author Matthew James Goins <mjgoins@openflows.com> 2010-03-14 17:40:46 -0400
committer Matthew James Goins <mjgoins@openflows.com> 2010-03-14 17:40:46 -0400
commit dd71f5ec4a69c58f894f4f6961ca3786a192bc62
tree 1e5bb5331837afcf9f77187daaaebf15c93606d7
parent 970c7500631f46b5aa6279bf607c7d11ede7549e
parent 3d46f5954da2bc9a2dd8d2ce35713136149c2983
Merge remote branch 'dkg/master'
-rw-r--r-- changelog 2
-rw-r--r-- doc/george/changelog 5
-rw-r--r-- doc/zimmermann/changelog 26
-rw-r--r-- etc/monkeysphere.conf 13
-rw-r--r-- man/man1/monkeysphere.1 2
-rw-r--r-- man/man7/monkeysphere.7 7
-rw-r--r-- man/man8/monkeysphere-authentication.8 7
-rw-r--r-- man/man8/monkeysphere-host.8 2
-rw-r--r-- packaging/debian/70monkeysphere_use-validation-agent 38
-rw-r--r-- packaging/debian/changelog 5
-rw-r--r-- packaging/debian/control 1
-rw-r--r-- packaging/debian/monkeysphere.dirs 2
-rw-r--r-- packaging/debian/monkeysphere.install 1
-rwxr-xr-x src/monkeysphere 3
-rwxr-xr-x src/monkeysphere-host 12
-rw-r--r-- src/share/common 4
-rw-r--r-- src/share/ma/list_certifiers 2
-rw-r--r-- src/share/ma/setup 1
-rw-r--r-- website/validation-agent.mdwn 32
-rw-r--r-- website/validation-agent/protocol.mdwn 24
20 files changed, 167 insertions, 22 deletions
diff --git a/changelog b/changelog
index cba8b4e..e29cbaf 100644
--- a/changelog
+++ b/changelog
@@ -3,6 +3,8 @@ monkeysphere (0.29~pre1) UNRELEASED; urgency=low
* Fix man page typo about monkeysphere authorized_keys location
* Monkeysphere should work properly even if the user has "armor" in
their gpg.conf (closes MS #1625)
+ * monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER
+ environment variable (and defaults to true)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:38:43 -0500
diff --git a/doc/george/changelog b/doc/george/changelog
index d15814c..ffb7cb0 100644
--- a/doc/george/changelog
+++ b/doc/george/changelog
@@ -6,6 +6,11 @@
* Please add new entries in reverse chronological order whenever you make *
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2010-03-09 - micah
+ * setup /srv/micah.monkeysphere.info
+ * replaced /etc/mathopd.conf virtual for daniel with one for me
+ * removed /srv/daniel.monkeysphere.info - not used
+
2010-03-08 - mjgoins
* Adding self to webmaster's authorized_user_ids
* updating ikiwiki to use the version from lenny backports
diff --git a/doc/zimmermann/changelog b/doc/zimmermann/changelog
index 8dedf58..f3e8171 100644
--- a/doc/zimmermann/changelog
+++ b/doc/zimmermann/changelog
@@ -7,10 +7,32 @@
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2010-03-10 - micah
+ * Updated /etc/monkeysphere/*.conf to use zimmermann
+ for the keyserver
+
+2010-03-09 - dkg
+ * transferred the https://z.m.o key from /root/.gnupg into the
+ monkeysphere-host keyring with:
+
+ gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import
+
+ * used undocumented "monkeysphere-host update-pgp-pub-file" to
+ refresh the output of m-h s.
+
+2010-02-19 - dkg
+ * upgraded to monkeysphere 0.28-1~bpo50+1 (includes gnupg from
+ backports.org)
+
+2010-02-?? - dkg
+ * manually created an OpenPGP certificate for zimmermann's https
+ RSA key, stored in /root/.gnupg; published it to the keyserver
+ network, certified it myself.
+
2008-11-29 - dkg
* zimmermann now uses an X.509 certificate signed by the MF/PL CA
for its HTTPS connection.
-
+
2008-11-19 - dkg
* added 10 SKS peers as a result of feedback from sks-devel.
* set localtime to America/New_York via dpkg-reconfigure tzdata
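Review bot: the 2010-03-09 entry records "gpg --export-secret-keys" with no key ID, so as written it copies every secret key in /root/.gnupg into the monkeysphere-host keyring, not only the https://z.m.o key; name the key's fingerprint in the recorded command so the step can be replayed safely, and say whether the copy in /root/.gnupg was removed afterwards. The same entry relies on a subcommand it calls undocumented ("monkeysphere-host update-pgp-pub-file"), which deserves a line in monkeysphere-host(8), and the "2010-02-??" entry should carry a real date if one can be recovered.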
@@ -20,7 +42,7 @@
* made nginx proxy plain ol' HTTP on port 80 also so that SKS does
not need to try to listen on a privileged port.
* turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf
-
+
2008-11-19 - mlc
* aptitude install nginx
* get rid of /etc/nginx/sites-enabled/default
diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf
index 53adf83..ce6e82a 100644
--- a/etc/monkeysphere.conf
+++ b/etc/monkeysphere.conf
@@ -21,10 +21,11 @@
# Set whether or not to check keyservers at every monkeysphere
# interaction, including all ssh connections if you use the
-# monkeysphere ssh-proxycommand.
-# NOTE: setting CHECK_KEYSERVER to true will leak information about
-# the timing and frequency of your ssh connections to the maintainer
-# of the keyserver.
+# monkeysphere ssh-proxycommand. Leave unset for default behavior
+# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
+# NOTE: setting CHECK_KEYSERVER explicitly to true will leak
+# information about the timing and frequency of your ssh connections
+# to the maintainer of the keyserver.
#CHECK_KEYSERVER=true
# The path to the SSH known_hosts file.
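Review bot: the rewritten comment tells the reader to leave CHECK_KEYSERVER unset for the default behavior, but the commented-out sample directly under it is still "#CHECK_KEYSERVER=true", the exact value the NOTE warns will leak connection timing to the keyserver maintainer. Someone who simply uncomments the sample gets the leaking setting; either describe the unset default in the comment itself rather than only pointing at monkeysphere(1), or make the sample line a value that does not contradict the NOTE.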
@@ -36,3 +37,7 @@
# The path to the SSH authorized_keys file.
#AUTHORIZED_KEYS=~/.ssh/authorized_keys
+
+# Set to true to enable validation agent during X session startup
+# where available.
+#USE_VALIDATION_AGENT=false
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 6abd36c..4d8eab6 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -201,7 +201,7 @@ added to the given user's authorized_keys file.
.SH AUTHOR
Written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7
index e4c2bf0..4d1deca 100644
--- a/man/man7/monkeysphere.7
+++ b/man/man7/monkeysphere.7
@@ -1,9 +1,8 @@
-.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks"
+.TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks"
.SH NAME
-monkeysphere - ssh authentication framework using OpenPGP Web of
-Trust
+monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust
.SH DESCRIPTION
@@ -75,7 +74,7 @@ https://host.example.com[:port]
.SH AUTHOR
Written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8
index b2dfbdf..ea9debd 100644
--- a/man/man8/monkeysphere-authentication.8
+++ b/man/man8/monkeysphere-authentication.8
@@ -177,6 +177,11 @@ false may expose users to abuse by other users on the system. (true)
/etc/monkeysphere/monkeysphere\-authentication.conf
System monkeysphere-authentication config file.
.TP
+/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt
+If monkeysphere-authentication is configured to query an hkps
+keyserver, it will use X.509 Certificate Authority certificates in
+this file to validate any X.509 certificates used by the keyserver.
+.TP
/var/lib/monkeysphere/authorized_keys/USER
Monkeysphere-generated user authorized_keys files.
.TP
@@ -189,7 +194,7 @@ added to the given user's authorized_keys file.
.SH AUTHOR
This man page was written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 4735940..00ea777 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -226,7 +226,7 @@ of all imported secret keys (this is the host's GNUPGHOME directory).
.SH AUTHOR
This man page was written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent
new file mode 100644
index 0000000..c3135a8
--- /dev/null
+++ b/packaging/debian/70monkeysphere_use-validation-agent
@@ -0,0 +1,38 @@
+# /etc/X11/Xsession.d/70monkeysphere_use-validation-agent
+
+# This is a script to be sourced by Xsession. It wraps the session
+# startup argument with a monkeysphere-validation-agent nested
+# process, if available and none already exist.
+
+# Enable this system-wide by setting
+# MONKEYSPHERE_USE_VALIDATION_AGENT=true in
+# /etc/monkeysphere/monkeysphere.conf
+
+# Note that there is some weird interaction between this and
+# dbus-session at the moment: dbus-launch can start the msva just
+# fine, but if msva tries to start dbus-launch, dbus-launch fails
+# with:
+
+# Failed to waitpid() for babysitter intermediate process: No child processes
+
+# So this is placed at position 70 -- *before* the dbus Xsession
+# startup script, which is at 75 as of 2010-03-12, when i wrote this.
+
+# this is also good, because it means that the MSVA will learn about
+# the dbus session parameters, in case we want the agent to use dbus
+# to communicate with the user.
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+MSVAGENT=/usr/bin/monkeysphere-validation-agent
+MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf
+MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf"
+
+if [ -x "$MSVAGENT" ] ; then
+ if [ "$(USE_VALIDATION_AGENT=
+. "$MSSYSCONFIG" 2>/dev/null
+. "$MSUSERCONFIG" 2>/dev/null || :
+printf '%s' "$USE_VALIDATION_AGENT")" = "true" ] ; then
+ STARTUP="$MSVAGENT $STARTUP"
+ fi
+fi
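Review bot: the header comment tells administrators to set MONKEYSPHERE_USE_VALIDATION_AGENT=true in /etc/monkeysphere/monkeysphere.conf, but the test at the bottom reads USE_VALIDATION_AGENT (the name etc/monkeysphere.conf uses in this same patch), so following the comment literally leaves the agent off; the comment should use the name the code reads. Inside the command substitution, the line sourcing "$MSSYSCONFIG" has no "|| :" while the user-config line does, and in a POSIX sh a failed "." can end the subshell before the user config is read; guarding each source with a "[ -r ... ] &&" test would treat both files the same. Both files are executed as shell at every X session start, which is worth stating in the header comment next to the enable instructions.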
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 10429fe..d971ee6 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -6,8 +6,11 @@ monkeysphere (0.29~pre1-1) UNRELEASED; urgency=low
[ Daniel Kahn Gillmor ]
* bumped Standards-Version to 3.8.4 (no changes needed)
* indicated bash dependency on version 3.2 or later (see MS #1687)
+ * including /etc/Xsession.d/70monkeysphere_use_validation_agent so that
+ administrators and users can choose to start up a validation agent for
+ each X session using monkeysphere.conf
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:40:56 -0500
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Mar 2010 01:57:39 -0500
monkeysphere (0.28-1) unstable; urgency=low
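Review bot: the new entry names /etc/Xsession.d/70monkeysphere_use_validation_agent, but monkeysphere.install in this same patch ships debian/70monkeysphere_use-validation-agent into etc/X11/Xsession.d; both the directory and the underscore/hyphen spelling in the changelog entry should match the path that is actually installed.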
diff --git a/packaging/debian/control b/packaging/debian/control
index 9a32642..6cd0143 100644
--- a/packaging/debian/control
+++ b/packaging/debian/control
@@ -28,6 +28,7 @@ Depends: openssh-client,
adduser,
${misc:Depends}
Recommends: netcat | socat, ssh-askpass, cron
+Suggests: monkeysphere-validation-agent
Enhances: openssh-client, openssh-server
Description: leverage the OpenPGP web of trust for SSH and TLS authentication
SSH key-based authentication is tried-and-true, but it lacks a true
diff --git a/packaging/debian/monkeysphere.dirs b/packaging/debian/monkeysphere.dirs
index e07fb2c..3e39efe 100644
--- a/packaging/debian/monkeysphere.dirs
+++ b/packaging/debian/monkeysphere.dirs
@@ -8,3 +8,5 @@ usr/share/man/man1
usr/share/man/man7
usr/share/man/man8
etc/monkeysphere
+etc/X11
+etc/X11/Xsession.d
diff --git a/packaging/debian/monkeysphere.install b/packaging/debian/monkeysphere.install
new file mode 100644
index 0000000..63a2dd7
--- /dev/null
+++ b/packaging/debian/monkeysphere.install
@@ -0,0 +1 @@
+debian/70monkeysphere_use-validation-agent etc/X11/Xsession.d
diff --git a/src/monkeysphere b/src/monkeysphere
index e268058..a763151 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -3,7 +3,7 @@
# monkeysphere: Monkeysphere client tool
#
# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
@@ -276,6 +276,7 @@ case $COMMAND in
;;
'keys-for-userid'|'u')
+ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
keys_for_userid "$@"
;;
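Review bot: on the added CHECK_KEYSERVER line both expansions use ":=", so besides setting CHECK_KEYSERVER the line also assigns MONKEYSPHERE_CHECK_KEYSERVER as a side effect; ":-" yields the same value without writing to the environment variable. The value is also passed on unchecked, so anything other than true or false is accepted silently. Because keys-for-userid now defaults to true, it contacts the keyserver unless told otherwise, which is the behavior the NOTE in etc/monkeysphere.conf warns about; the keys-for-userid description in monkeysphere(1) should state that default.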
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 12e7bad..a5db8c1 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -74,7 +74,7 @@ EOF
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trustdb --no-greeting --quiet --no-tty "$@"
}
# list the info about the a key, in colon format, to stdout
@@ -239,7 +239,7 @@ prompt_userid_exists() {
if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then
fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10)
if [ "$PROMPT" != "false" ] ; then
- printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2
+ printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$userID" "$fingerprint" >&2
read OK; OK=${OK:=N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "Service name not added."
@@ -268,7 +268,7 @@ multi_key() {
for key in $keys ; do
if (( i++ > 0 )) ; then
- echo "##############################"
+ printf "\n"
fi
"$cmd" "$key"
done
@@ -309,8 +309,9 @@ show_key() {
# FIXME: make no-show-keyring work so we don't have to do the grep'ing
# FIXME: can we show uid validity somehow?
gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \
- | grep -v "^${GNUPGHOME}/pubring.gpg$" \
- | egrep -v '^-+$'
+ | grep -v "^${GNUPGHOME}/pubring.gpg$" \
+ | egrep -v '^-+$' \
+ | grep -v '^$'
# list revokers, if there are any
revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \
@@ -320,7 +321,6 @@ show_key() {
for key in $revokers ; do
echo "revoker: $key"
done
- echo
fi
# list the pgp fingerprint
diff --git a/src/share/common b/src/share/common
index 37f5305..cabc378 100644
--- a/src/share/common
+++ b/src/share/common
@@ -581,6 +581,10 @@ gpg_fetch_userid() {
--search ="$userID" &>/dev/null
returnCode="$?"
+ if [ "$returnCode" != 0 ] ; then
+ log error "Failure ($returnCode) searching keyserver $KEYSERVER for user id '$userID'"
+ fi
+
return "$returnCode"
}
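Review bot: the new log line can only report the exit code, because the search just above it still runs with "&>/dev/null" and discards whatever gpg printed about the failure. Capturing stderr from the search and including it in the "Failure ($returnCode) searching keyserver" message would tell the operator whether the cause was the network, the keyserver or, with the hkps anchors file introduced elsewhere in this patch, certificate validation.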
diff --git a/src/share/ma/list_certifiers b/src/share/ma/list_certifiers
index 38a3222..789eb9d 100644
--- a/src/share/ma/list_certifiers
+++ b/src/share/ma/list_certifiers
@@ -4,7 +4,7 @@
# Monkeysphere authentication list-certifiers subcommand
#
# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
diff --git a/src/share/ma/setup b/src/share/ma/setup
index 6c75fef..f965487 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -43,6 +43,7 @@ EOF
# Edits will be overwritten.
no-greeting
list-options show-uid-validity
+keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt
EOF
# make sure the monkeysphere user owns everything in the sphere
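Review bot: the added keyserver-options line is written into the generated gpg.conf unconditionally, and none of the 20 files in this patch installs or creates monkeysphere-authentication-x509-anchors.crt. Either emit the ca-cert-file option only when the file exists, or document in monkeysphere-authentication(8), next to the new file entry, what happens to keyserver queries when it is absent.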
diff --git a/website/validation-agent.mdwn b/website/validation-agent.mdwn
new file mode 100644
index 0000000..d95e7d4
--- /dev/null
+++ b/website/validation-agent.mdwn
@@ -0,0 +1,32 @@
+[[!meta title="Monkeysphere Validation Agent"]]
+
+# Monkeysphere Validation Agent #
+
+The Monkeysphere Validation Agent offers a local service for systems
+to validate certificates (both X.509 and OpenPGP) and other public
+keys in their proper contexts.
+
+Among other reasons, having a validation agent is a good thing
+because:
+
+* Multiple tools can rely on the same PKI (e.g. the user's web browser
+ and the user's ssh client).
+* A single validation agent can present a consistent UI to the user
+ (when used in an end-user context), or provide a unified trust model
+ to various services (when used in a server-side context).
+* Authentication/certificate validation code can potentially be
+ isolated to a protected environment.
+
+## Implementations ##
+
+There are currently two implementations of the validation agent:
+
+ * msva-perl
+ * msva-ruby
+
+## Protocol ##
+
+The Monkeysphere Validation Agent protocol (MSVA) is defined as a
+minimal HTTP server with JSON-encapsulated requests and responses.
+You may want to read [more protocol details](protocol).
+
diff --git a/website/validation-agent/protocol.mdwn b/website/validation-agent/protocol.mdwn
new file mode 100644
index 0000000..4e6811a
--- /dev/null
+++ b/website/validation-agent/protocol.mdwn
@@ -0,0 +1,24 @@
+[[!meta title="Validation Agent Protocol"]]
+
+# Validation Agent Protocol #
+
+In its current form, the
+[Monkeysphere Validation Agent](/validation-agent) is conceived of as
+a minimalistic HTTP server that accepts two different requests:
+
+ GET / -- initial contact query, protocol version compatibility.
+ (no query parameters)
+ (returns: protoversion, server, available)
+
+ POST /reviewcert -- request validation of a certificate
+ (query parameters: uid, context, pkc)
+ (returns: valid, message)
+
+Query parameters are posted as a JSON blob (*not* as
+www-form-encoded).
+
+The variables that are returned are application/json as well.
+
+* PKC means: public key carrier: raw key, OpenPGP cert, or X.509 cert
+* UID means: User ID (like in OpenPGP)
+* context refers to the setting in which the certificate is offered. For example, "https" means: "this certificate was offered by an HTTPS server"
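Review bot: the page lists the parameters and return values of the two requests but omits what a client needs in order to interoperate: the JSON types of protoversion, server, available, valid and message, how pkc is encoded for each carrier type (raw key, OpenPGP cert, X.509 cert), and where the agent listens and how a client locates it. The reply to POST /reviewcert is a trust decision and the overview page calls the agent a local service, so the protocol page should also say how access is restricted to local clients and what a client must do when the agent is unreachable or returns something it cannot parse.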