| author | Matt Goins <mjgoins@openflows.com> | 2008-06-20 14:23:41 -0400 |
|---|---|---|
| committer | Matt Goins <mjgoins@openflows.com> | 2008-06-20 14:23:41 -0400 |
| commit | 3a6f611a52d56b919b8c50a6e1700af43ff49578 (patch) | |
| tree | 1bbbb9fef2438c47c5801ea822099c97fabdcf6f /doc/george | |
| parent | b75cb97e42dd3327942d8b32cac2d9ee97e9aa4a (diff) | |
| parent | 9efdaab59edb2ff4454082f6a36c9dc0d90b8885 (diff) | |
Merge branch 'master' of http://lair.fifthhorseman.net/~dkg/git/monkeysphere
Conflicts:
gpg2ssh/Makefile
Diffstat (limited to 'doc/george')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/george/changelog | 69 |
| -rw-r--r-- | doc/george/host-key-publication | 28 |
| -rw-r--r-- | doc/george/policy | 33 |
| -rw-r--r-- | doc/george/user-id-configuration | 40 |
4 files changed, 170 insertions, 0 deletions
diff --git a/doc/george/changelog b/doc/george/changelog new file mode 100644 index 0000000..c157cec --- /dev/null +++ b/doc/george/changelog 
@@ -0,0 +1,69 @@ +****************************************************************************** +* * +* george system log * +* * +****************************************************************************** +* Please add new entries in reverse chronological order whenever you make * +* changes to this system * +****************************************************************************** + +2008-06-20 - dkg + * touched /etc/environment to get rid of some spurious auth.log + entries. + * turned up sshd's LogLevel from INFO to DEBUG + +2008-06-19 - dkg + * installed rsync (for maintaining a public apt repo) + + * configured mathopd to listen on port 80, serving /srv/www as / + and /srv/apt as /debian. We've got nothing in /srv/www at the + moment, though. + + * installed lsof and psmisc as sysadmin utilities. sorry for the + bloat! + + * installed strace to try to figure out why onak is segfaulting. + +2008-06-19 - dkg + * removed etch sources, switched "testing" to "lenny", added + lenny/updates, removed all contrib and non-free. + + * removed testing pin in /etc/apt/preferences + * ran the upgrade + + * reset emacs22 to emacs22-nox (avoiding dependencies) + + * removed sysklog and klogd because of errors restarting klogd. + Installed syslog-ng in their stead, which still gives errors + related to /proc/kmsg unreadability, but the install completes :/ + + * added experimental + * juggled pinning: experimental: 1, unstable: 2 + * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf + + * installed monkeysphere v0.1-1, changed host key, published + them via the local keyserver (see host-key-publication) + + * added local unprivileged user accounts for everyone listed in + /usr/share/doc/monkeysphere/copyright + + * configured authorized_user_ids for every user account based on + my best guess at their OpenPGP User ID (see + user-id-configuration). 
+ + * set up a cronjob (in /etc/crontab) to run "monkeysphere-server + update-users" at 26 minutes past the hour. + +2008-06-18 - jrollins + * installed less, emacs; + * aptitude update && aptitude dist-upgrade + +2008-06-18 - micah + * debootstrap'd debian etch install + * installed /etc/apt/sources.list with local proxy sources for etch, + testing, unstable, backports and volatile + * configured /etc/apt/preferences and apt.conf.d/local-conf to + pin etch, but make testing, sid and backports available + * added backports.org apt-key + * installed openssh-server and openssh-client packages + * added dkg, jrollins, mjgoins ssh public_keys to /root/.ssh/authorized_keys diff --git a/doc/george/host-key-publication b/doc/george/host-key-publication new file mode 100644 index 0000000..03e2510 --- /dev/null +++ b/doc/george/host-key-publication 
@@ -0,0 +1,28 @@ +2008-06-19 02:34:57-0400 +------------------------ + +Adding george's host key to the monkeysphere was more complicated than +it needed to be. + +As the server admin, i did (accepting the defaults where possible): + + monkeysphere-server gen-key + KEYID=$(GNUPGHOME=/etc/monkeysphere/gnupg gpg --with-colons --list-key =ssh://$(hostname --fqdn) | grep ^pub: | cut -f5 -d:) + (umask 077 && GNUPGHOME=/etc/monkeysphere/gnupg gpg --export-secret-key $KEYID | openpgp2ssh $KEYID >/etc/monkeysphere/ssh_host_rsa_key) + # modify /etc/ssh/sshd_config to remove old host keys lines, and + # add new line: HostKey /etc/monkeysphere/ssh_host_rsa_key + /etc/init.d/ssh restart + + KEYSERVER=george.riseup.net monkeysphere-server publish-key + # (needed to publish by hand here because of reasonable sanity checks) + monkeysphere-server show-fingerprint + + # then from a remote host: + gpg --keyserver george.riseup.net --search =ssh://george.riseup.net + gpg --fingerprint --sign-key =ssh://george.riseup.net + KEYID=$(gpg --with-colons --list-key =ssh://george.riseup.net | grep ^pub: | cut -f5 -d:) + gpg --keyserver george.riseup.net --send "$KEYID" + gpg --keyserver george.riseup.net --send "$MYGPGID" + + +How could this have been streamlined? diff --git a/doc/george/policy b/doc/george/policy new file mode 100644 index 0000000..a17a310 --- /dev/null +++ b/doc/george/policy 
@@ -0,0 +1,33 @@ +Policy for maintaining george.riseup.net +---------------------------------------- + +Riseup graciously provided the MonkeySphere project with a vserver for +testing and public documentation. This is known as george.riseup.net, +for those who are curious about the MonkeySphere. + +george will be maintained as a debian lenny machine, with minimal +packages from experimental as needed for installing and running what +we build elsewhere. + +george will host 3 public-facing services: an ssh daemon on port 22, +an http service on port 80, and an OpenPGP keyserver (the HKP +protocol) on port 11371. + +Administration of george is a shared responsibility across the core +members of the MonkeySphere development team. Administrators will log +changes in their git repositories, in doc/george/changelog (a peer of +this policy file). + +monkeysphere packages installed on george will use unique, tagged +version numbers so we know what we're running. + +We will try to keep the installation as minimal as possible while +still allowing for comfortable day-to-day administration. + +We will use aptitude for package management where possible. + +Outstanding questions: + +Who should have superuser access? + +Who should get regular user accounts? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration new file mode 100644 index 0000000..9a7f4d2 --- /dev/null +++ b/doc/george/user-id-configuration 
@@ -0,0 +1,40 @@ +2008-06-19 03:00:58-0400 +------------------------ + +setting up authorized_user_id configuration on george was also more +cumbersome than it needs to be. Here's what i (dkg) did: + +monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 + +monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor <dkg@fifthhorseman.net>' +monkeysphere-server update-user-userids jrollins 'Jameson Rollins <jrollins@fifthhorseman.net>' +monkeysphere-server update-user-userids micah 'Micah Anderson <micah@riseup.net>' +monkeysphere-server update-user-userids mjgoins 'Matthew Goins <mjgoins@openflows.com>' +monkeysphere-server update-user-userids ross 'Ross Glover <ross@ross.mayfirst.org>' +monkeysphere-server update-user-userids jamie 'Jamie McClelland <jamie@mayfirst.org>' +monkeysphere-server update-user-userids mlcastle 'mike castleman <m@mlcastle.net>' +monkeysphere-server update-user-userids enw 'Elliot Winard <enw@caveteen.com>' +monkeysphere-server update-user-userids greg 'Greg Lyle <greg@stealthisemail.com>' + + +then i added a scheduled: + + monkeysphere-server update-users + +to run hourly via /etc/crontab + +and made sure that root's keys were working with a temporary symlink +(see TODO about that business) + +and then modified /etc/ssh/sshd_config with: + + AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u + + +Some outstanding questions: + + * Should we ship a scheduled monkeysphere-server update-users cron + job automatically? + + * why was i not prompted to confirm the trust-keys line, which seems + like the most delicate/sensitive line of all of them? |
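Review bot: the 2008-06-20 entry in doc/george/changelog records turning sshd's LogLevel from INFO to DEBUG but gives neither the reason nor a plan to revert it; sshd_config(5) states that DEBUG-level logging violates the privacy of users and is not recommended, so the changelog should say what is being diagnosed and when the level goes back to INFO. In the same hunk, the cron note "at 26 minutes past the hour" would be easier to audit if the actual /etc/crontab line were quoted in the entry.

Review bot: the remote-host steps in doc/george/host-key-publication certify the key fetched from george's own keyserver (`gpg --fingerprint --sign-key =ssh://george.riseup.net`) without recording that the printed fingerprint was compared with the `monkeysphere-server show-fingerprint` output obtained out of band; because the search goes through the very host whose key is being certified, that comparison is the only thing binding the certification to the right key, so it should be written down as an explicit step. Two smaller points: `$MYGPGID` in the last `--send` is never set anywhere in the snippet, and both `KEYID=$(... | grep ^pub: | cut -f5 -d:)` pipelines silently produce several ids if more than one matching key is present, so the later `--export-secret-key $KEYID` and `--send "$KEYID"` should first check that exactly one id came back.

Review bot: in doc/george/policy the sentence "Administrators will log changes in their git repositories, in doc/george/changelog" leaves open whether each administrator keeps a separate repository or all commit to one shared tree, and the merge conflict in this very commit shows the log is already being edited in parallel; name the canonical repository. The two "Outstanding questions" (superuser access, regular accounts) are left unanswered even though the changelog hunk already records root keys for dkg, jrollins and mjgoins and unprivileged accounts for everyone in /usr/share/doc/monkeysphere/copyright, so the policy should at least record that de facto answer.

Review bot: the `AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u` line in doc/george/user-id-configuration makes that directory the only source of login keys for every account, root included, yet the document does not say who owns /var/cache/monkeysphere/authorized_keys or what the "temporary symlink" for root's keys points at (only "see TODO about that business"); spell both out, since with this setting the /root/.ssh/authorized_keys entries from the changelog are no longer consulted and any key that lands in the cache directory grants login. The `trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9` line likewise identifies the trusted certifier only by fingerprint; noting whose key it is and how the fingerprint was verified before trusting it would make the record reviewable, which is the same concern the author raises in the last question.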