|
|
381c564 |
Summary: A Single Packet Authorization (SPA) implementation
|
|
|
381c564 |
Name: fwknop
|
|
|
690f76e |
Version: 2.6.10
|
|
|
e087b39 |
Release: 9%{?dist}
|
|
|
6c28328 |
License: GPLv2
|
|
|
381c564 |
Url: http://www.cipherdyne.org/fwknop/
|
|
Warren Togami |
323f9fc |
Source0: http://cipherdyne.org/fwknop/download/fwknop-%{version}.tar.bz2
|
|
Warren Togami |
323f9fc |
Source1: http://cipherdyne.org/fwknop/download/fwknop-%{version}.tar.bz2.asc
|
|
|
60d9343 |
Source2: fwknopd.service
|
|
|
3571af5 |
Patch1: fwknop-2.6.10-gcc.patch
|
|
|
e071128 |
BuildRequires: libpcap-devel iptables systemd gpgme-devel gpg firewalld
|
|
|
b0d0e42 |
BuildRequires: gcc
|
|
|
c18907d |
BuildRequires: make
|
|
|
6c28328 |
Requires: logrotate
|
|
|
7bc4880 |
Requires(post): systemd
|
|
|
7bc4880 |
Requires(preun): systemd
|
|
|
7bc4880 |
Requires(postun): systemd
|
|
|
381c564 |
|
|
|
7db355c |
%package devel
|
|
|
7db355c |
Summary: The fwknop library, header and API docs
|
|
|
7db355c |
Requires: gpg, gpgme
|
|
|
7db355c |
Requires: %{name}%{?_isa} >= %{version}-%{release}
|
|
|
7db355c |
|
|
|
381c564 |
%description
|
|
|
381c564 |
fwknop implements an authorization scheme known as Single Packet
|
|
|
381c564 |
Authorization (SPA) that requires only a single encrypted packet to
|
|
|
381c564 |
communicate various pieces of information including desired access through an
|
|
|
381c564 |
iptables policy and/or specific commands to execute on the target system.
|
|
|
381c564 |
The main application of this program is to protect services such as SSH with
|
|
|
381c564 |
an additional layer of security in order to make the exploitation of
|
|
|
381c564 |
vulnerabilities (both 0-day and unpatched code) much more difficult. The
|
|
|
381c564 |
authorization server passively monitors authorization packets via libpcap and
|
|
|
381c564 |
hence there is no "server" to which to connect in the traditional sense. Any
|
|
|
381c564 |
service protected by fwknop is inaccessible (by using iptables to
|
|
|
381c564 |
intercept packets within the kernel) before authenticating; anyone scanning for
|
|
|
381c564 |
the service will not be able to detect that it is even listening. This
|
|
|
381c564 |
authorization scheme offers many advantages over port knocking, including being
|
|
|
381c564 |
non-replayable, much more data can be communicated, and the scheme cannot be
|
|
|
381c564 |
broken by simply connecting to extraneous ports on the server in an effort to
|
|
|
381c564 |
break knock sequences. The authorization packets can easily be spoofed as
|
|
|
381c564 |
well, and this makes it possible to make it appear as though, say,
|
|
|
381c564 |
www.yahoo.com is trying to authenticate to a target system but in reality the
|
|
|
381c564 |
actual connection will come from a seemingly unrelated IP. Although the
|
|
|
381c564 |
default data collection method is to use libpcap to sniff packets off the
|
|
|
381c564 |
wire, fwknop can also read packets out of a file that is written by the
|
|
|
381c564 |
iptables ulogd pcap writer or by a separate sniffer process.
|
|
|
381c564 |
|
|
|
7db355c |
%description devel
|
|
|
7db355c |
The Firewall Knock Operator library, libfko, provides the Single Packet
|
|
|
7db355c |
Authorization implementation and API for the other fwknop components.
|
|
|
7db355c |
|
|
|
381c564 |
%prep
|
|
|
381c564 |
%setup -q
|
|
|
3571af5 |
%patch1 -p1 -b .gcc10
|
|
|
381c564 |
|
|
|
381c564 |
%build
|
|
|
7db355c |
%configure --with-firewall-cmd=/usr/bin/firewall-cmd --with-gpgme
|
|
|
d3c7b7b |
# remove Rpath
|
|
|
d3c7b7b |
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
|
|
|
d3c7b7b |
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
|
|
Viktor Hercinger |
a8e1721 |
# Parallel build fails with version 2.0.4, the upstream fix does not always work
|
|
Viktor Hercinger |
a8e1721 |
make %{?_smp_mflags} -j1 OPTS="$RPM_OPT_FLAGS"
|
|
|
381c564 |
|
|
|
7db355c |
%check
|
|
|
5073cfa |
# check needs root access
|
|
|
7db355c |
#cd test; ./run-test-suite.sh --enable-all
|
|
|
7db355c |
|
|
|
381c564 |
%install
|
|
|
c7c7c5f |
%make_install
|
|
|
d3c7b7b |
|
|
|
d3c7b7b |
# init script
|
|
|
60d9343 |
install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_unitdir}/fwknopd.service
|
|
|
d3c7b7b |
|
|
|
d3c7b7b |
# devel stuff
|
|
|
7db355c |
rm $RPM_BUILD_ROOT/%{_libdir}/libfko.{la,a}
|
|
|
7db355c |
|
|
|
381c564 |
%post
|
|
|
7bc4880 |
%systemd_post fwknopd.service
|
|
|
381c564 |
|
|
|
381c564 |
%preun
|
|
|
e071128 |
%systemd_preun fwknopd.service
|
|
|
381c564 |
|
|
|
381c564 |
%postun
|
|
|
7bc4880 |
%systemd_postun_with_restart fwknopd.service
|
|
|
381c564 |
|
|
|
60d9343 |
%triggerun -- fwknop < 2.0-2
|
|
|
60d9343 |
# Save the current service runlevel info
|
|
|
60d9343 |
# User must manually run systemd-sysv-convert --apply fwknopd
|
|
|
60d9343 |
# to migrate them to systemd targets
|
|
|
60d9343 |
/usr/bin/systemd-sysv-convert --save fwknopd >/dev/null 2>&1 ||:
|
|
|
60d9343 |
|
|
|
60d9343 |
# Run these because the SysV package being removed won't do them
|
|
|
60d9343 |
/sbin/chkconfig --del fwknopd >/dev/null 2>&1 || :
|
|
|
60d9343 |
/bin/systemctl try-restart fwknopd.service >/dev/null 2>&1 || :
|
|
|
60d9343 |
|
|
|
381c564 |
%files
|
|
|
7db355c |
%doc CREDITS ChangeLog README
|
|
|
7db355c |
%license COPYING
|
|
|
381c564 |
%dir %{_sysconfdir}/fwknop
|
|
|
7db355c |
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/fwknop/fwknopd.conf
|
|
|
7db355c |
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/fwknop/access.conf
|
|
|
7db355c |
%attr(0755,root,root) %{_bindir}/fwknop
|
|
|
7db355c |
%attr(0755,root,root) %{_sbindir}/fwknopd
|
|
|
0cff705 |
%{_unitdir}/fwknopd.service
|
|
|
7db355c |
%attr(0644,root,root) %{_mandir}/man8/fwknop.8*
|
|
|
7db355c |
%attr(0644,root,root) %{_mandir}/man8/fwknopd.8*
|
|
|
8cd2ff8 |
%attr(0644,root,root) %{_libdir}/libfko.so.3.0.0
|
|
|
8cd2ff8 |
%attr(0644,root,root) %{_libdir}/libfko.so.3
|
|
|
7db355c |
%exclude %{_infodir}/dir
|
|
|
7db355c |
|
|
|
7db355c |
%files devel
|
|
|
7db355c |
%attr(0644,root,root) %{_libdir}/libfko.so
|
|
|
7db355c |
%attr(0644,root,root) %{_includedir}/fko.h
|
|
|
7db355c |
%attr(0644,root,root) %{_infodir}/libfko.info*
|
|
|
381c564 |
|
|
|
381c564 |
%changelog
|
|
|
e087b39 |
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-9
|
|
|
e087b39 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
|
e087b39 |
|
|
|
7cac890 |
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.6.10-8
|
|
|
7cac890 |
- Rebuilt for updated systemd-rpm-macros
|
|
|
7cac890 |
See https://pagure.io/fesco/issue/2583.
|
|
|
7cac890 |
|
|
|
4de7f85 |
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-7
|
|
|
4de7f85 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
|
4de7f85 |
|
|
|
9eb6275 |
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-6
|
|
|
9eb6275 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
|
9eb6275 |
|
|
|
0bcce07 |
* Mon Feb 10 2020 Jakub Jelen <jjelen@redhat.com> - 2.6.10-5
|
|
|
0bcce07 |
- Unbreak build with gcc10 (#1799378)
|
|
|
0bcce07 |
|
|
|
590e775 |
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-4
|
|
|
590e775 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
|
590e775 |
|
|
|
3307e8f |
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-3
|
|
|
3307e8f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
|
3307e8f |
|
|
|
6f85cf2 |
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.10-2
|
|
|
6f85cf2 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
|
6f85cf2 |
|
|
|
690f76e |
* Tue Aug 07 2018 Jakub Jelen <jjelen@redhat.com> - 2.6.10-1
|
|
|
690f76e |
- New upstream release (#1613332)
|
|
|
690f76e |
|
|
|
47bf084 |
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.9-7
|
|
|
47bf084 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
|
47bf084 |
|
|
|
65d3f4d |
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.9-6
|
|
|
65d3f4d |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
|
65d3f4d |
|
|
|
92c1def |
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.9-5
|
|
|
92c1def |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
|
92c1def |
|
|
|
088c3a9 |
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.9-4
|
|
|
088c3a9 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
088c3a9 |
|
|
|
2e7287f |
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.9-3
|
|
|
2e7287f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
|
2e7287f |
|
|
|
e83eae2 |
* Sat Dec 10 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 2.6.9-2
|
|
|
e83eae2 |
- Rebuild for gpgme 1.18
|
|
|
e83eae2 |
|
|
|
8cd2ff8 |
* Thu Jun 16 2016 Jakub Jelen <jjelen@redhat.com> - 2.6.9-1
|
|
|
8cd2ff8 |
- New upstream release
|
|
|
8cd2ff8 |
|
|
|
1a6cff1 |
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-2
|
|
|
1a6cff1 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
|
|
1a6cff1 |
|
|
|
5073cfa |
* Thu Dec 24 2015 Jakub Jelen <jjelen@redhat.com> 2.6.8-1
|
|
|
5073cfa |
- New upstream release
|
|
|
5073cfa |
|
|
|
20dbb3f |
* Wed Nov 25 2015 Jakub Jelen <jjelen@redhat.com> 2.6.7-1
|
|
|
20dbb3f |
- New upstream release
|
|
|
20dbb3f |
|
|
|
872ba6a |
* Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 2.6.6-2
|
|
|
872ba6a |
- Provide -devel subpackage (#1252077)
|
|
|
872ba6a |
|
|
|
ad7fad1 |
* Mon Jun 29 2015 Jakub Jelen <jjelen@redhat.com> 2.6.6-1
|
|
|
ad7fad1 |
- New upstream release
|
|
|
ad7fad1 |
- Fix problematic firewalld dependency (#1236331)
|
|
|
ad7fad1 |
|
|
|
7a2032d |
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.5-3
|
|
|
7a2032d |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
|
|
7a2032d |
|
|
|
b4c0b25 |
* Tue Apr 07 2015 Jakub Jelen <jjelen@redhat.com> 2.6.5-2
|
|
|
b4c0b25 |
- Add possibility to use gpg and firewalld (#976453)
|
|
|
b4c0b25 |
|
|
|
424ff81 |
* Tue Apr 07 2015 Jakub Jelen <jjelen@redhat.com> 2.6.5-1
|
|
|
424ff81 |
- New upstream release
|
|
|
424ff81 |
|
|
|
0b329aa |
* Wed Feb 25 2015 Jakub Jelen <jjelen@redhat.com> 2.6.3-2
|
|
|
0b329aa |
- Make service start after network (#1195303)
|
|
|
0b329aa |
- Update install scriptlet for systemd (#850124)
|
|
|
0b329aa |
|
|
Warren Togami |
323f9fc |
* Thu Aug 21 2014 Warren Togami <warren@slickage.com> - 2.6.3-1
|
|
Warren Togami |
323f9fc |
- upgrade to fwknop-2.6.3
|
|
Warren Togami |
323f9fc |
|
|
|
5f43075 |
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.1-3
|
|
|
5f43075 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
|
|
5f43075 |
|
|
|
7ce9625 |
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.1-2
|
|
|
7ce9625 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
|
7ce9625 |
|
|
|
0cff705 |
* Tue Aug 13 2013 Lukas Vrabec <lvrabec@redhat.com> - 2.5.1-1
|
|
|
0cff705 |
- Update to fwknop-2.5.1
|
|
|
0cff705 |
- Add systemd to BuildRequires
|
|
|
0cff705 |
|
|
|
9714605 |
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.4-2
|
|
|
9714605 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
|
|
9714605 |
|
|
Viktor Hercinger |
a8e1721 |
* Tue Jan 22 2013 Viktor Hercinger <vhercing@redhat.com> - 2.0.4-1
|
|
Viktor Hercinger |
a8e1721 |
- Update to fwknop-2.0.4
|
|
Viktor Hercinger |
a8e1721 |
|
|
|
b5eebdc |
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0-3
|
|
|
b5eebdc |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
|
|
b5eebdc |
|
|
|
60d9343 |
* Tue Apr 17 2012 Jon Ciesla <limburgher@gmail.com> - 2.0-2
|
|
|
60d9343 |
- Migrate to systemd, BZ 767777.
|
|
|
60d9343 |
- Added disttag.
|
|
|
60d9343 |
|
|
|
d3c7b7b |
* Thu Jan 12 2012 Peter Vrabec <pvrabec@redhat.com> - 2.0-1
|
|
|
d3c7b7b |
- upgrade
|
|
|
d3c7b7b |
|
|
|
458d212 |
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.12-2
|
|
|
458d212 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
|
|
458d212 |
|
|
|
9619bd2 |
* Wed Sep 16 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.12-1
|
|
|
9619bd2 |
- Update to fwknop-1.9.12.
|
|
|
9619bd2 |
|
|
|
b16af34 |
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.11-2
|
|
|
b16af34 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
|
|
b16af34 |
|
|
|
031f3ad |
* Thu May 14 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.11-1
|
|
|
031f3ad |
- Update to fwknop-1.9.11.
|
|
|
031f3ad |
|
|
|
d59c873 |
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.9-3
|
|
|
d59c873 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
|
|
d59c873 |
|
|
|
34d60e5 |
* Mon Jan 05 2009 Peter Vrabec <pvrabec@redhat.com> 1.9.9-2
|
|
|
34d60e5 |
- add /var/log/fwknop/errs directory (#469395)
|
|
|
34d60e5 |
|
|
|
7985a77 |
* Mon Nov 17 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.9-1
|
|
|
7985a77 |
- Update to fwknop-1.9.9
|
|
|
7985a77 |
|
|
|
4bf5ce1 |
* Sat Oct 4 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.8-1
|
|
|
4bf5ce1 |
- Update to fwknop-1.9.8
|
|
|
4bf5ce1 |
- Add missing Requires:
|
|
|
4bf5ce1 |
- Use the "nodeps" tarball
|
|
|
4bf5ce1 |
|
|
|
6c28328 |
* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.7-1
|
|
|
6c28328 |
- Update to fwknop-1.9.7
|
|
|
6c28328 |
- License specified to be GPLv2
|
|
|
6c28328 |
|
|
|
6c28328 |
* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-4
|
|
|
6c28328 |
- Don't change SNAT_TRANSLATE_IP to "localhost" in the default config.
|
|
|
6c28328 |
- Add Requires: logrotate.
|
|
|
6c28328 |
|
|
|
381c564 |
* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-3
|
|
|
381c564 |
- fix sed cmd in spec file
|
|
|
381c564 |
|
|
|
381c564 |
* Mon Aug 11 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2
|
|
|
381c564 |
- add logrotate file
|
|
|
381c564 |
- do not set hostname during install
|
|
|
381c564 |
|
|
|
381c564 |
* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1
|
|
|
381c564 |
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
|
|
|
381c564 |
since).
|
|
|
381c564 |
|
|
|
381c564 |
* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>
|
|
|
381c564 |
- Release of fwknop-1.9.6
|