From 70674cae8b3d69d0e750125387b26c0d5857c5ba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 12 Aug 2008 18:24:18 -0700 Subject: fix another bug when processing ssh key files that do not exist. --- debian/changelog | 5 ++++- src/common | 13 +++++++++---- src/monkeysphere-ssh-proxycommand | 2 +- ...phere-should-respect-keyserver-settings-in-gpg.conf | 18 ------------------ 4 files changed, 14 insertions(+), 24 deletions(-) delete mode 100644 website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.conf diff --git a/debian/changelog b/debian/changelog index f6b69f8..d4fdf9c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,7 +6,10 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low * More monkeysphere-server diagnostics * monkeysphere --gen-subkey now guesses what KeyID you meant. - -- Daniel Kahn Gillmor Thu, 07 Aug 2008 13:31:14 -0400 + [ Jameson Graef Rollins ] + * fix another bug for when ssh key files are missing. + + -- Jameson Graef Rollins Tue, 12 Aug 2008 17:58:09 -0700 monkeysphere (0.7-1) experimental; urgency=low diff --git a/src/common b/src/common index b4e786b..cbfa956 100644 --- a/src/common +++ b/src/common @@ -64,6 +64,11 @@ check_capability() { return 0 } +# hash of a file +file_hash() { + md5sum "$1" 2> /dev/null +} + # convert escaped characters from gpg output back into original # character # FIXME: undo all escape character translation in with-colons gpg output @@ -573,7 +578,7 @@ update_known_hosts() { lockfile-create "$KNOWN_HOSTS" # note pre update file checksum - fileCheck="$(cat "$KNOWN_HOSTS" | md5sum)" + fileCheck="$(file_hash "$KNOWN_HOSTS")" for host ; do # process the host @@ -596,7 +601,7 @@ update_known_hosts() { lockfile-remove "$KNOWN_HOSTS" # note if the known_hosts file was updated - if [ "$(cat "$KNOWN_HOSTS" | md5sum)" != "$fileCheck" ] ; then + if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then log "known_hosts file updated." fi 
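Review bot: `file_hash` yields an empty string for a file that exists but cannot be read exactly as it does for a missing one, because `2> /dev/null` discards every md5sum error; the callers in update_known_hosts (the @@ -573 and @@ -596 hunks on this line) and update_authorized_keys (the @@ -711 and @@ -739 hunks on the next line) then cannot distinguish "absent" from "unreadable", and a permissions problem on a key file shows up only as "no change". Limiting the special case to nonexistence keeps the real errors visible: `[ -e "$1" ] || return 0` as the first line of the function, with the md5sum call left unsuppressed. The comparison also works only because md5sum prints the path alongside the digest and both sides hash the same path, which deserves a comment such as `# prints "<md5>  <path>", or nothing when the file does not exist; used only to detect changes, not for integrity`.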
@@ -711,7 +716,7 @@ update_authorized_keys() { lockfile-create "$AUTHORIZED_KEYS" # note pre update file checksum - fileCheck="$(cat "$AUTHORIZED_KEYS" | md5sum)" + fileCheck="$(file_hash "$AUTHORIZED_KEYS")" # remove any monkeysphere lines from authorized_keys file remove_monkeysphere_lines "$AUTHORIZED_KEYS" @@ -739,7 +744,7 @@ update_authorized_keys() { lockfile-remove "$AUTHORIZED_KEYS" # note if the authorized_keys file was updated - if [ "$(cat "$AUTHORIZED_KEYS" | md5sum)" != "$fileCheck" ] ; then + if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then log "authorized_keys file updated." fi diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 438db87..780ff03 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -59,7 +59,7 @@ if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then else # if the host key is found in the known_hosts file... # FIXME: this only works for default known_hosts location - hostKey=$(ssh-keygen -F "$HOST") + hostKey=$(ssh-keygen -F "$HOST" 2>/dev/null) if [ "$hostKey" ] ; then # do not check the keyserver diff --git a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.conf b/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.conf deleted file mode 100644 index 31468bc..0000000 --- a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.conf +++ /dev/null 
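Review bot: In the monkeysphere-ssh-proxycommand hunk, `2>/dev/null` on `ssh-keygen -F "$HOST"` hides more than the missing-known_hosts case the commit targets: if the default known_hosts exists but ssh-keygen cannot parse it, `hostKey` is empty, the `if [ "$hostKey" ]` branch is skipped, and the script presumably continues down the path it would take for a host it has never seen (the else branch is outside the hunk). Since the FIXME above already restricts this to the default location, testing for the file is the narrower guard: `hostKey=; [ -e ~/.ssh/known_hosts ] && hostKey=$(ssh-keygen -F "$HOST")`, which leaves parse errors visible on stderr.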
@@ -1,18 +0,0 @@ -[[meta title="Monkeysphere should consult keyserver setting in gpg.conf"]] - -Currently, monkeysphere-ssh-proxycommand checks the following places to -determine which keyserver to use (in order of priority): - - * environment variable (MONKEYSPHERE_KEYSERVER) - * KEYSERVER variable in ~/.config/monkeysphere/monkeysphere.conf - * default value of subkeys.pgp.net - -It would be useful if monkeysphere also consulted ~/.gnupg/gpg.conf, using the -following order instead: - - * environment variable (MONKEYSPHERE_KEYSERVER) - * KEYSERVER variable in ~/.config/monkeysphere/monkeysphere.conf - * keyserver variable in ~/.gnupg/gpg.conf - * default value of subkeys.pgp.net - -- Sir Jam Jam -- cgit v1.2.3 From 221b6ca36694b3ec437794a925c7b665a065a74e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 11:51:48 -0400 Subject: switched published URL to dkgs git repo to use the git protocol. --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index f215f80..982f88f 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -32,7 +32,7 @@ The git repo from this web site: [Daniel Kahn Gillmor](http://cmrg.fifthhorseman.net/wiki/dkg): - git clone http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git monkeysphere + git clone git://lair.fifthhorseman.net/~dkg/monkeysphere monkeysphere ## Contact ## -- cgit v1.2.3 From 0b6031739ca8457616b043dc5b5649367271ed9f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 12:01:32 -0400 Subject: updates run on george. --- doc/george/changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index 93f00db..0790f65 100644 --- a/doc/george/changelog +++ b/doc/george/changelog 
@@ -7,6 +7,10 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2008-08-13 - dkg + * aptitude update && aptitude full-upgrade + * restarted services to clear up dependencies on old libraries + 2008-08-07 - dkg * aptitude update && aptitude dist-upgrade * removed debian's experimental from the sources.list -- cgit v1.2.3 From f672b68d7d43e4e8bd57b72a1bf9788dd52e728b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 15:57:31 -0400 Subject: documenting our trouble with (and possible approaches to) handling passphrase-locked secret keys. --- .../bugs/handle-passphrase-locked-secret-keys.mdwn | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 website/bugs/handle-passphrase-locked-secret-keys.mdwn diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn new file mode 100644 index 0000000..a61b5ba --- /dev/null +++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn 
@@ -0,0 +1,83 @@ +[[meta title="MonkeySphere needs to be able to cleanly export passphrase-locked secret keys from the GPG keyring"]] + +At the moment, the only tool we have to export passphrase-locked +secret keys from the GPG keyring is `gpg` itself (and `gpg2`, which +has roughly the same behavior). + +As a result, we have the `seckey2sshagent` hack, which is unfriendly +and awkward to use. + +Ideally, `openpgp2ssh` would be able to convert passphrase-locked +secret keys into clean subkeys. However, i've tried to do this via +GnuTLS, and that library is not ready for this. + +OpenCDK, which is the component of GnuTLS which reads OpenPGP-style +keys, cannot cope with encrypted secret key material. I have had +[some +success](http://lists.gnu.org/archive/html/gnutls-devel/2008-06/msg00092.html) +in getting GnuTLS's OpenCDK to accept the existence of encrypted +secret key packets, [i learned that OpenCDK as included in GnuTLS is +incapable of dealing with the encrypted packets +themselves](http://lists.gnu.org/archive/html/gnutls-devel/2008-07/msg00012.html). + + +Some possible resolutions: + +--------- + +If we can assume that the passphrase-encrypted key we want to use is +actually a subkey, and if we could fix GnuTLS to ignore the use of the +"gnu-dummy S2K" produced by `gpg --export-secret-subkeys` for the +primary key, then something like the following script should actually +work for reasonable values of `$KEYID`: + + TMPDIR=$(mktemp -d) + uname 077 + mkfifo "$TMPDIR/passphrase" + kname="MonkeySphere Key $KEYID" + mkfifo "$TMPDIR/$kname" + ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & + gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! 
| openpgp2ssh "$KEYID" > "$TMPDIR/$kname" + (cd "$TMPDIR" && ssh-add -c "$kname") + rm -rf "$TMPDIR" + +--------- + +Ben Laurie and Rachel Willmer's +[OpenPGPSDK](http://openpgp.nominet.org.uk) is a candidate: this is a +C-based library that intends to implement RFC 4880 functionality. + +We could potentially re-write `openpgp2ssh` using this library, and it +*should* be able to handle everything we need from the OpenPGP side +(though it might need to be re-linked to OpenSSL to handle PEM-encoded +exports. + +Concerns: + +* OpenPGPSDK is not in debian yet, and doesn't currently (2008-08-13) + build with gcc 4.2 or 4.3. + +* OpenPGPSDK uses the apache license and appears to link to OpenSSL, + which has a GPL-incompatible license. I think this would mean that + `openpgp2ssh` could not remain GPL (though the rest of the + monkeysphere could). + +--------- + +We could try to use perl. The last time i checked, the pure-perl +OpenPGP implementations all depended on Math::PARI, which [is not in +debian](http://bugs.debian.org/440527). The most likely candidate is +[Crypt::OpenPGP](http://search.cpan.org/~btrott/Crypt-OpenPGP), +despite [some +bugginess](http://cpanratings.perl.org/dist/Crypt-OpenPGP). + +Concerns: + +* the aforementioned buggy reviews + +* there's a lot of dependency chasing to get anything like this + available in debian. + +--------- + +Other alternatives? -- cgit v1.2.3 From dfb394d65acbb060bc6350b7829024fd641aa73d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:20:32 -0400 Subject: suggesting reorganization of monkeysphere-server shortcuts. --- .../reorganize-monkeysphere-server-shortcuts.mdwn | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn diff --git a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn new file mode 100644 index 0000000..5a4b946 --- /dev/null 
+++ b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn @@ -0,0 +1,19 @@ +[[meta title="Reorganize monkeysphere-server shortcuts"]] + +Currently, `monkeysphere-server` supports three subcommands to adjust +the "identity certifiers": + +* `add-identity-certifier` (`a`) +* `remove-identity-certifier` (`r`) +* `list-identity-certifier` (`l`) + +Since [we also want to be able to add/remove multiple +hostnames](multiple-hostnames), i think we should change the shortcuts +from `a`, `r`, and `l` to `c+`, `c-`, and `c`. + +This would let us create new subcommands like: + +* `add-host-name` (`n+`) +* `revoke-host-name` (`n-`) +* `list-host-names` (`n`) + -- cgit v1.2.3 From 6f34ff65e63588a27a4076ef79f0737ea38cf68b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:49:17 -0400 Subject: making monkeysphere-server publish-key stricter about choice of emitted host key. --- src/monkeysphere-server | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3ca0656..d9b8676 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -372,10 +372,10 @@ publish_server_key() { # FIXME: need to figure out better way to identify host key # dummy command so as not to publish fakes keys during testing # eventually: - #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)" + #gpg_authentication "--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)" echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." echo "The following command should publish the key:" - echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'" + echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)'" exit 255 } -- cgit v1.2.3 From 48bdbc58cfe649c404240b629d9cef5134da5937 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:51:39 -0400 Subject: suggesting that we start encouraging host key publication. --- website/bugs/allow-publishing-to-public-keyservers.mdwn | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 website/bugs/allow-publishing-to-public-keyservers.mdwn diff --git a/website/bugs/allow-publishing-to-public-keyservers.mdwn b/website/bugs/allow-publishing-to-public-keyservers.mdwn new file mode 100644 index 0000000..c6c8057 --- /dev/null +++ b/website/bugs/allow-publishing-to-public-keyservers.mdwn @@ -0,0 +1,16 @@ +[[meta title="monkeysphere-server publish-key does not work"]] + +Currently, if you try to run `monkeysphere-server publish-key`, you +can get the following output: + + Really publish key to subkeys.pgp.net? (y/N) y + NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + The following command should publish the key: + monkeysphere-server gpg-authentication-cmd '--keyserver subkeys.pgp.net --send-keys foo.example.org' + +I think we've demonstrated that this system works enough to warrant +using the public keyserver infrastructure. + +I suggest that we should actually enable this feature explicitly. +(leaving in the prompt is fine, though it would be nice to be able to +`--force` it or something). -- cgit v1.2.3 From f11ad8ca1d864d40bdf9ede74bc00d586b0a339c Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 13 Aug 2008 15:35:06 -0700 Subject: close "missing-known_hosts-causes-error" --- website/bugs/missing-known_hosts-causes-error.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/website/bugs/missing-known_hosts-causes-error.mdwn b/website/bugs/missing-known_hosts-causes-error.mdwn index 8f4e27c..4a5cf99 100644 --- a/website/bugs/missing-known_hosts-causes-error.mdwn +++ b/website/bugs/missing-known_hosts-causes-error.mdwn 
@@ -6,3 +6,9 @@ As a user, if you don't have a `~/.ssh/known_hosts` file, cat: /home/foo/.ssh/known_hosts: No such file or directory this should be fixable with a simple test. + +------ + +Fixed in 70674cae8b3d69d0e750125387b26c0d5857c5ba. + +[[bugs/done]] 2008-08-12 -- cgit v1.2.3 From 56d6185075f3416b60d5cd3dcebd8cae28ec4295 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 23:01:03 -0400 Subject: added note about GnuTLS patch for "gnu-dummy" S2K extension --- website/bugs/handle-passphrase-locked-secret-keys.mdwn | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn index a61b5ba..b66e4c7 100644 --- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn +++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn @@ -41,6 +41,13 @@ work for reasonable values of `$KEYID`: (cd "$TMPDIR" && ssh-add -c "$kname") rm -rf "$TMPDIR" +Good news! [I've crafted a patch for GnuTLS to enable it to read +exported subkeys using this GNU +extension](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html), +so if we can get it incorporated into upstream (and/or into debian), +we have a possible solution, as long as the authentication key is a +subkey, and not a primary key. + --------- Ben Laurie and Rachel Willmer's -- cgit v1.2.3 From d3c6dd0928ec9c7a3fd1f155c4b4b1bd1b3e6b41 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 14 Aug 2008 09:58:38 -0700 Subject: commiting some bug comments. --- website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn | 8 ++++++++ website/bugs/multiple-hostnames.mdwn | 9 +++++++++ website/bugs/setup-test-server-for-public.mdwn | 7 +++++++ 3 files changed, 24 insertions(+) diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn index c0b3244..28556e3 100644 
--- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn @@ -121,3 +121,11 @@ up specifically for the process). If we're not OK with relying on the agent, `--gen-subkey` needs fixing. + +--- + +I think requiring the agent and using it for getting the passphrase is +fine. That should make this bug fairly easy to fix, so I'll get on +it. + +-- BJ (jgr) diff --git a/website/bugs/multiple-hostnames.mdwn b/website/bugs/multiple-hostnames.mdwn index ab5e4e2..5668aae 100644 --- a/website/bugs/multiple-hostnames.mdwn +++ b/website/bugs/multiple-hostnames.mdwn @@ -13,3 +13,12 @@ ones). For example: `george.riseup.net` is now also known as `monkeysphere.info`. It'd be nice to have a convenient way to add that hostname to the key without mucking around with gpg directly. + +--- + +So how do we imagine the behavior here? I assume that basically it +would just add/remove user ID's to/from the host key locally. I guess +we will continue to rely on the "publish-key" subcommand to actually +publish all changes to the keys. + +-- BJ (jgr) diff --git a/website/bugs/setup-test-server-for-public.mdwn b/website/bugs/setup-test-server-for-public.mdwn index 2cafafc..2ec2a24 100644 --- a/website/bugs/setup-test-server-for-public.mdwn +++ b/website/bugs/setup-test-server-for-public.mdwn @@ -44,3 +44,10 @@ write a simple note like: before you connect to the host. Here's how... --dkg + +--- + +So do we agree that george is doing what we want, and we can therefore +close this bug? + +-- BJ (jgr) -- cgit v1.2.3 From 7d5d1b04f621325a986d3345718c12e9ec753391 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Aug 2008 13:29:58 -0400 Subject: more comments on bugs. --- .../monkeysphere-gen-subkey-fails-without-agent.mdwn | 6 ++++++ website/bugs/multiple-hostnames.mdwn | 13 +++++++++++++ website/bugs/setup-test-server-for-public.mdwn | 16 ++++++++++++++++ 3 files changed, 35 insertions(+) 
diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn index 28556e3..7e735d2 100644 --- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn @@ -129,3 +129,9 @@ fine. That should make this bug fairly easy to fix, so I'll get on it. -- BJ (jgr) + +--- + +Alternately, we could use `--passwd-fd` and `ssh-agent`, along the +lines i proposed [for handling passphrase-locked secret +keys](handle-passphrase-locked-secret-keys). diff --git a/website/bugs/multiple-hostnames.mdwn b/website/bugs/multiple-hostnames.mdwn index 5668aae..7597af5 100644 --- a/website/bugs/multiple-hostnames.mdwn +++ b/website/bugs/multiple-hostnames.mdwn @@ -22,3 +22,16 @@ we will continue to rely on the "publish-key" subcommand to actually publish all changes to the keys. -- BJ (jgr) + +--- + +I think [when we reorganize the `monkeysphere-server` +shortcuts](reorganize-monkeysphere-server-shortcuts) it'll make it +clearer what the right interface should be. + +As for what should actually happen, i think that the server should +actively revoke old User IDs, rather than removing them. It should +probably prompt the administrator to re-publish the host key as well, +to ensure that the new User IDs are published. + + --dkg diff --git a/website/bugs/setup-test-server-for-public.mdwn b/website/bugs/setup-test-server-for-public.mdwn index 2ec2a24..aa6da61 100644 --- a/website/bugs/setup-test-server-for-public.mdwn +++ b/website/bugs/setup-test-server-for-public.mdwn 
@@ -51,3 +51,19 @@ So do we agree that george is doing what we want, and we can therefore close this bug? -- BJ (jgr) + +--- + +I'm fine with closing this bug, unless we want to set up the limited +shell access/welcome letter like i described above. If we want to do +that, it'd be worth keeping it open until those scripts are written. + +I envision a script you'd invoke like: + + root@george# addmsuser foo 'Foo T. Bar ' + +Which would create the `foo` account, populate +`~foo/.config/monkeysphere/authorized_user_ids`, make a note in a log +someplace, and send a welcome letter. + +--dkg -- cgit v1.2.3 From 29bd1c086f55f6a0bec2a2a55bf0cdd7d1f14a97 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 14 Aug 2008 16:41:17 -0400 Subject: added note about post to openssh-unix-dev w.r.t. an ssh client config parser --- website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn index 0f6654c..2dac579 100644 --- a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn +++ b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn @@ -22,3 +22,12 @@ any ssh or sshd config file. This will probably need to be delt with down the line, but it's not a particular easy task at the moment. -- Big Jimmy. + +--- + +I've [posted to the `openssh-unix-dev` list to see if there is a +possibility of openssh making our lives easier +here](http://marc.info/?l=openssh-unix-dev&m=121804767122918&w=2), but +i haven't had much of a response yet. + +--dkg -- cgit v1.2.3 From 6d4dbe49e803c76d1c8ac3550aff6c246a251371 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 14 Aug 2008 21:05:26 -0700 Subject: commit bug comment --- website/bugs/setup-test-server-for-public.mdwn | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/website/bugs/setup-test-server-for-public.mdwn b/website/bugs/setup-test-server-for-public.mdwn index aa6da61..c926dc6 100644 --- a/website/bugs/setup-test-server-for-public.mdwn +++ b/website/bugs/setup-test-server-for-public.mdwn @@ -67,3 +67,11 @@ Which would create the `foo` account, populate someplace, and send a welcome letter. --dkg + +--- + +That idea really seems like a lot more trouble than it's worth to me, +and I'm not really willing to maintain it myself, but if someone else +wants to handle that, that would be fine with me. + +-- jgr -- cgit v1.2.3 From 2f89210eb11ccb0a7289f89a545697029b2bb9d7 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 14 Aug 2008 21:05:40 -0700 Subject: Add sorting of the processed key lines so that "good" keys are output at the end. This is done so that they take precedence over "bad" when being processed in key files. If bad keys are processed after good keys, there is a possibility of malicious bad key causing good keys to be continually removed from key files, which would be a big nuisance. --- src/common | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/common b/src/common index 9c76bd1..17955a7 100644 --- a/src/common +++ b/src/common @@ -484,7 +484,10 @@ process_user_id() { fi ;; esac - done + done | sort -t: -k1 -n -r + # NOTE: this last sort is important so that the "good" keys (key + # flag '0') come last. This is so that they take precedence when + # being processed in the key files over "bad" keys (key flag '1') } # process a single host in the known_host file @@ -498,16 +501,15 @@ process_host_known_hosts() { local tmpfile host="$1" + userID="ssh://${host}" log "processing: $host" - userID="ssh://${host}" - nKeys=0 nKeysOK=0 IFS=$'\n' - for line in $(process_user_id "ssh://${host}") ; do + for line in $(process_user_id "${userID}") ; do # note that key was found nKeys=$((nKeys+1)) -- cgit v1.2.3 
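Review bot: Piping the loop into `sort` in the src/common @@ -484 hunk runs the whole loop body in a subshell, so any variable assignment or `return` inside that body (which starts before the hunk) no longer reaches process_user_id's own scope, and the function's exit status is now sort's rather than the loop's; if nothing after the loop depends on those, the NOTE should say so. `-k1` without an end field keys on the rest of the line; `done | sort -t: -k1,1nr` states the intent (numeric, descending, on the flag field only). The NOTE should also record the assumption it relies on: the ordering protects good keys only while the key-file update functions process lines strictly in the order this function emits them.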
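Review bot: In the process_host_known_hosts hunk, `userID="ssh://${host}"` is moved but still assigned without `local`, although the function declares `local tmpfile` on the line above; `userID`, `host`, `nKeys` and `nKeysOK` therefore leak into the caller's scope, which matters because a `userID` variable is also used by other callers on this page. Declaring them together, `local tmpfile host userID nKeys nKeysOK`, keeps the function self-contained.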
From d9f2518ac29723403af5069953eec07b47ea21be Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 14 Aug 2008 21:12:51 -0700 Subject: update changelog for last commit. --- debian/changelog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index d4fdf9c..0d6155e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,8 +8,11 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low [ Jameson Graef Rollins ] * fix another bug for when ssh key files are missing. + * sort processed keys so that "good" keys are processed after "bad" + keys. This will prevent malicious bad keys from causing good keys to + be removed from key files. - -- Jameson Graef Rollins Tue, 12 Aug 2008 17:58:09 -0700 + -- Jameson Graef Rollins Thu, 14 Aug 2008 21:12:43 -0700 monkeysphere (0.7-1) experimental; urgency=low -- cgit v1.2.3 From 0181b6fc50824941e4f7ac3f535a216b8189568e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 14 Aug 2008 22:34:17 -0700 Subject: reorganize shortcuts for monkeysphere-server --- man/man8/monkeysphere-server.8 | 6 +++--- src/monkeysphere-server | 20 ++++++++++---------- .../reorganize-monkeysphere-server-shortcuts.mdwn | 3 +++ 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 527cae7..74e9a10 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 
@@ -68,15 +68,15 @@ domain (e.g. "trust KEYID to certify user identities within the @example.org domain"). A certifier trust level can be specified with the `-t' or `--trust' option (possible values are `marginal' and `full' (default is `full')). A certifier trust depth can be specified -with the `-d' or `--depth' option (default is 1). `a' may be used in +with the `-d' or `--depth' option (default is 1). `c+' may be used in place of `add-identity-certifier'. .TP .B remove-identity-certifier KEYID Instruct system to ignore user identity certifications made by KEYID. -`r' may be used in place of `remove-identity-certifier'. +`c-' may be used in place of `remove-identity-certifier'. .TP .B list-identity-certifiers -List key IDs trusted by the system to certify user identities. `l' +List key IDs trusted by the system to certify user identities. `c' may be used in place of `list-identity-certifiers'. .TP .B gpg-authentication-cmd diff --git a/src/monkeysphere-server b/src/monkeysphere-server index d9b8676..21973dd 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -43,16 +43,16 @@ subcommands: -l|--length BITS key length in bits (2048) -e|--expire EXPIRE date to expire -r|--revoker FINGERPRINT add a revoker - show-fingerprint (f) show server's host key fingerprint - publish-key (p) publish server's host key to keyserver - diagnostics (d) report on the server's monkeysphere status + show-fingerprint (f) show server host key fingerprint + publish-key (p) publish server host key to keyserver + diagnostics (d) report on server monkeysphere status - add-identity-certifier (a) KEYID import and tsign a certification key - -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN + add-id-certifier (c+) KEYID import and tsign a certification key + -n|--domain DOMAIN limit ID certifications to DOMAIN -t|--trust TRUST trust level of certifier (full) -d|--depth DEPTH trust depth for certifier (1) - remove-identity-certifier (r) KEYID remove a certification key - list-identity-certifiers (l) list certification keys + remove-id-certifier (c-) KEYID remove a certification key + list-id-certifiers (c) list certification keys gpg-authentication-cmd CMD gnupg-authentication command @@ -696,15 +696,15 @@ case $COMMAND in diagnostics ;; - 'add-identity-certifier'|'add-certifier'|'a') + 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') add_certifier "$1" ;; - 'remove-identity-certifier'|'remove-certifier'|'r') + 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') remove_certifier "$1" ;; - 'list-identity-certifiers'|'list-certifiers'|'list-certifier'|'l') + 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') list_certifiers "$@" ;; diff --git a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn index 5a4b946..104bda7 100644 --- a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn +++ b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn 
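Review bot: The usage text now advertises `add-id-certifier`, `remove-id-certifier` and `list-id-certifiers` and the case arms accept them, but the man page hunk on the previous line only renames the shortcuts and still documents the `-identity-` spellings exclusively, so a reader of the man page cannot learn the forms the usage text shows. Either document the `-id-` aliases in the man page entries or list only the `-identity-` forms in usage so the two stay in sync.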
@@ -17,3 +17,6 @@ This would let us create new subcommands like: * `revoke-host-name` (`n-`) * `list-host-names` (`n`) +--- + +[[bugs/done]] 2008-08-14 -- cgit v1.2.3 From bb35e6ff08dbd33d3f47e9c969eb3da3a9acf18d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 00:33:27 -0700 Subject: add start of add/revoke-hostname functions. revocation needs to be implemented. --- man/man8/monkeysphere-server.8 | 18 +++++++-- src/monkeysphere-server | 91 +++++++++++++++++++++++++++++++++++------- 2 files changed, 91 insertions(+), 18 deletions(-) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 74e9a10..8e7278b 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -44,9 +44,21 @@ specified with the `-e' or `--expire' option (prompt otherwise). A key revoker fingerprint can be specified with the `-r' or `--revoker' option. `g' may be used in place of `gen-key'. .TP -.B show-fingerprint -Show the fingerprint for the host's OpenPGP key. `f' may be used in place of -`show-fingerprint'. +.B add-hostname HOSTNAME +Add a hostname user ID to the server host key. `n+' may be used in +place of `add-hostname'. +.TP +.B revoke-hostname HOSTNAME +Revoke a hostname user ID from the server host key. `n-' may be used +in place of `revoke-hostname'. +.TP +.B show-key +Output gpg information about host's OpenPGP key. `s' may be used in +place of `show-key'. +.TP +.B fingerprint +Output just the fingerprint for the host's OpenPGP key. `f' may be +used in place of `fingerprint'. .TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 21973dd..598c3f7 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -39,11 +39,14 @@ MonkeySphere server admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files - gen-key (g) [HOSTNAME] generate gpg key for the server + gen-key (g) [NAME[:PORT]] generate gpg key for the server -l|--length BITS key length in bits (2048) -e|--expire EXPIRE date to expire -r|--revoker FINGERPRINT add a revoker - show-fingerprint (f) show server host key fingerprint + add-hostname (n+) NAME[:PORT] add hostname user ID to server key + revoke-hostname (n-) NAME[:PORT] revoke hostname user ID + show-key (s) output all server host key information + fingerprint (f) output just the key fingerprint publish-key (p) publish server host key to keyserver diagnostics (d) report on server monkeysphere status @@ -97,6 +100,17 @@ gpg_authentication() { su_monkeysphere_user "gpg $@" } +# output key information +show_server_key() { + gpg_host --list-secret-keys --fingerprint +} + +# output just key fingerprint +fingerprint_server_key() { + gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode | \ + grep '^fpr:' | head -1 | cut -d: -f10 +} + # update authorized_keys for users update_users() { if [ "$1" ] ; then @@ -339,9 +353,8 @@ EOF # output the server fingerprint fingerprint_server_key "=${userID}" - # find the key fingerprint of the server primary key - fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \ - grep '^fpr:' | head -1 | cut -d: -f10) + # find the key fingerprint of the newly generated key + fingerprint=$(fingerprint_server_key) # export host ownertrust to authentication keyring log "setting ultimate owner trust for server key..." 
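Review bot: `fingerprint_server_key` in the @@ -97 hunk ignores its arguments and returns the first `fpr:` line of the whole secret keyring, yet the context line in the @@ -339 hunk below still calls it as `fingerprint_server_key "=${userID}"`; the selector is silently dropped, and on a host keyring holding more than one secret key (an older or revoked host key, for example) `fingerprint=$(fingerprint_server_key)` can return the wrong key, a value that later commits on this page pass to `--send-keys`. Forwarding the caller's arguments makes the selection explicit and changes nothing when none are given: `gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode "$@" | \`. The header comment could then read `# output the primary-key fingerprint of the first secret key matching "$@" (all keys when no selector is given)`.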
@@ -356,9 +369,47 @@ EOF log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } -# gpg output key fingerprint -fingerprint_server_key() { - gpg_host --fingerprint --list-secret-keys +# add hostname user ID to server key +add_hostname() { + if [ -z "$1" ] ; then + failure "You must specify a hostname to add." + fi + + userID="ssh://${1}" + + if [ "$(gpg_host --list-key "=${userID}")" ] ; then + failure "Host userID '$userID' already exists." + fi + + fingerprint=$(fingerprint_server_key) + + adduidCommand=$(cat < Date: Fri, 15 Aug 2008 00:49:49 -0700 Subject: enabled host key publication. be aware. --- debian/changelog | 3 ++- src/monkeysphere-server | 11 +++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/changelog b/debian/changelog index 0d6155e..160d1d6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,8 +11,9 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low * sort processed keys so that "good" keys are processed after "bad" keys. This will prevent malicious bad keys from causing good keys to be removed from key files. + * enabled host key publication. - -- Jameson Graef Rollins Thu, 14 Aug 2008 21:12:43 -0700 + -- Jameson Graef Rollins Fri, 15 Aug 2008 00:48:22 -0700 monkeysphere (0.7-1) experimental; urgency=low diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 598c3f7..3259e33 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -414,20 +414,19 @@ revoke_hostname() { # publish server key to keyserver publish_server_key() { - read -p "Really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} + read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi + # find the key fingerprint + fingerprint=$(fingerprint_server_key) + # publish host key # FIXME: need to figure out better way to identify host key # dummy command so as not to publish fakes keys during testing # eventually: - #gpg_authentication "--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)" - echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." - echo "The following command should publish the key:" - echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)'" - exit 255 + gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint" } diagnostics() { -- cgit v1.2.3 From 6649b331ec60ae138c3c893d65e3465a57939c97 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 00:52:25 -0700 Subject: update bugs --- website/bugs/allow-publishing-to-public-keyservers.mdwn | 4 ++++ website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/website/bugs/allow-publishing-to-public-keyservers.mdwn b/website/bugs/allow-publishing-to-public-keyservers.mdwn index c6c8057..1548775 100644 --- a/website/bugs/allow-publishing-to-public-keyservers.mdwn +++ b/website/bugs/allow-publishing-to-public-keyservers.mdwn @@ -14,3 +14,7 @@ using the public keyserver infrastructure. I suggest that we should actually enable this feature explicitly. (leaving in the prompt is fine, though it would be nice to be able to `--force` it or something). + +--- + +[[bugs/done]] 2008-08-15 in 6fb350a883fa4d8b1bc9b5e01cc3b01c96354d08 
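Review bot: `gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint"` is executed with whatever `fingerprint_server_key` returned, and when the host keyring holds no secret key that is an empty string; to my recollection an argument-less `--send-keys` behaves like a bare `--export` and sends every key in the keyring, which here would publish the contents of the authentication keyring rather than the host key. Keyserver publication cannot be undone, so the fingerprint should be derived before the prompt, an empty value should abort, and the prompt should show the operator exactly which fingerprint is about to go out. `${OK/y/Y}` is also unquoted in the test, so an answer containing whitespace breaks the `[` expression instead of being treated as "not yes". The command string is eventually passed through `su_monkeysphere_user "gpg $@"` (earlier hunk) to a shell, so `$KEYSERVER` is interpolated unescaped; validating it against a plain host[:port] pattern would be prudent but is outside this hunk.
```shell
publish_server_key() {
    # find the fingerprint first so the prompt can show it and an empty
    # value never reaches --send-keys (which would send the whole keyring)
    fingerprint=$(fingerprint_server_key)
    if [ -z "$fingerprint" ] ; then
        failure "no host key fingerprint found; has a host key been generated?"
    fi

    read -p "Really publish host key $fingerprint to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
    if [ "${OK/y/Y}" != 'Y' ] ; then
        failure "aborting."
    fi

    # … unchanged: publish-host-key comments …
    gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint"
}
```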
diff --git a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn index 104bda7..ad66dd5 100644 --- a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn +++ b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn @@ -19,4 +19,4 @@ This would let us create new subcommands like: --- -[[bugs/done]] 2008-08-14 +[[bugs/done]] 2008-08-14 in 0181b6fc50824941e4f7ac3f535a216b8189568e -- cgit v1.2.3 From 9ce83dcd98305f63c3e3df9bd9ba82291800c43e Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Fri, 15 Aug 2008 10:16:36 -0400 Subject: fix link in dkg's comment. --- website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn index 7e735d2..51cf57e 100644 --- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn @@ -134,4 +134,4 @@ it. Alternately, we could use `--passwd-fd` and `ssh-agent`, along the lines i proposed [for handling passphrase-locked secret -keys](handle-passphrase-locked-secret-keys). +keys](/bugs/handle-passphrase-locked-secret-keys). -- cgit v1.2.3 From c7497687d04959d1b9593e89ce860a50fa18f719 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 08:29:07 -0700 Subject: remove defunct comment --- src/monkeysphere-server | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3259e33..023ce9b 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -423,9 +423,6 @@ publish_server_key() { fingerprint=$(fingerprint_server_key) # publish host key - # FIXME: need to figure out better way to identify host key - # dummy command so as not to publish fakes keys during testing - # eventually: gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint" } -- cgit v1.2.3