32 files changed, 624 insertions, 72 deletions
@@ -1,4 +1,4 @@ -MonkeySphere is a system to use the OpenPGP web-of-trust to +Monkeysphere is a system to use the OpenPGP web-of-trust to authenticate and encrypt ssh connections. It is free software, developed by: @@ -7,17 +7,17 @@ It is free software, developed by: Jamie McClelland <jamie@mayfirst.org> Micah Anderson <micah@riseup.net> Matthew Goins <mjgoins@openflows.com> - Mike Castleman <mlcastle@mlcastle.net> + Mike Castleman <m@mlcastle.net> Elliot Winard <enw@caveteen.com> Ross Glover <ross@ross.mayfirst.org> Greg Lyle <greg@stealthisemail.com> -MonkeySphere is distributed in the hope that it will be useful, but +Monkeysphere is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -MonkeySphere Copyright 2007, and are all released under the GPL, +Monkeysphere Copyright 2007, and are all released under the GPL, version 3 or later. @@ -1,4 +1,11 @@ -MONKEYSPHERE_VERSION = `head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` +#!/usr/bin/make -f + +# Makefile for monkeysphere + +# (c) 2008 Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# Licensed under GPL v3 or later + +MONKEYSPHERE_VERSION = `head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` # these defaults are for debian. porters should probably adjust them # before calling make install @@ -22,7 +29,7 @@ tarball: clean debian-package: tarball tar xzf monkeysphere_$(MONKEYSPHERE_VERSION).orig.tar.gz - cp -a debian monkeysphere-$(MONKEYSPHERE_VERSION) + cp -a packaging/debian monkeysphere-$(MONKEYSPHERE_VERSION) (cd monkeysphere-$(MONKEYSPHERE_VERSION) && debuild -uc -us) rm -rf monkeysphere-$(MONKEYSPHERE_VERSION) diff --git a/changelog b/changelog new file mode 120000 index 0000000..4264fa4 --- /dev/null +++ b/changelog @@ -0,0 +1 @@ +packaging/debian/changelog
\ No newline at end of file diff --git a/doc/george/changelog b/doc/george/changelog index b528fd0..30aa2b1 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,11 +7,18 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2009-01-30 - micah + * Replaced nullmailer with postfix, nullmailer doesn't handle aliases + and insisted either on constantly respooling mail when there was no + where to go. + 2009-01-24 - micah * Configured /etc/aliases to have root go to mjgoins, micah, dkg, jrollins * Configured /etc/nullmailer/remotes to have mail.riseup.net so remote delivery will work * Removed the hundreds of queued cron emails that had resulted in 30gig of mail.err logs * Rotated the giant logs out + * aptitude update && aptitude full-upgrade + 2008-10-29 - dkg * aptitude update && aptitude full-upgrade diff --git a/doc/zimmerman/changelog b/doc/zimmerman/changelog new file mode 100644 index 0000000..a92557d --- /dev/null +++ b/doc/zimmerman/changelog 
@@ -0,0 +1,28 @@ +****************************************************************************** +* * +* zimmerman system log * +* * +****************************************************************************** +* Please add new entries in reverse chronological order whenever you make * +* changes to this system (first command at top, last at bottom) * +****************************************************************************** + +2008-11-17 - micah + * verified the SHA256 values for the key material + * /usr/lib/sks/sks_build.sh (chose option #2: normalbuild) + * chown -R debian-sks:debian-sks /var/lib/sks + * edit /etc/default/sks to enable the initscript + * /etc/init.d/sks start + * rm -rf /var/lib/sks/dump + +2008-11-15 - micah + * aptitude update && aptitude full-upgrade + * aptitude install sks + * cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \ + http://nynex.net/keydump/ -e robots=off + * install monkeysphere 0.21-2 package + * apt-get install bzip2 ; bunzip2 /var/lib/sks/dump/*.bz2 + +2008-11-15 - jamie + * aptitude install esmtp-run mailx + * edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org diff --git a/debian/changelog b/packaging/debian/changelog index 300175d..39e4b33 100644 --- a/debian/changelog +++ b/packaging/debian/changelog 
@@ -1,13 +1,49 @@ -monkeysphere (0.20-1) UNRELEASED; urgency=low +monkeysphere (0.22~pre-1) UNRELEASED; urgency=low + + * New upstream release: + [ Jameson Rollins ] + + - added info log output when a new key is added to known_hosts file. + - added some useful output to the ssh-proxycommand for "marginal" + cases where keys are found for host but do not have full validity. + - force ssh-keygen to read from stdin to get ssh key fingerprint. + + [ Daniel Kahn Gillmor ] + + - automatically output two copies of the host's public key: one + standard ssh public key file, and the other a minimal OpenPGP key with + just the latest valid self-sig. + + -- Jameson Graef Rollins <jrollins@finestructure.net> Mon, 17 Nov 2008 18:15:43 -0500 + +monkeysphere (0.21-2) unstable; urgency=low + + * actually rmdir /var/lib/monkeysphere-* during prerm if possible. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 15 Nov 2008 16:36:57 -0500 + +monkeysphere (0.21-1) unstable; urgency=low + + * New upstream release: + - move debian packaging to packaging subdirectory. + * Add debian prerm script, and add debhelper lines to other install + scripts. + * Initial release to Debian (Closes: #505806) + + -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 16:14:27 -0500 + +monkeysphere (0.20-1) unstable; urgency=low - [ Jameson Graef Rollins ] - * clean up Makefile to generate more elegant source tarballs. - [ Daniel Kahn Gillmor ] * ensure that tempdirs are properly created, bail out otherwise instead of stumbling ahead. + * minor fussing with the test script to make it cleaner. + + [ Jameson Graef Rollins ] + * clean up Makefile to generate more elegant source tarballs. + * make myself the maintainer. - -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Oct 2008 15:03:23 -0400 + -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 13:12:57 -0500 monkeysphere (0.19-1) experimental; urgency=low 
diff --git a/debian/compat b/packaging/debian/compat index 7f8f011..7f8f011 100644 --- a/debian/compat +++ b/packaging/debian/compat diff --git a/debian/control b/packaging/debian/control index ccc3ad2..4c836b4 100644 --- a/debian/control +++ b/packaging/debian/control @@ -1,8 +1,8 @@ Source: monkeysphere Section: net Priority: extra -Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -Uploaders: Jameson Graef Rollins <jrollins@finestructure.net> +Maintainer: Jameson Graef Rollins <jrollins@finestructure.net> +Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0) Standards-Version: 3.8.0.1 Homepage: http://web.monkeysphere.info/ diff --git a/debian/copyright b/packaging/debian/copyright index 4c25286..4c25286 100644 --- a/debian/copyright +++ b/packaging/debian/copyright diff --git a/debian/monkeysphere.dirs b/packaging/debian/monkeysphere.dirs index 1f9e66b..1f9e66b 100644 --- a/debian/monkeysphere.dirs +++ b/packaging/debian/monkeysphere.dirs diff --git a/debian/monkeysphere.postinst b/packaging/debian/monkeysphere.postinst index 02d6304..8f1fe77 100755 --- a/debian/monkeysphere.postinst +++ b/packaging/debian/monkeysphere.postinst @@ -26,3 +26,10 @@ ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication # link in the gpg.conf ln -sTf "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/monkeysphere.postrm b/packaging/debian/monkeysphere.postrm index 8f87ed3..7c0fede 100755 --- a/debian/monkeysphere.postrm +++ b/packaging/debian/monkeysphere.postrm @@ -7,7 +7,6 @@ case $1 in purge) - rmdir --ignore-fail-on-non-empty /var/lib/monkeysphere || true echo "removing monkeysphere user..." userdel monkeysphere > /dev/null || true ;; 
diff --git a/debian/monkeysphere.preinst b/packaging/debian/monkeysphere.preinst index 860286b..528da84 100755 --- a/debian/monkeysphere.preinst +++ b/packaging/debian/monkeysphere.preinst @@ -20,3 +20,10 @@ if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authenti chown root:root "$ETC"/gpg-authentication.conf ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/packaging/debian/monkeysphere.prerm b/packaging/debian/monkeysphere.prerm new file mode 100755 index 0000000..00523a1 --- /dev/null +++ b/packaging/debian/monkeysphere.prerm @@ -0,0 +1,20 @@ +#!/bin/sh -e + +# prerm script for monkeysphere + +# Author: Jameson Rollins <jrollins@fifthhorseman.net> +# Copyright 2008 + +VARLIB="/var/lib/monkeysphere" + +rm -f "$VARLIB"/gnupg-host/gpg.conf +rm -f "$VARLIB"/gnupg-authentication/gpg.conf +rmdir --ignore-fail-on-non-empty "$VARLIB"/gnupg-host +rmdir --ignore-fail-on-non-empty "$VARLIB"/gnupg-authentication + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/packaging/debian/rules index cbe925d..cbe925d 100755 --- a/debian/rules +++ b/packaging/debian/rules diff --git a/packaging/freebsd/security/monkeysphere/pkg-plist b/packaging/freebsd/security/monkeysphere/pkg-plist index 04a704a..9d9d40a 100644 --- a/packaging/freebsd/security/monkeysphere/pkg-plist +++ b/packaging/freebsd/security/monkeysphere/pkg-plist 
@@ -13,6 +13,12 @@ etc/monkeysphere/monkeysphere.conf.sample @unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi etc/monkeysphere/monkeysphere-server.conf.sample @exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi +@unexec if cmp -s %D/etc/monkeysphere/gnupg-host.conf.sample %D/etc/monkeysphere/gnupg-host.conf; then rm -f %D/etc/monkeysphere/gnupg-host.conf; fi +etc/monkeysphere/gnupg-host.conf.sample +@exec if [ ! -f %D/etc/monkeysphere/gnupg-host.conf ] ; then cp -p %D/%F %B/gnupg-host.conf; fi +@unexec if cmp -s %D/etc/monkeysphere/gnupg-authentication.conf.sample %D/etc/monkeysphere/gnupg-authentication.conf; then rm -f %D/etc/monkeysphere/gnupg-authentication.conf; fi +etc/monkeysphere/gnupg-authentication.conf.sample +@exec if [ ! -f %D/etc/monkeysphere/gnupg-authentication.conf ] ; then cp -p %D/%F %B/gnupg-authentication.conf; fi @dirrm share/doc/monkeysphere @dirrm share/monkeysphere @dirrm etc/monkeysphere @@ -639,7 +639,7 @@ process_user_id() { ;; 'uid') # user ids if [ "$lastKey" != pub ] ; then - log verbose " - got a user ID after a sub key?! user IDs should only follow primary keys!" + log verbose " ! got a user ID after a sub key?! user IDs should only follow primary keys!" continue fi # if an acceptable user ID was already found, skip @@ -652,6 +652,8 @@ process_user_id() { if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then # mark user ID acceptable uidOK=true + else + log debug " - unacceptable user ID validity ($validity)." fi else continue 
@@ -693,10 +695,12 @@ process_user_id() { # if sub key validity is not ok, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + log debug " - unacceptable sub key validity ($validity)." continue fi # if sub key capability is not ok, skip if ! check_capability "$usage" $requiredCapability ; then + log debug " - unacceptable sub key capability ($usage)." continue fi @@ -742,6 +746,7 @@ process_user_id() { process_host_known_hosts() { local host local userID + local noKey= local nKeys local nKeysOK local ok @@ -768,8 +773,9 @@ process_host_known_hosts() { continue fi - # remove the old host key line, and note if removed - remove_line "$KNOWN_HOSTS" "$sshKey" + # remove any old host key line, and note if removed nothing is + # removed + remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true # if key OK, add new host line if [ "$ok" -eq '0' ] ; then @@ -788,6 +794,11 @@ process_host_known_hosts() { else ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" fi + + # log if this is a new key to the known_hosts file + if [ "$noKey" ] ; then + log info "* new key for $host added to known_hosts file." + fi fi done diff --git a/src/monkeysphere-server b/src/monkeysphere-server index e78903b..a1844ee 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -132,13 +132,13 @@ show_server_key() { fingerprint=$(fingerprint_server_key) gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint" - # dumping to a file named ' ' so that the ssh-keygen output - # doesn't claim any potentially bogus hostname(s): - tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" - gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " + # do some crazy "Here Strings" redirection to get the key to + # ssh-keygen, since it doesn't read from stdin cleanly echo -n "ssh fingerprint: " - (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }') - rm -rf "$tmpkey" + ssh-keygen -l -f /dev/stdin \ + <<<$(gpg_authentication "--export $fingerprint" | \ + openpgp2ssh "$fingerprint" 2>/dev/null) | \ + awk '{ print $1, $2, $4 }' echo -n "OpenPGP fingerprint: " echo "$fingerprint" } @@ -399,7 +399,11 @@ EOF (umask 077 && \ gpg_host --export-secret-key "$fingerprint" | \ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") - log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" + log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" + gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" } # extend the lifetime of a host key: diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 6276092..a609199 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand 
@@ -14,13 +14,129 @@ # ProxyCommand monkeysphere-ssh-proxycommand %h %p ######################################################################## +PGRM=$(basename $0) + +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 + +######################################################################## +# FUNCTIONS +######################################################################## usage() { -cat <<EOF >&2 + cat <<EOF >&2 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... EOF } +log() { + echo "$@" >&2 +} + +output_no_valid_key() { + local sshKeyOffered + local userID + local type + local validity + local keyid + local uidfpr + local usage + local sshKeyGPG + local tmpkey + local sshFingerprint + local gpgSigOut + + userID="ssh://${HOSTP}" + + log "-------------------- Monkeysphere warning -------------------" + log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity." + + # retrieve the actual ssh key + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }') + # FIXME: should we do any checks for failed keyscans, eg. host not + # found? 
+ + # get the gpg info for userid + gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) + + # find all 'pub' and 'sub' lines in the gpg output, which each + # represent a retrieved key for the user ID + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do + case $type in + 'pub'|'sub') + # get the ssh key of the gpg key + sshKeyGPG=$(gpg2ssh "$keyid") + + # if one of keys found matches the one offered by the + # host, then output info + if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then + log "An OpenPGP key matching the ssh key offered by the host was found:" + log + + # do some crazy "Here Strings" redirection to get the key to + # ssh-keygen, since it doesn't read from stdin cleanly + sshFingerprint=$(ssh-keygen -l -f /dev/stdin \ + <<<$(echo "$sshKeyGPG") | \ + awk '{ print $2 }') + + # get the sigs for the matching key + gpgSigOut=$(gpg --check-sigs \ + --list-options show-uid-validity \ + "$keyid") + + # output the sigs, but only those on the user ID + # we are looking for + echo "$gpgSigOut" | awk ' +{ +if (match($0,"^pub")) { print; } +if (match($0,"^uid")) { ok=0; } +if (match($0,"^uid.*'$userID'$")) { ok=1; print; } +if (ok) { if (match($0,"^sig")) { print; } } +} +' >&2 + log + + # output the other user IDs for reference + if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then + log "Other user IDs on this key:" + echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2 + log + fi + + # output ssh fingerprint + log "RSA key fingerprint is ${sshFingerprint}." + + # this whole process is in a "while read" + # subshell. the only way to get information out + # of the subshell is to change the return code. 
+ # therefore we return 1 here to indicate that a + # matching gpg key was found for the ssh key + # offered by the host + return 1 + fi + ;; + esac + done + + # if no key match was made (and the "while read" subshell returned + # 1) output how many keys were found + if (($? != 1)) ; then + log "None of the found keys matched the key offered by the host." + log "Run the following command for more info about the found keys:" + log "gpg --check-sigs --list-options show-uid-validity =${userID}" + # FIXME: should we do anything extra here if the retrieved + # host key is actually in the known_hosts file and the ssh + # connection will succeed? Should the user be warned? + # prompted? + fi + + log "-------------------- ssh continues below --------------------" +} + ######################################################################## # export the monkeysphere log level @@ -35,7 +151,7 @@ HOST="$1" PORT="$2" if [ -z "$HOST" ] ; then - echo "Host not specified." >&2 + log "Host not specified." usage exit 255 fi 
@@ -88,6 +204,39 @@ export MONKEYSPHERE_CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known_hosts "$HOSTP" +# output on depending on the return of the update-known_hosts +# subcommand, which is (ultimately) the return code of the +# update_known_hosts function in common +case $? in + 0) + # acceptable host key found so continue to ssh + true + ;; + 1) + # no hosts at all found so also continue (drop through to + # regular ssh host verification) + true + ;; + 2) + # at least one *bad* host key (and no good host keys) was + # found, so output some usefull information + output_no_valid_key + ;; + *) + # anything else drop through + true + ;; +esac + +# FIXME: what about the case where monkeysphere successfully finds a +# valid key for the host and adds it to the known_hosts file, but a +# different non-monkeysphere key for the host already exists in the +# known_hosts, and it is this non-ms key that is offered by the host? +# monkeysphere will succeed, and the ssh connection will succeed, and +# the user will be left with the impression that they are dealing with +# a OpenPGP/PKI host key when in fact they are not. should we use +# ssh-keyscan to compare the keys first? + # exec a netcat passthrough to host for the ssh connection if [ -z "$NO_CONNECT" ] ; then if (which nc 2>/dev/null >/dev/null); then diff --git a/tests/basic b/tests/basic index 289a1b7..5ba7a25 100755 --- a/tests/basic +++ b/tests/basic @@ -13,10 +13,11 @@ # all subcommands in this script should complete without failure: set -e +# piped commands should return the code of the first non-zero return +set -o pipefail ## make sure that the right tools are installed to run the test. the ## test has *more* requirements than plain ol' monkeysphere: - which socat || { echo "You must have socat installed to run this test." ; exit 1; } ## FIXME: other checks? @@ -53,6 +54,7 @@ ssh_test() { # kill the sshd process if it's still running kill "$SSHD_PID" + SSHD_PID= set -e 
@@ -86,9 +88,16 @@ cleanup() { echo "### removing temp dir..." rm -rf "$TEMPDIR" + if [ "$SSHD_PID" ] ; then + echo "### killing off lingering sshd..." + kill "$SSHD_PID" + fi + wait } +SSHD_PID= + ## setup trap trap failed_cleanup EXIT @@ -120,7 +129,6 @@ export MONKEYSPHERE_LOG_LEVEL=DEBUG export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket -export SSHD_PID= # Make sure $DISPLAY is set to convince ssh and monkeysphere to fall # back on $SSH_ASKPASS. Make sure it's not set to the current actual diff --git a/utils/build-freebsd-distinfo b/utils/build-freebsd-distinfo index a333ba7..53fcd69 100755 --- a/utils/build-freebsd-distinfo +++ b/utils/build-freebsd-distinfo @@ -1,6 +1,6 @@ #!/bin/bash -VERSION=`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` +VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` { echo "MD5 (monkeysphere_${VERSION}.orig.tar.gz) =" $(md5sum "monkeysphere_${VERSION}.orig.tar.gz" | cut -f1 -d\ ) diff --git a/utils/build-releasenote b/utils/build-releasenote index f7561da..b25a87c 100755 --- a/utils/build-releasenote +++ b/utils/build-releasenote @@ -1,10 +1,10 @@ #!/bin/bash -VERSION=`head -n1 debian/changelog | sed 's/.*(\([^)]*\)).*/\1/'` +VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^)]*\)).*/\1/'` { sed "s/__VERSION__/$VERSION/g" < utils/releasenote.header - head -n$(( $(grep -n '^ --' debian/changelog | head -n1 | cut -f1 -d:) - 2 )) debian/changelog | tail -n+3 + head -n$(( $(grep -n '^ --' packaging/debian/changelog | head -n1 | cut -f1 -d:) - 2 )) packaging/debian/changelog | tail -n+3 sed "s/__VERSION__/$VERSION/g" < utils/releasenote.footer } > "website/news/release-$VERSION.mdwn" diff --git a/website/bugs/useful_information.mdwn b/website/bugs/useful_information.mdwn new file mode 100644 index 0000000..025d678 --- /dev/null +++ b/website/bugs/useful_information.mdwn 
@@ -0,0 +1,50 @@ +I would like to know, at INFO (default) log level, when the +monkeyspehere makes a "real" modification to my known\_hosts file; that +is, when it adds or deletes a key. + +Apparently this is hard because monkeysphere is currently configured to +delete all keys and then add good keys, so a key added for the first +time seems to the monkeysphere very similar to a key re-added ten +seconds after last login. + +Still, from a UI perspective, I want to know what monkeysphere is doing. + +------ + +It looks like jrollins committed a change for reporting at INFO level +when a host key gets added by the monkeysphere: +2459fa3ea277d7b9289945748619eab1e3441e5c + +When i connect to a host whose key is not already present in my +known_hosts file, i get the following to stderr: + + ms: * new key for squeak.fifthhorseman.net added to known_hosts file. + +This doesn't fully close this bug, because we aren't notifying on key +deletion, afaict. + +------ + +So current log level DEBUG will output a message if the known host +file has been modified. If the issue is that you want to know at the +default log level everytime the known\_hots file is modified, then we +should just move this message to INFO instead of debug, and then maybe +remove the message that I added above. I was under the impression +that the issue was more about notification that a *new* key was added +to the known\_hosts file, and therefore the new INFO message above +fixed that problem. Should we do this instead? + +In general, more verbose log levels *do* tell the user what the +monkeysphere is doing. Moving to DEBUG log level will tell you pretty +much everything that happens. I do *not* think that this should be +the default log level, though. + +------ + +I wouldn't want to see an extremely verbose default log level. But i +do think that saying something like "key blah blah blah was stripped +from your known\_hosts file because it was expired" (for example) +would be useful. 
I think this case would occur infrequently enough +that it is worth reporting in the UI at the regular log level. + + --dkg diff --git a/website/doc.mdwn b/website/doc.mdwn index 56498e8..cd7bc76 100644 --- a/website/doc.mdwn +++ b/website/doc.mdwn @@ -2,24 +2,24 @@ # Documentation # -## Dependencies ## - -Monkeysphere relies on: - - * [GnuTLS](http://gnutls.org/) version 2.4.0 or later - * [OpenSSH](http://openssh.com/) - * [GnuPG](http://gnupg.org/) - ## Getting started ## * [Downloading and installing](/download) * Getting started as a [user](/getting-started-user) * Getting started as a [server admin](/getting-started-admin) + +## Going further ## + + * [Signing host keys](/signing-host-keys) + +## Under the hood ## + * [Developing the monkeysphere](/community) + * [Technical details](/technical-details) ## References ## - * [Initial specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH) + * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH) * [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880) * [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252) * [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/) diff --git a/website/download.mdwn b/website/download.mdwn index 1f27fde..6d5a73f 100644 --- a/website/download.mdwn +++ b/website/download.mdwn 
@@ -2,10 +2,25 @@ # Downloading and Installing # +Once you've installed the packages, please see the [documentation +page](/doc) to read up on how to get started [as a regular +user](/getting-started-user) or [as a systems +administrator](/getting-started-admin). + +## Dependencies ## + +Monkeysphere relies on: + + * [GnuTLS](http://gnutls.org/) + * version 2.4 or later for general use + * [version 2.6 or later](/news/gnutls-2.6-enables-monkeysphere) to use the `monkeysphere subkey-to-ssh-agent` subcommand. + * [OpenSSH](http://openssh.com/) + * [GnuPG](http://gnupg.org/) + ## Debian ## -If you are running a Debian system, you can install Monkeysphere -by following these directions: +If you are running a [Debian](http://www.debian.org/) system, you can +install Monkeysphere by following these directions: You can add this repo to your system by putting the following lines in `/etc/apt/sources.list.d/monkeysphere.list`: 
@@ -13,23 +28,20 @@ You can add this repo to your system by putting the following lines in deb http://archive.monkeysphere.info/debian experimental monkeysphere deb-src http://archive.monkeysphere.info/debian experimental monkeysphere -The repository is currently signed by the Monkeysphere archive -signing key, key id EB8AF314 (fingerprint: `2E8D -D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314`). To cryptographically +The repository is currently signed by [The Monkeysphere archive +signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C +53F1 197D DF40 3E61 18E6 67F1 EB8A F314`). To cryptographically verify the packages, you'll want to [add this key to your apt configuration after verifying its integrity](/archive-key). To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will -also need [version 2.6 of GnuTLS](/news/gnutls-2.6-enables-monkeysphere), -which is available in Debian experimental. - -Once you've installed the packages, you might want to read up on how -to get started [as a regular user](/getting-started-user) or [as a -systems administrator](/getting-started-admin). +also need [version 2.6 of +GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is available in +Debian experimental. ## FreeBSD ## -There is [now a FreeBSD port available](/news/FreeBSD-port-available/) +There is [now a FreeBSD port available](/news/FreeBSD-port-available) for the Monkeysphere. While the monkeysphere is not officially included in the ports tree 
@@ -51,44 +63,50 @@ port with: cd /usr/ports/security/monkeysphere make && make install +To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will +also need [version 2.6 of +GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is [slated to be +available after the 7.1 ports slush is +over](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127330). + ## Source ## For those that would like to download the source directly, [the source is available](/community) via [git](http://git.or.cz/). The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.19.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.21.orig.tar.gz) is also available, and has these checksums: <pre> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -checksums for the monkeysphere 0.19 release: +checksums for the monkeysphere 0.21 release: MD5: -64c643dd0ab642bbc8814aec1718000e monkeysphere_0.19.orig.tar.gz +15fe181983565aca0fbe4c41f9f6752e monkeysphere_0.21.orig.tar.gz SHA1: -ea3c263b084d2c0b7922cd96677be192201700e4 monkeysphere_0.19.orig.tar.gz +27e915a45cdbe50a139ed4f4b13746b17c165b0f monkeysphere_0.21.orig.tar.gz SHA256: -321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522 monkeysphere_0.19.orig.tar.gz +1535c3f722f5f5c1646a4981efef4a262ac7b23bf4b980c9aee11af2600eedc2 monkeysphere_0.21.orig.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) -iQIVAwUBSQgMCRjmZ/HrivMUAQI2Jg//bZoSxx0Nor6uBikRGHQny8LzgUT/0kpv -xg0eRmL9kQwhGis/sdOiJ9cHykJ1ukhRiIZGfxPBdxiQbWGs9nM6147TGIDgqx6D -yYIW41dvzTRB0TwjNd7g1q6MaSiDNuU/6dD+ooM3/IiR8PDR7X8we0WhSM63KD+v -HeMsN51UMhBfeaZ06fxrjYoJCvnp0YNYJpLuvtd5tzxqJCJA2Vh5VqJMbMP/MtbY -zM/zuNXRI1mJnQZeU++IaAnimX7c7SsGjLaloZG8mapYqqY0tKJ5Yod6aeloq+i5 -wI4gZuuPcgAntD6cnPaqB1ni/d71yywme5F75zpezXGzKzDSh1J5oE6akjMi2lJE -DSOKp7zb7TvDwXxCl+vOVod81F260gPhonlTsD/LpBfPGPBdWlWP+fFchb9N/a2u 
-weCMhUYX1u8Jg/bHIycjoQjPEgZwCkJT9RKF1NTLyWvb4P4a3sPe+fauCMZFbTQ/ -3EYPRBY+PfIDO09XswdB5O3gq6B33ChyWJpdwlXEEHMcFt1FuezuP0avVM9/3ZNp -MkqalDrUEd65X8o+CE3KjFxjMceVdda9mz2netnoHrFMW6X3mFqE2fTldgHi1mCT -hMCqpPzY04+HOHYZ0GapR3pvedd4dwhkNYrdpckp+nJMTRfexEPH/NXDVNH/mxKg -jLoIos0SaiY= -=VUsz +iQIVAwUBSR8+7BjmZ/HrivMUAQLeKg/+JT4LCXBR/06p/w2KBd1MKqch5Qf2ryIo +mxCTWtZRgVQSeOFUJ5SXX+Tfs7VZfkV5HuahUH3NmGC6EMhYyB2olwBOOoIAqEKw +1zVyn49bowCee+gTc3QHyT0Eqgt2ARtzl3/VrHkiw2MaJN3IZXseovyL8ksnEu+u +s8fq26imtBrrucIxp4ZtHUw/h/YrJohHcJ8QQN5/UWFLug4C4aRFmnzL+oCySxAa +0au/zFxxRZE5pMhLUvRwwCwPFx2CGBz6y9lAOiDPhhUqh+Bf7JKWJzk35Dj5Tm+2 +lCIzYtfpBkuF9ehCrm8WYF5aFg+gto8Bc6IJci9J6h2npBYIG0IbWOknMZz3+Ti2 +c3EltlJjK0LKEHujDYjf9tkNAxbBdtlYuw8x925ILeK7n8xX0Jr1TDzPyAIYaogv +IVqsgnvQ489K8k06173kyrPaetyvOlU3bN1zcPdqTyCD6+eBbeCeKXO4324C8iMF +rQPW4HScOdIidqFuzHyIT7PoY4DwWMgeAVymRSEufifvRcdCvQdlC4MaxxVf5I8A +ATkD3CrY+5NZeERAGbmlu7Uz+sUk5tLUH0Q2qvjZUIQRctfr4BMheuBubsLR9yP3 +FZ4Q4kl34eU/WU7NtTmIFy7gDhLSIoeQINfYZlNEXQ7Y/RZUOEwoPI/spAXgw6De +Xpsw0wPZtcM= +=JDaA -----END PGP SIGNATURE----- </pre> diff --git a/website/features.mdwn b/website/features.mdwn new file mode 100644 index 0000000..1aabda1 --- /dev/null +++ b/website/features.mdwn @@ -0,0 +1,4 @@ +[[meta title="Features"]] + +# Features # + diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn index 6c8ad53..1c373ac 100644 --- a/website/getting-started-admin.mdwn +++ b/website/getting-started-admin.mdwn @@ -7,6 +7,7 @@ so that your users can have it automatically verified, and you can set up your machine to automatically identify connecting users by their presence in the OpenPGP web of trust. + Server host key publication --------------------------- To generate and publish a server host key: 
@@ -48,6 +49,7 @@ effect. As with any change to `sshd_config`, be sure to retain an existing session to the machine while you test your changes so you don't get locked out. + Monkeysphere authorized_keys maintenance ---------------------------------------- diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn index 66378dc..9b04edc 100644 --- a/website/getting-started-user.mdwn +++ b/website/getting-started-user.mdwn @@ -20,19 +20,21 @@ done with a simple cronjob. An example of crontab line to do this is: This would refresh your keychain every day at noon. + Install the monkeysphere software on your system ------------------------------------------------ If you haven't installed monkeysphere yet, you will need to [download -and install] (/download) before continuing. +and install](/download) before continuing. Make sure that you have the GnuTLS library version 2.6 or later installed on your system. If you can't (or don't want to) upgrade to GnuTLS 2.6 or later, there are patches for GnuTLS 2.4 available in [the Monkeysphere git repo](/community). + Keeping your `known_hosts` file in sync with your keyring ------------------------------------------------------------ +--------------------------------------------------------- With your keyring updated, you want to make sure that OpenSSH can still see the most recent trusted information about who the various @@ -47,6 +49,7 @@ key for that host to the `known_hosts` file if one is found. This command could be added to a crontab as well, if desired. + Using `monkeysphere-ssh-proxycommand`(1) ---------------------------------------- @@ -91,6 +94,7 @@ If you have more than one secret key, you'll need to specify the key you want to add the subkey to on the command line. + Using your OpenPGP authentication key for SSH --------------------------------------------- 
@@ -105,6 +109,7 @@ you can feed your authentication subkey to your ssh agent by running: FIXME: using the key with a single ssh connection? + Establish trust --------------- diff --git a/website/news/release-0.20-1.mdwn b/website/news/release-0.20-1.mdwn new file mode 100644 index 0000000..841369d --- /dev/null +++ b/website/news/release-0.20-1.mdwn @@ -0,0 +1,18 @@ +[[meta title="Monkeysphere 0.20-1 released!"]] + +Monkeysphere 0.20-1 has been released. + +Notes from the changelog: + +<pre> + [ Daniel Kahn Gillmor ] + * ensure that tempdirs are properly created, bail out otherwise instead + of stumbling ahead. + * minor fussing with the test script to make it cleaner. + + [ Jameson Graef Rollins ] + * clean up Makefile to generate more elegant source tarballs. + * make myself the maintainer. +</pre> + +[[Download]] it now! diff --git a/website/news/release-0.21-1.mdwn b/website/news/release-0.21-1.mdwn new file mode 100644 index 0000000..e807775 --- /dev/null +++ b/website/news/release-0.21-1.mdwn @@ -0,0 +1,10 @@ +[[meta title="Monkeysphere 0.21-1 released!"]] + +Monkeysphere 0.21-1 has been released. + +Notes from the changelog: + +<pre> +</pre> + +[[Download]] it now! diff --git a/website/signing-host-keys.mdwn b/website/signing-host-keys.mdwn new file mode 100644 index 0000000..1eb61a0 --- /dev/null +++ b/website/signing-host-keys.mdwn 
@@ -0,0 +1,127 @@ +# Signing a host's SSH key using OpenPGP # + +This page is meant to address the issue of signing OpenPGP-based SSH +host keys. Machines are not people, so the circumstances under which +one should sign a host key are different from those under which one +should sign another person's key. + +# Why are signatures on an SSH host key important? # + +In order for users to validate a host (an SSH server) in a +monkeysphere-enabled network, the host key must have *full* calculated +validity from the perspective of the connecting user. If the user has +not themselves signed the server's key, then the server's key can only +be valid if other people that the user trusts have signed the key. + +If only one person has signed the server's key, then the user must +fully trust the single person who has signed the host key. Full trust +should be granted sparingly and with consideration, though, so unless +the user knows the server admin very well, they will in general not +have full trust of this person. + +However, full trust of the host key can also be achieved if the +server key has been signed by three or more people that the user has + *marginal* trust of. In other words, three or more *marginally* +trusted signatures equals one *fully* trusted signature. It is much +more common for users to have marginal trust of other users in the Web +of Trust. For this reason, it is advisable to have as many people +sign the server key as possible. + +## What information should you have before signing a host key? ## + +Before signing the key of a person, you want to do two things: + +1. verify the identity of the person. +2. verify that the person is actually in control of the key that you +are signing. + +For a server, you want to do basically the same thing: + +1. verify the identity of the server. +2. verify that the server is actually in control of the key that you +are signing. 
+ +However, verifying these things for a server is less intuitive than it +is for a human. + +Verifying that the host is in control of the key is, in principle, +straightforward. If you are logged on to the machine in question, +then you can check directly that the key exists on the system. + +What is not so straightforward is what exactly it means to "verify the +identity" of a remote server on the internet? The identity in this +case is the fully qualified domain name (FQDN) of the host. Verifying +this identity amounts to being sure that the host in question really +is located at that FQDN. + +## Signing the host key ## + +If you are the person (or persons) that actually setup the server and +configured Monkeysphere and ssh on the server, then you should sign +the host key as part of that process. When the server is first set +up, the administrators who set it up are the only ones who can +actually vouch for the server key, so their signatures are necessary +to get things going. Their signatures are also necessary so that they +can validate the host key themselves and log into the server via +monkeysphere-enabled ssh in the future. + +If you did not set up the server initially, you do not have an +accumulated full trust of the person(s) who did, and you do not +necessarily have console access to the server directly, it's hard to +confidently verify the server identity and key ownership. You would +like to be able to walk up to the server, log in at the console, and +get the fingerprint of the ssh host key directly. But this is usually +impossible. + +However, it is still possible to verify the server identity *and* +server ownership of the key, even in this case. + +## Remotely verifying host identity and key possession ## + +It is in fact possible to verify the identity and key ownership of a +server in one fell swoop with monkeysphere-enabled ssh. Here is the +procedure: + +> **Attempt to make a monkeysphere-enabled ssh connection to the host in +question. 
Monkeysphere will check that the ssh host key offered by the +host matches the OpenPGP key with the correct host FQDN user ID. If +the ssh host key and the OpenPGP key with the correct user ID match, +then you will have effectively:** + +>**1. verified the host identity, because you actually connected to the +host in question, which you know because you:** + +>**2. verified the host is in control of the key, because the ssh host +key offered by the host matches the OpenPGP key with correct host FQDN +user ID.** + +Here is an example: + + servo:~ 0$ ssh zimmermann.mayfirst.org + -------------------- Monkeysphere warning ------------------- + Monkeysphere found OpenPGP keys for this hostname, but none had full validity. + An OpenPGP key matching the ssh key offered by the host was found: + + pub 2048R/860E8F9C 2008-10-29 [expires: 2009-02-26] + uid [marginal] ssh://zimmermann.mayfirst.org + sig! 76CC057D 2008-11-15 Jamie McClelland <jamie@mayfirst.org> + sig!3 860E8F9C 2008-10-29 ssh://zimmermann.mayfirst.org + sig! D21739E9 2008-10-29 Daniel Kahn Gillmor <dkg@fifthhorseman.net> + sig! 1CF2D62A 2008-11-16 Micah Anderson <micah@riseup.net> + + RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e. + -------------------- ssh continues below -------------------- + The authenticity of host 'zimmermann.mayfirst.org (<no hostip for proxy command>)' can't be established. + RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e. + No matching host key fingerprint found in DNS. + Are you sure you want to continue connecting (yes/no)? no + Host key verification failed. + servo:~ 255$ + +I have attempted to connect to the host zimmermann.mayfirst.org. +zimmermann's host key has only *marginal* validity for the FQDN user +ID in question, so I am not able to connect. However, the +Monkeysphere has checked that the ssh host key actually does match the +OpenPGP key with the correct user ID `ssh://zimmermann.mayfirst.org`. 
+I have therefore verified the identity of zimmermann, and verified +that zimmermann is in possession of the key in question. diff --git a/website/technical-details.mdwn b/website/technical-details.mdwn new file mode 100644 index 0000000..902e356 --- /dev/null +++ b/website/technical-details.mdwn @@ -0,0 +1,28 @@ +[[meta title="Technical Details"]] + +# Technical Details # + +Under construction. + +## Host key verification ## + +When an ssh connection is initiated, the ssh client checks that the +host key presented by the server matches one found in the connecting +user's `known_hosts` file. If so, the ssh client allows the +connection to continue. If not, the client asks the user if they +would like to accept the host key for future session by asking the +user to verify the host key's fingerprint. + +### Adding a server to the monkeysphere ### + +Servers are "monkeysphere enabled" by generating an OpenPGP +authentication key for the server, translating the key into on ssh +key, and publishing the host key to the Web of Trust. + +### Verifying a host key ### + +## User authentication ## + +### Adding an individual to the monkeysphere ### + +### Verifying a user key ### |
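Review bot: in the download.mdwn hunk the `<pre>` block is a PGP-signed checksum list, but nothing around it says which key signed it or how to check the signature, so a reader can only compare the MD5/SHA1/SHA256 values against the tarball and gets no benefit from the signature. Add a sentence above the block naming the signing key (fingerprint) and a `gpg --verify` hint, ideally pointing at the /community page that the same paragraph already links for the git repository.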
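Review bot: features.mdwn is added as an empty page, a `[[meta title="Features"]]` line and a `# Features #` heading with no body. Either mark it "Under construction" as technical-details.mdwn does in this same commit, or hold the file back until it has content, so the site navigation does not advertise a blank page.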
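Review bot: release-0.21-1.mdwn announces 0.21-1 with "Notes from the changelog:" followed by an empty `<pre></pre>`. Either paste the 0.21-1 changelog entries (as release-0.20-1.mdwn does in the same commit) or drop the "Notes from the changelog:" line before publishing, since download.mdwn already points at the 0.21 tarball.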
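Review bot: in signing-host-keys.mdwn, the "Remotely verifying host identity and key possession" section claims that a matching key means you have "verified the host identity, because you actually connected to the host in question". What the check actually establishes is that whatever answered at that FQDN, over the network path used for that one connection, holds the private key belonging to the OpenPGP key carrying the `ssh://` user ID; it does not by itself show that this party is the legitimate operator of the name, since the check trusts name resolution and routing at that moment. State that assumption plainly, suggest that a signer without console access repeat the check from a different network or at a later time, and tell the reader to compare the two `RSA key fingerprint is ...` lines in the example (the one printed by Monkeysphere and the one printed by ssh) before answering `no` at the prompt. Minor: "that actually setup the server" should read "set up the server", and "three or more *marginally* trusted signatures equals one *fully* trusted signature" is GnuPG's default (`--marginals-needed 3`, `--completes-needed 1`) rather than a fixed rule, so qualify it as the default.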
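Review bot: typo in the "Adding a server to the monkeysphere" paragraph of technical-details.mdwn: "translating the key into on ssh key" should read "into an ssh key", and "for future session" in the "Host key verification" paragraph should be "sessions". That paragraph also covers only the unknown-host prompt; the mismatch case, where a key already in `known_hosts` differs from the one the server presents and the client refuses instead of prompting, is the case that matters for this page and deserves a sentence. The "Verifying a host key", "Adding an individual to the monkeysphere" and "Verifying a user key" headings are empty, which is acceptable under "Under construction", but a one-line pointer from "Verifying a host key" to signing-host-keys.mdwn added in this same commit would help.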