diff options
26 files changed, 290 insertions, 109 deletions
@@ -16,7 +16,7 @@ tarball: clean rm -rf monkeysphere-$(MONKEYSPHERE_VERSION) mkdir -p monkeysphere-$(MONKEYSPHERE_VERSION)/doc ln -s ../../website/getting-started-user.mdwn ../../website/getting-started-admin.mdwn ../../doc/TODO ../../doc/MonkeySpec monkeysphere-$(MONKEYSPHERE_VERSION)/doc - ln -s ../COPYING ../etc ../Makefile ../man ../src monkeysphere-$(MONKEYSPHERE_VERSION) + ln -s ../COPYING ../etc ../Makefile ../man ../src ../tests monkeysphere-$(MONKEYSPHERE_VERSION) tar -ch monkeysphere-$(MONKEYSPHERE_VERSION) | gzip -n > monkeysphere_$(MONKEYSPHERE_VERSION).orig.tar.gz rm -rf monkeysphere-$(MONKEYSPHERE_VERSION) diff --git a/debian/changelog b/debian/changelog index 7acf323..ad795e7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -monkeysphere (0.16~pre-1) UNRELEASED; urgency=low +monkeysphere (0.16-1) experimental; urgency=low [ Daniel Kahn Gillmor ] * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better @@ -12,13 +12,15 @@ monkeysphere (0.16~pre-1) UNRELEASED; urgency=low getopt lives. * monkeysphere-server diagnostics now counts problems and suggests a re-run after they have been resolved. + * completed basic test suite: this can be run from the git sources or + the tarball with: cd tests && ./basic [ Jameson Graef Rollins ] * Genericize fs location variables. * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at install. - -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sat, 11 Oct 2008 14:27:17 -0400 + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 26 Oct 2008 03:06:18 -0400 monkeysphere (0.15-1) experimental; urgency=low diff --git a/etc/gnupg-authentication.conf b/etc/gnupg-authentication.conf index e00d317..7e5620b 100644 --- a/etc/gnupg-authentication.conf +++ b/etc/gnupg-authentication.conf @@ -8,7 +8,7 @@ primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg # PGP keyserver to use for PGP queries. -keyserver hkp://pgp.mit.edu +keyserver hkp://pool.sks-keyservers.net # GPG list options. It is recommended that you have at least # "show-uid-validity". diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index e5e3694..cc3d93f 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -22,7 +22,7 @@ LIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls RUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \ gpg:${PORTSDIR}/security/gnupg \ lockfile:${PORTSDIR}/mail/procmail \ - getopt:${PORTSDIR}/misc/getopt \ + /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \ bash:${PORTSDIR}/shells/bash MAN1= monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1 @@ -30,7 +30,7 @@ MAN7= monkeysphere.7 MAN8= monkeysphere-server.8 MANCOMPRESSED= yes -MAKE_ARGS= ETCPREFIX=/usr/local MANPREFIX=/usr/local/man ETCSUFFIX=.sample +MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample # get rid of cruft after the patching: post-patch: diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index b8ad49b..3495f1a 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16~pre.orig.tar.gz) = c5c5211440e31d04df1f7904ec859fb9 -SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = 77faf81cc51dff754ecb7122de26818b908e06ab4e0bdbd0320346dde53612cd -SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59253 +MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 6e9489117794fa6afab8935b75cc5ccf +SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = fceab7cc77d9755e6484895ede56701b298ce3649bfcd10288a12803a565b7e5 +SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59721 diff --git a/packaging/freebsd/files/patch-etclocation b/packaging/freebsd/files/patch-etclocation index ebf5c0e..0100a9c 100644 --- a/packaging/freebsd/files/patch-etclocation +++ b/packaging/freebsd/files/patch-etclocation @@ -41,16 +41,14 @@ index f207e2c..360408e 100644 System-wide monkeysphere config file. .TP /var/lib/monkeysphere/authorized_keys/USER -diff --git src/common src/common -index c8a7db6..cb4f8e1 100644 ---- src/common -+++ src/common +--- src/common.orig 2008-10-12 14:58:00.000000000 -0400 ++++ src/common 2008-10-25 17:40:34.000000000 -0400 @@ -16,7 +16,7 @@ ### COMMON VARIABLES # managed directories --ETC="/etc/monkeysphere" -+ETC="/usr/local/etc/monkeysphere" - export ETC +-SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} ++SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"} + export SYSCONFIGDIR ######################################################################## diff --git a/packaging/freebsd/files/patch-sharelocation b/packaging/freebsd/files/patch-sharelocation index be88e13..99c9604 100644 --- a/packaging/freebsd/files/patch-sharelocation +++ b/packaging/freebsd/files/patch-sharelocation @@ -1,26 +1,22 @@ -diff --git src/monkeysphere src/monkeysphere -index 512d608..44f2b17 100755 ---- src/monkeysphere -+++ src/monkeysphere +--- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400 ++++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400 @@ -13,7 +13,7 @@ ######################################################################## PGRM=$(basename $0) --SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"} -+SHARE=${MONKEYSPHERE_SHARE:-"/usr/local/share/monkeysphere"} - export SHARE - . "${SHARE}/common" || exit 1 +-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} ++SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} + export SYSSHAREDIR + . "${SYSSHAREDIR}/common" || exit 1 -diff --git src/monkeysphere-server src/monkeysphere-server -index 4cda008..e359be7 100755 ---- src/monkeysphere-server -+++ src/monkeysphere-server +--- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400 ++++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400 @@ -13,7 +13,7 @@ ######################################################################## PGRM=$(basename $0) --SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"} -+SHARE=${MONKEYSPHERE_SHARE:="/usr/local/share/monkeysphere"} - export SHARE - . "${SHARE}/common" || exit 1 +-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} ++SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} + export SYSSHAREDIR + . "${SYSSHAREDIR}/common" || exit 1 diff --git a/packaging/freebsd/files/patch-varlocation b/packaging/freebsd/files/patch-varlocation index 27f1527..c4d8dcd 100644 --- a/packaging/freebsd/files/patch-varlocation +++ b/packaging/freebsd/files/patch-varlocation @@ -42,19 +42,6 @@ index f207e2c..29c7b6a 100644 Monkeysphere authentication GNUPG home directory. .SH AUTHOR -diff --git src/monkeysphere-server src/monkeysphere-server -index e590f3c..f46e8bb 100755 ---- src/monkeysphere-server -+++ src/monkeysphere-server -@@ -17,7 +17,7 @@ SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"} - export SHARE - . "${SHARE}/common" || exit 1 - --VARLIB="/var/lib/monkeysphere" -+VARLIB="/var/monkeysphere" - export VARLIB - - # UTC date in ISO 8601 format if needed diff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn index 6c8ad53..67fdda1 100644 --- doc/getting-started-admin.mdwn @@ -77,3 +64,27 @@ index 6c8ad53..67fdda1 100644 And then read the section below about how to ensure these files are maintained. You'll need to restart `sshd` to have your changes take +--- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400 ++++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400 +@@ -17,7 +17,7 @@ + export SYSSHAREDIR + . "${SYSSHAREDIR}/common" || exit 1 + +-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} ++SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"} + export SYSDATADIR + + # UTC date in ISO 8601 format if needed +--- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400 ++++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400 +@@ -4,8 +4,8 @@ + # It is highly recommended that you + # DO NOT MODIFY + # these variables. +-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg +-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg ++primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg ++keyring /var/monkeysphere/gnupg-host/pubring.gpg + + # PGP keyserver to use for PGP queries. + keyserver hkp://pgp.mit.edu diff --git a/packaging/freebsd/pkg-plist b/packaging/freebsd/pkg-plist index 43346c1..04a704a 100644 --- a/packaging/freebsd/pkg-plist +++ b/packaging/freebsd/pkg-plist @@ -16,4 +16,3 @@ etc/monkeysphere/monkeysphere-server.conf.sample @dirrm share/doc/monkeysphere @dirrm share/monkeysphere @dirrm etc/monkeysphere - diff --git a/src/monkeysphere-server b/src/monkeysphere-server index d3ba5e4..0c56279 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -66,8 +66,17 @@ subcommands: EOF } +# function to run command as monkeysphere user su_monkeysphere_user() { - su "$MONKEYSPHERE_USER" -c "$@" + # if the current user is the monkeysphere user, then just eval + # command + if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then + eval "$@" + + # otherwise su command as monkeysphere user + else + su "$MONKEYSPHERE_USER" -c "$@" + fi } # function to interact with the host gnupg keyring diff --git a/tests/basic b/tests/basic index b9ae8f1..2befac2 100755 --- a/tests/basic +++ b/tests/basic @@ -2,38 +2,46 @@ # Tests to ensure that the monkeysphere is working -# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# Date: 2008-09-13 13:40:15-0400 +# Authors: +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# Jameson Rollins <jrollins@fifthhorseman.net> +# Copyright: 2008 +# License: GPL v3 or later -# these tests might be best run under fakeroot, particularly the -# "server-side" tests. Using fakeroot, they should be able to be run +# these tests should all be able to # as a non-privileged user. -# NOTE: these tests have *not* themselves been tested yet -# (2008-09-13). Please exercise with caution! +# all subcommands in this script should complete without failure: +set -e -# these tests assume a commonly-trusted "Admin's key", a fake key -# permanently stored in ./home/admin/.gnupg: +# gpg command for test admin user gpgadmin() { - GNUPGHOME="$TESTDIR"/home/admin/.gnupg gpg "$@" + GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@" } +failed_cleanup() { +# FIXME: can we be more verbose here? + echo 'FAILED!' + read -p "press enter to cleanup and remove tmp:" + + cleanup +} # cleanup: cleanup() { - # FIXME: stop the sshd process + if ( ps "$SSHD_PID" >/dev/null ) ; then + echo "### stopping still-running sshd..." + kill "$SSHD_PID" + fi - echo - echo "-- removing temp dir..." + echo "### removing temp dir..." rm -rf "$TEMPDIR" - # FIXME: how should we clear out the temporary $VARLIB? - - # FIXME: clear out ssh client config file and known hosts. + wait } ## setup trap -#trap cleanup EXIT +trap failed_cleanup EXIT ## set up some variables to ensure that we're operating strictly in ## the tests, not system-wide: @@ -42,6 +50,10 @@ export TESTDIR=$(pwd) # make temp dir TEMPDIR="$TESTDIR"/tmp +if [ -e "$TEMPDIR" ] ; then + echo "tempdir '$TEMPDIR' already exists." + exit 1 +fi mkdir "$TEMPDIR" # Use the local copy of executables first, instead of system ones. @@ -52,62 +64,108 @@ export MONKEYSPHERE_SYSDATADIR="$TEMPDIR" export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src export MONKEYSPHERE_MONKEYSPHERE_USER="$USER" +export MONKEYSPHERE_CHECK_KEYSERVER=false + +SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket +# copy in admin and testuser home to tmp +echo "### copying admin and testuser homes..." +cp -a "$TESTDIR"/home/admin "$TEMPDIR"/ +cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/ + +cat <<EOF >> "$TEMPDIR"/testuser/.ssh/config +UserKnownHostsFile $TEMPDIR/testuser/.ssh/known_hosts +ProxyCommand $TEMPDIR/testuser/.ssh/proxy-command %h %p $SOCKET +EOF + +cat <<EOF >> "$TEMPDIR"/testuser/.monkeysphere/monkeysphere.conf +KNOWN_HOSTS=$TEMPDIR/testuser/.ssh/known_hosts +EOF + +# set up a simple default monkeysphere-server.conf +cat <<EOF >> "$TEMPDIR"/monkeysphere-server.conf +AUTHORIZED_USER_IDS="$TEMPDIR/testuser/.monkeysphere/authorized_user_ids" +EOF + ### SERVER TESTS -# create the temp gnupghome directories +# setup monkeysphere temp gnupghome directories mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication +mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys +cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf +primary-keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-authentication/pubring.gpg +keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-host/pubring.gpg +EOF # create a new host key -echo "-- generating server key..." -echo | monkeysphere-server gen-key --length 1024 --expire 0 +echo "### generating server key..." +# add gpg.conf with quick-random +echo "quick-random" >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf +echo | monkeysphere-server gen-key --length 1024 --expire 0 testhost +# remove the gpg.conf +rm "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf HOSTKEYID=$( monkeysphere-server show-key | tail -n1 | cut -f3 -d\ ) # certify it with the "Admin's Key". # (this would normally be done via keyservers) -echo "-- certifying server key..." +echo "### certifying server key..." monkeysphere-server gpg-authentication-cmd "--armor --export $HOSTKEYID" | gpgadmin --import -gpgadmin --sign-key "$HOSTKEYID" +echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" # FIXME: how can we test publish-key without flooding junk into the # keyservers? -# indicate that the "Admin's" key is an identity certifier for the -# host - -echo "-- adding admin as certifier..." -monkeysphere-server add-identity-certifier "$TESTDIR"/home/admin/.gnupg/pubkey.gpg +# add admin as identity certifier for testhost +echo "### adding admin as certifier..." +echo y | monkeysphere-server add-identity-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg +# initialize base sshd_config +cp etc/ssh/sshd_config "$SSHD_CONFIG" # write the sshd_config -cat <<EOF > "$TEMPDIR"/sshd_config +cat <<EOF >> "$SSHD_CONFIG" HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key +AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u EOF -# launch sshd with the new host key. -echo "-- starting sshd..." -socat EXEC:'/usr/sbin/sshd -f '"$TEMPDIR"/sshd_config' -i -d -d -d -D -e' "UNIX-LISTEN:${TEMPDIR/socket}" & - +# launch test sshd with the new host key. +echo "### starting sshd..." +socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & +export SSHD_PID=$! ### TESTUSER TESTS -# copy testuser home directory into temp dir -cp -r "$TESTDIR"/home/testuser "$TEMPDIR"/ - # generate an auth subkey for the test user -echo "-- generating key for testuser..." -MONKEYSPHERE_GNUPGHOME="$TEMPDIR"/testuser/.gnupg \ - monkeysphere gen-subkey --expire 0 +echo "### generating key for testuser..." +export GNUPGHOME="$TEMPDIR"/testuser/.gnupg +export SSH_ASKPASS="$TEMPDIR"/testuser/.ssh/askpass +export MONKEYSPHERE_HOME="$TEMPDIR"/testuser/.monkeysphere + +monkeysphere gen-subkey --expire 0 + +# add server key to testuser keychain +echo "### export server key to testuser..." +gpgadmin --armor --export "$HOSTKEYID" | gpg --import + +# teach the "server" about the testuser's key +echo "### export testuser key to server..." +gpg --export testuser | monkeysphere-server gpg-authentication-cmd --import +echo "### update server authorized_keys file for this testuser..." +monkeysphere-server update-users "$USER" -# connect to sample sshd host key, using monkeysphere to verify the -# identity before connection. +# connect to test sshd, using monkeysphere-ssh-proxycommand to verify +# the identity before connection. This should work in both directions! +echo "### testuser connecting to sshd socket..." -## FIXME: implement! +ssh-agent bash -c \ + "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" -# create a new client side key, certify it with the "CA", use it to -# log in. +trap - EXIT -## FIXME: implement! +echo +echo "Monkeysphere basic tests completed successfully!" +echo +cleanup diff --git a/tests/etc/ssh/sshd_config b/tests/etc/ssh/sshd_config new file mode 100644 index 0000000..82c72b9 --- /dev/null +++ b/tests/etc/ssh/sshd_config @@ -0,0 +1,23 @@ +# Base sshd_config for monkeysphere test + +# HostKey and AuthorizedKeysFile lines will be added dynamically +# during test. + +# goal: minimal ssh configuration to do public key authentication. + +Protocol 2 +PubkeyAuthentication yes +HostbasedAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +PasswordAuthentication no +KerberosAuthentication no +GSSAPIAuthentication no +X11Forwarding no +PrintMotd no +PrintLastLog no +TCPKeepAlive no +AcceptEnv LANG LC_* +UsePAM no +UsePrivilegeSeparation no +LogLevel DEBUG diff --git a/tests/home/testuser/.gnupg/gpg.conf b/tests/home/testuser/.gnupg/gpg.conf new file mode 100644 index 0000000..f65c71b --- /dev/null +++ b/tests/home/testuser/.gnupg/gpg.conf @@ -0,0 +1,5 @@ +# command to avoid depleting the system entropy +quick-random +# other options +verify-options show-uid-validity +list-options show-uid-validity diff --git a/tests/home/testuser/.gnupg/pubring.gpg b/tests/home/testuser/.gnupg/pubring.gpg Binary files differindex 8cea4b5..bef6b42 100644 --- a/tests/home/testuser/.gnupg/pubring.gpg +++ b/tests/home/testuser/.gnupg/pubring.gpg diff --git a/tests/home/testuser/.gnupg/random_seed b/tests/home/testuser/.gnupg/random_seed Binary files differindex 40ab6a6..230b315 100644 --- a/tests/home/testuser/.gnupg/random_seed +++ b/tests/home/testuser/.gnupg/random_seed diff --git a/tests/home/testuser/.gnupg/secring.gpg b/tests/home/testuser/.gnupg/secring.gpg Binary files differindex a5519a6..26cf230 100644 --- a/tests/home/testuser/.gnupg/secring.gpg +++ b/tests/home/testuser/.gnupg/secring.gpg diff --git a/tests/home/testuser/.gnupg/trustdb.gpg b/tests/home/testuser/.gnupg/trustdb.gpg Binary files differindex e67f5c8..bc946df 100644 --- a/tests/home/testuser/.gnupg/trustdb.gpg +++ b/tests/home/testuser/.gnupg/trustdb.gpg diff --git a/tests/home/testuser/.monkeysphere/authorized_user_ids b/tests/home/testuser/.monkeysphere/authorized_user_ids new file mode 100644 index 0000000..4b51eaf --- /dev/null +++ b/tests/home/testuser/.monkeysphere/authorized_user_ids @@ -0,0 +1 @@ +Monkeysphere Test Suite Test User (DO NOT USE!!!) <testuser@example.net> diff --git a/tests/home/testuser/.monkeysphere/monkeysphere.conf b/tests/home/testuser/.monkeysphere/monkeysphere.conf new file mode 100644 index 0000000..59cc0cf --- /dev/null +++ b/tests/home/testuser/.monkeysphere/monkeysphere.conf @@ -0,0 +1,3 @@ +# monkeysphere config for testuser in monkeysphere test suite + +# KNOWN_HOSTS will be dynamically defined after creation. diff --git a/tests/home/testuser/.ssh/askpass b/tests/home/testuser/.ssh/askpass new file mode 100755 index 0000000..5b7b059 --- /dev/null +++ b/tests/home/testuser/.ssh/askpass @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +# phony/automatic askpass, to provide the passphrase for the +# testuser's GPG key. + +echo abc123 diff --git a/tests/home/testuser/.ssh/config b/tests/home/testuser/.ssh/config new file mode 100644 index 0000000..1da2344 --- /dev/null +++ b/tests/home/testuser/.ssh/config @@ -0,0 +1,10 @@ +# ssh config file for testuser for monkeysphere test suite. +Host * +PasswordAuthentication no +KbdInteractiveAuthentication no +RSAAuthentication no +GSSAPIAuthentication no +StrictHostKeyChecking yes +LogLevel DEBUG + +# UserKnownHostsFile and ProxyCommand will be filled in dynamically. diff --git a/tests/home/testuser/.ssh/proxy-command b/tests/home/testuser/.ssh/proxy-command new file mode 100755 index 0000000..21c66fa --- /dev/null +++ b/tests/home/testuser/.ssh/proxy-command @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +# simple socket-based proxy-command wrapper for testing monkeysphere. + +# pass this thing the host, the port, and the socket. + +monkeysphere-ssh-proxycommand --no-connect "$1" "$2" && \ +exec socat STDIO UNIX:"$3" diff --git a/utils/build-releasenote b/utils/build-releasenote index 1b832a4..f7561da 100755 --- a/utils/build-releasenote +++ b/utils/build-releasenote @@ -28,7 +28,8 @@ checksums temprelease=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) trap "rm -f $temprelease" EXIT set -e -head -n$(( $(grep -n '^-----BEGIN PGP SIGNED MESSAGE-----$' website/download.mdwn | head -n1 | cut -f1 -d:) - 1 )) website/download.mdwn >$temprelease +head -n$(( $(grep -n '^-----BEGIN PGP SIGNED MESSAGE-----$' website/download.mdwn | head -n1 | cut -f1 -d:) - 1 )) website/download.mdwn | \ + sed -e 's|http://archive\.monkeysphere\.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_[[:digit:].]\+\.orig\.tar\.gz|http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_'"${VERSION%%-*}"'.orig.tar.gz|g' >$temprelease checksums | gpg --no-tty --clearsign --default-key EB8AF314 >>$temprelease cat utils/download.mdwn.footer >>$temprelease mv "$temprelease" website/download.mdwn diff --git a/website/bugs/authorized_keys_not_cleared.mdwn b/website/bugs/authorized_keys_not_cleared.mdwn new file mode 100644 index 0000000..7246997 --- /dev/null +++ b/website/bugs/authorized_keys_not_cleared.mdwn @@ -0,0 +1,20 @@ +[[meta title="users with missing or empty authorized keys and User IDs should have MS-generated keys cleared" ]] + +I had a user who had a bunch of entries in +`~/.monkeysphere/authorized_user_ids`, and a bunch of raw keys in +`~/.ssh/authorized_keys`. My system's `monkeysphere-server` handled +this situation appropriately, and populated +`/var/lib/monkeysphere/authorized_keys/user` with the full set. + +Then i wanted to wipe out all key entries for that user. So i did: + + mkdir ~user/backup + mv ~user/.ssh ~user/.monkeysphere ~user/backup + monkeysphere-server update-users user + +I expected this to either remove +`/var/lib/monkeysphere/authorized_keys/user`, or truncate it to 0 +bytes. However, it just remained untouched, and the old keys +persisted. + +This seems like a potential security problem. diff --git a/website/download.mdwn b/website/download.mdwn index 3ba40f4..ae8ad9a 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -45,38 +45,38 @@ look at the source, we recommend [using git](/community). But if you want a tarball of the most recent release, we publish those too. The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.14.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.16.orig.tar.gz) has these checksums: <pre> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -checksums for the monkeysphere 0.15 release: +checksums for the monkeysphere 0.16 release: MD5: -8be275e5b5119921a536d8a67d3bfe24 monkeysphere_0.15.orig.tar.gz +4bc223e8004e0e374bd54f0315585c49 monkeysphere_0.16.orig.tar.gz SHA1: -65da0a047d935e856e2a0d7032dbbb339a3ce20a monkeysphere_0.15.orig.tar.gz +82c78ea1aeecb3059a14af9dfab0f471ce315e38 monkeysphere_0.16.orig.tar.gz SHA256: -44f3feb6e9f6921d2ed0406af4e3862f67da9261c8f00c7ea37cfea5031cbc77 monkeysphere_0.15.orig.tar.gz +f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7 monkeysphere_0.16.orig.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) -iQIVAwUBSMG2fxjmZ/HrivMUAQJ40RAAjb4Rh9qJQztp+tAOxpvXKmItRTFyBTeB -QQWjl/gNSWbAOvZX9t+F63P8Dp/ET9XoE2iXUnClvCtkkKvwbKISHyM4C9tgu0z9 -Yggb6lFPt/Qz2fD/HTMxkeN+n0p/FVjLW9WlLPyKF++u/o8JelyuiXocHORzjtc/ -9HyQfdbZuUPA16ZsAb9D66aIC2pWR21EiXHj95EvUkm6AO53Sy9G5gzzveflRrLm -UdrcwCnbXiZklbs9wXxeZTa4qLAhv31RmkCzbE3/lNwFSBfzFFfi2HXZqQdRmIgu -xuV/wmi8xgxUbv7dbB7yhhqwFmRnzeuV3rvuvSdjqGjFu6R0fqorIOtLtBkG1m0Q -RP5gs5mU+DreYkdeLWpFFFVjaJkz0cNUcnT22EJ5JgfeH3fkoAPpjlUMvgh8apGq -CbtqmBfYVOLyifiwptCSwlQvfY2guBVmsW+C60g78vMlCa0Tezp79I5H1KdsXKlY -cw1eLt3HhEy39yojmcD5EI293tfWTIYvULXvMIZjqEFnkFvoAogtinfd8fDoH15j -8yqXOUfkuuSeGmPReyiZZkbBTMXOdM6JsXmjEMI5T9dnZcC0CClnDGfcxE2UfPQZ -v9tneWXZzFmnWaAqH+T+SJJ4gpMhD+i0vXgQ7xOhUUCF+tiY8Qh1eltR2Kf+VeYW -d+MRglTs/Z4= -=AmW6 +iQIVAwUBSQQdZRjmZ/HrivMUAQJaIA/6AnZG0yYJJ+0C4S0McnBnLMyiA4zQzVsH +5J9dAYO771h0TZnlre1NZdgiP37YiPA1et24O/S7da0Ud/CND+V7CGrsxPzsfEbP +xTPVDST2BgvnDo9LYN4Q9h7QD4lOiGjhoJM6PN/R6Zo2OGiw+yZ8RP+BW5AxW21e +3AnasZ2XLEmwqI0AMl9OWsLk4NzeS7t+ycWjwJKINOk/5ghzlOR0Use/mRyTHvzy +GhMjrLoqtgHo85pAfAWT7LkwTt+FDVRzLZl2shzJszewvPFva+z2A8kvuY+vAzUw +CSvIAC5MSrheFUg1JC+6efVbUTgn3RZj+zn7CxyttVuRzjyrnY2WkiMOT5mKuZCg +LR42FEXnDCNHjreVLB6PoU1bOseohRbfK2yN+oDSoXmO4GoKetokGEWU/S+pi/gq +dhjyMZUYv1pgE9Vtz3ps0vVC4e8D/i39qEm7JB2AWPWU4jGX5cLCeEkrfXGsGWyu +OxGGywarXfNp83R62QTh2cPZlkACj3IwoYgZ2h8r98ikyJlQE0Y7V8uHKsx1DMJX +JBemkEVW5P7pZiRS7X2zqLGIDNwqBKNRnjZ7bAhqThJXpCBWNuZ+DjGY743BBddr +RAfQUvdjbSEOD78NMh6pLLg3iYJA902EVXZX8Q8JQnjg5GlUrB2yS5uz82dwjbpx +dy0gzEhr4DA= +=DY0y -----END PGP SIGNATURE----- </pre> diff --git a/website/news/release-0.16-1.mdwn b/website/news/release-0.16-1.mdwn new file mode 100644 index 0000000..7354521 --- /dev/null +++ b/website/news/release-0.16-1.mdwn @@ -0,0 +1,31 @@ +[[meta title="Monkeysphere 0.16-1 released!"]] + +# Monkeysphere 0.16-1 released! # + +Monkeysphere 0.16-1 has been released. + +Notes from the changelog: + +<pre> + [ Daniel Kahn Gillmor ] + * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better + portability. + * fixed busted lockfile arrangement, where empty file was being locked + * portability fixes in the way we use date, mktemp, hostname, su + * stop using /usr/bin/stat, since the syntax appears to be totally + unportable + * require GNU getopt, and test for getopt failures (look for getopt in + /usr/local/bin first, since that's where FreeBSD's GNU-compatible + getopt lives. + * monkeysphere-server diagnostics now counts problems and suggests a + re-run after they have been resolved. + * completed basic test suite: this can be run from the git sources or + the tarball with: cd tests && ./basic + + [ Jameson Graef Rollins ] + * Genericize fs location variables. + * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at + install. +</pre> + +[[Download]] it now! |