27 Jun 2002 chipx86 (Journeyer)

effbot

Wow, quite an old article you dug up there. Yeah, I was a part of that project for several years, and as is the case in many news articles, the actual details of what happened were never presented correctly.

The split was planned in advance by a group of people (who were not sharing the code anyway) and put into action that one day... We had a lot of very good developers left, so it wasn't like everybody was gone, and actually I think it was only 10 or so people that left the project. I can't remember. Their goals for the kernel were much different from ours, so the code they eventually showed after the split wasn't even a Stanford Cache Kernel. Anyhow, we did have a working kernel, though it wasn't usable for much. It was eventually decided that our energy could better be put to other uses. The group of people that split produced some code, but I don't believe it was ever in a useful state either. Last I heard, they quit too.

Freedows was a project that was often bashed by a lot of people, and was frequently called vaporware. However, unless you were one of the people that was part of the project and followed it closely, you'll never know how hard we tried. I like to think that we gained some pretty good management skills from it, and I know I learned a lot about operating system design that way. I don't consider it a waste of time at all.

Knock Knock

Okay, now that I have this thing close to working, I'll talk a bit more about it.

It's basically two extra security layers for a system. It is a small daemon used in conjunction with your firewall. You would first configure the firewall to report whatever ports you want hidden from the general public as closed or stealthed. Then you would run the daemon (after setting the options in the config).

The daemon, knockd, listens on the ports and waits for a "secret knock," which is a sequence of ports being hit within a certain amount of time. Because the whole sequence has to arrive within that window, it cannot be brute-forced, and the longer the sequence, the harder it is to guess.

After the client, called a knocker, sends the secret knock, it connects to a port on the server that is used for Knock Knock authentication. The daemon will ask for a username and password, and the knocker will supply them (either ones stored in the knocker's config or typed in by the user). The traffic will be encrypted.

The Knock Knock auth port is also closed or stealthed, but when the sequence is sent, knockd opens up that port for your IP address. If you enter your username and password (specific to knockd) incorrectly three times, it will be closed down again. If you enter them correctly, the ports set up with that sequence in knockd will open up to your IP address only. The config file will let admins specify an amount of time for these ports to stay open, or an idle timeout, so that if no traffic arrives on those ports within that period they close again.

This would allow a server to run services such as telnet, ssh, ftp, cvs, etc. only for people who have a knocker, the correct secret knock, and a valid username and password. To everyone else, those services stay closed.
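The state machine described above (sequence within a time window, auth port opened per source address, three wrong passwords closing it again, idle timeout on the granted ports) can be modelled in a few dozen lines. The following is an added illustration, not chipx86's knockd or knocker code: the event format (timestamp, source IP, destination port), the secret sequence, the window lengths, the `KnockDaemon` class and the sample event log are all constructed for this example, and a real daemon would drive firewall rules from the `auth_open` and `granted` tables instead of just recording them.

```python
"""Port-knock state machine after the knockd/knocker design described above.

Added illustration, not the author's knockd. The event format
(timestamp, source IP, destination port), the sequence, the window lengths
and the sample event log are all constructed for this example.
"""
from dataclasses import dataclass, field

SECRET_KNOCK = [7000, 8000, 9000]  # constructed secret sequence
KNOCK_WINDOW = 5.0                 # seconds allowed for the whole sequence
MAX_AUTH_FAILURES = 3              # wrong passwords before the auth port closes again
GRANT_TIMEOUT = 60.0               # idle seconds before the granted ports close


@dataclass
class KnockDaemon:
    sequence: list = field(default_factory=lambda: list(SECRET_KNOCK))
    window: float = KNOCK_WINDOW
    grant_timeout: float = GRANT_TIMEOUT
    # Per-source state. A real daemon would turn these into firewall rules.
    progress: dict = field(default_factory=dict)   # ip -> (next_index, first_hit_ts)
    auth_open: dict = field(default_factory=dict)  # ip -> failed attempts so far
    granted: dict = field(default_factory=dict)    # ip -> last activity ts

    def knock(self, ts, ip, port):
        """Record one packet to a closed port. True when ip just completed the knock."""
        idx, first = self.progress.get(ip, (0, ts))
        if idx and ts - first > self.window:
            idx = 0                                # too slow: start over
        if port == self.sequence[idx]:
            if idx == 0:
                first = ts                         # window starts at the first correct hit
            idx += 1
        elif port == self.sequence[0]:
            idx, first = 1, ts                     # wrong port, but it is a fresh start
        else:
            idx = 0                                # any other port resets the sequence
        if idx == len(self.sequence):
            self.progress.pop(ip, None)
            self.auth_open[ip] = 0                 # auth port now open for this ip only
            return True
        self.progress[ip] = (idx, first)
        return False

    def authenticate(self, ts, ip, password_ok):
        """One login attempt on the auth port: 'granted', 'denied' or 'closed'."""
        if ip not in self.auth_open:
            return "closed"                        # never knocked, or locked out
        if password_ok:
            del self.auth_open[ip]
            self.granted[ip] = ts                  # service ports open for this ip
            return "granted"
        self.auth_open[ip] += 1
        if self.auth_open[ip] >= MAX_AUTH_FAILURES:
            del self.auth_open[ip]                 # third failure closes the auth port
            return "closed"
        return "denied"

    def is_open(self, ts, ip):
        """Are the service ports currently open for ip? Enforces the idle timeout."""
        last = self.granted.get(ip)
        if last is None:
            return False
        if ts - last > self.grant_timeout:
            del self.granted[ip]
            return False
        return True

    def activity(self, ts, ip):
        """Traffic on a granted port refreshes the idle timer."""
        if self.is_open(ts, ip):
            self.granted[ip] = ts


def run_sample():
    """Replay a constructed event log and return what happened per source."""
    d = KnockDaemon()
    out = {}
    # Legitimate knocker: right order, inside the window.
    out["good_knock"] = [d.knock(t, "10.0.0.5", p)
                         for t, p in [(0.0, 7000), (1.0, 8000), (2.0, 9000)]]
    # Two wrong passwords, then the right one.
    out["good_auth"] = [d.authenticate(3.0, "10.0.0.5", False),
                        d.authenticate(4.0, "10.0.0.5", False),
                        d.authenticate(5.0, "10.0.0.5", True)]
    out["open_at_30"] = d.is_open(30.0, "10.0.0.5")
    out["open_at_70"] = d.is_open(70.0, "10.0.0.5")     # idle past the timeout
    # Right ports, but the second hit arrives after the window expired.
    out["slow_knock"] = [d.knock(t, "10.0.0.6", p)
                         for t, p in [(0.0, 7000), (10.0, 8000), (11.0, 9000)]]
    # A linear scan passes 7000, 8000, 9000 in order, but 7001 in between resets it.
    out["scan_knock"] = [d.knock(t, "10.0.0.7", p)
                         for t, p in [(0.0, 7000), (0.1, 7001), (0.2, 8000), (0.3, 9000)]]
    # Correct knock followed by three wrong passwords locks the auth port again.
    for t, p in [(0.0, 7000), (1.0, 8000), (2.0, 9000)]:
        d.knock(t, "10.0.0.8", p)
    out["lockout"] = [d.authenticate(3.0 + i, "10.0.0.8", False) for i in range(4)]
    # A host that never knocked sees the auth port closed.
    out["no_knock"] = d.authenticate(0.0, "10.0.0.9", True)
    return out


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(f"{name}: {result}")
```

The reset-on-any-other-port rule is the design choice that matters most here: it is what stops a sequential port scan, which does touch the secret ports in the right order, from completing the knock, because every intermediate port it hits throws the state back to the start.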

So far, I have a prototype knockd and console knocker client written. It does not have authentication yet, but you can knock. It also doesn't have configuration yet. I hope to add these today.

