Hi -

Christian Perrier wrote:

[...]

Sorry for the delay, I have written the README.Debian file.

> I will probably not suggest better things than Justin, but I could
> make an overall check of the general debconf use, etc.
>
> I also suggest that you'll send a call for translations *before*
> uploading the package introducing debconf templates....and, if you
> translate them to French yourself, that you request for a review in
> debian-l10n-french.

Ok.

[...]

> I also suggest you send the package description from debian/control
> for review, while you're at it.

So, below you will find:

- part of the debian/control
- fwknop-server.templates
- README.Debian

If you like:

http://www.dthconnex.com/data/control
http://www.dthconnex.com/data/fwknop-server.templates
http://www.dthconnex.com/data/README.Debian

and inline :)

Lines are wrapped at 72 characters, so I made some changes to make it
clean. I hope this is not too bad with your MUA.

Part of debian control
---------------------------------------

[...]

Description: FireWall KNock OPerator server side
 It implements an authorization scheme called Single Packet
 Authorization (SPA) that is based around Netfilter and libpcap.
 .
 By using Netfilter to maintain a "default drop" stance, the main
 application of this program is to protect services such as OpenSSH
 with an additional layer of security in order to make the exploitation
 of vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 The authorization server passively monitors authorization packets via
 libpcap and hence there is no "server" to which to connect in the
 traditional sense. Access to a protected service is only granted after
 a valid encrypted and non-replayed packet is monitored.

Description: FireWall KNock OPerator client side
 [...] idem as above
 .
 This is the client program responsible for accepting password input
 from the user; constructing SPA packets that conform to the fwknop
 packet format; encrypting packet data.

Part of fwknop-server.templates
---------------------------------------

I have removed the hostname question.

[...]

_Description: Configure fwknop to protect the SSH port?
 The FireWall KNock OPerator daemon has not been set up yet. This
 install process can configure fwknopd to protect the SSH port with a
 simple Rijndael shared key, but moving to a GnuPG setup is
 recommended. Setting up GnuPG for SPA communications involves a few
 manual steps that are described in the fwknop documentation. In the
 meantime, using Rijndael for SPA encryption and decryption provides
 decent security.

[...]

_Description: Sniffing interface:
 By default, fwknop-server uses libpcap, and needs to know which
 Ethernet interface should be put in promiscuous mode.

[...]

_Description: Encryption key to use:
 By default, SPA packets are encrypted with the Rijndael block cipher,
 which requires an encryption key. This password must be at least eight
 characters in length.

README.Debian
----------------------------------------

Quick setup
--------------------------------------------------------------------------------

As the FWKnop OPerator daemon can be configured in many ways, this
package allows the user to turn the SSH protection on by the use of a
Rijndael password. Although this provides decent security, moving to a
GnuPG setup is recommended.

During the installation process, if the daemon has not previously been
configured, the user will be prompted for a quick setup. In case you
decline the offer, you can still run it with the following command:

[code]
# dpkg-reconfigure fwknop-server
[/code]

You will be asked a few questions, then the FWKnop OPerator daemon will
be started according to your settings.

Edit access.conf and fwknop.conf in /etc/fwknop/ if you would like to
make some other changes, and restart the daemon:

[code]
# invoke-rc.d fwknop-server restart
[/code]

Check your installation
--------------------------------------------------------------------------------

To verify that your installation was successful, try connecting to your
SSH server using the fwknop client.

[code]
[...]
[/code]

Minimal steps to configure the FWKnop OPerator server
--------------------------------------------------------------------------------

In case you would prefer to update both access.conf and fwknop.conf
files in /etc/fwknop by hand, here is the list of the variables that
have to be defined:

in access.conf:
-> KEY: myverylongkey
or
-> GPG_HOME_DIR: /root/.gnupg;
-> GPG_DECRYPT_ID: ABCD1234;
-> GPG_DECRYPT_PW: myGpgPassword;
-> GPG_REMOTE_ID: 1234ABCD;

in fwknop.conf:
-> HOSTNAME: diamond.dthconnex.com
-> PCAP_INTF: eth0

By default, the FWKnop OPerator daemon is not allowed to start at boot
time through the init scripts in /etc/init.d/. You can change this
behaviour by updating the START_DAEMON variable from "no" to "yes" in
/etc/default/fwknop-server.

Thanks,

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
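An added check script, not part of the README.Debian or the fwknop package, that verifies the minimal settings listed in the "Minimal steps" section (KEY or the four GPG_* variables in access.conf, HOSTNAME and PCAP_INTF in fwknop.conf, START_DAEMON in /etc/default/fwknop-server) before the daemon is restarted. It assumes entries of the "NAME: value;" form shown in that list; the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the README.Debian or the fwknop package: check the
# minimal settings listed in the README before restarting fwknop-server.
# Assumption: entries look like "NAME: value;" (the colon and trailing semicolon
# are optional), as in the README's list; the files' real layout may differ.

# conf_value FILE NAME: print the value of the first uncommented NAME entry,
# or nothing if it is not set.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2([[:space:]]*:|[[:space:]]+)[[:space:]]*([^;]*);?[[:space:]]*$/\2/p" "$1" \
        | sed -E 's/[[:space:]]+$//' | head -n 1
}

# check_fwknop_config ACCESS_CONF FWKNOP_CONF DEFAULTS_FILE
# Returns 0 when the three files satisfy the README's minimal requirements,
# 1 otherwise (each problem is reported on stdout).
check_fwknop_config() {
    access=$1; conf=$2; defaults=$3; rc=0
    key=$(conf_value "$access" KEY)
    if [ -n "$key" ]; then
        # Rijndael mode: the debconf template asks for at least eight characters.
        if [ "${#key}" -lt 8 ]; then
            echo "access.conf: KEY is shorter than eight characters"; rc=1
        fi
    else
        # GnuPG mode: all four GPG_* variables from the README must be present.
        for v in GPG_HOME_DIR GPG_DECRYPT_ID GPG_DECRYPT_PW GPG_REMOTE_ID; do
            [ -n "$(conf_value "$access" "$v")" ] || {
                echo "access.conf: neither KEY nor $v is set"; rc=1; }
        done
    fi
    for v in HOSTNAME PCAP_INTF; do
        [ -n "$(conf_value "$conf" "$v")" ] || { echo "fwknop.conf: $v is not set"; rc=1; }
    done
    # The init script only starts the daemon at boot when START_DAEMON is "yes".
    if ! grep -Eq '^[[:space:]]*START_DAEMON=["'\'']?yes' "$defaults" 2>/dev/null; then
        echo "$defaults: START_DAEMON is not \"yes\"; the daemon will not start at boot"; rc=1
    fi
    return "$rc"
}
```

Run it as `check_fwknop_config /etc/fwknop/access.conf /etc/fwknop/fwknop.conf /etc/default/fwknop-server` before `invoke-rc.d fwknop-server restart`; a non-zero exit lists what is missing.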