author: Matt Goins <mjgoins@openflows.com> 2008-06-20 14:23:41 -0400
committer: Matt Goins <mjgoins@openflows.com> 2008-06-20 14:23:41 -0400
commit: 3a6f611a52d56b919b8c50a6e1700af43ff49578 (patch)
tree: 1bbbb9fef2438c47c5801ea822099c97fabdcf6f /doc
parent: b75cb97e42dd3327942d8b32cac2d9ee97e9aa4a (diff)
parent: 9efdaab59edb2ff4454082f6a36c9dc0d90b8885 (diff)
Merge branch 'master' of http://lair.fifthhorseman.net/~dkg/git/monkeysphere
Conflicts: gpg2ssh/Makefile
Diffstat (limited to 'doc')
-rw-r--r-- doc/MonkeySpec                 |   6
-rw-r--r-- doc/README                     |  73
-rw-r--r-- doc/TODO                       | 109
-rw-r--r-- doc/george/changelog           |  69
-rw-r--r-- doc/george/host-key-publication |  28
-rw-r--r-- doc/george/policy              |  33
-rw-r--r-- doc/george/user-id-configuration |  40
7 files changed, 307 insertions, 51 deletions
diff --git a/doc/MonkeySpec b/doc/MonkeySpec
index 6ee278f..54aaa72 100644
--- a/doc/MonkeySpec
+++ b/doc/MonkeySpec
@@ -39,9 +39,9 @@ common components
server-side components
----------------------
* "howler": server gpg maintainer
- - generates gpg keys for the server
- - publishes server gpg keys
- - used to specify userids to trust for user authentication
+ - generate gpg keys for the server
+ - publish server gpg keys
+ - give owner trust to keys for user authentication
* "tamarin": concept - how to trigger or schedule rhesus at admin defined
points (e.g. via cron or during ssh connections).
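Review bot: the reworded third bullet, "give owner trust to keys for user authentication", should say what that ownertrust means for the authorization model, since it is the security-critical step of the whole server side: a key given full ownertrust makes every User ID it has certified count as fully valid, so each such certification becomes a login grant for any account whose authorized_user_ids lists that User ID. One extra clause ("the trusted key's certifications then decide which user keys are accepted") would make the spec match the README text in this same commit, and would also make it obvious why the TODO asks how to reverse a trust-keys invocation.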
diff --git a/doc/README b/doc/README
index d8f1897..cda1194 100644
--- a/doc/README
+++ b/doc/README
@@ -1,36 +1,22 @@
Monkeysphere README
===================
-Default files locations (by variable):
-
-MS_HOME=~/.config/monkeysphere
-MS_CONF=$MS_HOME/monkeysphere.conf
-AUTH_HOST_FILE=$MS_HOME/auth_host_ids
-AUTH_USER_FILE=$MS_HOME/auth_user_ids
-GNUPGHOME=~/.gnupg
-STAGING_AREA=$MS_HOME
-
-$STAGING_AREA/host_keys/KEYHASH
-$STAGING_AREA/known_hosts
-$STAGING_AREA/user_keys/KEYHASH
-$STAGING_AREA/authorized_keys
-
user usage
----------
-For a user to update their ms known_hosts file:
+For a user to update their known_hosts file:
-$ rhesus --known_hosts
+$ monkeysphere update-known_hosts
-For a user to update their ms authorized_keys file:
+For a user to update their monkeysphere authorized_keys file:
-$ rhesus --authorized_keys
+$ monkeysphere update-authorized_keys
server service publication
--------------------------
-To publish a server host key use the "howler" component:
+To publish a server host key:
-# howler gen-key
-# howler publish-key
+# monkeysphere-server gen-key
+# monkeysphere-server publish-key
This will generate the key for server with the service URI
(ssh://server.hostname). The server admin should now sign the server
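Review bot: this hunk deletes the "Default files locations" block without replacing it, so after the rewrite the README never says where `monkeysphere update-known_hosts` and `monkeysphere update-authorized_keys` read their input and write their output, or which directory holds the per-user state that the old STAGING_AREA variables described. Either keep a short paths list (or at least the config file path) or point at the man page that now documents it; the later hunk does name /etc/monkeysphere/authorized_user_ids/USER for the server side, so the client side should get the same treatment. Minor: the unchanged context line "This will generate the key for server with the service URI" is missing "the" before "server".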
@@ -42,38 +28,29 @@ $ gpg --sign-key 'ssh://server.hostname'
server authorized_keys maintenance
----------------------------------
-A system can maintain ms authorized_keys files for it's users. Some
-different variables need to be defined to help manage this. The way
-this is done is by first defining a new MS_HOME:
+A system can maintain monkeysphere authorized_keys files for it's
+users.
-MS_HOME=/etc/monkeysphere
-
-This directory would then have a monkeysphere.conf which defines the
-following variables:
+For each user account on the server, the userids of people authorized
+to log into that account would be placed in:
-AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER"
-STAGING_AREA=/var/lib/monkeysphere/stage/$USER
-GNUPGHOME=$MS_HOME/gnupg
+/etc/monkeysphere/authorized_user_ids/USER
-For each user account on the server, the userids of people authorized
-to log into that account would be placed in the AUTH_USER_FILE for
-that user. However, in order for users to become authenticated, the
-server must determine that the user keys have "full" validity. This
-means that the server must fully trust at least one person whose
-signature on the connecting users key would validate the user. This
-would generally be the server admin. If the server admin's keyid is
-XXXXXXXX, then on the server run:
+However, in order for users to become authenticated, the server must
+determine that the user keys have "full" validity. This means that
+the server must fully trust at least one person whose signature on the
+connecting users key would validate the user. This would generally be
+the server admin. If the server admin's keyid is XXXXXXXX, then on
+the server run:
-# howler trust-key XXXXXXXX
+# monkeysphere-server trust-keys XXXXXXXX
-To update the ms authorized_keys file for user "bob", the system would
-then run the following:
+To update the monkeysphere authorized_keys file for user "bob", the
+system would then run the following:
-# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys
+# monkeysphere-server update-users bob
-To update the ms authorized_keys file for all users on the the system:
+To update the monkeysphere authorized_keys file for all users on the
+the system, run the same command with no arguments:
-MS_HOME=/etc/monkeysphere
-for USER in $(ls -1 /etc/monkeysphere/auth_user_ids) ; do
- rhesus --authorized_keys
-done
+# monkeysphere-server update-users
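Review bot: typo in the added line "A system can maintain monkeysphere authorized_keys files for it's" ("its"). On substance, the paragraph introducing `monkeysphere-server trust-keys XXXXXXXX` should state that this sets full ownertrust on the admin's key in the server's keyring, and that the decision is not undone by deleting the authorized_user_ids entry (the TODO added in this same commit asks how to reverse it; the README is where the answer belongs). Two smaller points: the placeholder should be a full fingerprint rather than an 8-hex keyid, since short keyids are not unique and this is exactly the value an attacker would want to collide (the george notes later in this commit do pass the 40-hex fingerprint); and "update-users" with no arguments should say what happens to a cached authorized_keys file whose authorized_user_ids source has since been removed, because the TODO entry below observes that it is currently left untouched.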
diff --git a/doc/TODO b/doc/TODO
new file mode 100644
index 0000000..a82f031
--- /dev/null
+++ b/doc/TODO
@@ -0,0 +1,109 @@
+Next-Steps Monkeysphere Projects:
+---------------------------------
+
+Detail advantages of monkeysphere: detail the race conditions in ssh,
+ and how the monkeysphere can help you reduce these threat vectors:
+ threat model reduction diagrams.
+
+Determine how openssh handles multiple processes writing to
+ known_hosts/authorized_keys files (lockfile, atomic appends?)
+
+Handle unverified monkeysphere hosts in such a way that they're not
+ always removed from known_hosts file. Ask user to lsign the host
+ key?
+
+Handle multiple hostnames (multiple user IDs?) when generating host
+ keys with gen-key.
+
+Work out the details (and describe a full use case) for assigning a
+ REVOKER during monkeysphere-server gen_key -- how is this set? How
+ do we export it so it's available when a second-party revocation is
+ needed?
+
+Actually enable server hostkey publication.
+
+Streamline host key generation, publication, verification. See
+ doc/george/host-key-publication for what dkg went through on
+ 2008-06-19
+
+Ensure that authorized_user_ids are under as tight control as ssh
+ expects from authorized_keys: we don't want monkeysphere to be a
+ weak link in the filesystem.
+
+What happens when a user account has no corresponding
+ /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed
+ in /var/cache/monkeysphere/authorized_keys/$USER? It looks
+ currently untouched, which could mean bad things for such a user.
+ - if authorized_user_ids is empty, then the user's authorized_keys
+ file will be also, unless the user-controlled authorized_keys file
+ is added. I believe this is expected, correct behavior.
+
+Consider the default permissions for
+ /var/cache/monkeysphere/authorized_keys/* (and indeed the whole
+ directory path leading up to that)
+
+As an administrator, how do i reverse the effect of a
+ "monkeysphere-server trust-keys" that i later decide i should not
+ have run?
+
+Make sure alternate ports are handled for known_hosts.
+
+Script to import private key into ssh agent.
+
+Provide a friendly interactive UI for marginal or failing client-side
+ hostkey verifications. Handle the common cases smoothly, and
+ provide good debugging info for the unusual cases.
+
+Make sure onak properly escapes user IDs with colons in them.
+
+Build a decent, presentable web site for documentation, evangelism,
+ etc. Include a mention of how to report trouble or concerns.
+
+Create ssh2openpgp or convert to full-fledged keytrans.
+
+Resolve the bugs listed in openpgp2ssh(1):BUGS.
+
+Understand and document alternate trustdb models.
+
+Understand and document the output of gpg --check-trustdb:
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u
+ gpg: depth: 1 valid: 20 signed: 67 trust: 15-, 0q, 1n, 3m, 1f, 0u
+ gpg: next trustdb check due at 2008-10-09
+
+Understand and document the numeric values between sig! and the keyid
+ in "gpg --check-sigs $KEYID" . Compare with the details found from
+ "gpg --with-colons --check-sigs $KEYID". This has to do with trust
+ signatures.
+
+Fix gpg's documentation to clarify the difference between validity and
+ ownertrust. Include better documentation for trust signatures.
+
+Make it easier to do domain-relative ssh host trust signatures with
+ gnupg. (e.g. "i trust Jamie McClelland (keyID 76CC057D) to properly
+ identify ssh servers in the mayfirst.org domain") See:
+ http://tools.ietf.org/html/rfc4880#section-5.2.3.21 and grep for
+ "tsign" in gpg(1).
+
+Fix the order of questions when user does a tsign in gpg or gpg2.
+
+File bug against ssh-keygen about how "-R" option removes comments
+ from known_hosts file.
+
+File bug against ssh-keygen to see if we can get it to write to hash a
+ known_hosts file to/from stdout/stdin.
+
+Add environment variables sections to man pages.
+
+Environment variable scoping.
+
+Move environment variable precedence before conf file.
+
+When using ssh-proxycommand, if only host keys found are expired or
+ revoked, then output loud warning with prompt, or fail hard.
+
+Update monkeysphere-ssh-proxycommand man page with new keyserver
+ checking policy info.
+
+Update monkeysphere-ssh-proxycommand man page with info about
+ no-connect option.
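Review bot: the item "What happens when a user account has no corresponding /etc/monkeysphere/authorized_user_ids/$USER file?" and the indented answer beneath it talk about two different cases. The question is about a missing file, and the observation is that /var/cache/monkeysphere/authorized_keys/$USER is then left untouched; the answer addresses an empty file, for which an empty output is indeed the expected result. The missing-file case is the dangerous one: if an admin revokes someone's access by deleting their authorized_user_ids file, the stale cached authorized_keys keeps granting login until something else overwrites it. Suggest update-users treat an absent source file as empty (write an empty authorized_keys or remove the cache entry) and that this be recorded as the intended behaviour rather than left as an open question. The neighbouring item about keeping authorized_user_ids "under as tight control as ssh expects from authorized_keys" should probably be merged with the item on /var/cache/monkeysphere/authorized_keys permissions, since both are the same requirement (no file in the chain writable by anyone other than root or the account owner).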
diff --git a/doc/george/changelog b/doc/george/changelog
new file mode 100644
index 0000000..c157cec
--- /dev/null
+++ b/doc/george/changelog
@@ -0,0 +1,69 @@
+******************************************************************************
+* *
+* george system log *
+* *
+******************************************************************************
+* Please add new entries in reverse chronological order whenever you make *
+* changes to this system *
+******************************************************************************
+
+2008-06-20 - dkg
+ * touched /etc/environment to get rid of some spurious auth.log
+ entries.
+ * turned up sshd's LogLevel from INFO to DEBUG
+
+2008-06-19 - dkg
+ * installed rsync (for maintaining a public apt repo)
+
+ * configured mathopd to listen on port 80, serving /srv/www as /
+ and /srv/apt as /debian. We've got nothing in /srv/www at the
+ moment, though.
+
+ * installed lsof and psmisc as sysadmin utilities. sorry for the
+ bloat!
+
+ * installed strace to try to figure out why onak is segfaulting.
+
+2008-06-19 - dkg
+ * removed etch sources, switched "testing" to "lenny", added
+ lenny/updates, removed all contrib and non-free.
+
+ * removed testing pin in /etc/apt/preferences
+ * ran the upgrade
+
+ * reset emacs22 to emacs22-nox (avoiding dependencies)
+
+ * removed sysklog and klogd because of errors restarting klogd.
+ Installed syslog-ng in their stead, which still gives errors
+ related to /proc/kmsg unreadability, but the install completes :/
+
+ * added experimental
+ * juggled pinning: experimental: 1, unstable: 2
+ * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf
+
+ * installed monkeysphere v0.1-1, changed host key, published
+ them via the local keyserver (see host-key-publication)
+
+ * added local unprivileged user accounts for everyone listed in
+ /usr/share/doc/monkeysphere/copyright
+
+ * configured authorized_user_ids for every user account based on
+ my best guess at their OpenPGP User ID (see
+ user-id-configuration).
+
+ * set up a cronjob (in /etc/crontab) to run "monkeysphere-server
+ update-users" at 26 minutes past the hour.
+
+2008-06-18 - jrollins
+ * installed less, emacs;
+ * aptitude update && aptitude dist-upgrade
+
+2008-06-18 - micah
+ * debootstrap'd debian etch install
+ * installed /etc/apt/sources.list with local proxy sources for etch,
+ testing, unstable, backports and volatile
+ * configured /etc/apt/preferences and apt.conf.d/local-conf to
+ pin etch, but make testing, sid and backports available
+ * added backports.org apt-key
+ * installed openssh-server and openssh-client packages
+ * added dkg, jrollins, mjgoins ssh public_keys to /root/.ssh/authorized_keys
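Review bot: the 2008-06-20 entry "turned up sshd's LogLevel from INFO to DEBUG" deserves a reason and an expiry. sshd_config(5) warns that logging at DEBUG violates the privacy of users and is not recommended; on a box whose stated purpose is testing a new authentication path it is a reasonable temporary measure, but the log should say what is being debugged and when the level goes back to INFO. Separately, the 2008-06-18 entry adding three personal keys to /root/.ssh/authorized_keys is the answer to the policy file's open question "Who should have superuser access?", so that question should either be closed with this list or the root keys should be noted as provisional.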
diff --git a/doc/george/host-key-publication b/doc/george/host-key-publication
new file mode 100644
index 0000000..03e2510
--- /dev/null
+++ b/doc/george/host-key-publication
@@ -0,0 +1,28 @@
+2008-06-19 02:34:57-0400
+------------------------
+
+Adding george's host key to the monkeysphere was more complicated than
+it needed to be.
+
+As the server admin, i did (accepting the defaults where possible):
+
+ monkeysphere-server gen-key
+ KEYID=$(GNUPGHOME=/etc/monkeysphere/gnupg gpg --with-colons --list-key =ssh://$(hostname --fqdn) | grep ^pub: | cut -f5 -d:)
+ (umask 077 && GNUPGHOME=/etc/monkeysphere/gnupg gpg --export-secret-key $KEYID | openpgp2ssh $KEYID >/etc/monkeysphere/ssh_host_rsa_key)
+ # modify /etc/ssh/sshd_config to remove old host keys lines, and
+ # add new line: HostKey /etc/monkeysphere/ssh_host_rsa_key
+ /etc/init.d/ssh restart
+
+ KEYSERVER=george.riseup.net monkeysphere-server publish-key
+ # (needed to publish by hand here because of reasonable sanity checks)
+ monkeysphere-server show-fingerprint
+
+ # then from a remote host:
+ gpg --keyserver george.riseup.net --search =ssh://george.riseup.net
+ gpg --fingerprint --sign-key =ssh://george.riseup.net
+ KEYID=$(gpg --with-colons --list-key =ssh://george.riseup.net | grep ^pub: | cut -f5 -d:)
+ gpg --keyserver george.riseup.net --send "$KEYID"
+ gpg --keyserver george.riseup.net --send "$MYGPGID"
+
+
+How could this have been streamlined?
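Review bot: the "then from a remote host" sequence signs the host key straight after `gpg --keyserver george.riseup.net --search =ssh://george.riseup.net` with no step that compares the fingerprint shown by `gpg --fingerprint --sign-key` against the one the admin obtained locally from `monkeysphere-server show-fingerprint`. Fetching from the keyserver is unauthenticated, and the keyserver here is the very host being verified, so anyone who can publish a second `ssh://george.riseup.net` User ID to it gets a certification from whoever follows these steps literally; the comparison should be written down as an explicit step, and the `KEYID=$(... | grep ^pub: | cut -f5 -d:)` line should guard against more than one pub: match for the same reason. Two smaller points: `$MYGPGID` is used on the last line but never defined in the recipe, and `gpg --export-secret-key $KEYID | openpgp2ssh $KEYID` writes the host's secret key through a pipe under `umask 077`, which is fine, but the resulting file should be confirmed root-owned and mode 0600 before sshd is pointed at it.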
diff --git a/doc/george/policy b/doc/george/policy
new file mode 100644
index 0000000..a17a310
--- /dev/null
+++ b/doc/george/policy
@@ -0,0 +1,33 @@
+Policy for maintaining george.riseup.net
+----------------------------------------
+
+Riseup graciously provided the MonkeySphere project with a vserver for
+testing and public documentation. This is known as george.riseup.net,
+for those who are curious about the MonkeySphere.
+
+george will be maintained as a debian lenny machine, with minimal
+packages from experimental as needed for installing and running what
+we build elsewhere.
+
+george will host 3 public-facing services: an ssh daemon on port 22,
+an http service on port 80, and an OpenPGP keyserver (the HKP
+protocol) on port 11371.
+
+Administration of george is a shared responsibility across the core
+members of the MonkeySphere development team. Administrators will log
+changes in their git repositories, in doc/george/changelog (a peer of
+this policy file).
+
+monkeysphere packages installed on george will use unique, tagged
+version numbers so we know what we're running.
+
+We will try to keep the installation as minimal as possible while
+still allowing for comfortable day-to-day administration.
+
+We will use aptitude for package management where possible.
+
+Outstanding questions:
+
+Who should have superuser access?
+
+Who should get regular user accounts?
diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration
new file mode 100644
index 0000000..9a7f4d2
--- /dev/null
+++ b/doc/george/user-id-configuration
@@ -0,0 +1,40 @@
+2008-06-19 03:00:58-0400
+------------------------
+
+setting up authorized_user_id configuration on george was also more
+cumbersome than it needs to be. Here's what i (dkg) did:
+
+monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+
+monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor <dkg@fifthhorseman.net>'
+monkeysphere-server update-user-userids jrollins 'Jameson Rollins <jrollins@fifthhorseman.net>'
+monkeysphere-server update-user-userids micah 'Micah Anderson <micah@riseup.net>'
+monkeysphere-server update-user-userids mjgoins 'Matthew Goins <mjgoins@openflows.com>'
+monkeysphere-server update-user-userids ross 'Ross Glover <ross@ross.mayfirst.org>'
+monkeysphere-server update-user-userids jamie 'Jamie McClelland <jamie@mayfirst.org>'
+monkeysphere-server update-user-userids mlcastle 'mike castleman <m@mlcastle.net>'
+monkeysphere-server update-user-userids enw 'Elliot Winard <enw@caveteen.com>'
+monkeysphere-server update-user-userids greg 'Greg Lyle <greg@stealthisemail.com>'
+
+
+then i added a scheduled:
+
+ monkeysphere-server update-users
+
+to run hourly via /etc/crontab
+
+and made sure that root's keys were working with a temporary symlink
+(see TODO about that business)
+
+and then modified /etc/ssh/sshd_config with:
+
+ AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u
+
+
+Some outstanding questions:
+
+ * Should we ship a scheduled monkeysphere-server update-users cron
+ job automatically?
+
+ * why was i not prompted to confirm the trust-keys line, which seems
+ like the most delicate/sensitive line of all of them?
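Review bot: the sshd_config change `AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u` replaces the default rather than adding to it, so sshd will consult only that path and any key a user placed in ~/.ssh/authorized_keys stops working unless update-users folds it in; the "temporary symlink" needed to keep root's keys working is a symptom of exactly that, and the note should say so explicitly instead of deferring to the TODO. With StrictModes on, sshd also walks the parent directories of the keys file and refuses it if any of them is group- or world-writable or owned by someone other than root or the user, so the ownership and mode of /var/cache/monkeysphere and /var/cache/monkeysphere/authorized_keys should be recorded here alongside the config line. Finally, this file passes the full 40-hex fingerprint to `monkeysphere-server trust-keys`, which is the right form; the README in this same commit shows an 8-hex keyid placeholder and should be brought in line.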