diff options
| author | Matt Goins <mjgoins@openflows.com> | 2009-04-08 00:43:05 -0400 |
|---|---|---|
| committer | Matt Goins <mjgoins@openflows.com> | 2009-04-08 00:43:05 -0400 |
| commit | dfd67a14003fbfb4b1ba2269e7d47f4d0c44fcf8 (patch) | |
| tree | 3372902f39b0995a39b62851671fe33e4ceeb56e | |
| parent | f77a5d79b4a9b4b44cb3786237931458265e49ed (diff) | |
| parent | ee3872232ffc40ab0ae7ea823059806f839f2700 (diff) | |
Merge commit 'dkg/master'
| -rwxr-xr-x | Makefile | 5 | ||||
| -rw-r--r-- | README | 15 | ||||
| -rw-r--r-- | packaging/debian/changelog | 4 | ||||
| -rw-r--r-- | packaging/debian/control | 2 | ||||
| -rw-r--r-- | packaging/macports/Portfile | 68 | ||||
| -rw-r--r-- | patches/gnutls/22_functional_s2k_with_GNU_dummy.diff | 146 | ||||
| -rwxr-xr-x | patches/gnutls/build | 36 | ||||
| -rwxr-xr-x | src/monkeysphere | 1 | ||||
| -rw-r--r-- | src/share/common | 51 | ||||
| -rwxr-xr-x | src/share/keytrans | 6 | ||||
| -rw-r--r-- | src/share/m/gen_subkey | 6 | ||||
| -rw-r--r-- | src/share/m/ssh_proxycommand | 6 | ||||
| -rw-r--r-- | src/share/m/subkey_to_ssh_agent | 2 | ||||
| -rw-r--r-- | src/share/ma/setup | 4 | ||||
| -rw-r--r-- | src/share/ma/update_users | 2 | ||||
| -rwxr-xr-x | tests/basic | 9 | ||||
| -rw-r--r-- | tests/common | 2 | ||||
| -rwxr-xr-x | utils/build-macports-portfile | 9 | ||||
| -rwxr-xr-x | utils/build-releasenote | 2 | ||||
| -rw-r--r-- | utils/preparing-release | 13 | ||||
| -rw-r--r-- | website/news/gnutls-2.6-enables-monkeysphere.mdwn | 11 |
21 files changed, 171 insertions, 229 deletions
@@ -37,6 +37,9 @@ debian-package: tarball freebsd-distinfo: ./utils/build-freebsd-distinfo +macports-portfile: + ./utils/build-macports-portfile + clean: # clean up old monkeysphere packages lying around as well. rm -f monkeysphere_* @@ -78,6 +81,6 @@ releasenote: ./utils/build-releasenote test: - ./tests/basic + MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/basic .PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test @@ -0,0 +1,15 @@ +The Monkeysphere Project +------------------------ + +The Monkeysphere project's goal is to extend OpenPGP's web of trust to +new areas of the Internet to help us securely identify each other +while we work online. + +Specifically, monkeysphere currently offers a framework to leverage +the OpenPGP web of trust for OpenSSH authentication. + +In other words, it allows you to use secure shell as you normally do, +but to identify yourself and the servers you administer or connect to +with your OpenPGP keys. OpenPGP keys are tracked via GnuPG, and +monkeysphere manages the known_hosts and authorized_keys files used by +OpenSSH for authentication, checking them for cryptographic validity. diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 82ef1ae..9d404a8 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -7,8 +7,10 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low - clean out some redundant "cat"s - fix monkeysphere update-known_hosts for sshd running on non-standard ports + - some portability improvements + * update Standard-Version to 3.8.1 - -- Jameson Graef Rollins <jrollins@finestructure.net> Wed, 18 Mar 2009 11:46:44 -0400 + -- Jameson Graef Rollins <jrollins@finestructure.net> Mon, 06 Apr 2009 22:20:55 -0700 monkeysphere (0.24-1) unstable; urgency=low diff --git a/packaging/debian/control b/packaging/debian/control index 616a95a..3601c10 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -4,7 +4,7 @@ Priority: extra Maintainer: Jameson Graef Rollins <jrollins@finestructure.net> Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Build-Depends: debhelper (>= 7.0), socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail -Standards-Version: 3.8.0.1 +Standards-Version: 3.8.1 Homepage: http://web.monkeysphere.info/ Vcs-Git: git://git.monkeysphere.info/monkeysphere Dm-Upload-Allowed: yes diff --git a/packaging/macports/Portfile b/packaging/macports/Portfile index 99d0d69..d73a656 100644 --- a/packaging/macports/Portfile +++ b/packaging/macports/Portfile @@ -2,14 +2,11 @@ # $Id$ PortSystem 1.0 - name monkeysphere version 0.24 -categories net +categories net security maintainers nomaintainer -platforms darwin description use the OpenPGP web of trust to verify ssh connections - long_description SSH key-based authentication is tried-and-true, \ but it lacks a true Public Key Infrastructure for \ key certification, revocation and expiration. \ @@ -18,23 +15,60 @@ long_description SSH key-based authentication is tried-and-true, \ used in both directions: for users to get \ validated host keys, and for hosts to authenticate \ users. - homepage http://web.monkeysphere.info/ -master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ -distname ${name}_${version} -worksrcdir ${name}-${version} -checksums md5 8590532f4702fa44027a6a583657c9ef +platforms darwin depends_run bin:ssh:openssh \ port:gnupg \ - port:perl5.10 \ - port:p5-crypt-rsa \ + port:perl5 \ + port:p5-crypt-openssl-rsa \ + port:p5-crypt-openssl-bignum \ port:p5-digest-sha1 \ port:procmail -build.target build -destroot.args PREFIX=${destroot}${prefix} \ - CONFDIR=${destroot}${prefix}/etc/monkeysphere \ - DBDIR=${destroot}${prefix}/var/lib/monkeysphere \ - MANDIR=${destroot}${prefix}/share/man \ - DOCDIR=${destroot}${prefix}/share/doc/monkeysphere +master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ +distname ${name}_${version} +extract.suffix .orig.tar.gz +worksrcdir ${name}-${version} +checksums md5 8590532f4702fa44027a6a583657c9ef + +use_configure no + +post-build { + # update paths to SYS*DIRs + exec sed -i .tmp -e "s|/etc/monkeysphere|${prefix}/etc/monkeysphere|g" \ + ${worksrcpath}/src/share/defaultenv \ + ${worksrcpath}/src/transitions/0.23 \ + ${worksrcpath}/man/man1/monkeysphere.1 \ + ${worksrcpath}/man/man8/monkeysphere-authentication.8 \ + ${worksrcpath}/man/man8/monkeysphere-host.8 \ + ${worksrcpath}/etc/monkeysphere-authentication.conf + exec sed -i .tmp -e "s|/var/lib/monkeysphere|${prefix}/var/db/monkeysphere|g" \ + ${worksrcpath}/src/transitions/0.23 \ + ${worksrcpath}/man/man1/monkeysphere.1 \ + ${worksrcpath}/man/man8/monkeysphere-authentication.8 \ + ${worksrcpath}/man/man8/monkeysphere-host.8 \ + ${worksrcpath}/src/monkeysphere-host \ + ${worksrcpath}/src/monkeysphere-authentication \ + ${worksrcpath}/doc/getting-started-admin.mdwn + exec sed -i .tmp -e "s|/usr/share/monkeysphere|${prefix}/share/monkeysphere|g" \ + ${worksrcpath}/src/monkeysphere-host \ + ${worksrcpath}/src/monkeysphere-authentication \ + ${worksrcpath}/src/monkeysphere + + # fix perl shebang line to point to macports perl install + exec sed -i .tmp -e "s|^#!/usr/bin/perl -T$|#!/opt/local/bin/perl -T|" \ + ${worksrcpath}/src/share/keytrans + + # remove leftover sed cruft + exec find ${worksrcpath} -name *.tmp -delete +} + +destroot.destdir DESTDIR=${destroot}${prefix} +destroot.args PREFIX= + +# variant to use the port version of bash, which may be much newer +# than the one provided by the system +variant port-bash description {use port version of Bash} { + depends_run-append port:bash +} diff --git a/patches/gnutls/22_functional_s2k_with_GNU_dummy.diff b/patches/gnutls/22_functional_s2k_with_GNU_dummy.diff deleted file mode 100644 index 2d7e35d..0000000 --- a/patches/gnutls/22_functional_s2k_with_GNU_dummy.diff +++ /dev/null @@ -1,146 +0,0 @@ -diff -ruN gnutls26-2.4.1.orig/lib/opencdk/opencdk.h gnutls26-2.4.1/lib/opencdk/opencdk.h ---- gnutls26-2.4.1.orig/lib/opencdk/opencdk.h 2008-06-30 16:45:51.000000000 -0400 -+++ gnutls26-2.4.1/lib/opencdk/opencdk.h 2008-08-21 19:23:44.000000000 -0400 -@@ -214,7 +214,11 @@ - enum cdk_s2k_type_t { - CDK_S2K_SIMPLE = 0, - CDK_S2K_SALTED = 1, -- CDK_S2K_ITERSALTED = 3 -+ CDK_S2K_ITERSALTED = 3, -+ CDK_S2K_GNU_EXT = 101 -+ /* GNU S2K extensions: refer to DETAILS from GnuPG: -+ http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/doc/DETAILS?root=GnuPG -+ */ - }; - - -diff -ruN gnutls26-2.4.1.orig/lib/opencdk/read-packet.c gnutls26-2.4.1/lib/opencdk/read-packet.c ---- gnutls26-2.4.1.orig/lib/opencdk/read-packet.c 2008-06-30 16:45:51.000000000 -0400 -+++ gnutls26-2.4.1/lib/opencdk/read-packet.c 2008-08-21 19:30:09.000000000 -0400 -@@ -78,10 +78,35 @@ - } - - --static int -+/* read about S2K at http://tools.ietf.org/html/rfc4880#section-3.7.1 */ -+static cdk_error_t - read_s2k (cdk_stream_t inp, cdk_s2k_t s2k) - { -- return CDK_Not_Implemented; -+ size_t nread; -+ -+ s2k->mode = cdk_stream_getc (inp); -+ s2k->hash_algo = cdk_stream_getc (inp); -+ if (s2k->mode == CDK_S2K_SIMPLE) -+ return 0; -+ else if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED) -+ { -+ if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread)) -+ return CDK_Inv_Packet; -+ if (nread != DIM (s2k->salt)) -+ return CDK_Inv_Packet; -+ -+ if (s2k->mode == CDK_S2K_ITERSALTED) -+ s2k->count = cdk_stream_getc (inp); -+ } -+ else if (s2k->mode == CDK_S2K_GNU_EXT) -+ { -+ /* GNU extensions to the S2K : read DETAILS from gnupg */ -+ return 0; -+ } -+ else -+ return CDK_Not_Implemented; -+ -+ return 0; - } - - -@@ -194,6 +219,7 @@ - static cdk_error_t - read_symkey_enc (cdk_stream_t inp, size_t pktlen, cdk_pkt_symkey_enc_t ske) - { -+ cdk_error_t ret; - cdk_s2k_t s2k; - size_t minlen; - size_t nread, nleft; -@@ -213,7 +239,9 @@ - return CDK_Out_Of_Core; - - ske->cipher_algo = cdk_stream_getc (inp); -- s2k->mode = cdk_stream_getc (inp); -+ ret = read_s2k(inp, s2k); -+ if (ret != 0) -+ return ret; - switch (s2k->mode) - { - case CDK_S2K_SIMPLE : minlen = 0; break; -@@ -225,18 +253,6 @@ - return CDK_Inv_Packet; - } - -- s2k->hash_algo = cdk_stream_getc (inp); -- if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED) -- { -- if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread)) -- return CDK_Inv_Packet; -- if (nread != DIM (s2k->salt)) -- return CDK_Inv_Packet; -- -- if (s2k->mode == CDK_S2K_ITERSALTED) -- s2k->count = cdk_stream_getc (inp); -- } -- - ske->seskeylen = pktlen - 4 - minlen; - /* We check if there is an encrypted session key and if it fits into - the buffer. The maximal key length is 256-bit. */ -@@ -421,14 +437,19 @@ - rc = read_s2k (inp, sk->protect.s2k); - if (rc) - return rc; -- sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo); -- if (!sk->protect.ivlen) -- return CDK_Inv_Packet; -- rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread); -- if (rc) -- return rc; -- if (nread != sk->protect.ivlen) -- return CDK_Inv_Packet; -+ /* refer to --export-secret-subkeys in gpg(1) */ -+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT) -+ sk->protect.ivlen = 0; -+ else { -+ sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo); -+ if (!sk->protect.ivlen) -+ return CDK_Inv_Packet; -+ rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread); -+ if (rc) -+ return rc; -+ if (nread != sk->protect.ivlen) -+ return CDK_Inv_Packet; -+ } - } - else - sk->protect.algo = sk->s2k_usage; -@@ -476,6 +497,22 @@ - return CDK_Out_Of_Core; - if (stream_read (inp, sk->encdata, sk->enclen, &nread)) - return CDK_Inv_Packet; -+ /* Handle the GNU S2K extensions we know (just gnu-dummy right now): */ -+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT) { -+ unsigned char gnumode; -+ if ((sk->enclen < strlen("GNU") + 1) || -+ (0 != memcmp("GNU", sk->encdata, strlen("GNU")))) -+ return CDK_Inv_Packet; -+ gnumode = sk->encdata[strlen("GNU")]; -+ /* we only handle gnu-dummy (mode 1). -+ mode 2 should refer to external smart cards. -+ */ -+ if (gnumode != 1) -+ return CDK_Inv_Packet; -+ /* gnu-dummy should have no more data */ -+ if (sk->enclen != strlen("GNU") + 1) -+ return CDK_Inv_Packet; -+ } - nskey = cdk_pk_get_nskey (sk->pk->pubkey_algo); - if (!nskey) - return CDK_Inv_Algo; diff --git a/patches/gnutls/build b/patches/gnutls/build deleted file mode 100755 index b42832a..0000000 --- a/patches/gnutls/build +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/sh -e - -# build a patched version of GnuTLS version 2.4.x, including the -# ability to parse and accept the GNU S2K extension known as -# "gnu-dummy" (which doesn't have any secret key data at all) - -# Note: you probably want to prepare your build system in the -# following way: - -# apt-get build-dep libgnutls26 -# aptitude install devscripts fakeroot - -# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# Date: 2008-08-22 00:11:05-0400 - -# Note: please run this from the current directory, so it can find and -# transfer the patch it needs. - -set -e - -if ! dpkg -l devscripts fakeroot >/dev/null ; then - exit 1 -fi - -workingdir=$(mktemp -d -p .) - -(cd "$workingdir" && apt-get source libgnutls26) - -cp ./*.diff "$workingdir/gnutls26-2.4".*/debian/patches/ - -cd "$workingdir/gnutls26-2.4".* -dch --local .s2kext --distribution experimental 'added patch to handle GNU extensions to S2K' -debuild -uc -us -sa - -echo now you should: -echo reprepro -C gnutls include experimental "$workingdir/"*.changes diff --git a/src/monkeysphere b/src/monkeysphere index fbc05b4..147c179 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -48,6 +48,7 @@ subcommands: gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand + --no-connect do not make TCP connection to host subkey-to-ssh-agent (s) store authentication subkey in ssh-agent version (v) show version number help (h,?) this help diff --git a/src/share/common b/src/share/common index d6e4949..11e7969 100644 --- a/src/share/common +++ b/src/share/common @@ -147,8 +147,8 @@ lock() { local action="$1" local file="$2" - if ! ( which lockfile-create >/dev/null 2>/dev/null ) ; then - if ! ( which lockfile >/dev/null ); then + if ! ( type lockfile-create &>/dev/null ) ; then + if ! ( type lockfile &>/dev/null ); then failure "Neither lockfile-create nor lockfile are in the path!" fi use_lockfileprogs= @@ -197,7 +197,7 @@ advance_date() { local shortunits # try things the GNU way first - if date -d "$number $longunits" "$format" >/dev/null 2>&1; then + if date -d "$number $longunits" "$format" &>/dev/null; then date -d "$number $longunits" "$format" else # otherwise, convert to (a limited version of) BSD date syntax: @@ -252,7 +252,13 @@ check_capability() { # hash of a file file_hash() { - md5sum "$1" 2> /dev/null + if type md5sum &>/dev/null ; then + md5sum "$1" + elif type md5 &>/dev/null ; then + md5 "$1" + else + failure "Neither md5sum nor md5 are in the path!" + fi } # convert escaped characters in pipeline from gpg output back into @@ -303,7 +309,9 @@ passphrase_prompt() { local fifo="$2" local PASS - if [ "$DISPLAY" ] && which "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then + if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then + printf 'Launching "%s"\n' "${SSH_ASKPASS:-ssh-askpass}" | log info + printf '(with prompt "%s")\n' "$prompt" | log debug "${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo" else read -s -p "$prompt" PASS @@ -331,7 +339,7 @@ remove_line() { fi # if the string is in the file... - if grep -q -F "$string" "$file" 2> /dev/null ; then + if grep -q -F "$string" "$file" 2>/dev/null ; then tempfile=$(mktemp "${file}.XXXXXXX") || \ failure "Unable to make temp file '${file}.XXXXXXX'" @@ -382,7 +390,7 @@ translate_ssh_variables() { path="$2" # get the user's home directory - userHome=$(getent passwd "$uname" | cut -d: -f6) + userHome=$(get_homedir "$uname") # translate '%u' to user name path=${path/\%u/"$uname"} @@ -437,7 +445,7 @@ check_key_file_permissions() { # return 2 if path has group or other writability if is_write "$gAccess" || is_write "$oAccess" ; then log error "improper group or other writability on path '$path':" - log error " group: $gAccess, other: $oAcess" + log error " group: $gAccess, other: $oAccess" return 2 fi @@ -450,6 +458,25 @@ check_key_file_permissions() { fi } +# return a list of all users on the system +list_users() { + if type getent &>/dev/null ; then + # for linux and FreeBSD systems + getent passwd | cut -d: -f1 + elif type dscl &>/dev/null ; then + # for Darwin systems + dscl localhost -list /Search/Users + else + failure "Neither getent or dscl is in the path! Could not determine list of users." + fi +} + +# return the path to the home directory of a user +get_homedir() { + local uname=${1:-`whoami`} + eval "echo ~${uname}" +} + ### CONVERSION UTILITIES # output the ssh key for a given key ID @@ -458,7 +485,7 @@ gpg2ssh() { keyID="$1" - gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null + gpg --export "$keyID" | openpgp2ssh "$keyID" 2>/dev/null } # output known_hosts line from ssh key @@ -549,7 +576,7 @@ gpg_fetch_userid() { echo 1,2,3,4,5 | \ gpg --quiet --batch --with-colons \ --command-fd 0 --keyserver "$KEYSERVER" \ - --search ="$userID" > /dev/null 2>&1 + --search ="$userID" &>/dev/null returnCode="$?" return "$returnCode" @@ -809,7 +836,7 @@ process_host_known_hosts() { # hash from stdin to stdout tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) ssh2known_hosts "$host" "$sshKey" > "$tmpfile" - ssh-keygen -H -f "$tmpfile" 2> /dev/null + ssh-keygen -H -f "$tmpfile" 2>/dev/null cat "$tmpfile" >> "$KNOWN_HOSTS" rm -f "$tmpfile" "${tmpfile}.old" else @@ -1091,7 +1118,7 @@ process_authorized_user_ids() { # check permissions on the authorized_user_ids file path check_key_file_permissions $(whoami) "$authorizedUserIDs" || failure - if ! meat "$authorizedUserIDs" > /dev/null ; then + if ! meat "$authorizedUserIDs" >/dev/null ; then log debug " no user IDs to process." return fi diff --git a/src/share/keytrans b/src/share/keytrans index 8b2e2ea..f9288fa 100755 --- a/src/share/keytrans +++ b/src/share/keytrans @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w -T +#!/usr/bin/perl -T # keytrans: this is an RSA key translation utility; it is capable of # transforming RSA keys (both public keys and secret keys) between @@ -195,11 +195,11 @@ my $keyserver_prefs = { nomodify => 0x80 ########### Math/Utility Functions ############## -# see the bottom of page 43 of RFC 4880 +# see the bottom of page 44 of RFC 4880 (http://tools.ietf.org/html/rfc4880#page-44) sub simple_checksum { my $bytes = shift; - return unpack("%32W*",$bytes) % 65536; + return unpack("%16C*",$bytes); } # calculate the multiplicative inverse of a mod b this is euclid's diff --git a/src/share/m/gen_subkey b/src/share/m/gen_subkey index a0fa3ce..05004f6 100644 --- a/src/share/m/gen_subkey +++ b/src/share/m/gen_subkey @@ -57,14 +57,16 @@ save" # setup the temp fifo dir for retrieving the key password log debug "creating password fifo..." fifoDir=$(msmktempdir) - trap "rm -rf $fifoDir" EXIT (umask 077 && mkfifo "$fifoDir/pass") - log verbose "generating subkey..." + # FIXME: are we adequately cleaning up any trailing gpg process here? + trap "rm -rf $fifoDir; kill %% || true" EXIT echo "$editCommands" | gpg_user --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" & + log debug "Prompting for passphrase" # FIXME: this needs to fail more gracefully if the passphrase is incorrect passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass" + log info "Generating subkey. This may take a long time..." trap - EXIT rm -rf "$fifoDir" diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 77f9d24..74b0f85 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -186,7 +186,7 @@ URI="ssh://${HOSTP}" # CHECK_KEYSERVER variable in the monkeysphere.conf file. # if the host is in the gpg keyring... -if gpg_user --list-key ="${URI}" 2>&1 >/dev/null ; then +if gpg_user --list-key ="${URI}" &>/dev/null ; then # do not check the keyserver CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"} @@ -253,9 +253,9 @@ esac # exec a netcat passthrough to host for the ssh connection if [ -z "$NO_CONNECT" ] ; then - if (which nc 2>/dev/null >/dev/null); then + if (type nc &>/dev/null); then exec nc "$HOST" "$PORT" - elif (which socat 2>/dev/null >/dev/null); then + elif (type socat &>/dev/null); then exec socat STDIO "TCP:$HOST:$PORT" else echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2 diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent index aa647a6..edc177b 100644 --- a/src/share/m/subkey_to_ssh_agent +++ b/src/share/m/subkey_to_ssh_agent @@ -27,7 +27,7 @@ subkey_to_ssh_agent() { local kname # if there's no agent running, don't bother: - if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then + if [ -z "$SSH_AUTH_SOCK" ] || ! type ssh-add >/dev/null ; then failure "No ssh-agent available." fi diff --git a/src/share/ma/setup b/src/share/ma/setup index b453f3c..4c87009 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -57,9 +57,9 @@ EOF if [ -z "$CORE_FPR" ] ; then log info "setting up Monkeysphere authentication trust core..." - local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | perl -MMIME::Base64 -ne 'print encode_base64($_)')) + local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(dd if=/dev/urandom bs=21 count=1 | perl -MMIME::Base64 -ne 'print encode_base64($_)')) - log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..." + printf "generating monkeysphere authentication trust core key:\nsize: %d bits\nuid: '%s'\n" "$CORE_KEYLENGTH" "$CORE_UID" | log debug PEM2OPENPGP_USAGE_FLAGS=certify \ PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \ | gpg_core --import \ diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 3a5c006..c5c74cf 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -24,7 +24,7 @@ if [ "$1" ] ; then unames="$@" else # or just look at all users if none specified - unames=$(getent passwd | cut -d: -f1) + unames=$(list_users) fi # set mode diff --git a/tests/basic b/tests/basic index 7277168..f38c9ac 100755 --- a/tests/basic +++ b/tests/basic @@ -129,6 +129,10 @@ export MONKEYSPHERE_LOG_LEVEL=DEBUG export MONKEYSPHERE_CORE_KEYLENGTH=1024 export MONKEYSPHERE_PROMPT=false +# unset SUBKEYS_FOR_AGENT variable which, if set, would confuse the +# into trying to use the user's key, instead of the testuser's key +unset MONKEYSPHERE_SUBKEYS_FOR_AGENT + export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket @@ -146,7 +150,8 @@ export DISPLAY=monkeys echo echo "##################################################" echo "### configuring testuser home..." -cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/ +(cd "$TESTDIR"/home && find testuser | cpio -pdu "$TEMPDIR") + # set up environment for testuser export TESTHOME="$TEMPDIR"/testuser export GNUPGHOME="$TESTHOME"/.gnupg @@ -166,7 +171,7 @@ get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf echo echo "##################################################" echo "### configuring admin home..." -cp -a "$TESTDIR"/home/admin "$TEMPDIR"/ +(cd "$TESTDIR"/home && find admin | cpio -pdu "$TEMPDIR") # set up sshd echo diff --git a/tests/common b/tests/common index e53c31e..a000c56 100644 --- a/tests/common +++ b/tests/common @@ -3,7 +3,7 @@ failed_cleanup() { # FIXME: can we be more verbose here? echo 'FAILED!' - if [ "$MONKEYSPHERE_TEST_ALLOW_EXAMINATION" = prompt ] ; then + if [ -z "$MONKEYSPHERE_TEST_NO_EXAMINE" ] ; then read -p "press enter to cleanup and remove tmp (or type bash for a subshell to examine): " XX if [ "$XX" = bash ] ; then echo "Entering subshell..." diff --git a/utils/build-macports-portfile b/utils/build-macports-portfile new file mode 100755 index 0000000..c5e6a48 --- /dev/null +++ b/utils/build-macports-portfile @@ -0,0 +1,9 @@ +#!/bin/bash -e + +PORTFILE="packaging/macports/Portfile" + +VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` +MD5=`md5sum monkeysphere_${VERSION}.orig.tar.gz | awk '{ print $1 }'` + +sed -i~ 's/^version.*$/version '"$VERSION"/ "$PORTFILE" +sed -i~ 's/^checksums.*$/checksums md5 '"$MD5"/ "$PORTFILE" diff --git a/utils/build-releasenote b/utils/build-releasenote index b25a87c..1dee649 100755 --- a/utils/build-releasenote +++ b/utils/build-releasenote @@ -39,3 +39,5 @@ set +e git add website/download.mdwn gpg --verify website/download.mdwn + +printf "please remember to add the new version to the bugtracker:\n https://labs.riseup.net/code/projects/settings/monkeysphere\n" diff --git a/utils/preparing-release b/utils/preparing-release index dd9d224..90dc200 100644 --- a/utils/preparing-release +++ b/utils/preparing-release @@ -14,3 +14,16 @@ * create debian-specific version tag: git tag -s -m 'Tagging Monkeysphere $whatever-1' monkeysphere_$whatever-1 + + * update FreeBSD and Macports info: + + make freebsd-distinfo + make macports-portsfile + + (probably should consider tagging these ports as well to make them + easy to recover) + + * remember to add the new version (n + 1) to the bugtracker if it's + not already: + + https://labs.riseup.net/code/projects/settings/monkeysphere diff --git a/website/news/gnutls-2.6-enables-monkeysphere.mdwn b/website/news/gnutls-2.6-enables-monkeysphere.mdwn index b7894c5..6de2f6a 100644 --- a/website/news/gnutls-2.6-enables-monkeysphere.mdwn +++ b/website/news/gnutls-2.6-enables-monkeysphere.mdwn @@ -1,5 +1,16 @@ [[meta title="GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys"]] +----- + +**2009-04-05 UPDATE:** Since Monkeysphere no longer depends on GnuTLS +at all ([moved to using Perl for key +translation](news/release-0.24-1)), and GnuTLS 2.6 is now available in +Debian testing, we have removed the GnuTLS patches from the repostiory +(although they will continue to be available in the history, or +course). + +----- + We [announced earlier](/news/modified-gnutls-2.4.x-available) that the Monkeysphere project was providing patched versions of GnuTLS to support one piece of Monkeysphere functionality. Fortunately, those |