From 820957fe7d0af5ee5d916bd948b2ee0750fe73ea Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 21:18:27 -0500 Subject: updated Makefile copyright info to use © symbol since (c) is apparently legally meaningless MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7ca73ef..7d13c32 100755 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Makefile for monkeysphere -# (c) 2008-2009 Daniel Kahn Gillmor +# © 2008-2010 Daniel Kahn Gillmor # Licensed under GPL v3 or later MONKEYSPHERE_VERSION = `head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'` -- cgit v1.2.3 From d31c6e8ae587c69731b3cead53358a5b6ddb88ea Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 21:18:56 -0500 Subject: added test of "monkeysphere keys-for-userid" --- tests/basic | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/basic b/tests/basic index 6fe3237..de8a659 100755 --- a/tests/basic +++ b/tests/basic @@ -10,7 +10,7 @@ # Jameson Rollins # Micah Anderson # -# Copyright: 2008-2009 +# Copyright: © 2008-2010 # License: GPL v3 or later # these tests should all be able to run as a non-privileged user. @@ -340,6 +340,12 @@ monkeysphere-authentication update-users $(whoami) ###################################################################### ### TESTS +## see whether keys-for-userid works from the client's perspective: +echo +echo "##################################################" +echo "### testing monkeysphere keys-for-userid ..." +diff -q <( monkeysphere keys-for-userid ssh://testhost ) <( cut -f1,2 -d' ' < "$TEMPDIR"/ssh_host_rsa_key.pub ) + # connect to test sshd, using monkeysphere ssh-proxycommand to verify # the identity before connection. This should work in both directions! echo -- cgit v1.2.3 From f5b9a51e0d2fbdaaa0b5987f1cb3ea0b6a8da7c2 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 21:20:35 -0500 Subject: updated test suite to use scheme://hostname instead of raw hostname, in preparation for multi-key monkeysphere-host --- tests/basic | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/basic b/tests/basic index de8a659..ae30529 100755 --- a/tests/basic +++ b/tests/basic @@ -250,7 +250,7 @@ echo echo "##################################################" echo "### import host key..." ssh-keygen -b 1024 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key -monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key testhost +monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost echo echo "##################################################" @@ -506,7 +506,7 @@ target_hostname=testhost2 ssh_test 255 echo echo "##################################################" echo "### add hostname, certify by admin, import by user..." -monkeysphere-host add-hostname testhost2 +monkeysphere-host add-hostname ssh://testhost2 < "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" @@ -527,7 +527,7 @@ target_hostname=testhost2 ssh_test echo echo "##################################################" echo "### ssh connection test for failure with 'testhost2' revoked..." -monkeysphere-host revoke-hostname testhost2 +monkeysphere-host revoke-hostname ssh://testhost2 gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpg --check-trustdb target_hostname=testhost2 ssh_test 255 -- cgit v1.2.3 From 5530ebf34aeff13473b70f0704f037ed127a3c0d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 21:33:55 -0500 Subject: updating test suite to new preferred "monkeysphere-host {add,revoke}-servicename" subcommand --- tests/basic | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/tests/basic b/tests/basic index ae30529..0ae398b 100755 --- a/tests/basic +++ b/tests/basic @@ -505,8 +505,8 @@ echo "### ssh connection test directly to 'testhost2' without new name..." target_hostname=testhost2 ssh_test 255 echo echo "##################################################" -echo "### add hostname, certify by admin, import by user..." -monkeysphere-host add-hostname ssh://testhost2 +echo "### add servicename, certify by admin, import by user..." +monkeysphere-host add-servicename ssh://testhost2 < "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" @@ -527,7 +527,7 @@ target_hostname=testhost2 ssh_test echo echo "##################################################" echo "### ssh connection test for failure with 'testhost2' revoked..." -monkeysphere-host revoke-hostname ssh://testhost2 +monkeysphere-host revoke-servicename ssh://testhost2 gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpg --check-trustdb target_hostname=testhost2 ssh_test 255 @@ -535,9 +535,7 @@ target_hostname=testhost2 ssh_test 255 # FIXME: addtest: remove admin as id-certifier and check ssh failure # FIXME: addtest: how do we test that set-expire makes sense after new -# hostnames have been added? - -# FIXME: addtest: revoke the host key and check ssh failure +# servicenames have been added? # test to make sure things are OK after the previous tests: echo @@ -551,7 +549,7 @@ ssh_test echo echo "##################################################" -echo "### revoking host key..." +echo "### revoking ssh host key..." # generate the revocation certificate and feed it directly to the test # user's keyring (we're not publishing to the keyservers) monkeysphere-host revoke-key | gpg --import -- cgit v1.2.3 From 792f1e3324076f8521de33aa15f1dd7ba9c9a73f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 22:23:05 -0500 Subject: changed test suite variable from HOSTKEY to SSHHOSTKEY; updated path to exported host keys (from ssh_host_rsa_key.pub.gpg to host_keys.gpg.pub) --- tests/basic | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/basic b/tests/basic index 0ae398b..ceb9963 100755 --- a/tests/basic +++ b/tests/basic @@ -255,8 +255,8 @@ monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost echo echo "##################################################" echo "### getting host key fingerprint..." -HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ ) -echo "$HOSTKEYID" +SSHHOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ ) +echo "$SSHHOSTKEYID" # change host key expiration echo @@ -270,8 +270,8 @@ monkeysphere-host set-expire 1 echo echo "##################################################" echo "### certifying server host key..." -< "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import -echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" +< "$MONKEYSPHERE_SYSCONFIGDIR"/host_keys.pub.gpg gpgadmin --import +echo y | gpgadmin --command-fd 0 --sign-key "$SSHHOSTKEYID" # FIXME: add revoker? @@ -321,7 +321,7 @@ monkeysphere gen-subkey echo echo "##################################################" echo "### export server key to testuser..." -gpgadmin --armor --export "$HOSTKEYID" | gpg --import +gpgadmin --armor --export "$SSHHOSTKEYID" | gpg --import # teach the "server" about the testuser's key echo @@ -507,20 +507,20 @@ echo echo "##################################################" echo "### add servicename, certify by admin, import by user..." monkeysphere-host add-servicename ssh://testhost2 -< "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import -printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" +< "$MONKEYSPHERE_SYSCONFIGDIR"/host_keys.pub.gpg gpgadmin --import +printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$SSHHOSTKEYID" echo echo "##################################################" echo "### ssh connection test with hostname 'testhost2' added..." -gpgadmin --export "$HOSTKEYID" | gpg --import +gpgadmin --export "$SSHHOSTKEYID" | gpg --import gpg --check-trustdb ssh_test echo echo "##################################################" echo "### ssh connection test directly to 'testhost2' ..." -gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg +gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/host_keys.pub.gpg gpg --check-trustdb target_hostname=testhost2 ssh_test @@ -528,7 +528,7 @@ echo echo "##################################################" echo "### ssh connection test for failure with 'testhost2' revoked..." monkeysphere-host revoke-servicename ssh://testhost2 -gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg +gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/host_keys.pub.gpg gpg --check-trustdb target_hostname=testhost2 ssh_test 255 -- cgit v1.2.3 From 7250e1b7f9930651038c72863c990de5ad89b42b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 22:27:21 -0500 Subject: added simple basic test for second key for monkeysphere-host, pulled this time from OpenSSL --- packaging/debian/control | 2 +- tests/basic | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/packaging/debian/control b/packaging/debian/control index 3d41f00..d70d023 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -3,7 +3,7 @@ Section: net Priority: extra Maintainer: Jameson Rollins Uploaders: Daniel Kahn Gillmor -Build-Depends: debhelper (>= 7.0), cpio, socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail +Build-Depends: debhelper (>= 7.0), cpio, socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail, openssl Standards-Version: 3.8.3 Homepage: http://web.monkeysphere.info/ Vcs-Git: git://git.monkeysphere.info/monkeysphere diff --git a/tests/basic b/tests/basic index ceb9963..f808387 100755 --- a/tests/basic +++ b/tests/basic @@ -547,6 +547,19 @@ echo "##################################################" echo "### ssh connection test for success..." ssh_test +echo +echo "##################################################" +echo "### Testing TLS setup..." + +openssl req -config "$TESTDIR"/openssl.cnf -x509 -newkey rsa:1024 -subj '/DC=net/DC=example/DC=testhost/CN=testhost.example.net/' -days 3 -keyout "$TEMPDIR"/tls_key.pem -nodes >"$TEMPDIR"/tls_cert.pem +monkeysphere-host import-key "$TEMPDIR"/tls_key.pem https://testhost + +# FIXME: how can we test this via an https client? +# We don't currently provide one. + +# FIXME: should we test other monkeysphere-host operations somehow now +# that we have more than one key in the host keyring? + echo echo "##################################################" echo "### revoking ssh host key..." -- cgit v1.2.3 From 1bdb595ef53d3ef72068de0129d0d8d9f1b629d3 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 23:10:58 -0500 Subject: update monkeysphere(1) to acknowledge use beyond OpenSSH --- man/man1/monkeysphere.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 8b73583..c5296ec 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -11,9 +11,9 @@ monkeysphere - Monkeysphere client user interface .SH DESCRIPTION \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust -for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and -added to the authorized_keys and known_hosts files used by OpenSSH for -connection authentication. +for OpenSSH and TLS key-based authentication. OpenPGP keys are +tracked via GnuPG, and added to the authorized_keys and known_hosts +files used by OpenSSH for connection authentication. \fBmonkeysphere\fP is the Monkeysphere client utility. -- cgit v1.2.3 From 01bf1da3ec050356b1a82e15e6a02f38cb0ee94d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 23:11:53 -0500 Subject: update monkeysphere-authentication(8) to acknowledge use of monkeysphere beyond OpenSSH --- man/man8/monkeysphere-authentication.8 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 572aa6a..d891eda 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -1,4 +1,4 @@ -.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-AUTHENTICATION "8" "January 2010" "monkeysphere" "System Commands" .SH NAME @@ -11,9 +11,9 @@ monkeysphere\-authentication - Monkeysphere authentication admin tool. .SH DESCRIPTION \fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust -(WoT) for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, -and added to the authorized_keys and known_hosts files used by OpenSSH -for connection authentication. +(WoT) for key-based authentication. OpenPGP keys are tracked via +GnuPG, and added to the authorized_keys files used by OpenSSH for +connection authentication. \fBmonkeysphere\-authentication\fP is a Monkeysphere server admin utility for configuring and managing SSH user authentication through -- cgit v1.2.3 From 97f724476c2b51b5db9699fd484b837155fbba55 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Jan 2010 23:13:35 -0500 Subject: added missing openssl.cnf for test suite. --- tests/openssl.cnf | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 tests/openssl.cnf diff --git a/tests/openssl.cnf b/tests/openssl.cnf new file mode 100644 index 0000000..3456dc5 --- /dev/null +++ b/tests/openssl.cnf @@ -0,0 +1,26 @@ +# OpenSSL configuration for the purposes of the monkeysphere test suite: + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +[ req ] +attributes = req_attributes +x509_extensions = monkeysphere_self_signed +distinguished_name = req_dn +attributes = req_attrs + +[ monkeysphere_self_signed ] + +# Just generate an X.509 cert that is for specific use as a TLS server +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +nsCertType = server + +[ req_dn ] +commonName = Common Name +commonName_max = 64 + +[ req_attrs ] -- cgit v1.2.3 From d670eab60c0ce98bb9f4dc439f9bbd0452ee0d0a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Jan 2010 00:47:19 -0500 Subject: overhaul monkeysphere-host(8) to match new multi-key capable interface --- man/man8/monkeysphere-host.8 | 226 ++++++++++++++++++++++++++++--------------- 1 file changed, 148 insertions(+), 78 deletions(-) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 131b8c7..2a670a1 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -1,8 +1,8 @@ -.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-HOST "8" "January 2010" "monkeysphere" "System Commands" .SH NAME -monkeysphere\-host - Monkeysphere host admin tool. +monkeysphere\-host - Monkeysphere host key administration tool. .SH SYNOPSIS @@ -11,35 +11,43 @@ monkeysphere\-host - Monkeysphere host admin tool. .SH DESCRIPTION \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust -for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and -added to the authorized_keys and known_hosts files used by OpenSSH for -connection authentication. +for SSH and TLS key-based authentication. -\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility for -managing the host's OpenPGP host key. +\fBmonkeysphere\-host\fP stores and manages OpenPGP certificates for +various services offered by the host. + +Most subcommands take a KEYID argument, which identifies (by OpenPGP +key ID (e.g. 0xDEADBEEF) or full OpenPGP fingerprint) which +certificate is to be operated upon. If only one certificate is +currently managed by \fBmonkeysphere\-host\fP, the KEYID argument may +be omitted, \fBmonkeysphere\-host\fP will operate on it. .SH SUBCOMMANDS \fBmonkeysphere\-host\fP takes various subcommands: .TP -.B import\-key FILE NAME[:PORT] -Import a pem-encoded ssh secret host key from file FILE. If FILE is -`\-', then the key will be imported from stdin. Only RSA keys are -supported at the moment. NAME[:PORT] is used to specify the -fully-qualified hostname (and port) used in the user ID of the new -OpenPGP key. If PORT is not specified, then no port is added to the -user ID, which means port 22 is assumed. `i' may be used in place of +.B import\-key FILE SCHEME://HOSTNAME[:PORT] +Import a PEM-encoded host secret key from file FILE. If FILE is `\-', +then the key will be imported from stdin. Only RSA keys are supported +at the moment. SCHEME://HOSTNAME[:PORT] is used to specify the scheme +(e.g. ssh or https), fully-qualified hostname (and port) used in the +user ID of the new OpenPGP key (e.g. ssh://example.net or +https://www.example.net). If PORT is not specified, then no port is +added to the user ID, which means the default port for that service +(e.g. 22 for ssh) is assumed. `i' may be used in place of `import\-key'. .TP -.B show\-key -Output information about host's OpenPGP and SSH keys. `s' may be used +.B show\-key [KEYID ...] +Output information about the OpenPGP certificate(s) for services +offered by the host, including their KEYIDs. If no KEYID is specified +(or if the special string `--all' is used), output information about +all certificates managed by \fBmonkeysphere\-host\fP. `s' may be used in place of `show\-key'. .TP -.B set\-expire [EXPIRE] -Extend the validity of the OpenPGP key for the host until EXPIRE from -the present. If EXPIRE is not specified, then the user will be -prompted for the extension term. Expiration is specified as with -GnuPG (measured from today's date): +.B set\-expire EXPIRE [KEYID] +Extend the validity of the OpenPGP certificate specified until EXPIRE +from the present. Expiration is specified as with GnuPG (measured +from today's date): .nf 0 = key does not expire = key expires in n days @@ -49,34 +57,42 @@ GnuPG (measured from today's date): .fi `e' may be used in place of `set\-expire'. .TP -.B add\-hostname HOSTNAME -Add a hostname user ID to the server host key. `n+' may be used in -place of `add\-hostname'. -.TP -.B revoke\-hostname HOSTNAME -Revoke a hostname user ID from the server host key. `n\-' may be used -in place of `revoke\-hostname'. -.TP -.B add\-revoker KEYID|FILE -Add a revoker to the host's OpenPGP key. The key ID will be loaded -from the keyserver. A file may be loaded instead of pulling the key -from the keyserver by specifying the path to the file as the argument, -or by specifying `\-' to load from stdin. `r+' may be be used in place -of `add-revoker'. -.TP -.B revoke\-key -Generate (with the option to publish) a revocation certificate for the -host's OpenPGP key. If such a certificate is published, your host key -will be permanently revoked. This subcommand will ask you a series of -questions, and then generate a key revocation certificate, sending it -to stdout. If you explicitly tell it to publish the revocation -certificate immediately, it will send it to the public keyservers. -USE WITH CAUTION! -.TP -.B publish\-key -Publish the host's OpenPGP key to the public keyservers. `p' may be -used in place of `publish-key'. Note that there is no way to remove a -key from the public keyservers once it is published! +.B add\-servicename SCHEME://HOSTNAME[:PORT] [KEYID] +Add a service-specific user ID to the specified certificate. For +example, the operator of `https://example.net' may wish to add an +additional servicename of `https://www.example.net' to the certificate +corresponding to the secret key used by the TLS-enabled web server. +`n+' may be used in place of `add\-hostname'. +.TP +.B revoke\-servicename SCHEME://HOSTNAME[:PORT] [KEYID] +Revoke a service-specific user ID from the specified certificate. +`n\-' may be used in place of `revoke\-hostname'. +.TP +.B add\-revoker REVOKER_KEYID|FILE [KEYID] +Add a revoker to the specified OpenPGP certificate. The revoker can +be specified by their own REVOKER_KEYID (in which case it will be +loaded from an OpenPGP keyserver), or by specifying a path to a file +containing the revoker's OpenPGP certificate, or by specifying `\-' to +load from stdin. `r+' may be be used in place of `add-revoker'. +.TP +.B revoke\-key [KEYID] +Generate (with the option to publish) a revocation certificate for +given OpenPGP certificate. If such a certificate is published, the +given key will be permanently revoked, and will no longer be accepted +by monkeysphere-enabled clients. This subcommand will ask you a +series of questions, and then generate a key revocation certificate, +sending it to stdout. You might want to store these certificates +safely offline, to publish in case of compromise). If you explicitly +tell it to publish the revocation certificate immediately, it will +send it to the public keyservers. PUBLISH THESE CERTIFICATES ONLY IF +YOU ARE SURE THE CORRESPONDING KEY WILL NEVER BE RE-USED! +.TP +.B publish\-key [KEYID ...] +Publish the specified OpenPGP certificates to the public keyservers. +If the special string `--all' is specified, all of the host's OpenPGP +certificates will be published. `p' may be used in place of +`publish-key'. Note that there is no way to remove a key from the +public keyservers once it is published! .TP .B version Show the monkeysphere version number. `v' may be used in place of @@ -96,37 +112,87 @@ there is a valid host key, that the key is not expired, that the sshd configuration points to the right place, etc. `d' may be used in place of `diagnostics'. -.SH SETUP HOST AUTHENTICATION +.SH SETUP SSH SERVER CERTIFICATES -To enable host verification via the monkeysphere, an OpenPGP key must -be made out of the host's ssh key, and the key must be published to -the Web of Trust. This is not done by default. The first step is to -import the host's ssh key into a monkeysphere-style OpenPGP key. This -is done with the import\-key command. When importing a key, you must -specify the path to the host's ssh RSA key to import, and a hostname -to use as the key's user ID: +To enable users to verify your SSH host's key via the monkeysphere, an +OpenPGP certificate must be made out of the host's RSA ssh key, and +the certificate must be published to the Web of Trust. Certificate +publication is not done by default. The first step is to import the +host's ssh key into a monkeysphere-style OpenPGP certificate. This is +done with the import\-key command. For example: -# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org +# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key ssh://host.example.org -On most systems, the ssh host RSA key is stored at +On most systems, sshd's RSA secret key is stored at /etc/ssh/ssh_host_rsa_key. -Once the host key has been imported, it must be published to the Web -of Trust so that users can retrieve the key when sshing to the host. -The host key is published to the keyserver with the publish\-key -command: - -$ monkeysphere\-host publish\-key - -In order for users logging into the system to be able to identify the -host via the monkeysphere, at least one person (e.g. a server admin) -will need to sign the host's key. This is done using standard OpenPGP -keysigning techniques, usually: pull the key from the keyserver, -verify and sign the key, and then re-publish the signature. Please -see http://web.monkeysphere.info/signing-host-keys/ for more -information. Once an admin's signature is published, users logging -into the host can use it to validate the host's key without having to -manually check the host key's fingerprint. +See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES for +how to make sure your users can verify the ssh service offered by your +host once the key is imported into \fBmonkeysphere\-host\fP. + +.SH SETUP WEB SERVER CERTIFICATES + +You can set up your HTTPS-capable web server so that your users can +verify it via the monkeysphere, without changing your server's +software at all. You just need access to a (PEM-encoded) version of +the server's RSA secret key (most secret keys are already stored +PEM-encoded). The first step is to import the web server's key into a +monkeysphere-style OpenPGP certificate. This is done with the +import\-key command. For example: + +# monkeysphere\-host import-key /etc/ssl/private/host.example.net-key.pem https://host.example.net + +If you don't know where the web server's key is stored on your +machine, consult the configuration files for your web server. +Debian-based systems using the `ssl-cert' packages often have a +default self-signed certificate stored in +`/etc/ssl/private/ssl-cert-snakeoil.key' ; if you're using that key, +your users are getting browser warnings about it. You can keep using +the same key, but help them use the OpenPGP WoT to verify that it does +belong to your web server by using something like: + +# monkeysphere\-host import-key /etc/ssl/private/ssl-cert-snakeoil.key https://$(hostname --fqdn) + +If you offer multiple HTTPS websites using the same secret key, you +should add the additional website names with the `add-servicename' +subcommand. + +See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES (the +next section) for how to make sure your users can verify the https +service offered by your host once the key is imported and any extra +site names have been added. Note that you can add or remove +additional servicenames at any time, but you'll need to certify any +new ones separately. + +.SH PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES + +Once the host key has been imported, the corresponding certificate +must be published to the Web of Trust so that users can retrieve the +cert when connecting to the host. The host certificates are published +to the keyserver with the publish\-key command: + +$ monkeysphere\-host publish\-key --all + +In order for users accessing the system to be able to identify the +host's service via the monkeysphere, at least one person (e.g. a +server admin) will need to sign the host's certificate. This is done +using standard OpenPGP keysigning techniques. Usually: pull the +host's OpenPGP certificate from the keyserver, verify and sign it, and +then re-publish your signature. More than one person can certify any +certificate. Please see +http://web.monkeysphere.info/signing-host-keys/ for more information +and details. Once an admin's signature is published, users accessing +the host can use the certificate to validate the host's key without +having to manually check the host key's fingerprint (in the case of +ssh) or without seeing a nasty "security warning" in their browsers +(in the case of https). + +.SH SECURITY CONSIDERATIONS + +Note that \fBmonkeysphere\-host\fP currently caches a copy of all +imported secret keys (stored in OpenPGP form for future manipulation) +in /var/lib/monkeysphere/host/secring.gpg. Cleartext backups of this +file could expose secret key material if not handled sensitively. .SH ENVIRONMENT @@ -149,9 +215,13 @@ If set to `false', never prompt the user for confirmation. (true) /etc/monkeysphere/monkeysphere\-host.conf System monkeysphere\-host config file. .TP -/var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg -A world-readable copy of the host's public key in OpenPGP format, -including all relevant self-signatures. +/var/lib/monkeysphere/host_keys.pub.gpg +A world-readable copy of all of the host's public keys in OpenPGP +format, including all relevant self-signatures. +.TP +/var/lib/monkeysphere/host/ +A locked directory (readable only by the superuser) containing copies +of all imported secret keys. .SH AUTHOR -- cgit v1.2.3 From 3291352baaa7578b57bf6d0e4b42675cee55fe1a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Jan 2010 00:58:22 -0500 Subject: updating getting-started docs to use the 0.28 monkeysphere-host syntax (specifying full service user ID including scheme) --- website/getting-started-admin.mdwn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn index aad4251..ab0acc6 100644 --- a/website/getting-started-admin.mdwn +++ b/website/getting-started-admin.mdwn @@ -1,8 +1,8 @@ Monkeysphere Server Administrator README ======================================== - Note: This documentation is for Monkeysphere version 0.23 or later. - If you are running a version prior to 0.23, we recommend that you upgrade. + Note: This documentation is for Monkeysphere version 0.28 or later. + If you are running a version prior to 0.28, we recommend that you upgrade. As the administrator of an SSH server, you can take advantage of the Monkeysphere in two ways: @@ -25,11 +25,11 @@ To begin, you must first import an ssh host key. This assumes that you have the ssh server installed, and that you have generated a host RSA key. Once that has been done, import the key: - # monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key server.example.net + # monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://server.example.net This will generate an OpenPGP certificate for the server. The primary user ID for this certificate will be the ssh service URI for the host, -(eg. `ssh://server.example.net`). Remember that the name you provide +(e.g. `ssh://server.example.net`). Remember that the name you provide here should probably be a fully qualified domain name for the host in order for your users to find it. -- cgit v1.2.3 From 94c28acd69a41f5733e3b4d800c755b053ca3449 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Jan 2010 14:12:41 -0500 Subject: adding website page about expanding the monkeysphere --- website/community.mdwn | 4 ++++ website/expansion.mdwn | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 website/expansion.mdwn diff --git a/website/community.mdwn b/website/community.mdwn index 4b13ee0..492703b 100644 --- a/website/community.mdwn +++ b/website/community.mdwn @@ -38,6 +38,10 @@ the following from inside the monkeysphere top level directory: This command will build an upstream tarball, attach the debian packaging directory, and build a sample deb. +If you want to help extend the scope of the Monkeysphere, take a look +at our +[list of environments that could make use of the project](/expansion). + ### Individual developer repositories ### You might also be interested in the repositories of individual diff --git a/website/expansion.mdwn b/website/expansion.mdwn new file mode 100644 index 0000000..13f368a --- /dev/null +++ b/website/expansion.mdwn @@ -0,0 +1,49 @@ +[[meta title="Expanding the Monkeysphere"]] + +# Expanding the Monkeysphere # + +The Monkeysphere currently has implementations that support two +popular protocols in use on the internet today: + + * SSH: Monkeysphere supports the OpenSSH implementation of the Secure + Shell protocol, for authenticating both hosts and users. + + * HTTPS: Monkeysphere supports secure web traffic by allowing users + of Mozilla-based browsers (such as + [Firefox](http://www.mozilla.com/en-US/firefox) or + [Iceweasel](http://wiki.debian.org/Iceweasel)) to authenticate web + sites that are not authenticated by the browser's built-in X.509 + verification. This should work with any HTTPS-capable web server. + +But there are many protocols and implementations on the 'net that +could use the Monkeysphere for key-based authentication but currently +do not. Here are some examples of places we think it could be useful. +If you can help with these (or suggest others), please pitch in! + + * HTTPS client authentication: web servers should be able to + authenticate clients that use asymmetric crypto. That is, the + client holds an RSA secret key, offers a (potentially self-signed) + X.509 Cert to the server as part of the TLS handshake, and the + server verifies the key material and commonName or subjectAltName + in the cert via the OpenPGP web of trust. + + * Other TLS connections: for example, SMTP services using STARTTLS + (server-to-server and client-to-server), IMAP or POP daemons (using + STARTTLS or a direct TLS wrapper), LDAP servers (or LDAPS), XMPP + connections (client-to-server and server-to-server) + + * IRC connections: this could be at the TLS layer, or maybe via some + exchange with the NickServ? + + * [OTR](http://www.cypherpunks.ca/otr) client-to-client handshakes. + + * Integration with + [OpenPGP Certificates for TLS (RFC 5081)](http://tools.ietf.org/html/rfc5081) + -- TLS clients or servers who receive an OpenPGP certificate from + their peer should be able to ask some part of the Monkeysphere + toolchain if the particular certificate is valid for the + connection. + + * [PKINIT](http://tools.ietf.org/html/rfc4556) for + [Kerberos](http://web.mit.edu/Kerberos/) + -- cgit v1.2.3