in the pcap_dispatch(3) man page.
Default value: undef
pcap_loop_sleep_microseconds
Data type: Optional[Integer]
Sets the number of microseconds to pass as an argument to usleep() in the pcap loop. The default is 100000 microseconds, or 1/10th of a second.
Default value: undef
enable_pcap_any_direction
Data type: Optional[Boolean]
This parameter controls whether fwknopd is permitted to sniff SPA packets regardless of whether they are received on the sniffing interface or sent from the sniffing interface. In the latter case, this can be useful to have fwknopd sniff SPA packets that are forwarded through a system and destined for a different network. If the sniffing interface is the egress interface for such packets, then this parameter will need to be set to true in order for fwknopd to see them. The default is false so that fwknopd only looks for SPA packets that are received on the sniffing interface (note that this is independent of promiscuous mode).
Default value: undef
syslog_identity
Data type: Optional[String]
Override syslog identity (the defaults are usually ok).
Default value: undef
syslog_facility
Data type: Optional[String]
Override syslog facility (the defaults are usually ok). The syslog_facility parameter can be set to one of LOG_LOCAL{0-7} or LOG_DAEMON (the default).
Default value: undef
enable_destination_rule
Data type: Optional[Boolean]
Controls whether fwknopd will set the destination field on the firewall rule to the destination address specified on the incoming SPA packet. This is useful for interfaces with multiple IP addresses hosting separate services. If enable_ipt_output is set to true, the source field of the firewall rule is set. FORWARD and SNAT rules are not affected however, DNAT rules will also have their destination field set. The default is false, which sets the destination field to 0.0.0.0/0 (any).
Default value: undef
fwknop_run_dir
Data type: Optional[String]
Defaults to /var/run/fwknop.
Default value: undef
verbose
Data type: Optional[Integer]
Define the default verbosity level the fwknop server should use. A value of 0 is the default verbosity level. Setting it up to 1 or higher will allow debugging messages to be displayed.
Default value: undef
package_manage
Data type: Boolean
Whether to manage the fwknop-server package. Default true.
Default value: true
service_manage
Data type: Boolean
Whether to manage the fwknop-server service. Default true.
Default value: true
Defined types
fwknop::access
Add a stanza to fwknop's access.conf file.
Examples
fwknop::access { 'example':
  source                 => 'ANY',
  require_source_address => true,
  key_base64             => Sensitive('Sz80RjpXOlhH2olGuKBUamHKcqyMBsS9BTgLaMugUsg='),
  hmac_key_base64        => Sensitive('c0TOaMJ2aVPdYTh4Aa25Dwxni7PrLo2zLAtBoVwSepkvH6nLcW45Cjb9zaEC2SQd03kaaV+Ckx3FhCh5ohNM5Q=='),
}
Parameters
The following parameters are available in the fwknop::access defined type:
source
destination
open_ports
restrict_ports
key
key_base64
hmac_key
hmac_key_base64
fw_access_timeout_seconds
include
include_folder
encryption_mode
hmac_digest_type
access_expire
access_expire_epoch
enable_cmd_exec
cmd_exec_user
enable_cmd_sudo_exec
cmd_sudo_exec_user
cmd_exec_group
cmd_sudo_exec_group
cmd_cycle_open
cmd_cycle_close
cmd_cycle_timer_seconds
sudo_exe
require_username
require_source_address
force_nat
force_snat
force_masquerade
forward_all
disable_dnat
gpg_decrypt_id
gpg_decrypt_pw
gpg_allow_no_pw
gpg_require_sig
gpg_disable_sig
gpg_ignore_sig_verify_error
gpg_remote_id
gpg_fingerprint_id
gpg_home_dir
gpg_exe
order
source
Data type: String
This defines the source address from which a SPA packet will be accepted. Every authorization stanza in this file must start with the SOURCE keyword. Networks should be specified in CIDR notation (e.g. "192.168.10.0/24"). Individual IP addresses can be specified as well.
Also, multiple IPs and/or networks can be defined as a comma-separated list (e.g. "192.168.10.0/24,10.1.1.123").
The string "ANY" is also accepted if a valid authorization packet should be honored from any source IP.
Default value: 'ANY'
destination
Data type: Optional[String]
This defines the destination address for which a SPA packet will be accepted. Networks should be specified in CIDR notation (e.g. "192.168.10.0/24"). Individual IP addresses can be specified as well.
Also, multiple IPs and/or networks can be defined as a comma-separated list (e.g. "192.168.10.0/24,10.1.1.123").
The string "ANY" is also accepted if a valid authorization packet should be honored to any destination IP.
Default value: undef
open_ports
Data type: Optional[String]
Define a set of ports and protocols (tcp or udp) that are allowed to be opened if a valid SPA packet is received and its access request matches one of the entries here.
If this entry is not set, then fwknopd will attempt to honor the request specified in the SPA data.
Default value: undef
restrict_ports
Data type: Optional[String]
Define a set of ports and protocols (tcp or udp) that are NOT allowed to be opened even if a valid SPA packet is received.
Default value: undef
key
Data type: Optional[Variant[String, Sensitive[String]]]
Define the key used for decrypting an incoming SPA packet that is using its built-in encryption (e.g. not GPG). This parameter is required for all non-GPG-encrypted SPA packets.
Default value: undef
key_base64
Data type: Optional[Variant[String, Sensitive[String]]]
Same as the key parameter, but specify the symmetric key as a base64-encoded string. This allows non-ASCII characters to be included in the base64-decoded key.
Default value: undef
hmac_key
Data type: Optional[Variant[String, Sensitive[String]]]
Specify the HMAC key for authenticated encryption of SPA packets. This supports both Rijndael and GPG encryption modes, and is applied according to the encrypt-then-authenticate model.
Default value: undef
hmac_key_base64
Data type: Optional[Variant[String, Sensitive[String]]]
Specify the HMAC key as a base64-encoded string. This allows non-ASCII characters to be included in the base64-decoded key.
Default value: undef
fw_access_timeout_seconds
Data type: Optional[Integer]
Define the length of time access will be granted by fwknop through the firewall after a valid SPA packet is received from the source IP address that matches this stanza's source.
If fw_access_timeout_seconds is not set, a default timeout of 30 seconds will be applied automatically.
Default value: undef
include
Data type: Optional[String]
This processes the access.conf stanzas from an additional file. Complete stanzas should be contained within each file.
Default value: undef
include_folder
Data type: Optional[String]
This processes all the *.conf files in the specified directory.
Default value: undef
encryption_mode
Data type: Optional[String]
Specify the encryption mode when AES is used. The default is CBC mode, but other modes can be selected such as OFB and CFB. In general, it is recommended to not use this parameter and leave it as the default. Note that the string "legacy" can be specified in order to generate SPA packets with the old initialization vector strategy used by versions of fwknop before 2.5. With the 2.5 release, fwknop uses PBKDF1 for key derivation.
Default value: undef
hmac_digest_type
Data type: Optional[String]
Specify the digest algorithm for incoming SPA packet authentication. Must be one of MD5, SHA1, SHA256, SHA384, SHA512, SHA3_256, or SHA3_512. This is an optional field, and if not specified then fwknopd defaults to using SHA256 if the access stanza requires an HMAC.
Default value: undef
access_expire
Data type: Optional[String]
Defines an expiration date for the access stanza in MM/DD/YYYY format. All SPA packets that match an expired stanza will be ignored. This parameter is optional.
Default value: undef
access_expire_epoch
Data type: Optional[Integer]
Defines an expiration date for the access stanza as the epoch time, and is useful if a more accurate expiration time needs to be given than the day resolution offered by the access_expire parameter above. All SPA packets that match an expired stanza will be ignored. This parameter is optional.
Default value: undef
enable_cmd_exec
Data type: Optional[Boolean]
This specifies whether or not fwknopd will accept complete commands that are contained within a SPA packet. Any such command will be executed by the fwknopd server as the user specified with the cmd_exec_user parameter. If not set here, the default is false.
Default value: undef
cmd_exec_user
Data type: Optional[String]
This specifies the user that will execute commands contained within a SPA packet. If not specified, fwknopd will execute it as the user it is running as (most likely root). Setting this to a non-root user is highly recommended.
Default value: undef
enable_cmd_sudo_exec
Data type: Optional[Boolean]
sudo provides a powerful means of restricting the sets of commands that users can execute via the "sudoers" file. By enabling this feature (and in "enable_cmd_exec" mode), all incoming commands from valid SPA packets will be prefixed by "/path/to/sudo -u <user> -g <group>", where the path to sudo is set by the "sudo_exe" parameter, "<user>" is set by the "cmd_sudo_exec_user" parameter (default is "root" if not set), and "<group>" is set by "cmd_sudo_exec_group" (default is also "root" if not set).
Default value: undef
cmd_sudo_exec_user
Data type: Optional[String]
Specify the user (via "sudo -u <user>") that will execute a command contained within a SPA packet. If this parameter is not given, fwknopd will assume the command should be executed as root.
Default value: undef
cmd_exec_group
Data type: Optional[String]
Specify the group (via setgid) that will execute a command contained within a SPA packet. If this parameter is not given, fwknopd will execute the command as the user it is running as (most likely root). Setting this to a non-root user such as "nobody" is highly recommended if elevated permissions are not needed.
Default value: undef
cmd_sudo_exec_group
Data type: Optional[String]
Specify the group (via "sudo -g <group>") that will execute a command contained within a SPA packet. If this parameter is not given, fwknopd will assume the command should be executed as root.
Default value: undef
cmd_cycle_open
Data type: Optional[String]
Specify a command open/close cycle to be executed upon receipt of a valid SPA packet. This directive sets the initial command, and is meant to be used in conjunction with the "cmd_cycle_close" parameter below. The main application of this feature is to allow fwknopd to interact with firewalls or ACLs that are not natively supported, and facilitate the same access model as for the main supported firewalls such as iptables. That is, a command is executed to open the firewall or ACL, and then a corresponding close command is executed after a timer expires. Both the "cmd_cycle_open" and "cmd_cycle_close" parameters support special substitution strings to allow values to be taken from the SPA payload and used on the command line of the executed command. These strings begin with a "$" character, and include "$IP" (the allow IP decrypted from the SPA payload), "$SRC" (synonym for "$IP"), "$PKT_SRC" (the source IP in the network layer header of the SPA packet), "$DST" (the destination IP), "$PORT" (the allow port), "$PROTO" (the allow protocol), and "$TIMEOUT" (the client timeout, if specified).
Default value: undef
cmd_cycle_close
Data type: Optional[String]
Specify the close command that corresponds to the open command set by the "cmd_cycle_open" parameter. The same string substitutions such as "$IP", "$PORT", and "$PROTO" are supported. In addition, the special value "NONE" can be set to allow no close command to be executed after the open command. This might be handy in certain situations where, say, indefinite access is desired and allowed.
Default value: undef
cmd_cycle_timer_seconds
Data type: Optional[Integer]
Set the number of seconds after which the close command set in "cmd_cycle_close" will be executed. This defines the open/close timer interval.
Default value: undef
sudo_exe
Data type: Optional[String]
Define the path to the sudo binary. Default is "/usr/bin/sudo".
Default value: undef
require_username
Data type: Optional[String]
Require a specific username from the client system as encoded in the SPA data. This parameter is optional and if not specified, the username data in the SPA data is ignored.
Default value: undef
require_source_address
Data type: Optional[Boolean]
Force all SPA packets to contain a real IP address within the encrypted data. This makes it impossible to use the "-s" command line argument on the fwknop client command line, so either "-R" has to be used to automatically resolve the external address (if the client is behind a NAT) or the client must know the external IP. If not set here, the default is false.
Default value: undef
force_nat
Data type: Optional[String]
For any valid SPA packet, force the requested connection to be NAT'd through to the specified (usually internal) IP and port value. This is useful if there are multiple internal systems running a service such as SSHD, and you want to give transparent access to only one internal system for each stanza in the access.conf file. This way, multiple external users can each directly access only one internal system per SPA key.
Default value: undef
force_snat
Data type: Optional[String]
For any valid SPA packet, add an SNAT rule in addition to any DNAT rule created with a corresponding (required) force_nat parameter. This is analogous to the "fwknop::snat_translate_ip" parameter except that it is per access stanza and overrides any value set with "fwknop::snat_translate_ip". This is useful for situations where an incoming NAT'd connection may be otherwise unanswerable due to routing constraints (i.e. the system receiving the SPA authenticated connection has a default route to a different device than the SPA system itself).
Default value: undef
force_masquerade
Data type: Optional[Boolean]
This is similar to the "force_snat" parameter, except that it is not necessary to also specify an IP address for SNAT rules because the MASQUERADE target is used instead.
Default value: undef
forward_all
Data type: Optional[Boolean]
In NAT scenarios, control whether all traffic is forwarded through the fwknopd system as opposed to just forwarding connections to specific services as requested by the fwknop client.
Default value: undef
disable_dnat
Data type: Optional[Boolean]
Control whether DNAT rules are created in force_nat scenarios. This is mainly used in conjunction with the forward_all parameter to allow fwknopd to act essentially as an SPA gateway. I.e., the fwknop client is used to gain access via SPA to the broader Internet after being granted an IP via DHCP, but prior to sending the SPA packet all traffic is blocked by default to the Internet.
Default value: undef
gpg_decrypt_id
Data type: Optional[String]
Define a GnuPG key ID to use for decrypting SPA messages that have been encrypted by an fwknop client using GPG. This keyword is required for authentication that is based on gpg keys. The gpg key ring on the client must have imported and signed the fwknopd server key, and vice versa.
It is ok to use a sensitive personal gpg key on the client, but each fwknopd server should have its own gpg key that is generated specifically for fwknop communications. The reason for this is that this decryption password within this file.
Note that you can use either keyID or its corresponding email address.
For more information on using fwknop with GnuPG keys, see the following link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
Default value: undef
gpg_decrypt_pw
Data type: Optional[Variant[String, Sensitive[String]]]
Specify the decryption password for the gpg key defined by the gpg_decrypt_id parameter. This is a required field for gpg-based authentication.
Default value: undef
gpg_allow_no_pw
Data type: Optional[Boolean]
Allow fwknopd to leverage a GnuPG key pair that does not have an associated password. While this may sound like a controversial deployment mode, in automated environments it makes sense because "there is usually no way to store a password more securely than on the secret keyring itself" according to: "http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment". Using this feature and removing the passphrase from a GnuPG key pair is useful in some environments where libgpgme is forced to use gpg-agent and/or pinentry to collect a passphrase.
Default value: undef
gpg_require_sig
Data type: Optional[Boolean]
With this setting set to true, fwknopd checks all GPG-encrypted SPA messages for a signature (signed by the sender's key). If the incoming message is not signed, the decryption process will fail. If not set, the default is false.
Default value: undef
gpg_disable_sig
Data type: Optional[Boolean]
Disable signature verification for incoming SPA messages. This is not a recommended setting, and the default is false.
Default value: undef
gpg_ignore_sig_verify_error
Data type: Optional[Boolean]
Setting this will allow fwknopd to accept incoming GPG-encrypted packets that are signed, but the signature did not pass verification (i.e. the signer key was expired, etc.). This setting only applies if the gpg_require_sig parameter is also set to true.
Default value: undef
gpg_remote_id
Data type: Optional[String]
Define a list of gpg key IDs that are required to have signed any incoming SPA messages that have been encrypted with the fwknopd server key. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism. This setting only applies if gpg_require_sig is set to true.
Default value: undef
gpg_fingerprint_id
Data type: Optional[String]
Specify a set of full-length GnuPG key fingerprints instead of the shorter key identifiers set with the "gpg_remote_id" parameter. Here is an example fingerprint for one of the fwknop test suite keys: 00CC95F05BC146B6AC4038C9E36F443C6A3FAD56.
Default value: undef
gpg_home_dir
Data type: Optional[String]
Define the path to the GnuPG directory to be used by fwknopd. If this keyword is not specified here, then fwknopd will default to using the "/root/.gnupg" directory for the server key(s).
Default value: undef
gpg_exe
Data type: Optional[String]
Define the path to the GnuPG executable. If this keyword is not specified then fwknopd will default to using /usr/bin/gpg.
Default value: undef
order
Data type: Variant[String, Integer]
Reorders your access stanzas within the access.conf. Stanzas that share the same order number are ordered by name. Default is '10'.
Default value: '10'
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
1.0.2 - 2024-10-01
Fixed
- Managed fwknopd service will enable and ensure running.
1.0.1 - 2024-08-23
Added
- Reference documentation is generated when releasing to puppet forge.
1.0.0 - 2024-08-23
Added
- Complete reference documentation.
- package_manage and service_manage parameters so this module's management of the package and service is optional.
0.1.0 - 2024-08-22
Added
- fwknop class which manages /etc/fwknop/fwknopd.conf and /etc/fwknop/access.conf
- fwknop::access defined type which adds stanzas to /etc/fwknop/access.conf
- Very little documentation.
- CI automation for running tests and releasing with puppet forge.
Dependencies
- puppetlabs/concat (>= 9.0.2 < 10.0.0)
- puppetlabs/stdlib (>= 9.0.0 < 10.0.0)