GPGSesame is a perl script that collects and verifies Open PGP signed / encrypted mail and allows access through a Linux Netfilter firewall. This enables you to remotely open holes in your iptables by simply sending a GPG email to authenticate yourself. The version here opens acess to the SSH port, but you're free to modify the script if you want to change that.
If signed / encrypted email seems a bit too complicated or you don't fancy carrying a GPG key around with you for authentication, you could use a dynamic dns account instead. See
ddns holes
Otherwise read on for more information...
GPGSesame
GPG Sesame originally used the IPTables::IPv4 perl module to manipulate netfilter rules. IPTables::IPv4 used the unpublished API available in libipt. The API has moved on and libipt seems to have been replaced with libnfnetlink and so IPTables::IPv4 no longer works. As there is still no published API for Netfilter I wouldn't expect it to be fixed or replaced anytime soon.
Because of this GPGSesame now calls the iptables binary to do the firewall changes and should work on any linux distro.
Copyright: Mark Boddington (C) 2004 -2006
How it works
You just need to send a signed and encrypted email to the adress that GPGSesame monitors. It must be signed with a trusted key and encrypted with GPGSesames public key. In the body of the message you must have a PGPAddress line with the IP you want added and a PGPDate line with the current date. If the messages is too old it will not be processed....
Example:
PGPAddress: 192.168.1.15
PGPDate: 2005-05-16 15:15
GPGSesame README
This is free software. Released under the GNU GPL Version 2.0.
This is a fairly simple perl script which use OpenPGP encrypted
email to authenticate users and add access rules to iptables.
I wrote this so I could send a signed encrypted email to my PC
and request SSH access from anywhere I happen to be.
You need an iptables chain with a RETURN rule at the bottom.
Jump into this chain from INPUT and sesame.pl will add/remove
rules from that chain.
sesame.pl should be run from cron, it will check for mail,
add rules and delete expired rules. You will probably want to
set the frequency of the checks to sensible values based on
your Access and email timeouts.
rules are added at the begining. Each host gets two entries.
One rule to log the access and one rule to accept the access.
the logging rule contains the expiry timestamp and will be
seen in you kernel log when an access occurs. When sesame.pl
deletes the rule after expirey it first deletes the log rule
then any rule that has the same source address.
You need these perl modules:
Mail::GnuPG
GnuPG::Interface
MIME::Entity
Net::POP3
Date::Calc
================================================================
To add an iptables chain:
iptables -N PGPHOST
To add a RETURN rule to this chain so processing returns and
continues through the INPUT chain:
iptables -A PGPHOST -j RETURN
To jump into this chain from INPUT
iptables -A INPUT -j PGPHOST
===============================================================
To generate your gpg key:
gpg --homedir=<GPGDIR> --gen-key
To import a gpg key from your own keyring into the applications keyring:
gpg --export <KEYID> -a | gpg --homedir=<GPGDIR> --import
To trust an imported key:
gpg --homedir=<GPGDIR> --sign-key <KEYID>
To list your keys
gpg --homedir=<GPGDIR> --list-keys
