author    Matt Goins <mjgoins@openflows.com>  2009-03-24 16:46:57 -0400
committer Matt Goins <mjgoins@openflows.com>  2009-03-24 16:46:57 -0400
commit    f77a5d79b4a9b4b44cb3786237931458265e49ed (patch)
tree      9e6ccf151a5fe7fd4b6c0d4ded98a16d17e674a6
parent    b8c187a0803442fbf4d9c432cac90925791171aa (diff)
parent    b371a109bbaf7e1d1bd424a0495dafca1284ada9 (diff)
Merge commit 'dkg/master'
-rw-r--r--  doc/ExternalValidation.html                         232
-rw-r--r--  etc/monkeysphere.conf                                 2
-rw-r--r--  man/man1/monkeysphere.1                               6
-rw-r--r--  man/man8/monkeysphere-host.8                          2
-rw-r--r--  packaging/debian/changelog                           11
-rw-r--r--  packaging/macports/Portfile                          40
-rwxr-xr-x  src/monkeysphere                                      2
-rw-r--r--  src/share/common                                     33
-rw-r--r--  src/share/m/gen_subkey                                7
-rw-r--r--  src/share/m/ssh_proxycommand                        139
-rw-r--r--  src/share/ma/add_certifier                            8
-rw-r--r--  src/share/mh/add_hostname                             8
-rw-r--r--  src/share/mh/add_revoker                              8
-rw-r--r--  src/share/mh/revoke_hostname                          8
-rw-r--r--  src/share/mh/set_expire                               2
-rw-r--r--  website/download.mdwn                                40
-rw-r--r--  website/news/0.24-accepted-in-Debian-testing.mdwn    10
-rw-r--r--  website/news/0.24-available-in-Backports-org.mdwn     8
-rw-r--r--  website/news/FreeBSD-0.24-port-accepted.mdwn         11
-rw-r--r--  website/news/FreeBSD-port-available.mdwn              3
20 files changed, 448 insertions, 132 deletions
diff --git a/doc/ExternalValidation.html b/doc/ExternalValidation.html
new file mode 100644
index 0000000..d176957
--- /dev/null
+++ b/doc/ExternalValidation.html
@@ -0,0 +1,232 @@
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<base href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation"><div style="margin:-1px -1px 0;padding:0;border:1px solid #999;background:#fff"><div style="margin:12px;padding:8px;border:1px solid #999;background:#ddd;font:13px arial,sans-serif;color:#000;font-weight:normal;text-align:left">This is Google&#39;s cache of <a href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation" style="text-decoration:underline;color:#00c">http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation</a>. It is a snapshot of the page as it appeared on Dec 15, 2008 14:31:48 GMT. The <a href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation" style="text-decoration:underline;color:#00c">current page</a> could have changed in the meantime. <a href="http://www.google.com/intl/en/help/features_list.html#cached" style="text-decoration:underline;color:#00c">Learn more</a><br><br><div style="float:right"><a href="http://74.125.47.132/search?q=cache:TK3CfB0McV4J:redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation+http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation&amp;hl=en&amp;gl=us&strip=1" style="text-decoration:underline;color:#00c">Text-only version</a></div>
+<div>These terms only appear in links pointing to this page: <span style="font-weight:bold">http</span>&nbsp;<span style="font-weight:bold">redmine</span>&nbsp;<span style="font-weight:bold">josefsson</span>&nbsp;<span style="font-weight:bold">org</span>&nbsp;<span style="font-weight:bold">wiki</span>&nbsp;<span style="font-weight:bold">gnutls</span>&nbsp;<span style="font-weight:bold">gnutlsexternalvalidation</span>&nbsp;&nbsp;</div></div></div><div style="position:relative">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<title>GnuTLS - GnuTLSExternalValidation - Redmine</title>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<meta name="description" content="Redmine" />
+<meta name="keywords" content="issue,bug,tracker" />
+<link href="/stylesheets/application.css?1227251496" media="all" rel="stylesheet" type="text/css" />
+<script src="/javascripts/prototype.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/effects.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/dragdrop.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/controls.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/application.js?1224248241" type="text/javascript"></script>
+<link href="/stylesheets/jstoolbar.css?1224248241" media="screen" rel="stylesheet" type="text/css" />
+<!--[if IE]>
+ <style type="text/css">
+ * html body{ width: expression( document.documentElement.clientWidth < 900 ? '900px' : '100%' ); }
+ body {behavior: url(/stylesheets/csshover.htc?1224248241);}
+ </style>
+<![endif]-->
+
+<!-- page specific tags -->
+
+ <link href="/stylesheets/scm.css?1224248241" media="screen" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div id="wrapper">
+<div id="top-menu">
+ <div id="account">
+ <ul><li><a href="/login" class="login">Sign in</a></li>
+<li><a href="/account/register" class="register">Register</a></li></ul> </div>
+
+ <ul><li><a href="/" class="home">Home</a></li>
+<li><a href="/projects" class="projects">Projects</a></li>
+<li><a href="http://www.redmine.org/guide" class="help">Help</a></li></ul></div>
+
+<div id="header">
+ <div id="quick-search">
+ <form action="/search/index/gnutls" method="get">
+ <a href="/search/index/gnutls" accesskey="4">Search</a>:
+ <input accesskey="f" class="small" id="q" name="q" size="20" type="text" />
+ </form>
+
+ </div>
+
+ <h1>GnuTLS</h1>
+
+ <div id="main-menu">
+ <ul><li><a href="/projects/show/gnutls">Overview</a></li>
+<li><a href="/projects/activity/gnutls">Activity</a></li>
+<li><a href="/projects/roadmap/gnutls">Roadmap</a></li>
+<li><a href="/projects/gnutls/issues">Issues</a></li>
+<li><a href="/wiki/gnutls" class="selected">Wiki</a></li>
+<li><a href="/repositories/show/gnutls">Repository</a></li></ul>
+ </div>
+</div>
+
+<div class="" id="main">
+ <div id="sidebar">
+
+ <h3>Wiki</h3>
+
+<a href="/wiki/gnutls">Start page</a><br />
+<a href="/wiki/gnutls/Page_index/special">Index by title</a><br />
+<a href="/wiki/gnutls/Date_index/special">Index by date</a><br />
+
+
+ </div>
+
+ <div id="content">
+
+
+ <div class="contextual">
+
+
+
+
+
+
+
+
+<a href="/wiki/gnutls/GnuTLSExternalValidation/history" class="icon icon-history">History</a>
+</div>
+
+
+
+
+
+<div class="wiki">
+ <h1 id="GnuTLSExternalValidation">GnuTLSExternalValidation<a href="#GnuTLSExternalValidation" class="wiki-anchor">&para;</a></h1>
+
+
+ <p>This page is intended to flesh out ideas to externalize the X.509 chain validation, X.509 private key handling, and possibly also OpenPGP validation and private key handling.</p>
+
+
+ <p>It is important to realize that these are different problems, so the solution may be different. Let's first make the goals clear:</p>
+
+
+ <ul>
+ <li>Make it possible to store private keys in a process different from the process that runs the GnuTLS client/server.</li>
+ <li>Make it possible to perform X.509 chain validation in a different process.</li>
+ <li>Make it possible to perform OpenPGP key validation in a different process.</li>
+ </ul>
+
+
+ <p>One must decide whether the external agent should be responsible for making authentication decisions, authorization decisions, or both. Possibly it should be able to make both kind of decisions. The GnuTLS process can always make further authorization decisions as well.</p>
+
+
+ <p>For private keys, there is the PKCS#11 interface. GnuTLS has a branch that supports it. However, PKCS#11 doesn't solve the problem with an external process. It seems better to move the PKCS#11 interface to the external agent, rather than adding PKCS#11 interface to GnuTLS itself. Btw, GnuTLS already has PKCS#11 support on a special branch, and has been tested against the Scute PKCS#11 provider together with a Swedish eID X.509 smartcard.</p>
+
+
+ <p>The solution should allow simple integration with GNOME components such as <a href="http://live.gnome.org/Seahorse" class="external">SeaHorse</a>.</p>
+
+
+ <h2 id="Private-key-protocol">Private key protocol<a href="#Private-key-protocol" class="wiki-anchor">&para;</a></h2>
+
+
+ <p>Possible we should re-use GnuPG's external protocol here? What we need is an IPC protocol that does:</p>
+
+
+ <pre><code>SIGN [ALG] [KEY-ID] [TLS-DATA]</code></pre>
+
+
+ <p>Where KEY-ID somehow denotes a key to use, and TLS-DATA is the data that needs to be signed using the TLS algorithm. Given that TLS supports several algorithms, and even RSA is supported in more than one mode, there needs to be an ALG flag to indicate this.</p>
+
+
+ <h2 id="X509-Chain-Validation">X.509 Chain Validation<a href="#X509-Chain-Validation" class="wiki-anchor">&para;</a></h2>
+
+
+ <p>GnuPG's dirmngr <a href="http://www.gnupg.org/documentation/manuals/dirmngr/Dirmngr-Protocol.html#Dirmngr-Protocol" class="external">has a protocol for doing this</a>, using <a href="http://www.gnupg.org/documentation/manuals/assuan/" class="external">assuan</a>. Unfortunately, <a href="http://www.gnupg.org/documentation/manuals/assuan/Assuan.html#Assuan" class="external">assuan's design criteria</a> state "no protection against DoS needed". This might make it unsuitable for a TLS implementation or other online tool.</p>
+
+
+ <p>It is not clear to me whether the trusted CAs should be sent over the IPC, or whether it is something that is assumed to be known by the agent. The latter seems safer, but the former may be useful in some scenarios. <em>(what scenarios?)</em> They aren't mutually incompatible, so maybe we can support both.</p>
+
+
+ <p>Thus we need a command to send over a trusted certificate:</p>
+
+
+ <pre><code>TRUSTED [b64pem...]</code></pre>
+
+
+ <p>And also send over untrusted certificates provided by the TLS peer:</p>
+
+
+ <pre><code>UNTRUSTED [b64pem...]</code></pre>
+
+
+ <p>Finally, a request to perform chain validation on a particular certificate is performed using:</p>
+
+
+ <pre><code>VALIDATE [b64pem...]</code></pre>
+
+
+ <h2 id="Generic-Certificate-Validation">Generic Certificate Validation<a href="#Generic-Certificate-Validation" class="wiki-anchor">&para;</a></h2>
+
+
+ <p>It would be nice to be able to hand the agent any kind of certificate (OpenPGP or X.509), or even to be able to hand the agent a raw public key to see if it validates.</p>
+
+
+ <p>The crucial request would be:</p>
+
+
+ <pre><code>VALIDATE {LABEL} {CERTTYPE} {PEERNAME} {CERTIFICATE}</code></pre>
+
+
+ <p>This says "I'm a program called LABEL. I'm about to send you a certificate of type CERTTYPE. I want you to tell me whether the specified PEERNAME matches one of the names stored in the certificate, and that the matching name in the certificate is cryptographically valid based on your knowledge of trusted certifiers."</p>
+
+
+ <p>The agent can respond with VALID or INVALID. We maybe should consider whether INVALID might be implemented as an extensible set of reasons for invalidity (e.g. EXPIRED, NOMATCH, UNTRUSTED, SELFSIGNED, etc): would the potential extensibility from this outweigh the added implementation and semantic complexity?</p>
+
+
+ <p>The possible options for CERTTYPE could be:</p>
+
+
+ <ul>
+ <li>RAWPUBKEY (maybe modelled after <a href="http://tools.ietf.org/html/rfc4253#section-6.6" class="external">ssh-dss and ssh-rsa in RFC 4253</a> ?)</li>
+ <li>OPENPGP (after <a href="http://tools.ietf.org/html/rfc4880#section-11.1" class="external">section 11.1 of RFC 4880</a> either base-64 encoded or raw)</li>
+ <li>X509 (after <a href="http://tools.ietf.org/html/rfc5280" class="external">RFC 5280</a>, either PEM or DER encoded)</li>
+ </ul>
+
+
+ <p>This would allow numerous clients and servers to make use of the validation agent. For example:</p>
+
+
+ <ul>
+ <li><a href="http://www.lysator.liu.se/~nisse/lsh/" class="external">lsh</a> could feed its fetched host keys to the validation agent instead of having to maintain ~/.lsh/host-acls</li>
+ <li><a href="http://www.openldap.org/doc/admin24/tls.html#Client%20Certificates" class="external">slapd</a> could use the validation agent to identify the DN of the remote client.</li>
+ <li><a href="http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts" class="external">subversion</a> could ask the validation agent to ensure that the OpenPGP certificate offered by a remote https server (using <a href="http://www.outoforder.cc/projects/apache/mod_gnutls/" class="external">mod_gnutls</a>) is in fact who it claims to be (and the mod_gnutls could validate the identity of the client in the same way).</li>
+ </ul>
+
+
+ <p>Additionally, it might be nice to have a command to offer intermediate certificates to the certificate store:</p>
+
+
+ <pre><code>UNTRUSTED {LABEL} {CERTTYPE} {CERTIFICATE}</code></pre>
+
+
+ <p>using UNTRUSTED with a RAWPUBKEY certificate wouldn't be a meaningful operation, but it could be used for intermediate X.509 certificates, or for the equivalent OpenPGP certificates (if such things were handy).</p>
+</div>
+
+
+
+
+
+
+<p class="other-formats">
+Also available in:
+<span><a href="/wiki/gnutls/GnuTLSExternalValidation?export=html&amp;version=9" class="html">HTML</a></span>
+<span><a href="/wiki/gnutls/GnuTLSExternalValidation?export=txt&amp;version=9" class="text">TXT</a></span>
+</p>
+
+
+
+
+
+
+
+ </div>
+</div>
+
+<div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
+
+<div id="footer">
+ Powered by <a href="http://www.redmine.org/">Redmine</a> &copy; 2006-2008 Jean-Philippe Lang
+</div>
+</div>
+
+</body>
+</html>
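Review bot: what lands in doc/ExternalValidation.html is the raw Google cache of the Redmine wiki page rather than the wiki text itself. The first two lines of the hunk are the cache banner, and the page keeps its `<base href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation">` together with `<script src="/javascripts/prototype.js?1224248241">` and the other `/javascripts/*.js` and `/stylesheets/*.css` references, so a browser opening the local copy will resolve those against the remote host and fetch scripts and stylesheets from it; it also declares two charsets (US-ASCII in the cache header, utf-8 in the page's own `<meta>`). Keep only the contents of `<div class="wiki">`, or use the TXT export the page links (`/wiki/gnutls/GnuTLSExternalValidation?export=txt&version=9`), and record the source URL and snapshot date (Dec 15, 2008) in a comment so the provenance survives the cleanup.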
diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf
index 20df62b..53adf83 100644
--- a/etc/monkeysphere.conf
+++ b/etc/monkeysphere.conf
@@ -21,7 +21,7 @@
# Set whether or not to check keyservers at every monkeysphere
# interaction, including all ssh connections if you use the
-# monkeysphere-ssh-proxycommand.
+# monkeysphere ssh-proxycommand.
# NOTE: setting CHECK_KEYSERVER to true will leak information about
# the timing and frequency of your ssh connections to the maintainer
# of the keyserver.
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 327a623..320cdfd 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -42,8 +42,8 @@ were found but none were acceptable. `k' may be used in place of
.B update\-authorized_keys
Update the authorized_keys file for the user executing the command
(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all
-monkeysphere keys are cleared from the authorized_keys file. Then, or
-each user ID in the user's authorized_user_ids file, gpg will be
+monkeysphere keys are cleared from the authorized_keys file. Then,
+for each user ID in the user's authorized_user_ids file, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
.BR monkeysphere (7)),
@@ -65,7 +65,7 @@ will be used. The length of the generated key can be specified with
the `\-\-length' or `\-l' option. `g' may be used in place of
`gen\-subkey'.
.TP
-.B ssh\-proxycommand
+.B ssh\-proxycommand [--no-connect] HOST [PORT]
An ssh ProxyCommand that can be used to trigger a monkeysphere update
of the ssh known_hosts file for a host that is being connected to with
ssh. This works by updating the known_hosts file for the host first,
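Review bot: the synopsis now reads `.B ssh\-proxycommand [--no-connect] HOST [PORT]`, but the description that follows never says what `--no-connect` does; add a sentence for it. The option should also be written `[\-\-no\-connect]`, in the escaped style already used for `\-\-length` in the hunk above, since groff renders an unescaped `--` as a typographic dash in some output devices and the result does not copy-paste as a valid option.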
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 3e01105..e96a497 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -27,7 +27,7 @@ Import a pem-encoded ssh secret host key from file FILE. If FILE is
`\-', then the key will be imported from stdin. Only RSA keys are
supported at the moment. NAME[:PORT] is used to specify the
fully-qualified hostname (and port) used in the user ID of the new
-OpenPGP key. If PORT is not specified, the no port is added to the
+OpenPGP key. If PORT is not specified, then no port is added to the
user ID, which means port 22 is assumed. `i' may be used in place of
`import\-key'.
.TP
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 093c157..82ef1ae 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,9 +1,14 @@
monkeysphere (0.25-1~pre) UNRELEASED; urgency=low
* New upstream release:
- - fix the marginal ui output so that it's not prefixed by the LOG_PREFIX
-
- -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 07 Mar 2009 12:28:13 -0500
+ - update/fix the marginal ui output
+ - use msmktempdir everywhere (avoid unwrapped calls to mktemp for
+ portability)
+ - clean out some redundant "cat"s
+ - fix monkeysphere update-known_hosts for sshd running on non-standard
+ ports
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Wed, 18 Mar 2009 11:46:44 -0400
monkeysphere (0.24-1) unstable; urgency=low
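Review bot: the new 0.25-1~pre entry lists four upstream changes but omits two others carried by this same merge, the `--no-connect` option added to the `ssh-proxycommand` synopsis in man/man1/monkeysphere.1 and the new packaging/macports/Portfile; the man page change at least deserves a bullet so the option is discoverable from the changelog.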
diff --git a/packaging/macports/Portfile b/packaging/macports/Portfile
new file mode 100644
index 0000000..99d0d69
--- /dev/null
+++ b/packaging/macports/Portfile
@@ -0,0 +1,40 @@
+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
+# $Id$
+
+PortSystem 1.0
+
+name monkeysphere
+version 0.24
+categories net
+maintainers nomaintainer
+platforms darwin
+description use the OpenPGP web of trust to verify ssh connections
+
+long_description SSH key-based authentication is tried-and-true, \
+ but it lacks a true Public Key Infrastructure for \
+ key certification, revocation and expiration. \
+ Monkeysphere is a framework that uses the OpenPGP \
+ web of trust for these PKI functions. It can be \
+ used in both directions: for users to get \
+ validated host keys, and for hosts to authenticate \
+ users.
+
+homepage http://web.monkeysphere.info/
+master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
+distname ${name}_${version}
+worksrcdir ${name}-${version}
+checksums md5 8590532f4702fa44027a6a583657c9ef
+
+depends_run bin:ssh:openssh \
+ port:gnupg \
+ port:perl5.10 \
+ port:p5-crypt-rsa \
+ port:p5-digest-sha1 \
+ port:procmail
+
+build.target build
+destroot.args PREFIX=${destroot}${prefix} \
+ CONFDIR=${destroot}${prefix}/etc/monkeysphere \
+ DBDIR=${destroot}${prefix}/var/lib/monkeysphere \
+ MANDIR=${destroot}${prefix}/share/man \
+ DOCDIR=${destroot}${prefix}/share/doc/monkeysphere
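Review bot: `checksums md5 8590532f4702fa44027a6a583657c9ef` verifies the distfile with MD5 alone, and `master_sites` is plain http, so the integrity of what gets built rests entirely on MD5; MacPorts accepts several digests on one `checksums` line, so add `sha1` and `rmd160` values alongside it. Also, the port sets `build.target build` but nothing here disables the configure phase; if the monkeysphere tarball carries no `configure` script (it is built with a plain Makefile elsewhere in this tree), MacPorts' default configure step will fail and `use_configure no` is needed.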
diff --git a/src/monkeysphere b/src/monkeysphere
index 2e3bc16..fbc05b4 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -47,7 +47,7 @@ subcommands:
update-authorized_keys (a) update authorized_keys file
gen-subkey (g) [KEYID] generate an authentication subkey
--length (-l) BITS key length in bits (2048)
- ssh-proxycommand monkeysphere ssh ProxyCommand
+ ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand
subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
version (v) show version number
help (h,?) this help
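Review bot: this usage line becomes `ssh-proxycommand HOST [PORT]`, while the man page synopsis changed in the same commit reads `ssh-proxycommand [--no-connect] HOST [PORT]`; the two should agree, so either add `[--no-connect]` here (re-spacing the column so the description stays aligned with the lines above) or drop it from the man page.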
diff --git a/src/share/common b/src/share/common
index ea872ba..d6e4949 100644
--- a/src/share/common
+++ b/src/share/common
@@ -464,14 +464,23 @@ gpg2ssh() {
# output known_hosts line from ssh key
ssh2known_hosts() {
local host
+ local port
local key
- host="$1"
+ # FIXME this does not properly deal with IPv6 hosts using the
+ # standard port (because it's unclear whether their final
+ # colon-delimited address section is a port number or an address
+ # string)
+ host=${1%:*}
+ port=${1##*:}
key="$2"
- echo -n "$host "
- echo -n "$key" | tr -d '\n'
- echo " MonkeySphere${DATE}"
+ # specify the host and port properly for new ssh known_hosts
+ # format
+ if [ "$port" != "$host" ] ; then
+ host="[${host}]:${port}"
+ fi
+ printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE"
}
# output authorized_keys line from ssh key
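Review bot: when the caller passes `host:22` explicitly, the new branch `host="[${host}]:${port}"` emits `[host]:22`, which OpenSSH will not match on a default-port connection, because it looks known_hosts up under the bare hostname when the port is 22 and uses the `[host]:port` form only for non-standard ports; extend the condition to `if [ "$port" != "$host" ] && [ "$port" != 22 ] ; then`. Separately, the `tr -d '\n'` that used to strip newlines from `$key` is gone, so a key argument containing a newline now produces a broken known_hosts line; acceptable if every caller passes a single-line key, but worth stating in the comment.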
@@ -482,41 +491,43 @@ ssh2authorized_keys() {
userID="$1"
key="$2"
- echo -n "$key" | tr -d '\n'
- echo " MonkeySphere${DATE} ${userID}"
+ printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
}
# convert key from gpg to ssh known_hosts format
gpg2known_hosts() {
local host
local keyID
+ local key
host="$1"
keyID="$2"
+ key=$(gpg2ssh "$keyID")
+
# NOTE: it seems that ssh-keygen -R removes all comment fields from
# all lines in the known_hosts file. why?
# NOTE: just in case, the COMMENT can be matched with the
# following regexp:
# '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
- echo -n "$host "
- gpg2ssh "$keyID" | tr -d '\n'
- echo " MonkeySphere${DATE}"
+ printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE"
}
# convert key from gpg to ssh authorized_keys format
gpg2authorized_keys() {
local userID
local keyID
+ local key
userID="$1"
keyID="$2"
+ key=$(gpg2ssh "$keyID")
+
# NOTE: just in case, the COMMENT can be matched with the
# following regexp:
# '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
- gpg2ssh "$keyID" | tr -d '\n'
- echo " MonkeySphere${DATE} ${userID}"
+ printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
}
### GPG UTILITIES
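Review bot: `key=$(gpg2ssh "$keyID")` in both gpg2known_hosts and gpg2authorized_keys discards gpg2ssh's exit status, and an empty `$key` still produces an output line; for authorized_keys that line would be ` MonkeySphere<DATE> <userID>`, whose first field is the date token rather than a key type. Add a guard such as `[ -n "$key" ] || return 1` after each assignment. Keeping `local key` on its own line, as done here, is right, since `local key=$(...)` would mask the status.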
diff --git a/src/share/m/gen_subkey b/src/share/m/gen_subkey
index dbd9dd6..a0fa3ce 100644
--- a/src/share/m/gen_subkey
+++ b/src/share/m/gen_subkey
@@ -44,8 +44,7 @@ Type '$PGRM help' for usage."
check_gpg_authentication_subkey "$keyID"
# generate the list of commands that will be passed to edit-key
- editCommands=$(cat <<EOF
-addkey
+ editCommands="addkey
7
S
E
@@ -53,9 +52,7 @@ A
Q
$keyLength
0
-save
-EOF
-)
+save"
# setup the temp fifo dir for retrieving the key password
log debug "creating password fifo..."
diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand
index 7ab4bec..77f9d24 100644
--- a/src/share/m/ssh_proxycommand
+++ b/src/share/m/ssh_proxycommand
@@ -36,52 +36,55 @@ output_no_valid_key() {
LOG_PREFIX=
- cat <<EOF | log info
--------------------- Monkeysphere warning -------------------
-Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
-EOF
-
- # retrieve the actual ssh key
- sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
- # FIXME: should we do any checks for failed keyscans, eg. host not
- # found?
+ # retrieve the ssh key being offered by the host
+ sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \
+ | awk '{ print $2, $3 }')
# get the gpg info for userid
gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \
--with-fingerprint --with-fingerprint \
="$userID" 2>/dev/null)
- # find all 'pub' and 'sub' lines in the gpg output, which each
- # represent a retrieved key for the user ID
- echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
- while IFS=: read -r type validity keyid uidfpr usage ; do
- case $type in
- 'pub'|'sub')
- # get the ssh key of the gpg key
- sshKeyGPG=$(gpg2ssh "$keyid")
-
- # if one of keys found matches the one offered by the
- # host, then output info
- if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
- cat <<EOF | log info
+ # output header
+ log info <<EOF
+-------------------- Monkeysphere warning -------------------
+Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+EOF
+
+ # if the host key is retrieved from the host, check against known
+ # OpenPGP keys
+ if [ "$sshKeyOffered" ] ; then
+ # find all 'pub' and 'sub' lines in the gpg output, which each
+ # represent a retrieved key for the user ID
+ echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+ while IFS=: read -r type validity keyid uidfpr usage ; do
+ case $type in
+ 'pub'|'sub')
+ # get the ssh key of the gpg key
+ sshKeyGPG=$(gpg2ssh "$keyid")
+
+ # if one of keys found matches the one offered by the
+ # host, then output info
+ if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+ log info <<EOF
An OpenPGP key matching the ssh key offered by the host was found:
EOF
- sshKeyGPGFile=$(msmktempfile)
- printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
- sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
- awk '{ print $2 }')
- rm -f "$sshKeyGPGFile"
+ sshKeyGPGFile=$(msmktempfile)
+ printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
+ sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
+ awk '{ print $2 }')
+ rm -f "$sshKeyGPGFile"
- # get the sigs for the matching key
- gpgSigOut=$(gpg_user --check-sigs \
- --list-options show-uid-validity \
- "$keyid")
+ # get the sigs for the matching key
+ gpgSigOut=$(gpg_user --check-sigs \
+ --list-options show-uid-validity \
+ "$keyid")
- # output the sigs, but only those on the user ID
- # we are looking for
- echo "$gpgSigOut" | awk '
+ # output the sigs, but only those on the user ID
+ # we are looking for
+ echo "$gpgSigOut" | awk '
{
if (match($0,"^pub")) { print; }
if (match($0,"^uid")) { ok=0; }
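Review bot: the new `if [ "$sshKeyOffered" ] ; then` guard is the right replacement for the removed FIXME, but ssh-keyscan's stderr is still discarded (`2>/dev/null`), so when the else branch later reports that no RSA host key could be retrieved the user cannot tell a name-resolution failure from a refused connection or from a host whose sshd offers no RSA key at all (`-t rsa` restricts the scan to RSA, in line with the "Only RSA keys are supported" note in man8/monkeysphere-host.8); capture stderr and emit it with `log debug` so the cause is visible when debugging is on.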
@@ -89,51 +92,59 @@ if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
if (ok) { if (match($0,"^sig")) { print; } }
}
' | log info
- echo | log info
+ echo | log info
- # output the other user IDs for reference
- if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
- cat <<EOF | log info
+ # output the other user IDs for reference
+ if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+ log info <<EOF
Other user IDs on this key:
EOF
- echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
- echo | log info
- fi
+ echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
+ echo | log info
+ fi
- # output ssh fingerprint
- cat <<EOF | log info
+ # output ssh fingerprint
+ log info <<EOF
RSA key fingerprint is ${sshFingerprint}.
EOF
- # this whole process is in a "while read"
- # subshell. the only way to get information out
- # of the subshell is to change the return code.
- # therefore we return 1 here to indicate that a
- # matching gpg key was found for the ssh key
- # offered by the host
- return 1
- fi
- ;;
- esac
- done || returnCode="$?"
-
- # if no key match was made (and the "while read" subshell returned
- # 1) output how many keys were found
- if (( returnCode != 1 )) ; then
- cat <<EOF | log info
+ # this whole process is in a "while read"
+ # subshell. the only way to get information
+ # out of the subshell is to change the return
+ # code. therefore we return 1 here to
+ # indicate that a matching gpg key was found
+ # for the ssh key offered by the host
+ return 1
+ fi
+ ;;
+ esac
+ done || returnCode="$?"
+
+ # if no key match was made (and the "while read" subshell
+ # returned 1) output how many keys were found
+ if (( returnCode != 1 )) ; then
+ log info <<EOF
None of the found keys matched the key offered by the host.
Run the following command for more info about the found keys:
gpg --check-sigs --list-options show-uid-validity =${userID}
EOF
- # FIXME: should we do anything extra here if the retrieved
- # host key is actually in the known_hosts file and the ssh
- # connection will succeed? Should the user be warned?
- # prompted?
+ # FIXME: should we do anything extra here if the retrieved
+ # host key is actually in the known_hosts file and the ssh
+ # connection will succeed? Should the user be warned?
+ # prompted?
+ fi
+
+ # if host key could not be retrieved from the host, output message
+ else
+ log info <<EOF
+Could not retrieve RSA host key from $HOST.
+EOF
fi
- cat <<EOF | log info
+ # output footer
+ log info <<EOF
-------------------- ssh continues below --------------------
EOF
}
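Review bot: `returnCode` is never initialised before `done || returnCode="$?"`, so when the while loop exits 0 (no matching key) the `(( returnCode != 1 ))` test only works because an unset variable evaluates to 0 in arithmetic context; should output_no_valid_key ever be called twice in one shell, a stale 1 from the first call would suppress the "None of the found keys matched" message. Set `returnCode=0` immediately before the loop. The `'$userID'` splice into the awk program in this hunk's context line (`^uid.*'$userID'$`) also depends on the user ID containing no single quote or regex metacharacters; passing it with `awk -v uid="$userID"` and comparing with `index()` removes that dependency.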
diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier
index 544a3f0..402da08 100644
--- a/src/share/ma/add_certifier
+++ b/src/share/ma/add_certifier
@@ -153,16 +153,14 @@ gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import
# edit-key script to ltsign key
# NOTE: *all* user IDs will be ltsigned
-ltsignCommand=$(cat <<EOF
-ltsign
+ltsignCommand="ltsign
y
$trustval
$depth
$domain
y
-save
-EOF
- )
+save"
+# end script
# core ltsigns the newly imported certifier key
log debug "executing core ltsign script..."
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname
index b08d688..36f174d 100644
--- a/src/share/mh/add_hostname
+++ b/src/share/mh/add_hostname
@@ -43,14 +43,12 @@ else
fi
# edit-key script command to add user ID
-adduidCommand=$(cat <<EOF
-adduid
+adduidCommand="adduid
$userID
-save
-EOF
-)
+save"
+# end script
# execute edit-key script
if echo "$adduidCommand" | gpg_host_edit ; then
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
index 03ae56f..077b0d0 100644
--- a/src/share/mh/add_revoker
+++ b/src/share/mh/add_revoker
@@ -106,14 +106,12 @@ of the host key? (Y/n) " OK; OK=${OK:-Y}
fi
# edit-key script to add revoker
-addrevokerCommand=$(cat <<EOF
-addrevoker
+addrevokerCommand="addrevoker
$fingerprint
y
save
-
-EOF
- )
+"
+# end script
# core ltsigns the newly imported revoker key
log debug "executing add revoker script..."
diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname
index 2142af7..5dc327f 100644
--- a/src/share/mh/revoke_hostname
+++ b/src/share/mh/revoke_hostname
@@ -54,17 +54,15 @@ else
fi
# edit-key script command to revoke user ID
-revuidCommand=$(cat <<EOF
-$uidIndex
+revuidCommand="$uidIndex
revuid
y
4
Hostname removed by monkeysphere-host: $DATE
y
-save
-EOF
- )
+save"
+# end script
# execute edit-key script
if echo "$revuidCommand" | gpg_host_edit ; then
diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire
index 63e5c55..a6bf1f1 100644
--- a/src/share/mh/set_expire
+++ b/src/share/mh/set_expire
@@ -40,7 +40,7 @@ EOF
update_gpg_pub_file
-cat <<EOF | log info
+log info <<EOF
NOTE: Host key expiration date adjusted, but not yet published.
Run '$PGRM publish-key' to publish the new expiration date.
EOF
diff --git a/website/download.mdwn b/website/download.mdwn
index 0a891db..3cf9d62 100644
--- a/website/download.mdwn
+++ b/website/download.mdwn
@@ -18,15 +18,22 @@ Monkeysphere relies on:
## Debian ##
If you are running a [Debian](http://www.debian.org/) system, the
-[monkeysphere is now available in the Debian unstable ("sid")
-distribution](http://packages.debian.org/sid/monkeysphere).
+[monkeysphere is available in the Debian archive](http://packages.debian.org/search?keywords=monkeysphere&searchon=names&section=all&suite=all)
+
+If you are running Debian unstable or testing install the latest monkeysphere
+version as follows:
+
+ aptitude install monkeysphere
+
+If you are running Debian stable, you can get the monkeysphere package
+from [backports.org](http://backports.org/dokuwiki/doku.php?id=instructions)
You can also install the Monkeysphere directly from the Monkeysphere
Debian archive. You can add this archive to your system by putting
the following lines in `/etc/apt/sources.list.d/monkeysphere.list`:
- deb http://archive.monkeysphere.info/debian experimental monkeysphere
- deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
+ deb http://archive.monkeysphere.info/debian experimental monkeysphere
+ deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
The repository is currently signed by [The Monkeysphere archive
signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C
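Review bot: the sentence ending in the `[monkeysphere is available in the Debian archive](...)` link has lost its full stop (the removed text ended with one), and `from [backports.org](...)` two paragraphs later also lacks one. The re-indented `deb`/`deb-src` lines are whitespace-only changes and still render as a code block.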
@@ -36,27 +43,16 @@ configuration after verifying its integrity](/archive-key).
## FreeBSD ##
-There is [now a FreeBSD port available](/news/FreeBSD-port-available)
-for the Monkeysphere.
+There is [a FreeBSD port
+available](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere)
+for the Monkeysphere, built and tested against FreeBSD 7.1.
-While the monkeysphere is not officially included in the ports tree
-yet, [a problem
-report](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128406) has
-been submitted, and the package itself is functional.
+You should be able to build and install the latest port with:
-The latest version of the ports directory can be found in [the git
-repository](/community) under
-`packaging/freebsd/security/monkeysphere`. Please [let us
-know](/community) if you encounter any problems with it on a FreeBSD
-system.
-
-Until the port is accepted, you should be able to build the latest
-port with:
-
- git clone git://git.monkeysphere.info/monkeysphere
- cp -a monkeysphere/packaging/freebsd/security/monkeysphere /usr/ports/security
cd /usr/ports/security/monkeysphere
- make && make install
+ make package
+
+Enjoy!
## Source ##
diff --git a/website/news/0.24-accepted-in-Debian-testing.mdwn b/website/news/0.24-accepted-in-Debian-testing.mdwn
new file mode 100644
index 0000000..4222493
--- /dev/null
+++ b/website/news/0.24-accepted-in-Debian-testing.mdwn
@@ -0,0 +1,10 @@
+[[meta title="Monkeysphere 0.24 accepted in Debian testing"]]
+
+[Monkeysphere 0.24 is now available in the Debian testing distribution
+("squeeze")](http://packages.debian.org/testing/monkeysphere).
+Monkeysphere 0.24 is our strongest release yet. If you are running
+Debian testing, installing the monkeysphere is now very easy:
+
+ aptitude install monkeysphere
+
+See the [[download]] page for more information.
diff --git a/website/news/0.24-available-in-Backports-org.mdwn b/website/news/0.24-available-in-Backports-org.mdwn
new file mode 100644
index 0000000..e56af89
--- /dev/null
+++ b/website/news/0.24-available-in-Backports-org.mdwn
@@ -0,0 +1,8 @@
+[[meta title="Monkeysphere 0.24 accepted as a Debian Backport"]]
+
+[Monkeysphere 0.24 is now available at [Backports.org](http://backports.org).
+If you are running Debian stable ("Lenny"), you can install this version
+of the monkeysphere package by following the [instructions for installing
+backports](http://backports.org/dokuwiki/doku.php?id=instructions).
+
+See the [[download]] page for more information.
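Review bot: the third line of the new file opens with a stray `[` (`[Monkeysphere 0.24 is now available at [Backports.org](http://backports.org).`) that is never closed, so the bracket will render literally; drop it, or make the whole clause the link text as the Debian testing announcement does.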
diff --git a/website/news/FreeBSD-0.24-port-accepted.mdwn b/website/news/FreeBSD-0.24-port-accepted.mdwn
new file mode 100644
index 0000000..bdd5655
--- /dev/null
+++ b/website/news/FreeBSD-0.24-port-accepted.mdwn
@@ -0,0 +1,11 @@
+[[meta title="FreeBSD 0.24 port accepted"]]
+
+FreeBSD's ports tree now contains [a port of the
+Monkeysphere](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere),
+version 0.24. If you run FreeBSD, [update your ports
+tree](http://www.freebsd.org/doc/en/books/handbook/ports-using.html),
+and then:
+
+ cd /usr/ports/security/monkeysphere
+ make package
+
diff --git a/website/news/FreeBSD-port-available.mdwn b/website/news/FreeBSD-port-available.mdwn
index a03af4e..fde2b47 100644
--- a/website/news/FreeBSD-port-available.mdwn
+++ b/website/news/FreeBSD-port-available.mdwn
@@ -1,5 +1,8 @@
[[meta title="FreeBSD port available"]]
+Update: [FreeBSD's official ports tree now contains monkeysphere
+0.24](FreeBSD-0.24-port-accepted).
+
There is now a FreeBSD port available for the Monkeysphere.
It has been built and tested (so far) on a FreeBSD 7.1 AMD64 system,