[client] add GPG_ALLOW_NO_SIGNING_PW and --gpg-no-signing-pw
authorMichael Rash <mbr@cipherdyne.org>
Wed, 19 Jun 2013 02:51:22 +0000 (22:51 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Wed, 19 Jun 2013 02:51:22 +0000 (22:51 -0400)
This change brings similar functionality to the client as the GPG_ALLOW_NO_PW
keyword in the server access.conf file.  Although this option is less likely
to be used than the analogous server functionality, it stands to reason that
the client should offer this feature.  The test suite has also been updated to
not use the --get-key option for the 'no password' GPG tests.

client/cmd_opts.h
client/config_init.c
client/fwknop.8.in
client/fwknop.c
client/fwknop_common.h
doc/fwknop.man.asciidoc
test/test-fwknop.pl
test/tests/gpg_no_pw.pl

index 0c0a111..154f602 100644 (file)
@@ -66,6 +66,7 @@ enum {
     GPG_SIGNER_KEY,
     GPG_HOME_DIR,
     GPG_AGENT,
+    GPG_ALLOW_NO_SIGNING_PW,
     NOOP /* Just to be a marker for the end */
 };
 
@@ -97,6 +98,7 @@ static struct option cmd_opts[] =
     {"gpg-signer-key",      1, NULL, GPG_SIGNER_KEY },
     {"gpg-home-dir",        1, NULL, GPG_HOME_DIR },
     {"gpg-agent",           0, NULL, GPG_AGENT },
+    {"gpg-no-signing-pw",   0, NULL, GPG_ALLOW_NO_SIGNING_PW },
     {"get-key",             1, NULL, 'G'},
     {"get-hmac-key",        1, NULL, GET_HMAC_KEY },
     {"help",                0, NULL, 'h'},
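Review bot: The getopt constant added at the top of this section is spelled `GPG_ALLOW_NO_SIGNING_PW`, while the long option it backs is `gpg-no-signing-pw` and the rc-file keyword and `FWKNOP_CLI_ARG_GPG_NO_SIGNING_PW` value added in config_init.c both use `GPG_NO_SIGNING_PW`; the commit title uses the enum spelling, so someone grepping an rc file for `GPG_ALLOW_NO_SIGNING_PW` will find nothing. Renaming the enum to `GPG_NO_SIGNING_PW` (and the matching `case` label in config_init.c) keeps the three spellings aligned the way `GPG_AGENT` / `gpg-agent` / `USE_GPG_AGENT` already are.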
index 2a347c6..9e06faa 100644 (file)
@@ -91,6 +91,7 @@ enum
     FWKNOP_CLI_ARG_ENCRYPTION_MODE,
     FWKNOP_CLI_ARG_USE_GPG,
     FWKNOP_CLI_ARG_USE_GPG_AGENT,
+    FWKNOP_CLI_ARG_GPG_NO_SIGNING_PW,
     FWKNOP_CLI_ARG_GPG_RECIPIENT,
     FWKNOP_CLI_ARG_GPG_SIGNER,
     FWKNOP_CLI_ARG_GPG_HOMEDIR,
@@ -101,6 +102,8 @@ enum
     FWKNOP_CLI_ARG_RAND_PORT,
     FWKNOP_CLI_ARG_KEY_RIJNDAEL,
     FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64,
+    FWKNOP_CLI_ARG_GPG_SIGNING_PW,
+    FWKNOP_CLI_ARG_GPG_SIGNING_PW_BASE64,
     FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE,
     FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
     FWKNOP_CLI_ARG_KEY_HMAC,
@@ -120,40 +123,43 @@ enum
 
 static fko_var_t fko_var_array[FWKNOP_CLI_LAST_ARG] =
 {
-    { "DIGEST_TYPE",        FWKNOP_CLI_ARG_DIGEST_TYPE          },
-    { "SPA_SERVER_PROTO",   FWKNOP_CLI_ARG_SPA_SERVER_PROTO     },
-    { "SPA_SERVER_PORT",    FWKNOP_CLI_ARG_SPA_SERVER_PORT      },
-    { "SPA_SOURCE_PORT",    FWKNOP_CLI_ARG_SPA_SOURCE_PORT      },
-    { "FW_TIMEOUT",         FWKNOP_CLI_ARG_FW_TIMEOUT           },
-    { "ALLOW_IP",           FWKNOP_CLI_ARG_ALLOW_IP             },
-    { "TIME_OFFSET",        FWKNOP_CLI_ARG_TIME_OFFSET          },
-    { "ENCRYPTION_MODE",    FWKNOP_CLI_ARG_ENCRYPTION_MODE      },
-    { "USE_GPG",            FWKNOP_CLI_ARG_USE_GPG              },
-    { "USE_GPG_AGENT",      FWKNOP_CLI_ARG_USE_GPG_AGENT        },
-    { "GPG_RECIPIENT",      FWKNOP_CLI_ARG_GPG_RECIPIENT        },
-    { "GPG_SIGNER",         FWKNOP_CLI_ARG_GPG_SIGNER           },
-    { "GPG_HOMEDIR",        FWKNOP_CLI_ARG_GPG_HOMEDIR          },
-    { "SPOOF_USER",         FWKNOP_CLI_ARG_SPOOF_USER           },
-    { "SPOOF_SOURCE_IP",    FWKNOP_CLI_ARG_SPOOF_SOURCE_IP      },
-    { "ACCESS",             FWKNOP_CLI_ARG_ACCESS               },
-    { "SPA_SERVER",         FWKNOP_CLI_ARG_SPA_SERVER           },
-    { "RAND_PORT",          FWKNOP_CLI_ARG_RAND_PORT            },
-    { "KEY",                FWKNOP_CLI_ARG_KEY_RIJNDAEL         },
-    { "KEY_BASE64",         FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64  },
-    { "HMAC_DIGEST_TYPE",   FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE     },
-    { "HMAC_KEY_BASE64",    FWKNOP_CLI_ARG_KEY_HMAC_BASE64      },
-    { "HMAC_KEY",           FWKNOP_CLI_ARG_KEY_HMAC             },
-    { "USE_HMAC",           FWKNOP_CLI_ARG_USE_HMAC             },
-    { "KEY_FILE",           FWKNOP_CLI_ARG_KEY_FILE             },
-    { "HMAC_KEY_FILE",      FWKNOP_CLI_ARG_HMAC_KEY_FILE        },
-    { "NAT_ACCESS",         FWKNOP_CLI_ARG_NAT_ACCESS           },
-    { "HTTP_USER_AGENT",    FWKNOP_CLI_ARG_HTTP_USER_AGENT      },
-    { "RESOLVE_URL",        FWKNOP_CLI_ARG_RESOLVE_URL          },
-    { "NAT_LOCAL",          FWKNOP_CLI_ARG_NAT_LOCAL            },
-    { "NAT_RAND_PORT",      FWKNOP_CLI_ARG_NAT_RAND_PORT        },
-    { "NAT_PORT",           FWKNOP_CLI_ARG_NAT_PORT             },
-    { "VERBOSE",            FWKNOP_CLI_ARG_VERBOSE              },
-    { "RESOLVE_IP_HTTP",    FWKNOP_CLI_ARG_RESOLVE_IP_HTTP      }
+    { "DIGEST_TYPE",           FWKNOP_CLI_ARG_DIGEST_TYPE           },
+    { "SPA_SERVER_PROTO",      FWKNOP_CLI_ARG_SPA_SERVER_PROTO      },
+    { "SPA_SERVER_PORT",       FWKNOP_CLI_ARG_SPA_SERVER_PORT       },
+    { "SPA_SOURCE_PORT",       FWKNOP_CLI_ARG_SPA_SOURCE_PORT       },
+    { "FW_TIMEOUT",            FWKNOP_CLI_ARG_FW_TIMEOUT            },
+    { "ALLOW_IP",              FWKNOP_CLI_ARG_ALLOW_IP              },
+    { "TIME_OFFSET",           FWKNOP_CLI_ARG_TIME_OFFSET           },
+    { "ENCRYPTION_MODE",       FWKNOP_CLI_ARG_ENCRYPTION_MODE       },
+    { "USE_GPG",               FWKNOP_CLI_ARG_USE_GPG               },
+    { "USE_GPG_AGENT",         FWKNOP_CLI_ARG_USE_GPG_AGENT         },
+    { "GPG_RECIPIENT",         FWKNOP_CLI_ARG_GPG_RECIPIENT         },
+    { "GPG_SIGNER",            FWKNOP_CLI_ARG_GPG_SIGNER            },
+    { "GPG_HOMEDIR",           FWKNOP_CLI_ARG_GPG_HOMEDIR           },
+    { "GPG_SIGNING_PW",        FWKNOP_CLI_ARG_GPG_SIGNING_PW        },
+    { "GPG_SIGNING_PW_BASE64", FWKNOP_CLI_ARG_GPG_SIGNING_PW_BASE64 },
+    { "GPG_NO_SIGNING_PW",     FWKNOP_CLI_ARG_GPG_NO_SIGNING_PW    },
+    { "SPOOF_USER",            FWKNOP_CLI_ARG_SPOOF_USER            },
+    { "SPOOF_SOURCE_IP",       FWKNOP_CLI_ARG_SPOOF_SOURCE_IP       },
+    { "ACCESS",                FWKNOP_CLI_ARG_ACCESS                },
+    { "SPA_SERVER",            FWKNOP_CLI_ARG_SPA_SERVER            },
+    { "RAND_PORT",             FWKNOP_CLI_ARG_RAND_PORT             },
+    { "KEY",                   FWKNOP_CLI_ARG_KEY_RIJNDAEL          },
+    { "KEY_BASE64",            FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64   },
+    { "HMAC_DIGEST_TYPE",      FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE      },
+    { "HMAC_KEY_BASE64",       FWKNOP_CLI_ARG_KEY_HMAC_BASE64       },
+    { "HMAC_KEY",              FWKNOP_CLI_ARG_KEY_HMAC              },
+    { "USE_HMAC",              FWKNOP_CLI_ARG_USE_HMAC              },
+    { "KEY_FILE",              FWKNOP_CLI_ARG_KEY_FILE              },
+    { "HMAC_KEY_FILE",         FWKNOP_CLI_ARG_HMAC_KEY_FILE         },
+    { "NAT_ACCESS",            FWKNOP_CLI_ARG_NAT_ACCESS            },
+    { "HTTP_USER_AGENT",       FWKNOP_CLI_ARG_HTTP_USER_AGENT       },
+    { "RESOLVE_URL",           FWKNOP_CLI_ARG_RESOLVE_URL           },
+    { "NAT_LOCAL",             FWKNOP_CLI_ARG_NAT_LOCAL             },
+    { "NAT_RAND_PORT",         FWKNOP_CLI_ARG_NAT_RAND_PORT         },
+    { "NAT_PORT",              FWKNOP_CLI_ARG_NAT_PORT              },
+    { "VERBOSE",               FWKNOP_CLI_ARG_VERBOSE               },
+    { "RESOLVE_IP_HTTP",       FWKNOP_CLI_ARG_RESOLVE_IP_HTTP       }
 };
 
 /* Array to define which conf. variables are critical and should not be
@@ -166,7 +172,9 @@ static int critical_var_array[] =
     FWKNOP_CLI_ARG_KEY_HMAC,
     FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
     FWKNOP_CLI_ARG_GPG_RECIPIENT,
-    FWKNOP_CLI_ARG_GPG_SIGNER
+    FWKNOP_CLI_ARG_GPG_SIGNER,
+    FWKNOP_CLI_ARG_GPG_SIGNING_PW,
+    FWKNOP_CLI_ARG_GPG_SIGNING_PW_BASE64
 };
 
 /**
@@ -925,6 +933,13 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
             options->use_gpg_agent = 1;
         else;
     }
+    /* No GPG signing passphrase ? */
+    else if (var->pos == FWKNOP_CLI_ARG_GPG_NO_SIGNING_PW)
+    {
+        if (is_yes_str(val))
+            options->gpg_no_signing_pw = 1;
+        else;
+    }
     /* GPG Recipient */
     else if (var->pos == FWKNOP_CLI_ARG_GPG_RECIPIENT)
     {
@@ -986,6 +1001,25 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
         strlcpy(options->key_base64, val, sizeof(options->key_base64));
         options->have_base64_key = 1;
     }
+    /* GnuPG signing passphrase */
+    else if (var->pos == FWKNOP_CLI_ARG_GPG_SIGNING_PW)
+    {
+        strlcpy(options->key, val, sizeof(options->key));
+        options->have_key = 1;
+    }
+    /* GnuPG signing passphrase (base-64 encoded) */
+    else if (var->pos == FWKNOP_CLI_ARG_GPG_SIGNING_PW_BASE64)
+    {
+        if (! is_base64((unsigned char *) val, strlen(val)))
+        {
+            log_msg(LOG_VERBOSITY_WARNING,
+                "GPG_SIGNING_KEY_BASE64 argument '%s' doesn't look like base64-encoded data.",
+                val);
+            parse_error = -1;
+        }
+        strlcpy(options->key_base64, val, sizeof(options->key_base64));
+        options->have_base64_key = 1;
+    }
     /* HMAC digest type */
     else if (var->pos == FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE)
     {
@@ -2044,6 +2078,12 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 add_var_to_bitmask(FWKNOP_CLI_ARG_USE_GPG, &var_bitmask);
                 add_var_to_bitmask(FWKNOP_CLI_ARG_USE_GPG_AGENT, &var_bitmask);
                 break;
+            case GPG_ALLOW_NO_SIGNING_PW:
+                options->use_gpg = 1;
+                options->gpg_no_signing_pw = 1;
+                add_var_to_bitmask(FWKNOP_CLI_ARG_USE_GPG, &var_bitmask);
+                add_var_to_bitmask(FWKNOP_CLI_ARG_GPG_NO_SIGNING_PW, &var_bitmask);
+                break;
             case NAT_LOCAL:
                 options->nat_local = 1;
                 add_var_to_bitmask(FWKNOP_CLI_ARG_NAT_LOCAL, &var_bitmask);
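Review bot: The warning emitted in the new `FWKNOP_CLI_ARG_GPG_SIGNING_PW_BASE64` branch of parse_rc_param names a keyword that does not exist: it reads `"GPG_SIGNING_KEY_BASE64 argument '%s' doesn't look like base64-encoded data."` while the keyword registered in fko_var_array is `GPG_SIGNING_PW_BASE64`, so a user with a malformed value is pointed at the wrong rc-file variable; change it to `"GPG_SIGNING_PW_BASE64 argument '%s' doesn't look like base64-encoded data."`. In the same hunk, `GPG_SIGNING_PW` and `GPG_SIGNING_PW_BASE64` copy into `options->key` / `options->key_base64` and set the same `have_key` / `have_base64_key` flags that `KEY` / `KEY_BASE64` use, so a stanza carrying both silently keeps whichever keyword was parsed last; a comment such as `/* shares options->key with KEY; the keyword parsed last wins */` at the branch, or a warning when `have_key` is already set, would make that visible. The two keywords are correctly added to critical_var_array so the passphrase is not written back to the rc file, which is worth a one-line comment there since nothing ties the three hunks together. parse_rc_param and config_init both begin and end outside the hunks shown.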
index 07a503d..716b572 100644 (file)
@@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\"      Date: 06/16/2013
+.\"      Date: 06/18/2013
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "06/16/2013" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "06/18/2013" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -658,6 +658,15 @@ Specify the GnuPG key ID, e\&.g\&. \(lq+ABCD1234+\(rq (see the output of "gpg \-
 \fBfwknopd\fR
 daemon on the remote server to authenticate who created the SPA message\&.
 .RE
+.PP
+\fB\-\-gpg\-no\-signing\-pw\fR
+.RS 4
+Instruct
+\fBfwknop\fR
+to not acquire a passphrase for usage of GnuPG signing key\&. This option is provided to make SPA packet construction easier for client\-side operations in automated environments where the passphrase for the signing key has been removed from the GnuPG key ring\&. However, it is usually better to leverage
+\fIgpg\-agent\fR
+instead of using this option\&.
+.RE
 .SH "FWKNOPRC FILE"
 .sp
 The \fI\&.fwknoprc\fR file is used to set various parameters to override default program parameters at runtime\&. It also allows for additional named configuration \fIstanzas\fR for setting program parameters for a particular invocation\&.
index 6585e42..8c21a14 100644 (file)
@@ -1085,14 +1085,6 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
     memset(key, 0x0, MAX_KEY_LEN+1);
     memset(hmac_key, 0x0, MAX_KEY_LEN+1);
 
-    /* First of all if we are using GPG and GPG_AGENT
-     * then there is no password to return.
-    */
-    if(options->use_gpg
-      && (options->use_gpg_agent
-           || (crypt_op == CRYPT_OP_ENCRYPT && options->gpg_signer_key[0] == '\0')))
-        return;
-
     if (options->have_key)
     {
         strlcpy(key, options->key, MAX_KEY_LEN+1);
@@ -1123,7 +1115,16 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
         }
         else if (options->use_gpg)
         {
-            if(crypt_op == CRYPT_OP_DECRYPT)
+            if(options->use_gpg_agent)
+                log_msg(LOG_VERBOSITY_NORMAL,
+                    "[+] GPG mode set, signing passphrase acquired via gpg-agent");
+            else if(options->gpg_no_signing_pw)
+                log_msg(LOG_VERBOSITY_NORMAL,
+                    "[+] GPG mode set, signing passphrase not required");
+            else if(crypt_op == CRYPT_OP_ENCRYPT)
+                log_msg(LOG_VERBOSITY_NORMAL,
+                    "[+] GPG mode set, encrypt instead of decrypt operation");
+            else if(crypt_op == CRYPT_OP_DECRYPT)
             {
                 key_tmp = getpasswd("Enter passphrase for secret key: ", options->input_fd);
                 if(key_tmp == NULL)
@@ -1149,11 +1150,11 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
         else
         {
             if(crypt_op == CRYPT_OP_ENCRYPT)
-                    key_tmp = getpasswd("Enter encryption key: ", options->input_fd);
+                key_tmp = getpasswd("Enter encryption key: ", options->input_fd);
             else if(crypt_op == CRYPT_OP_DECRYPT)
                 key_tmp = getpasswd("Enter decryption key: ", options->input_fd);
             else
-                    key_tmp = getpasswd("Enter key: ", options->input_fd);
+                key_tmp = getpasswd("Enter key: ", options->input_fd);
 
             if(key_tmp == NULL)
             {
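Review bot: The new `else if(crypt_op == CRYPT_OP_ENCRYPT)` arm in get_keys (the one logging "encrypt instead of decrypt operation") is reached whenever neither gpg-agent nor --gpg-no-signing-pw is set, regardless of whether a signer key is configured, whereas the removed early return only skipped passphrase acquisition when `options->gpg_signer_key[0] == '\0'`. If the code after the CRYPT_OP_DECRYPT block (outside this hunk; get_keys begins and ends outside it) is what prompted for the signing passphrase on encrypt, that prompt is now unreachable and a signed SPA packet would be attempted with the zeroed key. Carrying the old condition into the new arm restores it: `else if(crypt_op == CRYPT_OP_ENCRYPT && options->gpg_signer_key[0] == '\0')`. Separately, dropping the early return means `options->have_key` now supplies a key even in gpg-agent mode, which may be intended but is a behaviour change for rc files carrying KEY alongside USE_GPG_AGENT and deserves a comment above `if (options->have_key)`.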
index 779acb4..266243c 100644 (file)
@@ -151,6 +151,7 @@ typedef struct fko_cli_options
     unsigned char   test;
     unsigned char   use_gpg;
     unsigned char   use_gpg_agent;
+    unsigned char   gpg_no_signing_pw;
     int             time_offset_plus;
     int             time_offset_minus;
     int             fw_timeout;
index c28c2fb..2a0c040 100644 (file)
@@ -543,6 +543,12 @@ More comprehensive information on this can be found here:
     the *fwknopd* daemon on the remote server to authenticate who created
     the SPA message.
 
+*--gpg-no-signing-pw*::
+    Instruct *fwknop* to not acquire a passphrase for usage of GnuPG signing
+    key.  This option is provided to make SPA packet construction easier for
+    client-side operations in automated environments where the passphrase for
+    the signing key has been removed from the GnuPG key ring.  However, it is
+    usually better to leverage 'gpg-agent' instead of using this option.
 
 FWKNOPRC FILE
 -------------
index 5df129e..e763e83 100755 (executable)
@@ -445,6 +445,12 @@ our $default_client_gpg_args_no_get_key = "$default_client_args_no_get_key " .
     "--gpg-signer-key $gpg_client_key " .
     "--gpg-home-dir $gpg_client_home_dir";
 
+our $default_client_gpg_args_no_pw = "$default_client_args_no_get_key " .
+    "--gpg-no-signing-pw " .
+    "--gpg-recipient-key $gpg_server_key " .
+    "--gpg-signer-key $gpg_client_key " .
+    "--gpg-home-dir $gpg_client_home_dir_no_pw";
+
 our $default_server_conf_args = "-c $cf{'def'} -a $cf{'def_access'} " .
     "-d $default_digest_file -p $default_pid_file";
 
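Review bot: `$default_client_gpg_args_no_pw` is introduced here but only part of test/tests/gpg_no_pw.pl is switched to it; the tcp/23, tcp/9418, tcp/60001 and udp/53 cycle cases and the replay/altered-data cases still spell the option out by hand, and the tcp/60001 case in that file reads `--gpg-no-singing-pw`, which the client's option table does not know, so that test would exercise an argument-parsing failure rather than a no-passphrase SPA cycle. Building those cmdlines from this variable, or at least from one shared `"--gpg-no-signing-pw "` fragment, removes the duplication and the typo with it.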
index 282467e..3b30f66 100644 (file)
@@ -5,9 +5,8 @@
         'subcategory' => 'client+server',
         'detail'   => 'complete cycle (tcp/22 ssh)',
         'function' => \&spa_cycle,
-        'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
-        'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
+        'cmdline'  => $default_client_gpg_args_no_pw,
+        'fwknopd_cmdline' => $default_server_gpg_args_no_pw,
         'fw_rule_created' => $NEW_RULE_REQUIRED,
         'fw_rule_removed' => $NEW_RULE_REMOVED,
         'fatal'    => $NO
@@ -17,8 +16,7 @@
         'subcategory' => 'client+server',
         'detail'   => 'multi gpg-IDs (tcp/22 ssh)',
         'function' => \&spa_cycle,
-        'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+        'cmdline'  => $default_client_gpg_args_no_pw,
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir " .
             "$valgrind_str $fwknopdCmd -c $cf{'def'} " .
             "-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
         'subcategory' => 'client+server',
         'detail'   => 'iptables - no flush at init',
         'function' => \&iptables_no_flush_init_exit,
-        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
-            "--gpg-recipient-key $gpg_server_key " .
-            "--gpg-signer-key $gpg_client_key " .
-            "--gpg-home-dir $gpg_client_home_dir_no_pw",
+        'cmdline'  => $default_client_gpg_args_no_pw,
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir " .
             "$valgrind_str $fwknopdCmd -c $cf{'no_flush_init'} " .
             "-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
         'subcategory' => 'client+server',
         'detail'   => 'iptables - no flush at exit',
         'function' => \&iptables_no_flush_init_exit,
-        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
-            "--gpg-recipient-key $gpg_server_key " .
-            "--gpg-signer-key $gpg_client_key " .
-            "--gpg-home-dir $gpg_client_home_dir_no_pw",
+        'cmdline'  => $default_client_gpg_args_no_pw,
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir " .
             "$valgrind_str $fwknopdCmd -c $cf{'no_flush_exit'} " .
             "-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
         'subcategory' => 'client+server',
         'detail'   => 'iptables - no flush at init or exit',
         'function' => \&iptables_no_flush_init_exit,
-        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
-            "--gpg-recipient-key $gpg_server_key " .
-            "--gpg-signer-key $gpg_client_key " .
-            "--gpg-home-dir $gpg_client_home_dir_no_pw",
+        'cmdline'  => $default_client_gpg_args_no_pw,
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir " .
             "$valgrind_str $fwknopdCmd -c $cf{'no_flush_init_or_exit'} " .
             "-a $cf{'multi_gpg_no_pw_access'} $intf_str " .
@@ -92,8 +75,8 @@
         'detail'   => 'complete cycle (tcp/23 telnet)',
         'function' => \&spa_cycle,
         'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
+            "$fwknopCmd -A tcp/23 -a $fake_ip -D $loopback_ip " .
+            "--gpg-no-signing-pw --verbose --verbose " .
             "--gpg-recipient-key $gpg_server_key " .
             "--gpg-signer-key $gpg_client_key " .
             "--gpg-home-dir $gpg_client_home_dir_no_pw",
         'detail'   => 'complete cycle (tcp/9418 git)',
         'function' => \&spa_cycle,
         'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
+            "$fwknopCmd -A tcp/9418 -a $fake_ip -D $loopback_ip " .
+            "--gpg-no-signing-pw --verbose --verbose " .
             "--gpg-recipient-key $gpg_server_key " .
             "--gpg-signer-key $gpg_client_key " .
             "--gpg-home-dir $gpg_client_home_dir_no_pw",
         'detail'   => 'complete cycle (tcp/60001)',
         'function' => \&spa_cycle,
         'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
+            "$fwknopCmd -A tcp/60001 -a $fake_ip -D $loopback_ip " .
+            "--gpg-no-singing-pw --verbose --verbose " .
             "--gpg-recipient-key $gpg_server_key " .
             "--gpg-signer-key $gpg_client_key " .
             "--gpg-home-dir $gpg_client_home_dir_no_pw",
         'detail'   => 'complete cycle (udp/53 dns)',
         'function' => \&spa_cycle,
         'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
-            "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip --get-key " .
-            "$local_key_file --verbose --verbose " .
+            "$fwknopCmd -A udp/53 -a $fake_ip -D $loopback_ip " .
+            "--gpg-no-signing-pw --verbose --verbose " .
             "--gpg-recipient-key $gpg_server_key " .
             "--gpg-signer-key $gpg_client_key " .
             "--gpg-home-dir $gpg_client_home_dir_no_pw",
         'detail'   => 'replay attack detection',
         'function' => \&replay_detection,
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'server_positive_output_matches' => [qr/Replay\sdetected\sfrom\ssource\sIP/],
         'fatal'    => $NO
         'function' => \&replay_detection,
         'pkt_prefix' => 'U2FsdGVkX1',
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
             "$fwknopdCmd $default_server_conf_args $intf_str",
         'server_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
         'function' => \&replay_detection,
         'pkt_prefix' => 'hQ',
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
             "$fwknopdCmd $default_server_conf_args $intf_str",
         'server_positive_output_matches' => [qr/Data\sis\snot\sa\svalid\sSPA\smessage\sformat/],
         'detail'   => 'non-base64 altered SPA data',
         'function' => \&altered_non_base64_spa_data,
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'fatal'    => $NO
     },
         'detail'   => 'base64 altered SPA data',
         'function' => \&altered_base64_spa_data,
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'fatal'    => $NO
     },
         'detail'   => 'appended data to SPA pkt',
         'function' => \&appended_spa_data,
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'fatal'    => $NO
     },
         'detail'   => 'prepended data to SPA pkt',
         'function' => \&prepended_spa_data,
         'cmdline'  => "$default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'fatal'    => $NO
     },
         'detail'   => 'spoof username (tcp/22 ssh)',
         'function' => \&spa_cycle,
         'cmdline'  => "SPOOF_USER=$spoof_user $default_client_gpg_args_no_homedir "
-            . "--gpg-home-dir $gpg_client_home_dir_no_pw",
+            . "--gpg-home-dir $gpg_client_home_dir_no_pw --gpg-no-signing-pw",
         'fwknopd_cmdline'  => $default_server_gpg_args_no_pw,
         'positive_output_matches' => [qr/Username:\s*$spoof_user/],
         'server_positive_output_matches' => [qr/Username:\s*$spoof_user/],