Show HN: Totpgate – Single-packet authorization via TOTP
Totpgate is a lightweight port knocking daemon that utilizes TOTP for single-packet authorization. It listens on UDP for a valid TOTP and opens a TCP port temporarily upon validation. This method enhances security by making each authorization unique and resistant to replay attacks.
- Totpgate operates without external binaries or shared libraries, using a statically linked binary to communicate directly with the kernel.
- The daemon validates the TOTP against a shared secret and modifies nftables rules to allow access for a limited time.
- Pre-built binaries for various architectures are available, and users can also build from source with specific requirements.
Opening excerpt (first ~120 words)
totpgate: Single Packet Authorization via TOTP — a lightweight port knocking daemon that listens on UDP for a valid TOTP and, upon matching, temporarily opens a TCP port via direct netlink firewall manipulation. No external binaries, no shared libraries — just a statically linked binary speaking netlink directly to the kernel.

Why: Traditional port knocking sequences are predictable (fixed port order) and replayable. TOTP-based single-packet authorization replaces the sequence with a time-based one-time password, making each grant unique and replay-proof.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.