diff options
author | Matthew James Goins <mjgoins@openflows.com> | 2010-03-14 17:40:46 -0400 |
---|---|---|
committer | Matthew James Goins <mjgoins@openflows.com> | 2010-03-14 17:40:46 -0400 |
commit | dd71f5ec4a69c58f894f4f6961ca3786a192bc62 (patch) | |
tree | 1e5bb5331837afcf9f77187daaaebf15c93606d7 | |
parent | 970c7500631f46b5aa6279bf607c7d11ede7549e (diff) | |
parent | 3d46f5954da2bc9a2dd8d2ce35713136149c2983 (diff) |
Merge remote branch 'dkg/master'
-rw-r--r-- | changelog | 2 | ||||
-rw-r--r-- | doc/george/changelog | 5 | ||||
-rw-r--r-- | doc/zimmermann/changelog | 26 | ||||
-rw-r--r-- | etc/monkeysphere.conf | 13 | ||||
-rw-r--r-- | man/man1/monkeysphere.1 | 2 | ||||
-rw-r--r-- | man/man7/monkeysphere.7 | 7 | ||||
-rw-r--r-- | man/man8/monkeysphere-authentication.8 | 7 | ||||
-rw-r--r-- | man/man8/monkeysphere-host.8 | 2 | ||||
-rw-r--r-- | packaging/debian/70monkeysphere_use-validation-agent | 38 | ||||
-rw-r--r-- | packaging/debian/changelog | 5 | ||||
-rw-r--r-- | packaging/debian/control | 1 | ||||
-rw-r--r-- | packaging/debian/monkeysphere.dirs | 2 | ||||
-rw-r--r-- | packaging/debian/monkeysphere.install | 1 | ||||
-rwxr-xr-x | src/monkeysphere | 3 | ||||
-rwxr-xr-x | src/monkeysphere-host | 12 | ||||
-rw-r--r-- | src/share/common | 4 | ||||
-rw-r--r-- | src/share/ma/list_certifiers | 2 | ||||
-rw-r--r-- | src/share/ma/setup | 1 | ||||
-rw-r--r-- | website/validation-agent.mdwn | 32 | ||||
-rw-r--r-- | website/validation-agent/protocol.mdwn | 24 |
20 files changed, 167 insertions, 22 deletions
@@ -3,6 +3,8 @@ monkeysphere (0.29~pre1) UNRELEASED; urgency=low * Fix man page typo about monkeysphere authorized_keys location * Monkeysphere should work properly even if the user has "armor" in their gpg.conf (closes MS #1625) + * monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER + environment variable (and defaults to true) -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:38:43 -0500 diff --git a/doc/george/changelog b/doc/george/changelog index d15814c..ffb7cb0 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -6,6 +6,11 @@ * Please add new entries in reverse chronological order whenever you make * * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2010-03-09 - micah + * setup /srv/micah.monkeysphere.info + * replaced /etc/mathopd.conf virtual for daniel with one for me + * removed /srv/daniel.monkeysphere.info - not used + 2010-03-08 - mjgoins * Adding self to webmaster's authorized_user_ids * updating ikiwiki to use the version from lenny backports diff --git a/doc/zimmermann/changelog b/doc/zimmermann/changelog index 8dedf58..f3e8171 100644 --- a/doc/zimmermann/changelog +++ b/doc/zimmermann/changelog @@ -7,10 +7,32 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2010-03-10 - micah + * Updated /etc/monkeysphere/*.conf to use zimmermann + for the keyserver + +2010-03-09 - dkg + * transferred the https://z.m.o key from /root/.gnupg into the + monkeysphere-host keyring with: + + gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import + + * used undocumented "monkeysphere-host update-pgp-pub-file" to + refresh the output of m-h s. + +2010-02-19 - dkg + * upgraded to monkeysphere 0.28-1~bpo50+1 (includes gnupg from + backports.org) + +2010-02-?? - dkg + * manually created an OpenPGP certificate for zimmermann's https + RSA key, stored in /root/.gnupg; published it to the keyserver + network, certified it myself. + 2008-11-29 - dkg * zimmermann now uses an X.509 certificate signed by the MF/PL CA for its HTTPS connection. - + 2008-11-19 - dkg * added 10 SKS peers as a result of feedback from sks-devel. * set localtime to America/New_York via dpkg-reconfigure tzdata @@ -20,7 +42,7 @@ * made nginx proxy plain ol' HTTP on port 80 also so that SKS does not need to try to listen on a privileged port. * turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf - + 2008-11-19 - mlc * aptitude install nginx * get rid of /etc/nginx/sites-enabled/default diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 53adf83..ce6e82a 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -21,10 +21,11 @@ # Set whether or not to check keyservers at every monkeysphere # interaction, including all ssh connections if you use the -# monkeysphere ssh-proxycommand. -# NOTE: setting CHECK_KEYSERVER to true will leak information about -# the timing and frequency of your ssh connections to the maintainer -# of the keyserver. +# monkeysphere ssh-proxycommand. Leave unset for default behavior +# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false. +# NOTE: setting CHECK_KEYSERVER explicitly to true will leak +# information about the timing and frequency of your ssh connections +# to the maintainer of the keyserver. #CHECK_KEYSERVER=true # The path to the SSH known_hosts file. @@ -36,3 +37,7 @@ # The path to the SSH authorized_keys file. #AUTHORIZED_KEYS=~/.ssh/authorized_keys + +# Set to true to enable validation agent during X session startup +# where available. +#USE_VALIDATION_AGENT=false diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 6abd36c..4d8eab6 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -201,7 +201,7 @@ added to the given user's authorized_keys file. .SH AUTHOR Written by: -Jameson Rollins <jrollins@fifthhorseman.net>, +Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net> .SH SEE ALSO diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index e4c2bf0..4d1deca 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -1,9 +1,8 @@ -.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks" +.TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks" .SH NAME -monkeysphere - ssh authentication framework using OpenPGP Web of -Trust +monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust .SH DESCRIPTION @@ -75,7 +74,7 @@ https://host.example.com[:port] .SH AUTHOR Written by: -Jameson Rollins <jrollins@fifthhorseman.net>, +Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net> .SH SEE ALSO diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index b2dfbdf..ea9debd 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -177,6 +177,11 @@ false may expose users to abuse by other users on the system. (true) /etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP +/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt +If monkeysphere-authentication is configured to query an hkps +keyserver, it will use X.509 Certificate Authority certificates in +this file to validate any X.509 certificates used by the keyserver. +.TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .TP @@ -189,7 +194,7 @@ added to the given user's authorized_keys file. .SH AUTHOR This man page was written by: -Jameson Rollins <jrollins@fifthhorseman.net>, +Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com> diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 4735940..00ea777 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -226,7 +226,7 @@ of all imported secret keys (this is the host's GNUPGHOME directory). .SH AUTHOR This man page was written by: -Jameson Rollins <jrollins@fifthhorseman.net>, +Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com> diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent new file mode 100644 index 0000000..c3135a8 --- /dev/null +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -0,0 +1,38 @@ +# /etc/X11/Xsession.d/70monkeysphere_use-validation-agent + +# This is a script to be sourced by Xsession. It wraps the session +# startup argument with a monkeysphere-validation-agent nested +# process, if available and none already exist. + +# Enable this system-wide by setting +# MONKEYSPHERE_USE_VALIDATION_AGENT=true in +# /etc/monkeysphere/monkeysphere.conf + +# Note that there is some weird interaction between this and +# dbus-session at the moment: dbus-launch can start the msva just +# fine, but if msva tries to start dbus-launch, dbus-launch fails +# with: + +# Failed to waitpid() for babysitter intermediate process: No child processes + +# So this is placed at position 70 -- *before* the dbus Xsession +# startup script, which is at 75 as of 2010-03-12, when i wrote this. + +# this is also good, because it means that the MSVA will learn about +# the dbus session parameters, in case we want the agent to use dbus +# to communicate with the user. + +# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> + +MSVAGENT=/usr/bin/monkeysphere-validation-agent +MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf +MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" + +if [ -x "$MSVAGENT" ] ; then + if [ "$(USE_VALIDATION_AGENT= +. "$MSSYSCONFIG" 2>/dev/null +. "$MSUSERCONFIG" 2>/dev/null || : +printf '%s' "$USE_VALIDATION_AGENT")" = "true" ] ; then + STARTUP="$MSVAGENT $STARTUP" + fi +fi diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 10429fe..d971ee6 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -6,8 +6,11 @@ monkeysphere (0.29~pre1-1) UNRELEASED; urgency=low [ Daniel Kahn Gillmor ] * bumped Standards-Version to 3.8.4 (no changes needed) * indicated bash dependency on version 3.2 or later (see MS #1687) + * including /etc/Xsession.d/70monkeysphere_use_validation_agent so that + administrators and users can choose to start up a validation agent for + each X session using monkeysphere.conf - -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:40:56 -0500 + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Mar 2010 01:57:39 -0500 monkeysphere (0.28-1) unstable; urgency=low diff --git a/packaging/debian/control b/packaging/debian/control index 9a32642..6cd0143 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -28,6 +28,7 @@ Depends: openssh-client, adduser, ${misc:Depends} Recommends: netcat | socat, ssh-askpass, cron +Suggests: monkeysphere-validation-agent Enhances: openssh-client, openssh-server Description: leverage the OpenPGP web of trust for SSH and TLS authentication SSH key-based authentication is tried-and-true, but it lacks a true diff --git a/packaging/debian/monkeysphere.dirs b/packaging/debian/monkeysphere.dirs index e07fb2c..3e39efe 100644 --- a/packaging/debian/monkeysphere.dirs +++ b/packaging/debian/monkeysphere.dirs @@ -8,3 +8,5 @@ usr/share/man/man1 usr/share/man/man7 usr/share/man/man8 etc/monkeysphere +etc/X11 +etc/X11/Xsession.d diff --git a/packaging/debian/monkeysphere.install b/packaging/debian/monkeysphere.install new file mode 100644 index 0000000..63a2dd7 --- /dev/null +++ b/packaging/debian/monkeysphere.install @@ -0,0 +1 @@ +debian/70monkeysphere_use-validation-agent etc/X11/Xsession.d diff --git a/src/monkeysphere b/src/monkeysphere index e268058..a763151 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -3,7 +3,7 @@ # monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: -# Jameson Rollins <jrollins@fifthhorseman.net> +# Jameson Rollins <jrollins@finestructure.net> # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # Micah Anderson <micah@riseup.net> @@ -276,6 +276,7 @@ case $COMMAND in ;; 'keys-for-userid'|'u') + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} keys_for_userid "$@" ;; diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 12e7bad..a5db8c1 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -74,7 +74,7 @@ EOF # function to interact with the gpg keyring gpg_host() { - GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@" + GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trustdb --no-greeting --quiet --no-tty "$@" } # list the info about the a key, in colon format, to stdout @@ -239,7 +239,7 @@ prompt_userid_exists() { if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10) if [ "$PROMPT" != "false" ] ; then - printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2 + printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$userID" "$fingerprint" >&2 read OK; OK=${OK:=N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Service name not added." @@ -268,7 +268,7 @@ multi_key() { for key in $keys ; do if (( i++ > 0 )) ; then - echo "##############################" + printf "\n" fi "$cmd" "$key" done @@ -309,8 +309,9 @@ show_key() { # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ - | grep -v "^${GNUPGHOME}/pubring.gpg$" \ - | egrep -v '^-+$' + | grep -v "^${GNUPGHOME}/pubring.gpg$" \ + | egrep -v '^-+$' \ + | grep -v '^$' # list revokers, if there are any revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ @@ -320,7 +321,6 @@ show_key() { for key in $revokers ; do echo "revoker: $key" done - echo fi # list the pgp fingerprint diff --git a/src/share/common b/src/share/common index 37f5305..cabc378 100644 --- a/src/share/common +++ b/src/share/common @@ -581,6 +581,10 @@ gpg_fetch_userid() { --search ="$userID" &>/dev/null returnCode="$?" + if [ "$returnCode" != 0 ] ; then + log error "Failure ($returnCode) searching keyserver $KEYSERVER for user id '$userID'" + fi + return "$returnCode" } diff --git a/src/share/ma/list_certifiers b/src/share/ma/list_certifiers index 38a3222..789eb9d 100644 --- a/src/share/ma/list_certifiers +++ b/src/share/ma/list_certifiers @@ -4,7 +4,7 @@ # Monkeysphere authentication list-certifiers subcommand # # The monkeysphere scripts are written by: -# Jameson Rollins <jrollins@fifthhorseman.net> +# Jameson Rollins <jrollins@finestructure.net> # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # diff --git a/src/share/ma/setup b/src/share/ma/setup index 6c75fef..f965487 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -43,6 +43,7 @@ EOF # Edits will be overwritten. no-greeting list-options show-uid-validity +keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt EOF # make sure the monkeysphere user owns everything in the sphere diff --git a/website/validation-agent.mdwn b/website/validation-agent.mdwn new file mode 100644 index 0000000..d95e7d4 --- /dev/null +++ b/website/validation-agent.mdwn @@ -0,0 +1,32 @@ +[[!meta title="Monkeysphere Validation Agent"]] + +# Monkeysphere Validation Agent # + +The Monkeysphere Validation Agent offers a local service for systems +to validate certificates (both X.509 and OpenPGP) and other public +keys in their proper contexts. + +Among other reasons, having a validation agent is a good thing +because: + +* Multiple tools can rely on the same PKI (e.g. the user's web browser + and the user's ssh client). +* A single validation agent can present a consistent UI to the user + (when used in an end-user context), or provide a unified trust model + to various services (when used in a server-side context). +* Authentication/certificate validation code can potentially be + isolated to a protected environment. + +## Implementations ## + +There are currently two implementations of the validation agent: + + * msva-perl + * msva-ruby + +## Protocol ## + +The Monkeysphere Validation Agent protocol (MSVA) is defined as a +minimal HTTP server with JSON-encapsulated requests and responses. +You may want to read [more protocol details](protocol). + diff --git a/website/validation-agent/protocol.mdwn b/website/validation-agent/protocol.mdwn new file mode 100644 index 0000000..4e6811a --- /dev/null +++ b/website/validation-agent/protocol.mdwn @@ -0,0 +1,24 @@ +[[!meta title="Validation Agent Protocol"]] + +# Validation Agent Protocol # + +In its current form, the +[Monkeysphere Validation Agent](/validation-agent) is conceived of as +a minimalistic HTTP server that accepts two different requests: + + GET / -- initial contact query, protocol version compatibility. + (no query parameters) + (returns: protoversion, server, available) + + POST /reviewcert -- request validation of a certificate + (query parameters: uid, context, pkc) + (returns: valid, message) + +Query parameters are posted as a JSON blob (*not* as +www-form-encoded). + +The variables that are returned are application/json as well. + +* PKC means: public key carrier: raw key, OpenPGP cert, or X.509 cert +* UID means: User ID (like in OpenPGP) +* context refers to the setting in which the certificate is offered. For example, "https" means: "this certificate was offered by an HTTPS server" |