From adec130f20e374ae0d8f615f45916e27771a0278 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 18:06:45 -0500 Subject: fixing stupid internal version number synchronization. --- src/share/common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/common b/src/share/common index 5e0cb6a..a21d803 100644 --- a/src/share/common +++ b/src/share/common @@ -21,7 +21,7 @@ SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} export SYSCONFIGDIR # monkeysphere version -VERSION=0.23~pre +VERSION=0.23 # default log level LOG_LEVEL="INFO" -- cgit v1.2.3 From 3492507e7dc279be4e6c703733d8a174d0204d91 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 18:28:20 -0500 Subject: preparing for stupid brown paper bag 0.23.1 release. --- packaging/debian/changelog | 7 +++++++ src/share/common | 2 +- website/download.mdwn | 36 ++++++++++++++++++------------------ website/news/release-0.23.1-1.mdwn | 12 ++++++++++++ 4 files changed, 38 insertions(+), 19 deletions(-) create mode 100644 website/news/release-0.23.1-1.mdwn diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 50a7071..96b719b 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.23.1-1) unstable; urgency=low + + * New Upstrem "Brown Paper Bag" Release: + - adjusts internal version numbers + + -- Daniel Kahn Gillmor Sat, 21 Feb 2009 18:09:47 -0500 + monkeysphere (0.23-1) unstable; urgency=low "The Golden Bezoar Release" diff --git a/src/share/common b/src/share/common index a21d803..0c26a91 100644 --- a/src/share/common +++ b/src/share/common @@ -21,7 +21,7 @@ SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} export SYSCONFIGDIR # monkeysphere version -VERSION=0.23 +VERSION=0.23.1 # default log level LOG_LEVEL="INFO" diff --git a/website/download.mdwn b/website/download.mdwn index cc050a0..db25be6 100644 --- a/website/download.mdwn +++ b/website/download.mdwn 
@@ -77,38 +77,38 @@ For those that would like to download the source directly, [the source is available](/community) via [git](http://git.or.cz/). The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.23.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.23.1.orig.tar.gz) is also available, and has these checksums:
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.23 release:
+checksums for the monkeysphere 0.23.1 release:
 
 MD5:
-2c3e985884ecf7a5f53825f9034932a3  monkeysphere_0.23.orig.tar.gz
+9ab4a35052b41d6468a4ab4758fd23b2  monkeysphere_0.23.1.orig.tar.gz
 
 SHA1:
-6f03b9d813d48479c86623c7facf634d72da2cb0  monkeysphere_0.23.orig.tar.gz
+1e3004505b5c2cda98194d1241f76303b154aac6  monkeysphere_0.23.1.orig.tar.gz
 
 SHA256:
-7854d9c358b684c2b292b4f3470780d2c7e069466bd228885d6a246e0bd1abde  monkeysphere_0.23.orig.tar.gz
+998b8f8f0c498aa7d58eed6519c23ab9808cb8b622f97f8aa47865b718024d6c  monkeysphere_0.23.1.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSaCGXxjmZ/HrivMUAQKIUhAAs/b+2z+cKkcP3bwfD8ItW377rXY3+ZrV
-pomzhzSuSk52gYxa6QBQ7rgYdWac996VRTSxR14yEM8iLyqxaBpvbvOJCgqv0B51
-VHJiosV8nVqjUXdrOa2iRFqPF3+zaINjsIgJSB5aKCjT6d2sxlYoe5OpIU1JD/yN
-E/ypvO8v3xNZ7V2YU858H2UhT0J2kMmnYPrprgoqgebWrVke/tnQLnGew/A9leel
-ZEWVhWaN+RO6n/obxxKbRHT2cAp2CW/qccFGAf80XB//i7yTD5KxlK1Ls0nLT43H
-3MQPZZsOTKFZsMfOD9Y46CN5ZDm/e3SnGhi7UgW2xDP4QhGihUVYputYHr4lvboA
-uoO2g7JT2MltsuyxFMacscf9tx9cgF80ndHTBUxqDtlh/aK1xlC4tPSwSgQwuKwy
-JabvCz3fwiQbZc08OhB/5DhuDPORhQk2CJJ7HGrN1Sc2Cde0x667rQjI/ckrUC0Y
-PIqXUp8trB+p85tQSSuWJEgxVbNRZ4hVftvNvLECKv7fd0bVdNeVvV57H5ieJ8FR
-adPVaASkhF+pL122t3qC/vSbUi956Hk3pKMT9+05vLnfzYM78A6j1jA4pTvlEzaC
-WWdvL2BvARlhw5OUz4gomCpw5ZSxWjsnF6SHte85UmmunZpmE67/udyvcPqMNzjA
-vG61wNXtmqA=
-=JqmC
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
+=JCyh
 -----END PGP SIGNATURE-----
 
diff --git a/website/news/release-0.23.1-1.mdwn b/website/news/release-0.23.1-1.mdwn new file mode 100644 index 0000000..79b3c05 --- /dev/null +++ b/website/news/release-0.23.1-1.mdwn @@ -0,0 +1,12 @@ +[[meta title="Monkeysphere 0.23.1-1 released!"]] + +Monkeysphere 0.23.1-1 has been released. + +Notes from the changelog: + +
+  * New Upstrem "Brown Paper Bag" Release:
+   - adjusts internal version numbers
+
+ +[[Download]] it now! -- cgit v1.2.3 From 8bb27ea643be1fd951ad6d9b131d771ded3efd34 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 19:49:53 -0500 Subject: writing down some notes for future releases. --- utils/preparing-release | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 utils/preparing-release diff --git a/utils/preparing-release b/utils/preparing-release new file mode 100644 index 0000000..3c7ded5 --- /dev/null +++ b/utils/preparing-release @@ -0,0 +1,19 @@ +### Notes about preparing a release for the monkeysphere ### + + * make sure that packaging/debian/changelog has a reasonable version + number. + + * make sure that src/share/common contains the upstream part of that + version number in the VERSION= line + + * make tarball + + * make releasenote + + * create upstream version tag: + + git tag -s -m 'Tagging Monkeysphere $whatever' monkeysphere_$whatever + + * create debian-specific version tag: + + git tag -s -m 'Tagging Monkeysphere $whatever-1' monkeysphere_$whatever-1 -- cgit v1.2.3 From 224f87f09060a10519440dc8660a57b82cb0ba58 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 20:31:16 -0500 Subject: fix syntax error in m-a diagnostics. --- src/share/ma/diagnostics | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 8fc4b31..d9df9eb 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -103,7 +103,7 @@ fi # make sure that at least one identity certifier exists echo echo "Checking for Identity Certifiers..." -if ! monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' then +if ! monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ; then echo "! No Identity Certifiers found!" echo " - Recommendation: once you know who should be able to certify the identities of connecting users, you should add their key, with: -- cgit v1.2.3 
From bf3e2e6ecafbab7e80124ea4ba2bda61ee4423e9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 20:33:01 -0500 Subject: added some FIXMEs to transitions/0.23, concerning host keys that were originally created with an expiration date. --- src/transitions/0.23 | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/transitions/0.23 b/src/transitions/0.23 index f09dfff..dead788 100755 --- a/src/transitions/0.23 +++ b/src/transitions/0.23 @@ -143,12 +143,24 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then + FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) + # create host home mkdir -p "${MHDATADIR}" chmod 0700 "${MHDATADIR}" log "importing host key from old monkeysphere installation\n" - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys | \ + +# export from the pubring as well as the that new (non-expired) +# self-sigs are available, otherwise the secret key import may fail + +# FIXME: turns out the secret key import fails anyway, stupidly :( + +# FIXME: if all self-sigs are expired, then the secret key import may +# fail anyway. How should we deal with that? + + (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys && \ + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export $FPR) | \ GNUPGHOME="$MHDATADIR" gpg --quiet --no-tty --import monkeysphere-host update-gpg-pub-file -- cgit v1.2.3 From 687e4c47929c53e8da032a58a884cb6a2c1098f6 Mon Sep 17 00:00:00 2001 
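Review bot: `--export $FPR` in the new export subshell is unquoted and unchecked, and `FPR` is whatever the awk filter printed, so it may be empty or (if the old keyring holds more than one secret key) several fingerprints. With an empty value `gpg --export` receives no key argument and exports the entire gnupg-host public keyring into the new host keyring. I would add a guard right after the assignment, `[ -n "$FPR" ] || { log "no host key fingerprint found\n" ; exit 1 ; }`, and decide explicitly whether more than one fingerprint is acceptable. Note also that the `if` status of `( export-secret-keys && export ) | import` is the import's alone unless pipefail is set, which this hunk does not show. The enclosing `if [ -d "$SYSDATADIR"/gnupg-host ]` block starts and ends outside the hunk.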
From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 20:34:26 -0500 Subject: reverse sense of test for valid identity certifiers in m-a diagnostics. --- src/share/ma/diagnostics | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index d9df9eb..0caf8d2 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -103,7 +103,7 @@ fi # make sure that at least one identity certifier exists echo echo "Checking for Identity Certifiers..." -if ! monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ; then +if monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ; then echo "! No Identity Certifiers found!" echo " - Recommendation: once you know who should be able to certify the identities of connecting users, you should add their key, with: -- cgit v1.2.3 From 03ff202d879440fce56abe7dbae1e50d88398b14 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 21 Feb 2009 20:39:05 -0500 Subject: notes about disastrous george upgrade. --- doc/george/changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index 7cd700c..793d1ae 100644 --- a/doc/george/changelog +++ b/doc/george/changelog 
@@ -7,6 +7,16 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2009-02-21 - dkg + * upgraded to the latest versions of packages for lenny. + * upgraded george to monkeysphere 0.23.1. the transition upgrade + failed due to the way that gpg exports self-signatures secret + keys; it only exports the first self-sig for each user id, even if + that one is expired. Then any subsequent import fails, even if + the target import keyring knows about some valid self-signatures. + * i man-handled the upgrade into place so that george doesn't just + fail on us, but this is a pretty major bug in the transition process. + 2009-01-31 - jrollins * applied diff represented in commit f75a5747a8b99e04c02c475791c476f1fbd2b674 to change log level for -- cgit v1.2.3 From 4c4ce4467921a05e70825edf2331d359dc63b879 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 22 Feb 2009 10:32:23 -0500 Subject: modified /etc/crontab on george to run monkeysphere-authentication instead of monkeysphere-server. was I the only one getting frequent emails from george about this? --- doc/george/changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index 793d1ae..a4e0289 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -6,6 +6,9 @@ * Please add new entries in reverse chronological order whenever you make * * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2009-02-22 - jrollins + * fixed /etc/crontab line for update-users (was trying to run + monkeysphere-server instead of monkeysphere-authentication). 2009-02-21 - dkg * upgraded to the latest versions of packages for lenny. -- cgit v1.2.3 From e71c7bb4dff26178f714cd0fcdbb3058effa4066 Mon Sep 17 00:00:00 2001 
From: Jameson Graef Rollins Date: Sun, 22 Feb 2009 12:07:34 -0500 Subject: Fix how version number is saved/retrieved. Version is now stored in VERSION file, which is created in the tarball target. This is then installed at /usr/share/monkeysphere/VERSION, and cat'ed when the version number is requested by the front-end ui. No more manual setting of version number required (to avoid future problems, aka "0.23.1"). This system is also more flexible, as the VERSION file could potentially hold more info than just the release number. --- Makefile | 2 ++ packaging/debian/changelog | 7 +++++++ src/monkeysphere | 2 +- src/monkeysphere-authentication | 2 +- src/monkeysphere-host | 2 +- src/share/common | 8 +++++--- tests/basic | 16 ---------------- utils/preparing-release | 3 --- 8 files changed, 17 insertions(+), 25 deletions(-) diff --git a/Makefile b/Makefile index 71df92b..0284a8a 100755 --- a/Makefile +++ b/Makefile @@ -24,6 +24,7 @@ tarball: clean mkdir -p monkeysphere-$(MONKEYSPHERE_VERSION)/doc ln -s ../../website/getting-started-user.mdwn ../../website/getting-started-admin.mdwn ../../doc/TODO ../../doc/MonkeySpec monkeysphere-$(MONKEYSPHERE_VERSION)/doc ln -s ../COPYING ../etc ../Makefile ../man ../src ../tests monkeysphere-$(MONKEYSPHERE_VERSION) + echo $(MONKEYSPHERE_VERSION) > monkeysphere-$(MONKEYSPHERE_VERSION)/VERSION tar -ch --exclude='*~' monkeysphere-$(MONKEYSPHERE_VERSION) | gzip -n > monkeysphere_$(MONKEYSPHERE_VERSION).orig.tar.gz rm -rf monkeysphere-$(MONKEYSPHERE_VERSION) 
@@ -50,6 +51,7 @@ install: all installman mkdir -p $(DESTDIR)$(PREFIX)/share/monkeysphere/m $(DESTDIR)$(PREFIX)/share/monkeysphere/mh $(DESTDIR)$(PREFIX)/share/monkeysphere/ma $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere + install -m 0644 VERSION $(DESTDIR)$(PREFIX)/share/monkeysphere install src/monkeysphere src/keytrans/openpgp2ssh src/keytrans/pem2openpgp $(DESTDIR)$(PREFIX)/bin install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 96b719b..58a80a3 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.24~pre-1) UNRELEASED; urgency=low + + * New upstream release: + - Fixed how version information is stored/retrieved. + + -- Jameson Graef Rollins Sun, 22 Feb 2009 12:02:06 -0500 + monkeysphere (0.23.1-1) unstable; urgency=low * New Upstrem "Brown Paper Bag" Release: diff --git a/src/monkeysphere b/src/monkeysphere index 371983f..6db4827 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -239,7 +239,7 @@ case $COMMAND in ;; 'version'|'v') - echo "$VERSION" + version ;; '--help'|'help'|'-h'|'h'|'?') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 497470d..c009653 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -199,7 +199,7 @@ case $COMMAND in ;; 'version'|'v') - echo "$VERSION" + version ;; '--help'|'help'|'-h'|'h'|'?') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 1b0de0c..c454354 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -315,7 +315,7 @@ case $COMMAND in ;; 'version'|'v') - echo "$VERSION" + version ;; '--help'|'help'|'-h'|'h'|'?') diff --git a/src/share/common b/src/share/common index 0c26a91..b2dcd35 100644 
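Review bot: `install -m 0644 VERSION $(DESTDIR)$(PREFIX)/share/monkeysphere` in the install target reads a file that the visible Makefile only ever writes into the tarball staging directory (`monkeysphere-$(MONKEYSPHERE_VERSION)/VERSION`), so `make install` from a git checkout presumably fails unless a top-level VERSION is created some other way. The new `version()` in src/share/common has the same dependency: with the file missing, `cat "${SYSSHAREDIR}/VERSION"` prints only an error on stderr. The same commit also removes the version check from tests/basic, so nothing visible here verifies the reported version any more. I would either give VERSION its own rule that `install` depends on, or have `version()` fall back to a message such as `echo "unknown"` when the file is not readable.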
--- a/src/share/common +++ b/src/share/common @@ -20,9 +20,6 @@ SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} export SYSCONFIGDIR -# monkeysphere version -VERSION=0.23.1 - # default log level LOG_LEVEL="INFO" @@ -41,6 +38,11 @@ PROMPT="true" ######################################################################## ### UTILITY FUNCTIONS +# output version info +version() { + cat "${SYSSHAREDIR}/VERSION" +} + # failure function. exits with code 255, unless specified otherwise. failure() { [ "$1" ] && echo "$1" >&2 diff --git a/tests/basic b/tests/basic index 9308e21..b1fe9ed 100755 --- a/tests/basic +++ b/tests/basic @@ -138,22 +138,6 @@ export SOCKET="$TEMPDIR"/ssh-socket # *anything* with any running X11 session. export DISPLAY=monkeys -## make sure that the version number matches the debian changelog -## (don't bother if this is being run from the tests). - -if [ -f "$TESTDIR"/../packaging/debian/changelog ]; then - echo - echo "##################################################" - echo "### checking version string match..." - repver=$(monkeysphere version) - debver=$(head -n1 "$TESTDIR"/../packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/') - if [ "$repver" = "$debver" ] ; then - echo "Versions match!" - else - printf "reported version string (%s) does not match debian changelog (%s)\n" "$repver" "$debver" - exit 1 - fi -fi ###################################################################### ### CONFIGURE ENVIRONMENTS diff --git a/utils/preparing-release b/utils/preparing-release index 3c7ded5..dd9d224 100644 --- a/utils/preparing-release +++ b/utils/preparing-release @@ -3,9 +3,6 @@ * make sure that packaging/debian/changelog has a reasonable version number. - * make sure that src/share/common contains the upstream part of that - version number in the VERSION= line - * make tarball * make releasenote -- cgit v1.2.3 From be6cca8523345c6a3a3e8cddce7d8954a2bf5a54 Mon Sep 17 00:00:00 2001 
From: Jameson Graef Rollins Date: Sun, 22 Feb 2009 12:16:32 -0500 Subject: fix some return code setting stuf that was no longer being used, and change name of return code variable in update_users, since all-caps variables should be reserved for global vars. --- src/monkeysphere-authentication | 5 ----- src/monkeysphere-host | 5 ----- src/share/ma/update_users | 9 ++++----- 3 files changed, 4 insertions(+), 15 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index c009653..c5c48d5 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -42,9 +42,6 @@ DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS -# default return code -RETURN=0 - ######################################################################## # FUNCTIONS ######################################################################## @@ -211,5 +208,3 @@ case $COMMAND in Type '$PGRM help' for usage." ;; esac - -exit "$RETURN" diff --git a/src/monkeysphere-host b/src/monkeysphere-host index c454354..5e7a931 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -41,9 +41,6 @@ DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS -# default return code -RETURN=0 - ######################################################################## # FUNCTIONS ######################################################################## @@ -327,5 +324,3 @@ case $COMMAND in Type '$PGRM help' for usage." ;; esac - -exit "$RETURN" diff --git a/src/share/ma/update_users b/src/share/ma/update_users index bfefc31..c180b56 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -13,6 +13,7 @@ update_users() { +local returnCode=0 local unames local uname local authorizedKeysDir @@ -26,8 +27,6 @@ else unames=$(getent passwd | cut -d: -f1) fi -RETURN=0 - # set mode MODE="authorized_keys" 
@@ -94,7 +93,7 @@ for uname in $unames ; do # process authorized_user_ids file, as monkeysphere user su_monkeysphere_user \ ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" \ - || RETURN="$?" + || returnCode="$?" else log debug "not processing authorized_user_ids." fi @@ -141,7 +140,7 @@ for uname in $unames ; do log error "Failed to install authorized_keys for '$uname'!" rm -f "${authorizedKeysDir}/${uname}" # indicate that there has been a failure: - RETURN=1 + returnCode=1 } else rm -f "${authorizedKeysDir}/${uname}" @@ -154,5 +153,5 @@ for uname in $unames ; do rm -rf "$TMPLOC" done -return $RETURN +return $returnCode } -- cgit v1.2.3 From 5ebbfc2d643fbee80b5d53a7b326fd12d9202caa Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 22 Feb 2009 17:10:31 -0500 Subject: really really fix m-a diagnostics checking of identity certifiers. --- src/share/ma/diagnostics | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 0caf8d2..913a53d 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -103,7 +103,7 @@ fi # make sure that at least one identity certifier exists echo echo "Checking for Identity Certifiers..." -if monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ; then +if !( monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ) ; then echo "! No Identity Certifiers found!" echo " - Recommendation: once you know who should be able to certify the identities of connecting users, you should add their key, with: -- cgit v1.2.3 From 47b5e916b2a84a378ec08b3b03531f9a8ccc062b Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sun, 22 Feb 2009 17:56:30 -0500 Subject: egrep -q terminates at the first match. m-a list-identity-certifiers chokes if it cannot write to stdout. Because we are setting pipefail, this causes the pipeline checking for any certifiers to return untrue. solution? do not use -q, and send the output to /dev/null --- src/share/ma/diagnostics | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 913a53d..8eca586 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -103,7 +103,7 @@ fi # make sure that at least one identity certifier exists echo echo "Checking for Identity Certifiers..." -if !( monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' ) ; then +if ! ( monkeysphere-authentication list-identity-certifiers | egrep '^[A-F0-9]{40}:' >/dev/null ) ; then echo "! No Identity Certifiers found!" echo " - Recommendation: once you know who should be able to certify the identities of connecting users, you should add their key, with: -- cgit v1.2.3 From 63394a539e9cc2d97e022f9c73473baf78c2b020 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 22 Feb 2009 20:28:38 -0500 Subject: made patches/gnutls/build set -e --- patches/gnutls/build | 2 ++ 1 file changed, 2 insertions(+) diff --git a/patches/gnutls/build b/patches/gnutls/build index 77f5900..b42832a 100755 --- a/patches/gnutls/build +++ b/patches/gnutls/build @@ -16,6 +16,8 @@ # Note: please run this from the current directory, so it can find and # transfer the patch it needs. +set -e + if ! dpkg -l devscripts fakeroot >/dev/null ; then exit 1 fi -- cgit v1.2.3 From 8e75a7936ec9ea383993b391713f96760e6fb196 Mon Sep 17 00:00:00 2001 
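Review bot: With pipefail in effect (as the commit message says), the rewritten identity-certifier test in src/share/ma/diagnostics also takes the "No Identity Certifiers found!" branch whenever `monkeysphere-authentication list-identity-certifiers` itself exits non-zero. A broken keyring or a permissions problem is then reported as a missing certifier, and the printed recommendation points the administrator at the wrong fix. I would capture the listing first and report a failure of the command separately, e.g. `certifiers=$(monkeysphere-authentication list-identity-certifiers) || echo "! Could not list Identity Certifiers"`, then test with `printf '%s\n' "$certifiers" | egrep '^[A-F0-9]{40}:' >/dev/null`. A short comment explaining why `-q` must not be used here would keep the next editor from putting it back.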
From: Jameson Graef Rollins Date: Wed, 25 Feb 2009 22:52:18 -0500 Subject: remove left over references to expert subcommand in man pages. --- man/man8/monkeysphere-authentication.8 | 2 -- man/man8/monkeysphere-host.8 | 2 -- 2 files changed, 4 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 361822d..a52e9ab 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -7,8 +7,6 @@ monkeysphere-authentication \- Monkeysphere authentication admin tool. .SH SYNOPSIS .B monkeysphere-authentication \fIsubcommand\fP [\fIargs\fP] -.br -.B monkeysphere-authentication expert \fIexpert-subcommand\fP [\fIargs\fP] .SH DESCRIPTION diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 7909b62..c457711 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -7,8 +7,6 @@ monkeysphere-host \- Monkeysphere host admin tool. .SH SYNOPSIS .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP] -.br -.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP] .SH DESCRIPTION -- cgit v1.2.3 From ed24f09f17c6f5aa8722af9facce34bbe02e3844 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 27 Feb 2009 21:33:08 -0500 Subject: wrote a first pass at explaining the concept of identity certifiers --- man/man7/monkeysphere.7 | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index 578d96c..d54bd5a 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 
@@ -14,7 +14,33 @@ connection authentication. .SH IDENTITY CERTIFIERS -FIXME: describe identity certifier concept +Each host that uses the \fBMonkeysphere\fP to authenticate its remote +users needs some way to determine that those users are who they claim +to be. SSH permits key-based authentication, but we want instead to +bind authenticators to human-comprehensible user identities. This +switch from raw keys to User IDs makes it possible for administrators +to see intuitively who has access to an account, and it also enables +end users to transition keys (and revoke compromised ones) +automatically across all \fBMonkeysphere\fP-enabled hosts. The User +IDs and certifications that the \fBMonkeysphere\fP relies on are found +in the OpenPGP Web of Trust. + +However, in order to establish this binding, each host must know whose +cerifications to trust. Someone who a host trusts to certify User +Identities is called an Identity Certifier. A host must have at least +one Identity Certifier in order to bind User IDs to keys. Commonly, +every ID Certifier would be trusted by the host to fully identify any +User ID, but more nuanced approaches are possible as well. For +example, a given host could specify a dozen ID certifiers, but assign +them all "marginal" trust. Then any given User ID would need to be +certified in the OpenPGP Web of Trust by at least three of those +certifiers. + +It is also possible to limit the scope of trust for a given ID +Certifier to a particular domain. That is, a host can be configured +to fully (or marginally) trust a particular ID Certifier only when +they certify identities within, say, example.org (based on the e-mail +address in the User ID). .SH KEY ACCEPTABILITY -- cgit v1.2.3 From 90e182fac0303b6a5a9c9da92446b366b2bdadd7 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 12:46:51 -0500 Subject: transition script should ensure that the (old, deprecated) monkeysphere-server.conf gets renamed to monkeysphere-authentication.conf --- src/transitions/0.23 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/transitions/0.23 b/src/transitions/0.23 index dead788..67d1f63 100755 --- a/src/transitions/0.23 +++ b/src/transitions/0.23 @@ -21,6 +21,7 @@ set -e SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} +SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} MADATADIR="${SYSDATADIR}/authentication" MHDATADIR="${SYSDATADIR}/host" @@ -43,6 +44,13 @@ is_domain_name() { printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$' } + +# move the old server conf file to be the authentication conf file +if [ -f "$SYSCONFIGDIR"/monkeysphere-server.conf -a \ + ! -f "$SYSCONFIGDIR"/monkeysphere-authentication.conf ] ; then + mv "$SYSCONFIGDIR"/monkeysphere-server.conf "$SYSCONFIGDIR"/monkeysphere-authentication.conf +fi + # run the authentication setup (this is also the first chance to bail # if 0.23 is not fully-installed, because m-a did not exist before # 0.23) -- cgit v1.2.3 From 54abd85dc6b4c54a99644eec21ce51635012ea8b Mon Sep 17 00:00:00 2001 
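Review bot: When both monkeysphere-server.conf and monkeysphere-authentication.conf exist, the new rename block in src/transitions/0.23 leaves the old file in place without any message. An administrator may then go on editing a file that, presumably, is no longer read, so a `log` line in an `elif [ -f "$SYSCONFIGDIR"/monkeysphere-server.conf ]` branch would make the stale file visible. The test itself uses `-a` inside `[ ]`, which POSIX marks obsolescent and which is ambiguous with some operands; `[ -f "$SYSCONFIGDIR"/monkeysphere-server.conf ] && [ ! -f "$SYSCONFIGDIR"/monkeysphere-authentication.conf ]` is the safer spelling.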
From: Jameson Graef Rollins Date: Sat, 28 Feb 2009 13:07:36 -0500 Subject: work on maintainer scripts: - remove preinst and prerm because they were empty - put everything in postint into 'config' argument, since that's really what it is - make sure deletion of monkeysphere user is correct, based on what we found here: http://wiki.debian.org/AccountHandlingInMaintainerScripts --- packaging/debian/changelog | 3 ++- packaging/debian/monkeysphere.postinst | 34 +++++++++++++++++++--------------- packaging/debian/monkeysphere.postrm | 9 +++++++-- packaging/debian/monkeysphere.preinst | 25 ------------------------- packaging/debian/monkeysphere.prerm | 15 --------------- 5 files changed, 28 insertions(+), 58 deletions(-) delete mode 100755 packaging/debian/monkeysphere.preinst delete mode 100755 packaging/debian/monkeysphere.prerm diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 58a80a3..46f7863 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,9 +1,10 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low + * update/cleanup mainterscripts * New upstream release: - Fixed how version information is stored/retrieved. - -- Jameson Graef Rollins Sun, 22 Feb 2009 12:02:06 -0500 + -- Jameson Graef Rollins Sat, 28 Feb 2009 13:02:57 -0500 monkeysphere (0.23.1-1) unstable; urgency=low diff --git a/packaging/debian/monkeysphere.postinst b/packaging/debian/monkeysphere.postinst index 3d0d66f..bbb02cf 100755 --- a/packaging/debian/monkeysphere.postinst +++ b/packaging/debian/monkeysphere.postinst 
@@ -7,21 +7,25 @@ VARLIB="/var/lib/monkeysphere" -# add a monkeysphere user if one does not already exist -if ! getent passwd monkeysphere >/dev/null ; then - echo "adding monkeysphere user..." - adduser --quiet --system --no-create-home --group \ - --home "$VARLIB" \ - --shell '/bin/bash' \ - --gecos 'monkeysphere authentication user,,,' \ - monkeysphere -fi - -# try to transition from to 0.23: -/usr/share/monkeysphere/transitions/0.23 - -# setup monkeysphere authentication -monkeysphere-authentication setup +case $1 in + configure) + # add a monkeysphere user if one does not already exist + if ! getent passwd monkeysphere >/dev/null ; then + echo "adding monkeysphere user..." + adduser --quiet --system --no-create-home --group \ + --home "$VARLIB" \ + --shell '/bin/bash' \ + --gecos 'monkeysphere authentication user,,,' \ + monkeysphere + fi + + # try to transition from to 0.23: + /usr/share/monkeysphere/transitions/0.23 + + # setup monkeysphere authentication + monkeysphere-authentication setup + ;; +esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. diff --git a/packaging/debian/monkeysphere.postrm b/packaging/debian/monkeysphere.postrm index 79f7245..e70a1b1 100755 --- a/packaging/debian/monkeysphere.postrm +++ b/packaging/debian/monkeysphere.postrm @@ -7,8 +7,13 @@ case $1 in purge) - echo "removing monkeysphere user..." - userdel monkeysphere > /dev/null || true + # delete monkeysphere user + # http://wiki.debian.org/AccountHandlingInMaintainerScripts + if type deluser >/dev/null 2>&1; then + deluser --quiet --system monkeysphere > /dev/null || true + else + echo >&2 "not removing monkeysphere system account because deluser command was not found" + fi ;; esac diff --git a/packaging/debian/monkeysphere.preinst b/packaging/debian/monkeysphere.preinst deleted file mode 100755 index fd22f6f..0000000 --- a/packaging/debian/monkeysphere.preinst +++ /dev/null 
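Review bot: The `configure` branch of monkeysphere.postinst runs `/usr/share/monkeysphere/transitions/0.23` unconditionally, on fresh installs and on every later upgrade. Correct behaviour therefore depends on that script being a no-op when nothing is left to migrate, and any non-zero exit from it presumably fails package configuration. Gating on the previously configured version that dpkg passes as `$2` would make the intent explicit, e.g. `if [ -n "$2" ] && dpkg --compare-versions "$2" lt 0.23 ; then`. If re-running after a failed transition is intended instead, a comment saying so above the call would help.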
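Review bot: The `purge` branch of monkeysphere.postrm now deletes the monkeysphere system account, but nothing visible in this hunk removes the files that account owns. If anything owned by it survives the purge (its home is the package's /var/lib/monkeysphere directory, per the postinst), a later account that is assigned the same uid would own those files. I would either remove the data directory before the `deluser` call or add a comment naming where that cleanup happens. The `|| true` also hides a failed `deluser`; a message on stderr such as `echo >&2 "could not remove monkeysphere system account"` would be cheap.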
@@ -1,25 +0,0 @@ -#!/bin/sh -e - -# preinst script for monkeysphere - -# Author: Jameson Rollins -# Copyright 2008-2009 - -ETC="/etc/monkeysphere" - -# move the old server conf file to be the authentication conf file -if [ -f "$ETC"/monkeysphere-server.conf -a \ - ! -f "$ETC"/monkeysphere-authentication.conf ] ; then - mv "$ETC"/monkeysphere-server.conf "$ETC"/monkeysphere-authentication.conf -fi - -# remove the old gpg-*.conf files -rm -f "$ETC"/gpg-host.conf -rm -f "$ETC"/gpg-authentication.conf - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/packaging/debian/monkeysphere.prerm b/packaging/debian/monkeysphere.prerm deleted file mode 100755 index 5835f53..0000000 --- a/packaging/debian/monkeysphere.prerm +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -e - -# prerm script for monkeysphere - -# Author: Jameson Rollins -# Copyright 2008-2009 - -true - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 -- cgit v1.2.3 From 7f7a83939b6a457bb5a92462ea94057a43e60b16 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 13:30:29 -0500 Subject: made transitions/0.23 a little bit more resilient; made it so that running again after a failure is not fooled by the previous failure into thinking that the transition is done. --- src/transitions/0.23 | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/src/transitions/0.23 b/src/transitions/0.23 index 67d1f63..b0c967a 100755 --- a/src/transitions/0.23 +++ b/src/transitions/0.23 
@@ -154,8 +154,9 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) # create host home - mkdir -p "${MHDATADIR}" - chmod 0700 "${MHDATADIR}" + mkdir -p $(dirname "$MHDATADIR") + NEWDATADIR=$(mktemp -d "${MHDATADIR}.XXXXXX") + chmod 0700 "${NEWDATADIR}" log "importing host key from old monkeysphere installation\n" @@ -167,10 +168,20 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then # FIXME: if all self-sigs are expired, then the secret key import may # fail anyway. How should we deal with that? - (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys && \ - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export $FPR) | \ - GNUPGHOME="$MHDATADIR" gpg --quiet --no-tty --import - + if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys && \ + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export "$FPR") | \ + GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --import ; then + : we are in good shape! + else + if ! GNUPGHOME="$NEWDATADIR" gpg --list-secret-key >/dev/null ; then + log "The old host key (%s) was not imported properly.\n" "$FPR" + exit 1 + fi + fi + + # if we get here cleanly, then we're OK to move forward: + mv "$NEWDATADIR" "$MHDATADIR" + monkeysphere-host update-gpg-pub-file else log "No host key found in old monkeysphere install; not importing any host key.\n" @@ -192,7 +203,8 @@ fi if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --no-permission-warning --export | \ - monkeysphere-authentication gpg-cmd --import + monkeysphere-authentication gpg-cmd --import || \ + log "No OpenPGP certificates imported into monkeysphere-authentication trust sphere.\n" mkdir -p "$STASHDIR" chmod 0700 "$STASHDIR" -- cgit v1.2.3 
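Review bot: `mkdir -p $(dirname "$MHDATADIR")` leaves the command substitution unquoted, and the result of `mktemp -d` is used unchecked, so on failure `NEWDATADIR` is empty and the later `GNUPGHOME="$NEWDATADIR"` import would likely run against gpg's default home (unless the script runs under `set -e`, which this hunk does not show). I would write `mkdir -p "$(dirname "$MHDATADIR")"` and `NEWDATADIR=$(mktemp -d "${MHDATADIR}.XXXXXX") || exit 1`. The temporary directory receives secret key material and is not removed on the `exit 1` path added in the next hunk, so failed runs leave `${MHDATADIR}.XXXXXX` directories behind. A `trap 'rm -rf -- "$NEWDATADIR"' EXIT`, cleared after the final `mv`, would cover that.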
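Review bot: The fallback test `gpg --list-secret-key >/dev/null` does not show that the host key arrived, because as far as I know listing an empty keyring also exits 0, so a failed import can still reach the `mv`. Naming the key makes the test fail when it is absent: `if ! GNUPGHOME="$NEWDATADIR" gpg --list-secret-keys "$FPR" >/dev/null 2>&1 ; then` (this assumes `FPR` holds exactly one fingerprint, which the awk filter does not guarantee). Separately, `mv "$NEWDATADIR" "$MHDATADIR"` moves the new directory inside `$MHDATADIR` when that directory already exists, a case the old `mkdir -p` tolerated, so test `[ ! -e "$MHDATADIR" ]` before moving. The enclosing `if` starts and ends outside the hunk.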
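Review bot: With `|| log ...` a failed `monkeysphere-authentication gpg-cmd --import` no longer stops the script, and the lines that follow go on to create `$STASHDIR`, so the old authentication keyring is presumably stashed even though nothing was carried over. The message cannot tell "nothing to import" apart from an import error, and without `pipefail` a failing `gpg --export` on the left side of the pipe is not seen at all. I would skip the stash step when the import failed, or at least log the path of the old keyring so an administrator can retry the import by hand.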
From e83267c80493b9279bd35e8adf91963d0ec6f0b6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 14:00:07 -0500 Subject: functionalize the bulk of pem2openpgp. --- src/keytrans/pem2openpgp | 329 +++++++++++++++++++++++++---------------------- 1 file changed, 172 insertions(+), 157 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 2631da6..3492361 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -32,12 +32,6 @@ use MIME::Base64; ## make sure all length() and substr() calls use bytes only: use bytes; -my $uid = shift; - -# FIXME: fail if there is no given user ID; or should we default to -# hostname_long() from Sys::Hostname::Long ? - - my $old_format_packet_lengths = { one => 0, two => 1, four => 2, 
@@ -348,172 +342,193 @@ sub fingerprint { } -my $rsa; -if (defined $ENV{PEM2OPENPGP_NEWKEY}) { - $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); -} else { - # we're just not dealing with newline business right now. slurp in - # the whole file. - undef $/; - $rsa = Crypt::OpenSSL::RSA->new_private_key(); -} +# FIXME: handle DSA keys as well! +sub pem2openpgp { + my $rsa = shift; + my $uid = shift; + my $args = shift; -$rsa->use_sha1_hash(); + $rsa->use_sha1_hash(); -# see page 22 of RFC 4880 for why i think this is the right padding -# choice to use: -$rsa->use_pkcs1_padding(); + # see page 22 of RFC 4880 for why i think this is the right padding + # choice to use: + $rsa->use_pkcs1_padding(); -if (! $rsa->check_key()) { - die "key does not check"; -} + if (! $rsa->check_key()) { + die "key does not check"; + } -my $version = pack('C', 4); -# strong assertion of identity: -my $sigtype = pack('C', $sig_types->{positive_certification}); -# RSA -my $pubkey_algo = pack('C', $asym_algos->{rsa}); -# SHA1 -my $hash_algo = pack('C', $digests->{sha1}); - -# FIXME: i'm worried about generating a bazillion new OpenPGP -# certificates from the same key, which could easily happen if you run -# this script more than once against the same key (because the -# timestamps will differ). How can we prevent this? - -# this environment variable (if set) overrides the current time, to -# be able to create a standard key? If we read the key from a file -# instead of stdin, should we use the creation time on the file? 
-my $timestamp = 0; -if (defined $ENV{PEM2OPENPGP_TIMESTAMP}) { - $timestamp = ($ENV{PEM2OPENPGP_TIMESTAMP} + 0); -} else { - $timestamp = time(); -} + my $version = pack('C', 4); + # strong assertion of identity: + my $sigtype = pack('C', $sig_types->{positive_certification}); + # RSA + my $pubkey_algo = pack('C', $asym_algos->{rsa}); + # SHA1 + my $hash_algo = pack('C', $digests->{sha1}); + + # FIXME: i'm worried about generating a bazillion new OpenPGP + # certificates from the same key, which could easily happen if you run + # this script more than once against the same key (because the + # timestamps will differ). How can we prevent this? + + # this environment variable (if set) overrides the current time, to + # be able to create a standard key? If we read the key from a file + # instead of stdin, should we use the creation time on the file? + my $timestamp = 0; + if (defined $args->{timestamp}) { + $timestamp = ($args->{timestamp} + 0); + } else { + $timestamp = time(); + } -my $creation_time_packet = pack('CCN', 5, $subpacket_types->{sig_creation_time}, $timestamp); + my $creation_time_packet = pack('CCN', 5, $subpacket_types->{sig_creation_time}, $timestamp); -my $flags = 0; -if (! defined $ENV{PEM2OPENPGP_USAGE_FLAGS}) { - $flags = $usage_flags->{certify}; -} else { - my @ff = split(",", $ENV{PEM2OPENPGP_USAGE_FLAGS}); - foreach my $f (@ff) { - if (! defined $usage_flags->{$f}) { - die "No such flag $f"; + my $flags = 0; + if (! defined $args->{usage_flags}) { + $flags = $usage_flags->{certify}; + } else { + my @ff = split(",", $args->{usage_flags}); + foreach my $f (@ff) { + if (! defined $usage_flags->{$f}) { + die "No such flag $f"; + } + $flags |= $usage_flags->{$f}; } - $flags |= $usage_flags->{$f}; } + + my $usage_packet = pack('CCC', 2, $subpacket_types->{usage_flags}, $flags); + + + # how should we determine how far off to set the expiration date? + # default is no expiration. Specify the timestamp in seconds from the + # key creation. 
+ my $expiration_packet = ''; + if (defined $args->{expiration}) { + my $expires_in = $args->{expiration} + 0; + $expiration_packet = pack('CCN', 5, $subpacket_types->{key_expiration_time}, $expires_in); + } + + + # prefer AES-256, AES-192, AES-128, CAST5, 3DES: + my $pref_sym_algos = pack('CCCCCCC', 6, $subpacket_types->{preferred_cipher}, + $ciphers->{aes256}, + $ciphers->{aes192}, + $ciphers->{aes128}, + $ciphers->{cast5}, + $ciphers->{tripledes} + ); + + # prefer SHA-1, SHA-256, RIPE-MD/160 + my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest}, + $digests->{sha1}, + $digests->{sha256}, + $digests->{ripemd160} + ); + + # prefer ZLIB, BZip2, ZIP + my $pref_zip_algos = pack('CCCCC', 4, $subpacket_types->{preferred_compression}, + $zips->{zlib}, + $zips->{bzip2}, + $zips->{zip} + ); + + # we support the MDC feature: + my $feature_subpacket = pack('CCC', 2, $subpacket_types->{features}, + $features->{mdc}); + + # keyserver preference: only owner modify (???): + my $keyserver_pref = pack('CCC', 2, $subpacket_types->{keyserver_prefs}, + $keyserver_prefs->{nomodify}); + + my $subpackets_to_be_hashed = + $creation_time_packet. + $usage_packet. + $expiration_packet. + $pref_sym_algos. + $pref_hash_algos. + $pref_zip_algos. + $feature_subpacket. + $keyserver_pref; + + my $subpacket_octets = pack('n', length($subpackets_to_be_hashed)); + + my $sig_data_to_be_hashed = + $version. + $sigtype. + $pubkey_algo. + $hash_algo. + $subpacket_octets. + $subpackets_to_be_hashed; + + my $pubkey = make_rsa_pub_key_body($rsa, $timestamp); + my $seckey = make_rsa_sec_key_body($rsa, $timestamp); + + # this is for signing. it needs to be an old-style header with a + # 2-packet octet count. 
+ + my $key_data = make_packet($packet_types->{pubkey}, $pubkey, {'packet_length'=>2}); + + # take the last 8 bytes of the fingerprint as the keyid: + my $keyid = substr(fingerprint($rsa, $timestamp), 20 - 8, 8); + + # the v4 signature trailer is: + + # version number, literal 0xff, and then a 4-byte count of the + # signature data itself. + my $trailer = pack('CCN', 4, 0xff, length($sig_data_to_be_hashed)); + + my $uid_data = + pack('CN', 0xb4, length($uid)). + $uid; + + my $datatosign = + $key_data. + $uid_data. + $sig_data_to_be_hashed. + $trailer; + + my $data_hash = Digest::SHA1::sha1_hex($datatosign); + + my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid); + + my $sig = Crypt::OpenSSL::Bignum->new_from_bin($rsa->sign($datatosign)); + + my $sig_body = + $sig_data_to_be_hashed. + pack('n', length($issuer_packet)). + $issuer_packet. + pack('n', hex(substr($data_hash, 0, 4))). + mpi_pack($sig); + + return + make_packet($packet_types->{seckey}, $seckey). + make_packet($packet_types->{uid}, $uid). + make_packet($packet_types->{sig}, $sig_body); } -my $usage_packet = pack('CCC', 2, $subpacket_types->{usage_flags}, $flags); +my $rsa; +if (defined $ENV{PEM2OPENPGP_NEWKEY}) { + $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); +} else { + # slurp in the entire stdin: + undef $/; + my $stdin = ; -# how should we determine how far off to set the expiration date? -# default is no expiration. Specify the timestamp in seconds from the -# key creation. 
-my $expiration_packet = ''; -if (defined $ENV{PEM2OPENPGP_EXPIRATION}) { - my $expires_in = $ENV{PEM2OPENPGP_EXPIRATION} + 0; - $expiration_packet = pack('CCN', 5, $subpacket_types->{key_expiration_time}, $expires_in); + $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); } +my $uid = shift; -# prefer AES-256, AES-192, AES-128, CAST5, 3DES: -my $pref_sym_algos = pack('CCCCCCC', 6, $subpacket_types->{preferred_cipher}, - $ciphers->{aes256}, - $ciphers->{aes192}, - $ciphers->{aes128}, - $ciphers->{cast5}, - $ciphers->{tripledes} - ); - -# prefer SHA-1, SHA-256, RIPE-MD/160 -my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest}, - $digests->{sha1}, - $digests->{sha256}, - $digests->{ripemd160} - ); - -# prefer ZLIB, BZip2, ZIP -my $pref_zip_algos = pack('CCCCC', 4, $subpacket_types->{preferred_compression}, - $zips->{zlib}, - $zips->{bzip2}, - $zips->{zip} - ); - -# we support the MDC feature: -my $feature_subpacket = pack('CCC', 2, $subpacket_types->{features}, - $features->{mdc}); - -# keyserver preference: only owner modify (???): -my $keyserver_pref = pack('CCC', 2, $subpacket_types->{keyserver_prefs}, - $keyserver_prefs->{nomodify}); - -my $subpackets_to_be_hashed = - $creation_time_packet. - $usage_packet. - $expiration_packet. - $pref_sym_algos. - $pref_hash_algos. - $pref_zip_algos. - $feature_subpacket. - $keyserver_pref; - -my $subpacket_octets = pack('n', length($subpackets_to_be_hashed)); - -my $sig_data_to_be_hashed = - $version. - $sigtype. - $pubkey_algo. - $hash_algo. - $subpacket_octets. - $subpackets_to_be_hashed; - -my $pubkey = make_rsa_pub_key_body($rsa, $timestamp); -my $seckey = make_rsa_sec_key_body($rsa, $timestamp); - -# this is for signing. it needs to be an old-style header with a -# 2-packet octet count. 
- -my $key_data = make_packet($packet_types->{pubkey}, $pubkey, {'packet_length'=>2}); - -# take the last 8 bytes of the fingerprint as the keyid: -my $keyid = substr(fingerprint($rsa, $timestamp), 20 - 8, 8); - -# the v4 signature trailer is: - -# version number, literal 0xff, and then a 4-byte count of the -# signature data itself. -my $trailer = pack('CCN', 4, 0xff, length($sig_data_to_be_hashed)); - -my $uid_data = - pack('CN', 0xb4, length($uid)). - $uid; - -my $datatosign = - $key_data. - $uid_data. - $sig_data_to_be_hashed. - $trailer; - -my $data_hash = Digest::SHA1::sha1_hex($datatosign); - -my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid); - -my $sig = Crypt::OpenSSL::Bignum->new_from_bin($rsa->sign($datatosign)); - -my $sig_body = - $sig_data_to_be_hashed. - pack('n', length($issuer_packet)). - $issuer_packet. - pack('n', hex(substr($data_hash, 0, 4))). - mpi_pack($sig); - -print - make_packet($packet_types->{seckey}, $seckey). - make_packet($packet_types->{uid}, $uid). - make_packet($packet_types->{sig}, $sig_body); +# FIXME: fail if there is no given user ID; or should we default to +# hostname_long() from Sys::Hostname::Long ? +print pem2openpgp($rsa, + $uid, + { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, + expiration => $ENV{PEM2OPENPGP_EXPIRATION}, + usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, + } + ); -- cgit v1.2.3 From b08a2e207f22000b494fc1aabe413bea5eb8f7d5 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 14:08:41 -0500 Subject: rewrite stdin slurping to match example in perldoc -f unpack. --- src/keytrans/pem2openpgp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 3492361..4e6ebe7 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp 
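Review bot: `pem2openpgp()` still hard-codes SHA-1 for the self-certification (`$rsa->use_sha1_hash()`, `$digests->{sha1}`, `Digest::SHA1::sha1_hex`) and lists `sha1` first in the preferred-digest subpacket. Now that the options arrive in `$args`, the digest is a natural fourth option, with SHA-256 as the default and first preference, since `$digests->{sha256}` is already used in this function. The signer's hash, the hash-algorithm octet and the left-16-bits value all come from the same digest and must change together. The function also has no header comment; something like `# $args keys: timestamp (epoch seconds), expiration (seconds after creation), usage_flags (comma-separated flag names)` above `sub pem2openpgp` would document the contract.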
@@ -509,12 +509,14 @@ sub pem2openpgp { my $rsa; +my $stdin; if (defined $ENV{PEM2OPENPGP_NEWKEY}) { $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); } else { - # slurp in the entire stdin: - undef $/; - my $stdin = ; + $stdin = do { + local $/; # slurp! + ; + }; $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); } -- cgit v1.2.3 From 3cc809546f716f93be416f2f3edd9e06ea17a547 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 14:22:22 -0500 Subject: make pem2openpgp closer to a generic keytrans so that we can reuse it for the openpgp2ssh replacement. --- src/keytrans/pem2openpgp | 55 ++++++++++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 21 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 4e6ebe7..4dda6ca 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -23,6 +23,7 @@ use strict; use warnings; +use File::Basename; use Crypt::OpenSSL::RSA; use Crypt::OpenSSL::Bignum; use Crypt::OpenSSL::Bignum::CTX; 
@@ -508,29 +509,41 @@ sub pem2openpgp { } -my $rsa; -my $stdin; -if (defined $ENV{PEM2OPENPGP_NEWKEY}) { - $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); -} else { - $stdin = do { - local $/; # slurp! - ; - }; +for (basename($0)) { + if (/^pem2openpgp$/) { - $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); -} + my $rsa; + my $stdin; + if (defined $ENV{PEM2OPENPGP_NEWKEY}) { + $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); + } else { + $stdin = do { + local $/; # slurp! + ; + }; + + $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); + } -my $uid = shift; + my $uid = shift; -# FIXME: fail if there is no given user ID; or should we default to -# hostname_long() from Sys::Hostname::Long ? + # FIXME: fail if there is no given user ID; or should we default to + # hostname_long() from Sys::Hostname::Long ? -print pem2openpgp($rsa, - $uid, - { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, - expiration => $ENV{PEM2OPENPGP_EXPIRATION}, - usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, - } - ); + print pem2openpgp($rsa, + $uid, + { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, + expiration => $ENV{PEM2OPENPGP_EXPIRATION}, + usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, + } + ); + } + elsif (/^openpgp2ssh$/) { + print STDERR "woo\n"; + } + else { + print STDERR "Unrecognized keytrans call.\n"; + die 1; + } +} -- cgit v1.2.3 From 375c864f9b89cb8f8923dfcb7a9ba2e783a244da Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 15:55:10 -0500 Subject: start to make an openpgp2ssh implementation within pem2openpgp. --- src/keytrans/pem2openpgp | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 4dda6ca..9b7d8f6 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp 
@@ -509,6 +509,45 @@ sub pem2openpgp { } + + +sub openpgp2ssh { + my $instr = shift; + my $fpr = shift; + + my $packettag; + read($instr, $packettag, 1); + $packettag = ord($packettag); + + my $packetlen; + if ( ! (0x80 & $packettag)) { + print STDERR "This is not an OpenPGP packet"; + exit 1; + } + if (0x40 & $packettag) { + print STDERR "This is a new-style packet header"; + $tag = (0x3f & $packettag); + } else { + print STDERR "This is an old-style packet header"; + $lentype = 0x03 & $packettag; + $tag = (0x3c & $packettag ) >> 2; + if ($lentype == 0) { + read($instr, $packetlen, 1); + $packetlen = unpack('%C', $packetlen); + } elsif ($lentype == 1) { + read($instr, $packetlen, 2); + $packetlen = unpack('%S', $packetlen); + } elsif ($lentype == 2) { + read($instr, $packetlen, 4); + $packetlen = unpack('%L', $packetlen); + } + } + printf(STDERR, "Packet is %d long\n", $packetlen); + + print $packettag; +} + + for (basename($0)) { if (/^pem2openpgp$/) { @@ -539,7 +578,11 @@ for (basename($0)) { ); } elsif (/^openpgp2ssh$/) { - print STDERR "woo\n"; + my $fpr = shift; + my $instream; + open($instream,'-'); + binmode($instream, ":bytes"); + openpgp2ssh($instream, $fpr); } else { print STDERR "Unrecognized keytrans call.\n"; -- cgit v1.2.3 From 21062dd622620dd44001858bd9cb4116ac978529 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 17:17:13 -0500 Subject: successfully parsing out the packets in pem2openpgp keytrans operation. --- src/keytrans/pem2openpgp | 92 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 64 insertions(+), 28 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 9b7d8f6..94fd3c8 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp 
@@ -516,41 +516,78 @@ sub openpgp2ssh { my $fpr = shift; my $packettag; - read($instr, $packettag, 1); - $packettag = ord($packettag); + my $dummy; + my $tag; - my $packetlen; - if ( ! (0x80 & $packettag)) { - print STDERR "This is not an OpenPGP packet"; - exit 1; - } - if (0x40 & $packettag) { - print STDERR "This is a new-style packet header"; - $tag = (0x3f & $packettag); - } else { - print STDERR "This is an old-style packet header"; - $lentype = 0x03 & $packettag; - $tag = (0x3c & $packettag ) >> 2; - if ($lentype == 0) { - read($instr, $packetlen, 1); - $packetlen = unpack('%C', $packetlen); - } elsif ($lentype == 1) { - read($instr, $packetlen, 2); - $packetlen = unpack('%S', $packetlen); - } elsif ($lentype == 2) { - read($instr, $packetlen, 4); - $packetlen = unpack('%L', $packetlen); + while (! eof($instr)) { + read($instr, $packettag, 1); + $packettag = ord($packettag); + + my $packetlen; + if ( ! (0x80 & $packettag)) { + die "This is not an OpenPGP packet\n"; + } + if (0x40 & $packettag) { + print STDERR "This is a new-style packet header\n"; + $tag = (0x3f & $packettag); + my $nextlen = 0; + read($instr, $nextlen, 1); + $nextlen = ord($nextlen); + if ($nextlen < 192) { + $packetlen = $nextlen; + } elsif ($nextlen < 224) { + my $newoct; + read($instr, $newoct, 1); + $newoct = ord($newoct); + $packetlen = (($nextlen - 192) << 8) + ($newoct) + 192; + } elsif ($nextlen == 255) { + read($instr, $nextlen, 4); + $packetlen = unpack('%L', $nextlen); + } else { + # packet length is undefined. 
+ } + } else { + my $lentype; + print STDERR "This is an old-style packet header\n"; + $lentype = 0x03 & $packettag; + $tag = ( 0x3c & $packettag ) >> 2; + if ($lentype == 0) { + read($instr, $packetlen, 1) or die "could not read packet length\n"; + $packetlen = unpack('C', $packetlen); + } elsif ($lentype == 1) { + read($instr, $packetlen, 2) or die "could not read packet length\n"; + $packetlen = unpack('n', $packetlen); + } elsif ($lentype == 2) { + read($instr, $packetlen, 4) or die "could not read packet length\n"; + $packetlen = unpack('N', $packetlen); + } else { + # packet length is undefined. + } + } + + if (! defined($packetlen)) { + die "Undefined packet lengths are not supported.\n"; + } + printf(STDERR "Packet is %d long\n", $packetlen); + + if ($tag == $packet_types->{pubkey} || + $tag == $packet_types->{pub_subkey} || + $tag == $packet_types->{seckey} || + $tag == $packet_types->{sec_subkey}) { + printf(STDERR "Packet type %d\n", $tag); + read($instr, $dummy, $packetlen) or die "Could not seek!\n"; + } else { + printf(STDERR "We do not care about this packet.\n"); + read($instr, $dummy, $packetlen) or die "Could not seek!\n"; } } - printf(STDERR, "Packet is %d long\n", $packetlen); - print $packettag; + print $tag; } for (basename($0)) { if (/^pem2openpgp$/) { - my $rsa; my $stdin; if (defined $ENV{PEM2OPENPGP_NEWKEY}) { @@ -585,8 +622,7 @@ for (basename($0)) { openpgp2ssh($instream, $fpr); } else { - print STDERR "Unrecognized keytrans call.\n"; - die 1; + die "Unrecognized keytrans call.\n"; } } -- cgit v1.2.3 From 2e2299e705d1e67d170137bd499f1ffa511a60a7 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 17:55:40 -0500 Subject: calculating and emitting key fingerprints in openpgp2ssh rewrite. --- src/keytrans/pem2openpgp | 61 +++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 52 insertions(+), 9 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 94fd3c8..ae7c91f 100755 
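Review bot: In the new-format branch the four `read()` calls for the length octets have no `or die`, unlike the old-format branch, so a truncated stream yields `ord('')`, i.e. a length of 0, and parsing carries on with garbage; add `or die "could not read packet length\n"` to each. The body reads have the opposite problem: `read($instr, $dummy, $packetlen) or die` treats a valid zero-length packet as an error, while a short read (fewer bytes than `$packetlen`) is accepted silently. Comparing the return value with the requested length handles both: `read($instr, $dummy, $packetlen) == $packetlen or die "truncated packet\n";`. `openpgp2ssh` begins before this hunk and continues after it.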
--- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -288,6 +288,20 @@ sub mpi_pack { return pack('n', $mpilen).$val; } +# pull an OpenPGP-specified MPI off of a given stream. +sub read_mpi { + my $instr = shift; + + my $bitlen; + read($instr, $bitlen, 2) or die "could not read MPI length.\n"; + $bitlen = unpack('n', $bitlen); + + my $ret; + read($instr, $ret, ($bitlen + 7)/8) or die "could not read MPI body.\n"; + return Crypt::OpenSSL::Bignum->new_from_bin($ret); +} + + # FIXME: genericize these to accept either RSA or DSA keys: sub make_rsa_pub_key_body { my $key = shift; @@ -509,8 +523,6 @@ sub pem2openpgp { } - - sub openpgp2ssh { my $instr = shift; my $fpr = shift; @@ -528,7 +540,6 @@ sub openpgp2ssh { die "This is not an OpenPGP packet\n"; } if (0x40 & $packettag) { - print STDERR "This is a new-style packet header\n"; $tag = (0x3f & $packettag); my $nextlen = 0; read($instr, $nextlen, 1); @@ -542,13 +553,12 @@ sub openpgp2ssh { $packetlen = (($nextlen - 192) << 8) + ($newoct) + 192; } elsif ($nextlen == 255) { read($instr, $nextlen, 4); - $packetlen = unpack('%L', $nextlen); + $packetlen = unpack('N', $nextlen); } else { # packet length is undefined. } } else { my $lentype; - print STDERR "This is an old-style packet header\n"; $lentype = 0x03 & $packettag; $tag = ( 0x3c & $packettag ) >> 2; if ($lentype == 0) { 
@@ -568,17 +578,50 @@ sub openpgp2ssh { if (! defined($packetlen)) { die "Undefined packet lengths are not supported.\n"; } - printf(STDERR "Packet is %d long\n", $packetlen); if ($tag == $packet_types->{pubkey} || $tag == $packet_types->{pub_subkey} || $tag == $packet_types->{seckey} || $tag == $packet_types->{sec_subkey}) { printf(STDERR "Packet type %d\n", $tag); - read($instr, $dummy, $packetlen) or die "Could not seek!\n"; + + my $ver; + read($instr, $ver, 1) or die "could not read key version\n"; + $ver = ord($ver); + if ($ver != 4) { + printf(STDERR "We only work with version 4 keys. This key appears to be version $ver.\n"); + read($instr, $dummy, $packetlen - 1) or die "Could not skip past this packet.\n"; + } else { + + my $timestamp; + read($instr, $timestamp, 4) or die "could not read key timestamp.\n"; + $timestamp = unpack('N', $timestamp); + + my $algo; + read($instr, $algo, 1) or die "could not read key algorithm.\n"; + $algo = ord($algo); + if ($algo != $asym_algos->{rsa}) { + printf(STDERR "We only support RSA keys (this key used algorithm %d).\n", $algo); + read($instr, $dummy, $packetlen - 6) or die "Could not skip past this packet.\n"; + } else { + ## we have an RSA key. + my $modulus = read_mpi($instr); + my $exponent = read_mpi($instr); + + my $pubkey = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, $exponent); + my $foundfpr = fingerprint($pubkey, $timestamp); + + printf(STDERR "key fpr: %s\n", Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex()); + + if ($tag == $packet_types->{seckey} || + $tag == $packet_types->{sec_subkey}) { + die "Cannot deal with secret keys yet!\n"; + } + + } + } } else { - printf(STDERR "We do not care about this packet.\n"); - read($instr, $dummy, $packetlen) or die "Could not seek!\n"; + read($instr, $dummy, $packetlen) or die "Could not skip past this packet!\n"; } } -- cgit v1.2.3 From b62cb24951ccb9026fa9c2d660398be094a8b62f Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 18:54:38 -0500 Subject: further perl-only openpgp2ssh work. public keys are now translated. --- src/keytrans/pem2openpgp | 62 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index ae7c91f..40188c7 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -288,7 +288,38 @@ sub mpi_pack { return pack('n', $mpilen).$val; } -# pull an OpenPGP-specified MPI off of a given stream. +# takes a Crypt::OpenSSL::Bignum, returns an MPI packed in preparation +# for an OpenSSH-style public key format. see: +# http://marc.info/?l=openssh-unix-dev&m=121866301718839&w=2 +sub openssh_mpi_pack { + my $num = shift; + + my $val = $num->to_bin(); + my $mpilen = length($val); + + my $ret = pack('N', $mpilen); + + # if the first bit of the leading byte is high, we should include a + # 0 byte: + if (ord($val) & 0x80) { + $ret = pack('NC', $mpilen+1, 0); + } + + return $ret.$val; +} + +sub openssh_pubkey_pack { + my $key = shift; + + my ($modulus, $exponent) = $key->get_key_parameters(); + + return openssh_mpi_pack(Crypt::OpenSSL::Bignum->new_from_bin("ssh-rsa")). + openssh_mpi_pack($exponent). + openssh_mpi_pack($modulus); + } + +# pull an OpenPGP-specified MPI off of a given stream, returning it as +# a Crypt::OpenSSL::Bignum. sub read_mpi { my $instr = shift; @@ -527,10 +558,18 @@ sub openpgp2ssh { my $instr = shift; my $fpr = shift; + if (defined $fpr) { + if (length($fpr) < 8) { + die "We need at least 8 hex digits of fingerprint.\n"; + } + } + my $packettag; my $dummy; my $tag; + my $key; + while (! eof($instr)) { read($instr, $packettag, 1); $packettag = ord($packettag); 
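Review bot: Accepting as few as 8 hex digits means a key can be selected by its 32-bit short key ID, which is not collision-resistant, and the selected key ends up as an SSH key. I would require the full fingerprint: `if ($fpr !~ /^[0-9A-Fa-f]{40}$/) { die "We need a full 40 hex digit fingerprint.\n"; }`, which also rejects non-hex input that the length test lets through. If shorter forms have to stay for existing callers, say so in a comment next to the check, and keep the "Found two matching keys" abort that a later hunk of this commit adds.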
@@ -583,8 +622,6 @@ sub openpgp2ssh { $tag == $packet_types->{pub_subkey} || $tag == $packet_types->{seckey} || $tag == $packet_types->{sec_subkey}) { - printf(STDERR "Packet type %d\n", $tag); - my $ver; read($instr, $ver, 1) or die "could not read key version\n"; $ver = ord($ver); @@ -610,8 +647,17 @@ sub openpgp2ssh { my $pubkey = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, $exponent); my $foundfpr = fingerprint($pubkey, $timestamp); - - printf(STDERR "key fpr: %s\n", Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex()); + + my $foundfprstr = Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex(); + + # is this a match? + if ((!defined($fpr)) || + (substr($foundfprstr, -1 * length($fpr)) eq $fpr)) { + if (defined($key)) { + die "Found two matching keys.\n"; + } + $key = $pubkey; + } if ($tag == $packet_types->{seckey} || $tag == $packet_types->{sec_subkey}) { @@ -625,7 +671,9 @@ sub openpgp2ssh { } } - print $tag; + if (defined($key)) { + return "ssh-rsa ".encode_base64(openssh_pubkey_pack($key), ''); + } } @@ -662,7 +710,7 @@ for (basename($0)) { my $instream; open($instream,'-'); binmode($instream, ":bytes"); - openpgp2ssh($instream, $fpr); + print openpgp2ssh($instream, $fpr); } else { die "Unrecognized keytrans call.\n"; -- cgit v1.2.3 From 2f91cf1747c882c9db1e8cde2ed00e5d909ff122 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 20:27:30 -0500 Subject: outputting secret key material now with perl-only openpgp2ssh. --- src/keytrans/pem2openpgp | 76 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 64 insertions(+), 12 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 40188c7..37b372a 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp 
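Review bot: `Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex()` treats the fingerprint as a number, so leading zero bytes are dropped and the string can come out shorter than 40 digits. A caller who passes the full fingerprint of such a key then never gets a match from the `substr(...) eq $fpr` comparison. Formatting the bytes directly keeps every digit: `my $foundfprstr = uc(unpack('H*', $foundfpr));`.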
@@ -316,19 +316,23 @@ sub openssh_pubkey_pack { return openssh_mpi_pack(Crypt::OpenSSL::Bignum->new_from_bin("ssh-rsa")). openssh_mpi_pack($exponent). openssh_mpi_pack($modulus); - } +} # pull an OpenPGP-specified MPI off of a given stream, returning it as # a Crypt::OpenSSL::Bignum. sub read_mpi { my $instr = shift; + my $readtally = shift; my $bitlen; read($instr, $bitlen, 2) or die "could not read MPI length.\n"; $bitlen = unpack('n', $bitlen); + $$readtally += 2; + my $bytestoread = ($bitlen + 7)/8; my $ret; - read($instr, $ret, ($bitlen + 7)/8) or die "could not read MPI body.\n"; + read($instr, $ret, $bytestoread) or die "could not read MPI body.\n"; + $$readtally += $bytestoread; return Crypt::OpenSSL::Bignum->new_from_bin($ret); } @@ -562,6 +566,7 @@ sub openpgp2ssh { if (length($fpr) < 8) { die "We need at least 8 hex digits of fingerprint.\n"; } + $fpr = uc($fpr); } my $packettag; 
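Review bot: `($bitlen + 7)/8` is floating-point division in Perl, so `$bytestoread` is fractional whenever the bit length is not of the form 8k+1 (a 2048-bit modulus gives 256.875). `read()` truncates it, but `$$readtally += $bytestoread` adds the fraction, so the later skips by `$packetlen - $readbytes` come out at least one byte short and the packet parser loses its place in the stream. Use `my $bytestoread = int(($bitlen + 7) / 8);`. A bit length of 0 also trips `read ... or die`, because a zero-byte read returns 0.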
@@ -623,27 +628,32 @@ sub openpgp2ssh { $tag == $packet_types->{seckey} || $tag == $packet_types->{sec_subkey}) { my $ver; + my $readbytes = 0; read($instr, $ver, 1) or die "could not read key version\n"; + $readbytes += 1; $ver = ord($ver); + if ($ver != 4) { - printf(STDERR "We only work with version 4 keys. This key appears to be version $ver.\n"); - read($instr, $dummy, $packetlen - 1) or die "Could not skip past this packet.\n"; + printf(STDERR "We only work with version 4 keys. This key appears to be version %s.\n", $ver); + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; } else { my $timestamp; read($instr, $timestamp, 4) or die "could not read key timestamp.\n"; + $readbytes += 4; $timestamp = unpack('N', $timestamp); my $algo; read($instr, $algo, 1) or die "could not read key algorithm.\n"; + $readbytes += 1; $algo = ord($algo); if ($algo != $asym_algos->{rsa}) { printf(STDERR "We only support RSA keys (this key used algorithm %d).\n", $algo); - read($instr, $dummy, $packetlen - 6) or die "Could not skip past this packet.\n"; + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; } else { ## we have an RSA key. - my $modulus = read_mpi($instr); - my $exponent = read_mpi($instr); + my $modulus = read_mpi($instr, \$readbytes); + my $exponent = read_mpi($instr, \$readbytes); my $pubkey = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, $exponent); my $foundfpr = fingerprint($pubkey, $timestamp); 
@@ -661,7 +671,42 @@ sub openpgp2ssh { if ($tag == $packet_types->{seckey} || $tag == $packet_types->{sec_subkey}) { - die "Cannot deal with secret keys yet!\n"; + if (!defined($key)) { # we don't think the public part of + # this key matches + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } else { + my $s2k; + read($instr, $s2k, 1) or die "Could not read S2K octet.\n"; + $readbytes += 1; + $s2k = ord($s2k); + if ($s2k == 0) { + # secret material is unencrypted + # see http://tools.ietf.org/html/rfc4880#section-5.5.3 + my $d = read_mpi($instr, \$readbytes); + my $p = read_mpi($instr, \$readbytes); + my $q = read_mpi($instr, \$readbytes); + my $u = read_mpi($instr, \$readbytes); + + my $checksum; + read($instr, $checksum, 2) or die "Could not read checksum of secret key material.\n"; + $readbytes += 2; + $checksum = unpack('n', $checksum); + + # FIXME: compare with the checksum! how? the data is + # gone into the Crypt::OpenSSL::Bignum + + $key = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, + $exponent, + $d, + $p, + $q); + + $key->check_key() or die "Secret key is not a valid RSA key.\n"; + } else { + print(STDERR "We cannot handle encrypted secret keys. Skipping!\n") ; + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } + } } } @@ -671,9 +716,7 @@ sub openpgp2ssh { } } - if (defined($key)) { - return "ssh-rsa ".encode_base64(openssh_pubkey_pack($key), ''); - } + return $key; } @@ -710,7 +753,16 @@ for (basename($0)) { my $instream; open($instream,'-'); binmode($instream, ":bytes"); - print openpgp2ssh($instream, $fpr); + my $key = openpgp2ssh($instream, $fpr); + if (defined($key)) { + if ($key->is_private()) { + print $key->get_private_key_string(); + } else { + print "ssh-rsa ".encode_base64(openssh_pubkey_pack($key), '')."\n"; + } + } else { + die "No matching key found.\n"; + } } else { die "Unrecognized keytrans call.\n"; -- cgit v1.2.3 
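Review bot: The two-octet checksum is read and unpacked into `$checksum` but never compared, so corrupted secret MPIs are caught only as far as `check_key()` notices inconsistent RSA parameters. RFC 4880 section 5.5.3 defines the value as the sum of the octets of the secret key material (MPI length prefixes included) mod 65536. read_mpi could add the raw bytes it reads to a running sum, for instance with `unpack('%16C*', ...)`, before building the Bignum, which is where the existing FIXME says the data is lost; this block can then `die` on a mismatch. `$u` is read only to advance the stream, which deserves a comment such as `# u (p^-1 mod q) is consumed but not needed by new_key_from_parameters`.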
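Review bot: When stdin holds a matching secret key, `print $key->get_private_key_string();` writes an unencrypted PEM private key to stdout, whereas the old code died on secret-key packets and only ever printed a public `ssh-rsa` line. The switch is driven purely by the packet types in the input, so the branch should say so, e.g. `# secret-key input: emits UNENCRYPTED private key material on stdout; pipe it straight to its consumer`. Callers that redirect the output to a file would need a restrictive umask set first; none is set in the visible lines.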
From a4375ee022de3c6ac6b3be371e1372bb8d720bb3 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 28 Feb 2009 20:36:46 -0500 Subject: test for presence of User ID in pem2openpgp. --- src/keytrans/pem2openpgp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 37b372a..73becfe 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -724,6 +724,14 @@ for (basename($0)) { if (/^pem2openpgp$/) { my $rsa; my $stdin; + + my $uid = shift; + defined($uid) or die "You must specify a user ID string.\n"; + + # FIXME: fail if there is no given user ID; or should we default to + # hostname_long() from Sys::Hostname::Long ? + + if (defined $ENV{PEM2OPENPGP_NEWKEY}) { $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); } else { @@ -735,11 +743,6 @@ for (basename($0)) { $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); } - my $uid = shift; - - # FIXME: fail if there is no given user ID; or should we default to - # hostname_long() from Sys::Hostname::Long ? - print pem2openpgp($rsa, $uid, { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, -- cgit v1.2.3 From 620e3d1021993760ef7572ed9e5d6bf9f033b91e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 28 Feb 2009 20:56:18 -0500 Subject: openpgp2ssh in ms-host show-key function takes the host gpg key from the temporary gpghome, instead of from the saved ssh_host_key_rsa.pub.gpg key file. --- src/monkeysphere-host | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 5e7a931..9e4a8c4 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host 
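Review bot: The comment `FIXME: fail if there is no given user ID` was moved up together with `my $uid = shift;`, but the new `defined($uid) or die` line now does exactly that, so the comment is stale. It can be narrowed to the question that is still open: `# FIXME: should we default to hostname_long() from Sys::Hostname::Long when no user ID is given?`. An empty string still passes `defined()`, so `length($uid)` may be the better test if an empty user ID is not meant to be accepted.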
@@ -174,7 +174,7 @@ show_key() { # create the ssh key TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub - openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null >"$TMPSSH" + gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH" # get the gpg fingerprint HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \ -- cgit v1.2.3 From 207272adad58f4ee86f961367e56fd478c754b39 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 03:24:20 -0500 Subject: fix rounding issue. Thanks, Richard K Darst! --- src/keytrans/pem2openpgp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp index 73becfe..8bf17fb 100755 --- a/src/keytrans/pem2openpgp +++ b/src/keytrans/pem2openpgp @@ -29,6 +29,7 @@ use Crypt::OpenSSL::Bignum; use Crypt::OpenSSL::Bignum::CTX; use Digest::SHA1; use MIME::Base64; +use POSIX; ## make sure all length() and substr() calls use bytes only: use bytes; @@ -329,7 +330,7 @@ sub read_mpi { $bitlen = unpack('n', $bitlen); $$readtally += 2; - my $bytestoread = ($bitlen + 7)/8; + my $bytestoread = POSIX::floor(($bitlen + 7)/8); my $ret; read($instr, $ret, $bytestoread) or die "could not read MPI body.\n"; $$readtally += $bytestoread; -- cgit v1.2.3 From ef9a47ba86dbd16bbff44cc01e5a2485823bbbdd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 04:03:57 -0500 Subject: removed test_gnu_dummy_s2k_extension(); no longer necessary --- src/share/common | 46 ----------------------------------------- src/share/m/subkey_to_ssh_agent | 8 ------- 2 files changed, 54 deletions(-) diff --git a/src/share/common b/src/share/common index b2dcd35..a9d23b2 100644 --- a/src/share/common +++ b/src/share/common 
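Review bot: The new pipeline `gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH"` discards stderr and its exit status is not checked in the visible lines, so a failed conversion leaves `$TMPSSH` empty and the code carries on to the fingerprint step. It also appears to rely on the temporary `$GNUPGHOME` holding exactly one key, since `gpg --export` without arguments emits the whole keyring and no key ID is passed to `openpgp2ssh`. Checking the result would surface the problem: `gpg --export | openpgp2ssh >"$TMPSSH" || failure "could not translate host key"`. `failure` is the helper used in subkey_to_ssh_agent on this page and is assumed to be in scope here. show_key continues outside the hunk.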
@@ -336,52 +336,6 @@ passphrase_prompt() { fi } -test_gnu_dummy_s2k_extension() { - -# this block contains a demonstration private key that has had the -# primary key stripped out using the GNU S2K extension known as -# "gnu-dummy" (see /usr/share/doc/gnupg/DETAILS.gz). The subkey is -# present in cleartext, however. - -# openpgp2ssh will be able to deal with this based on whether the -# local copy of GnuTLS contains read_s2k support that can handle it. - -# read up on that here: - -# http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html - -echo " ------BEGIN PGP PRIVATE KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -lQCVBEO3YdABBACRqqEnucag4+vyZny2M67Pai5+5suIRRvY+Ly8Ms5MvgCi3EVV -xT05O/+0ShiRaf+QicCOFrhbU9PZzzU+seEvkeW2UCu4dQfILkmj+HBEIltGnHr3 -G0yegHj5pnqrcezERURf2e17gGFWX91cXB9Cm721FPXczuKraphKwCA9PwARAQAB -/gNlAkdOVQG0OURlbW9uc3RyYXRpb24gS2V5IGZvciBTMksgR05VIGV4dGVuc2lv -biAxMDAxIC0tIGdudS1kdW1teYi8BBMBAgAmBQJDt2HQAhsDBQkB4TOABgsJCAcD -AgQVAggDBBYCAwECHgECF4AACgkQQZUwSa4UDezTOQP/TMQXUVrWzHYZGopoPZ2+ -ZS3qddiznBHsgb7MGYg1KlTiVJSroDUBCHIUJvdQKZV9zrzrFl47D07x6hGyUPHV -aZXvuITW8t1o5MMHkCy3pmJ2KgfDvdUxrBvLfgPMICA4c6zA0mWquee43syEW9NY -g3q61iPlQwD1J1kX1wlimLCdAdgEQ7dh0AEEANAwa63zlQbuy1Meliy8otwiOa+a -mH6pxxUgUNggjyjO5qx+rl25mMjvGIRX4/L1QwIBXJBVi3SgvJW1COZxZqBYqj9U -8HVT07mWKFEDf0rZLeUE2jTm16cF9fcW4DQhW+sfYm+hi2sY3HeMuwlUBK9KHfW2 -+bGeDzVZ4pqfUEudABEBAAEAA/0bemib+wxub9IyVFUp7nPobjQC83qxLSNzrGI/ -RHzgu/5CQi4tfLOnwbcQsLELfker2hYnjsLrT9PURqK4F7udrWEoZ1I1LymOtLG/ -4tNZ7Mnul3wRC2tCn7FKx8sGJwGh/3li8vZ6ALVJAyOia5TZ/buX0+QZzt6+hPKk -7MU1WQIA4bUBjtrsqDwro94DvPj3/jBnMZbXr6WZIItLNeVDUcM8oHL807Am97K1 -ueO/f6v1sGAHG6lVPTmtekqPSTWBfwIA7CGFvEyvSALfB8NUa6jtk27NCiw0csql -kuhCmwXGMVOiryKEfegkIahf2bAd/gnWHPrpWp7bUE20v8YoW22I4wIAhnm5Wr5Q -Sy7EHDUxmJm5TzadFp9gq08qNzHBpXSYXXJ3JuWcL1/awUqp3tE1I6zZ0hZ38Ia6 -SdBMN88idnhDPqPoiKUEGAECAA8FAkO3YdACGyAFCQHhM4AACgkQQZUwSa4UDezm -vQP/ZhK+2ly9oI2z7ZcNC/BJRch0/ybQ3haahII8pXXmOThpZohr/LUgoWgCZdXg 
-vP6yiszNk2tIs8KphCAw7Lw/qzDC2hEORjWO4f46qk73RAgSqG/GyzI4ltWiDhqn -vnQCFl3+QFSe4zinqykHnLwGPMXv428d/ZjkIc2ju8dRsn4= -=CR5w ------END PGP PRIVATE KEY BLOCK----- -" | openpgp2ssh 4129E89D17C1D591 >/dev/null 2>/dev/null - -} - # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent index 4ce14f8..ec596bd 100644 --- a/src/share/m/subkey_to_ssh_agent +++ b/src/share/m/subkey_to_ssh_agent @@ -26,14 +26,6 @@ subkey_to_ssh_agent() { local publine local kname - if ! test_gnu_dummy_s2k_extension ; then - failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys. -You may want to consider patching or upgrading to GnuTLS 2.6 or later. - -For more details, see: - http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html" - fi - # if there's no agent running, don't bother: if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then failure "No ssh-agent available." -- cgit v1.2.3 From 2c427b22f6a780cbf0d4e22fce26071727e985a1 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 11:45:38 -0500 Subject: transition to the perl-based keytrans implementation. --- Makefile | 12 +- src/keytrans/Makefile | 15 - src/keytrans/gnutls-helpers.c | 466 ------------------------- src/keytrans/gnutls-helpers.h | 89 ----- src/keytrans/openpgp2ssh.c | 507 --------------------------- src/keytrans/pem2openpgp | 775 ------------------------------------------ src/openpgp2ssh | 1 + src/pem2openpgp | 1 + src/share/keytrans | 775 ++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 783 insertions(+), 1858 deletions(-) delete mode 100644 src/keytrans/Makefile delete mode 100644 src/keytrans/gnutls-helpers.c delete mode 100644 src/keytrans/gnutls-helpers.h delete mode 100644 src/keytrans/openpgp2ssh.c delete mode 100755 src/keytrans/pem2openpgp create mode 120000 src/openpgp2ssh create mode 120000 src/pem2openpgp create mode 100755 src/share/keytrans diff --git a/Makefile b/Makefile index 0284a8a..2c6077e 100755 --- a/Makefile +++ b/Makefile @@ -14,10 +14,8 @@ ETCSUFFIX ?= PREFIX ?= /usr MANPREFIX ?= $(PREFIX)/share/man -all: keytrans - -keytrans: - $(MAKE) -C src/keytrans +# nothing actually needs to be built now. +all: tarball: clean rm -rf monkeysphere-$(MONKEYSPHERE_VERSION) @@ -40,7 +38,6 @@ freebsd-distinfo: ./utils/build-freebsd-distinfo clean: - $(MAKE) -C src/keytrans clean # clean up old monkeysphere packages lying around as well. rm -f monkeysphere_* 
@@ -52,9 +49,12 @@ install: all installman mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere install -m 0644 VERSION $(DESTDIR)$(PREFIX)/share/monkeysphere - install src/monkeysphere src/keytrans/openpgp2ssh src/keytrans/pem2openpgp $(DESTDIR)$(PREFIX)/bin + install src/monkeysphere $(DESTDIR)$(PREFIX)/bin install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere + install -m 0755 src/share/keytrans $(DESTDIR)$(PREFIX)/share/monkeysphere + ln -s ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/pem2openpgp + ln -s ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2ssh install -m 0744 src/transitions/* $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions install -m 0644 src/transitions/README.txt $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions install -m 0644 src/share/m/* $(DESTDIR)$(PREFIX)/share/monkeysphere/m diff --git a/src/keytrans/Makefile b/src/keytrans/Makefile deleted file mode 100644 index 4d54be7..0000000 --- a/src/keytrans/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -CFLAGS=`libgnutls-config --libs --cflags` -g -Wall --pedantic -CC=gcc - -all: openpgp2ssh - -openpgp2ssh: openpgp2ssh.c gnutls-helpers.o - $(CC) $(CFLAGS) -o openpgp2ssh openpgp2ssh.c gnutls-helpers.o - -.c.o: - $(CC) $(CFLAGS) -c $< - -clean: - rm -f openpgp2ssh *.o - -.PHONY: clean all diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c deleted file mode 100644 index 8d8ec17..0000000 --- a/src/keytrans/gnutls-helpers.c +++ /dev/null 
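Review bot: The two `ln -s` lines fail with "File exists" when `make install` runs over an earlier install, including an upgrade from a version where `install` placed real `openpgp2ssh` and `pem2openpgp` files in `$(DESTDIR)$(PREFIX)/bin`. Using `ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/pem2openpgp`, and the same for `openpgp2ssh`, makes the target repeatable. Both commands now resolve through relative symlinks to one script, so a comment above the links should record that `bin` and `share/monkeysphere` must be relocated together, e.g. `# relative links: keytrans dispatches on the name it is invoked as`.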
@@ -1,466 +0,0 @@ -/* Author: Daniel Kahn Gillmor */ -/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ -/* License: GPL v3 or later */ - -#include "gnutls-helpers.h" -/* for htonl() */ -#include - -/* for setlocale() */ -#include - -/* for isalnum() */ -#include - -/* for exit() */ -#include - -#include - -/* higher levels allow more frivolous error messages through. - this is set with the MONKEYSPHERE_DEBUG variable */ -static int loglevel = 0; - -void err(int level, const char* fmt, ...) { - va_list ap; - if (level > loglevel) - return; - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); - fflush(stderr); -} - -void logfunc(int level, const char* string) { - fprintf(stderr, "GnuTLS Logging (%d): %s\n", level, string); -} - -void init_keyid(gnutls_openpgp_keyid_t keyid) { - memset(keyid, 'x', sizeof(gnutls_openpgp_keyid_t)); -} - - - -void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) -{ - assert(sizeof(out) >= 2*sizeof(keyid)); - hex_print_data((char*)out, (const unsigned char*)keyid, sizeof(keyid)); -} - -/* you must have twice as many bytes in the out buffer as in the in buffer */ -void hex_print_data(char* out, const unsigned char* in, size_t incount) -{ - static const char hex[16] = "0123456789ABCDEF"; - unsigned int inix = 0, outix = 0; - - while (inix < incount) { - out[outix] = hex[(in[inix] >> 4) & 0x0f]; - out[outix + 1] = hex[in[inix] & 0x0f]; - inix++; - outix += 2; - } -} - -unsigned char hex2bin(unsigned char x) { - if ((x >= '0') && (x <= '9')) - return x - '0'; - if ((x >= 'A') && (x <= 'F')) - return 10 + x - 'A'; - if ((x >= 'a') && (x <= 'f')) - return 10 + x - 'a'; - return 0xff; -} - -void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in) { - unsigned int pkix = 0, outkix = 0; - while (pkix < sizeof(printable_keyid)) { - unsigned hi = hex2bin(in[pkix]); - unsigned lo = hex2bin(in[pkix + 1]); - if (hi == 0xff) { - err(0, "character '%c' is not a hex char\n", in[pkix]); - exit(1); - } - if 
(lo == 0xff) { - err(0, "character '%c' is not a hex char\n", in[pkix + 1]); - exit(1); - } - out[outkix] = lo | (hi << 4); - - pkix += 2; - outkix++; - } -} - -unsigned int hexstring2bin(unsigned char* out, const char* in) { - unsigned int pkix = 0, outkix = 0; - int hi = 0; /* which nybble is it? */ - - while (in[pkix]) { - unsigned char z = hex2bin(in[pkix]); - if (z != 0xff) { - if (!hi) { - if (out) out[outkix] = (z << 4); - hi = 1; - } else { - if (out) out[outkix] |= z; - hi = 0; - outkix++; - } - pkix++; - } - } - return outkix*8 + (hi ? 4 : 0); -} - -int convert_string_to_keyid(gnutls_openpgp_keyid_t out, const char* str) { - printable_keyid p; - int ret; - - ret = convert_string_to_printable_keyid(p, str); - if (ret == 0) - collapse_printable_keyid(out, p); - return ret; -} -int convert_string_to_printable_keyid(printable_keyid pkeyid, const char* str) { - int arglen, x; - arglen = 0; - x = 0; - while ((arglen <= sizeof(printable_keyid)) && - (str[x] != '\0')) { - if (isxdigit(str[x])) { - if (arglen == sizeof(printable_keyid)) { - err(0, "There are more than %d hex digits in the keyid '%s'\n", sizeof(printable_keyid), str); - return 1; - } - pkeyid[arglen] = str[x]; - arglen++; - } - x++; - } - - if (arglen != sizeof(printable_keyid)) { - err(0, "Keyid '%s' is not %d hex digits in length\n", str, sizeof(printable_keyid)); - return 1; - } - return 0; -} - - - -int init_gnutls() { - const char* version = NULL; - const char* debug_string = NULL; - int ret; - - if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { - loglevel = atoi(debug_string); - } - - if (ret = gnutls_global_init(), ret) { - err(0, "Failed to do gnutls_global_init() (error: %d)\n", ret); - return 1; - } - - version = gnutls_check_version(NULL); - - if (version) - err(1, "gnutls version: %s\n", version); - else { - err(0, "no gnutls version found!\n"); - return 1; - } - - gnutls_global_set_log_function(logfunc); - - gnutls_global_set_log_level(loglevel); - err(1, "set log level 
to %d\n", loglevel); - - return 0; -} - -void init_datum(gnutls_datum_t* d) { - d->data = NULL; - d->size = 0; -} -void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src) { - dest->data = gnutls_realloc(dest->data, src->size); - dest->size = src->size; - memcpy(dest->data, src->data, src->size); -} -int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b) { - if (a->size > b->size) { - err(0,"a is larger\n"); - return 1; - } - if (a->size < b->size) { - err(0,"b is larger\n"); - return -1; - } - return memcmp(a->data, b->data, a->size); -} -void free_datum(gnutls_datum_t* d) { - gnutls_free(d->data); - d->data = NULL; - d->size = 0; -} - -/* read the passed-in string, store in a single datum */ -int set_datum_string(gnutls_datum_t* d, const char* s) { - unsigned int x = strlen(s)+1; - unsigned char* c = NULL; - - c = gnutls_realloc(d->data, x); - if (NULL == c) - return -1; - d->data = c; - d->size = x; - memcpy(d->data, s, x); - return 0; -} - -/* read the passed-in file descriptor until EOF, store in a single - datum */ -int set_datum_fd(gnutls_datum_t* d, int fd) { - unsigned int bufsize = 1024; - unsigned int len = 0; - - FILE* f = fdopen(fd, "r"); - if (bufsize > d->size) { - bufsize = 1024; - d->data = gnutls_realloc(d->data, bufsize); - if (d->data == NULL) { - err(0,"out of memory!\n"); - return -1; - } - d->size = bufsize; - } else { - bufsize = d->size; - } - f = fdopen(fd, "r"); - if (NULL == f) { - err(0,"could not fdopen FD %d\n", fd); - } - clearerr(f); - while (!feof(f) && !ferror(f)) { - if (len == bufsize) { - /* allocate more space by doubling: */ - bufsize *= 2; - d->data = gnutls_realloc(d->data, bufsize); - if (d->data == NULL) { - err(0,"out of memory!\n"); - return -1; - }; - d->size = bufsize; - } - len += fread(d->data + len, 1, bufsize - len, f); - /* err(0,"read %d bytes\n", len); */ - } - if (ferror(f)) { - err(0,"Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); - return 
-1; - } - - /* touch up buffer size to match reality: */ - d->data = gnutls_realloc(d->data, len); - d->size = len; - return 0; -} - -/* read the file indicated (by name) in the fname parameter. store - its entire contents in a single datum. */ -int set_datum_file(gnutls_datum_t* d, const char* fname) { - struct stat sbuf; - unsigned char* c = NULL; - FILE* file = NULL; - size_t x = 0; - - if (0 != stat(fname, &sbuf)) { - err(0,"failed to stat '%s'\n", fname); - return -1; - } - - c = gnutls_realloc(d->data, sbuf.st_size); - if (NULL == c) { - err(0,"failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); - return -1; - } - - d->data = c; - d->size = sbuf.st_size; - file = fopen(fname, "r"); - if (NULL == file) { - err(0,"failed to open '%s' for reading\n", fname); - return -1; - } - - x = fread(d->data, d->size, 1, file); - if (x != 1) { - err(0,"tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); - fclose(file); - return -1; - } - fclose(file); - return 0; -} - -int write_datum_fd(int fd, const gnutls_datum_t* d) { - if (d->size != write(fd, d->data, d->size)) { - err(0,"failed to write body of datum.\n"); - return -1; - } - return 0; -} - - -int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { - uint32_t len; - int looks_negative = (d->data[0] & 0x80); - unsigned char zero = 0; - - /* if the first bit is 1, then the datum will appear negative in the - MPI encoding style used by OpenSSH. 
In that case, we'll increase - the length by one, and dump out one more byte */ - - if (looks_negative) { - len = htonl(d->size + 1); - } else { - len = htonl(d->size); - } - if (write(fd, &len, sizeof(len)) != sizeof(len)) { - err(0,"failed to write size of datum.\n"); - return -2; - } - if (looks_negative) { - if (write(fd, &zero, 1) != 1) { - err(0,"failed to write padding byte for MPI.\n"); - return -2; - } - } - return write_datum_fd(fd, d); -} - -int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num) { - unsigned int i; - int ret; - - for (i = 0; i < num; i++) - if (ret = write_datum_fd_with_length(fd, d[i]), ret != 0) - return ret; - - return 0; -} - - -int datum_from_string(gnutls_datum_t* d, const char* str) { - d->size = strlen(str); - d->data = gnutls_realloc(d->data, d->size); - if (d->data == 0) - return ENOMEM; - memcpy(d->data, str, d->size); - return 0; -} - - -int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { - int p[2]; - int ret; - - if (pid == NULL) { - err(0,"bad pointer passed to create_writing_pipe()\n"); - return -1; - } - - if (ret = pipe(p), ret == -1) { - err(0,"failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); - return -1; - } - - *pid = fork(); - if (*pid == -1) { - err(0,"Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); - return -1; - } - if (*pid == 0) { /* this is the child */ - close(p[1]); /* close unused write end */ - - if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ - err(0,"Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); - exit(1); - } - execvp(path, argv); - err(0,"exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); - /* close the open file descriptors */ - close(p[0]); - close(0); - - exit(1); - } else { /* this is the parent */ - close(p[0]); /* close unused read end */ - return p[1]; - } -} - -int validate_ssh_host_userid(const char* userid) { - char* 
oldlocale = setlocale(LC_ALL, "C"); - - /* choke if userid does not match the expected format - ("ssh://fully.qualified.domain.name") */ - if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { - err(0,"The user ID should start with ssh:// for a host key\n"); - goto fail; - } - /* so that isalnum will work properly */ - userid += strlen("ssh://"); - while (0 != (*userid)) { - if (!isalnum(*userid)) { - err(0,"label did not start with a letter or a digit! (%s)\n", userid); - goto fail; - } - userid++; - while (isalnum(*userid) || ('-' == (*userid))) - userid++; - if (('.' == (*userid)) || (0 == (*userid))) { /* clean end of label: - check last char - isalnum */ - if (!isalnum(*(userid - 1))) { - err(0,"label did not end with a letter or a digit!\n"); - goto fail; - } - if ('.' == (*userid)) /* advance to the start of the next label */ - userid++; - } else { - err(0,"invalid character in domain name: %c\n", *userid); - goto fail; - } - } - /* ensure that the last character is valid: */ - if (!isalnum(*(userid - 1))) { - err(0,"hostname did not end with a letter or a digit!\n"); - goto fail; - } - /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we - make sure that we've got an OK string? */ - - return 0; - - fail: - setlocale(LC_ALL, oldlocale); - return 1; -} - -/* http://tools.ietf.org/html/rfc4880#section-5.5.2 */ -size_t get_openpgp_mpi_size(gnutls_datum_t* d) { - return 2 + d->size; -} - -int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d) { - uint16_t x; - - x = d->size * 8; - x = htons(x); - - write(fd, &x, sizeof(x)); - write(fd, d->data, d->size); - - return 0; -} diff --git a/src/keytrans/gnutls-helpers.h b/src/keytrans/gnutls-helpers.h deleted file mode 100644 index bf54af0..0000000 --- a/src/keytrans/gnutls-helpers.h +++ /dev/null 
@@ -1,89 +0,0 @@ -/* Author: Daniel Kahn Gillmor */ -/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ -/* License: GPL v3 or later */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Functions to help dealing with GnuTLS for monkeysphere key - translation projects: */ - -/* set everything up, including logging levels. Return 0 on - success */ -int init_gnutls(); - -/* logging and output functions: */ - -void err(int level, const char* fmt, ...); -void logfunc(int level, const char* string); - -/* basic datum manipulations: */ - -void init_datum(gnutls_datum_t* d); -void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src); -int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b); -void free_datum(gnutls_datum_t* d); -int write_datum_fd(int fd, const gnutls_datum_t* d); -int write_datum_fd_with_length(int fd, const gnutls_datum_t* d); -int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num); - -/* set up a datum from a null-terminated string */ -int datum_from_string(gnutls_datum_t* d, const char* str); - -/* keyid manipulations: */ -typedef unsigned char printable_keyid[16]; - -void init_keyid(gnutls_openpgp_keyid_t keyid); -void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid); -void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in); -int convert_string_to_keyid(gnutls_openpgp_keyid_t out, const char* str); -int convert_string_to_printable_keyid(printable_keyid out, const char* str); - -/* you must have twice as many bytes in the out buffer as in the in buffer */ -void hex_print_data(char* out, const unsigned char* in, size_t incount); - -/* expects a null-terminated string as in, containing an even number - of hexadecimal characters. - - returns length in *bits* of raw data as output. - - the out buffer must be at least half as long as in to hold the - output. 
if out is NULL, no output will be generated, but the - length will still be returned. -*/ -unsigned int hexstring2bin(unsigned char* out, const char* in); - -/* functions to get data into datum objects: */ - -/* read the passed-in string, store in a single datum */ -int set_datum_string(gnutls_datum_t* d, const char* s); - -/* read the passed-in file descriptor until EOF, store in a single - datum */ -int set_datum_fd(gnutls_datum_t* d, int fd); - -/* read the file indicated (by name) in the fname parameter. store - its entire contents in a single datum. */ -int set_datum_file(gnutls_datum_t* d, const char* fname); - -/* set up file descriptor pipe for writing (child process pid gets - stored in pid, fd is returned)*/ -int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]); - -/* return 0 if userid matches the monkeysphere spec for ssh host user IDs */ -int validate_ssh_host_userid(const char* userid); - -/* how many bytes will it take to write out this datum in OpenPGP MPI form? */ -size_t get_openpgp_mpi_size(gnutls_datum_t* d); - -/* write the MPI stored in gnutls_datum_t to file descriptor fd: */ -int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d); diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c deleted file mode 100644 index f16eac5..0000000 --- a/src/keytrans/openpgp2ssh.c +++ /dev/null 
@@ -1,507 +0,0 @@
-#include "gnutls-helpers.h"
-
-#include
-#include
-
-/* for waitpid() */
-#include
-#include
-
-/*
- Author: Daniel Kahn Gillmor
- Date: 2008-06-12 13:47:41-0400
- License: GPL v3 or later
-
- monkeysphere key translator: execute this with an OpenPGP key on
- stdin, (please indicate the specific keyid that you want as the
- first argument if there are subkeys). At the moment, only public
- keys and passphraseless secret keys work.
-
- For secret keys, it will spit out a PEM-encoded version of the key
- on stdout, which can be fed into ssh-add like this:
-
- gpg --export-secret-keys $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin
-
- For public keys, it will spit out a single line of text that can
- (with some massaging) be used in an openssh known_hosts or
- authorized_keys file. For example:
-
- echo server.example.org $(gpg --export $KEYID | openpgp2ssh $KEYID) >> ~/.ssh/known_hosts
-
- Requirements: I've only built this so far with GnuTLS v2.3.x.
- GnuTLS 2.2.x does not contain the appropriate functionality.
-
- */
-
-
-/* FIXME: keyid should be const as well */
-int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_openpgp_privkey_t* pgp_privkey, const unsigned char* keyfpr, unsigned int fprlen) {
- gnutls_datum_t m, e, d, p, q, u, g, y, x;
- gnutls_pk_algorithm_t pgp_algo;
- unsigned int pgp_bits;
- int ret;
- int subkeyidx;
- int subkeycount;
- int found = 0;
- unsigned char fingerprint[20];
- size_t fingerprint_length = sizeof(fingerprint);
-
- init_datum(&m);
- init_datum(&e);
- init_datum(&d);
- init_datum(&p);
- init_datum(&q);
- init_datum(&u);
- init_datum(&g);
- init_datum(&y);
- init_datum(&x);
-
- subkeycount = gnutls_openpgp_privkey_get_subkey_count(*pgp_privkey);
- if (subkeycount < 0) {
- err(0,"Could not determine subkey count (got value %d)\n", subkeycount);
- return 1;
- }
-
- if ((keyfpr == NULL) &&
- (subkeycount > 0)) {
- err(0,"No key identifier passed in, but there were %d keys to choose from\n", subkeycount + 1);
- return 1;
- }
-
- if (keyfpr != NULL) {
- ret = gnutls_openpgp_privkey_get_fingerprint(*pgp_privkey, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint (error: %d)\n", ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(0, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- }
- if ((keyfpr == NULL) || (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0)) {
- /* we want to export the primary key: */
- err(0,"exporting primary key\n");
-
- /* FIXME: this is almost identical to the block below for subkeys.
- This clumsiness seems inherent in the gnutls OpenPGP API,
- though. ugh.
*/
- pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits);
- if (pgp_algo < 0) {
- err(0, "failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo);
- return 1;
- }
- if (pgp_algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0, "failed to export RSA key parameters (error: %d)\n", ret);
- return 1;
- }
-
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
- } else {
- /* lets trawl through the subkeys until we find the one we want: */
- for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) {
- ret = gnutls_openpgp_privkey_get_subkey_fingerprint(*pgp_privkey, subkeyidx, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint of subkey with index %d (error: %d)\n", subkeyidx, ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(1, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- if (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0) {
- err(0,"exporting subkey index %d\n", subkeyidx);
-
- /* FIXME: this is almost identical to the block above for the
- primary key.
*/
- pgp_algo = gnutls_openpgp_privkey_get_subkey_pk_algorithm(*pgp_privkey, subkeyidx, &pgp_bits);
- if (pgp_algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", pgp_algo);
- return pgp_algo;
- } else if (pgp_algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_subkey_rsa_raw(*pgp_privkey, subkeyidx, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits);
- ret = gnutls_openpgp_privkey_export_subkey_dsa_raw(*pgp_privkey, subkeyidx, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
- }
- }
- }
-
- if (!found) {
- err(0,"Could not find key in input\n");
- return 1;
- }
-
- if (pgp_algo == GNUTLS_PK_RSA) {
- ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0, "failed to import RSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (pgp_algo == GNUTLS_PK_DSA) {
- ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to import DSA key parameters (error: %d)\n", ret);
- return 1;
- }
- } else {
- err(0,"OpenPGP Key was not RSA or DSA -- can't deal!
(actual algorithm was: %d)\n", pgp_algo);
- return 1;
- }
-
- ret = gnutls_x509_privkey_fix(*output);
- if (ret != 0) {
- err(0,"failed to fix up the private key in X.509 format (error: %d)\n", ret);
- return 1;
- }
-
- return 0;
-}
-
-/* FIXME: keyid should be const also */
-int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, const unsigned char* keyfpr, size_t fprlen) {
- int ret;
- int subkeyidx;
- int subkeycount;
- int found = 0;
- gnutls_datum_t m, e, p, q, g, y, algolabel;
- unsigned int bits;
- gnutls_pk_algorithm_t algo;
- const gnutls_datum_t* all[5];
- const char* algoname;
- int mpicount;
- /* output_data must be at least 2 chars longer than the maximum possible
- algorithm name: */
- char output_data[20];
-
- unsigned char fingerprint[20];
- size_t fingerprint_length = sizeof(fingerprint);
-
- /* variables for the output conversion: */
- int pipestatus;
- int pipefd, child_pid;
- char* const b64args[] = {"sh", "-c", "base64 | tr -c -d '[A-Za-z0-9=+/]'", NULL};
-
- init_datum(&m);
- init_datum(&e);
- init_datum(&p);
- init_datum(&q);
- init_datum(&g);
- init_datum(&algolabel);
-
-
- /* figure out if we've got the right thing: */
- subkeycount = gnutls_openpgp_crt_get_subkey_count(*pgp_crt);
- if (subkeycount < 0) {
- err(0,"Could not determine subkey count (got value %d)\n", subkeycount);
- return 1;
- }
-
- if ((keyfpr == NULL) &&
- (subkeycount > 0)) {
- err(0,"No key identifier passed in, but there were %d keys to choose from\n", subkeycount + 1);
- return 1;
- }
-
- if (keyfpr != NULL) {
- ret = gnutls_openpgp_crt_get_fingerprint(*pgp_crt, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get key fingerprint (error: %d)\n", ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(0, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- }
- if ((keyfpr == NULL) ||
(memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0)) {
- /* we want to export the primary key: */
- err(0,"exporting primary key\n");
-
- /* FIXME: this is almost identical to the block below for subkeys.
- This clumsiness seems inherent in the gnutls OpenPGP API,
- though. ugh. */
- algo = gnutls_openpgp_crt_get_pk_algorithm(*pgp_crt, &bits);
- if (algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
- return algo;
- } else if (algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_pk_rsa_raw(*pgp_crt, &m, &e);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_pk_dsa_raw(*pgp_crt, &p, &q, &g, &y);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
-
- } else {
- /* lets trawl through the subkeys until we find the one we want: */
- for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) {
- ret = gnutls_openpgp_crt_get_subkey_fingerprint(*pgp_crt, subkeyidx, fingerprint, &fingerprint_length);
- if (ret) {
- err(0,"Could not get fingerprint of subkey with index %d (error: %d)\n", subkeyidx, ret);
- return 1;
- }
- if (fprlen > fingerprint_length) {
- err(0, "Requested key identifier is longer than computed fingerprint\n");
- return 1;
- }
- if (fingerprint_length > fprlen) {
- err(1, "Only comparing last %d bits of key fingerprint\n", fprlen*8);
- }
- if (memcmp(fingerprint + (fingerprint_length - fprlen), keyfpr, fprlen) == 0) {
- err(0,"exporting subkey index %d\n", subkeyidx);
-
- /* FIXME: this is almost identical to the block above for the
- primary key.
*/
- algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(*pgp_crt, subkeyidx, &bits);
- if (algo < 0) {
- err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo);
- return algo;
- } else if (algo == GNUTLS_PK_RSA) {
- err(0,"OpenPGP RSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(*pgp_crt, subkeyidx, &m, &e);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export RSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- } else if (algo == GNUTLS_PK_DSA) {
- err(0,"OpenPGP DSA certificate, with %d bits\n", bits);
- ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(*pgp_crt, subkeyidx, &p, &q, &g, &y);
- if (GNUTLS_E_SUCCESS != ret) {
- err(0,"failed to export DSA certificate parameters (error: %d)\n", ret);
- return 1;
- }
- }
- found = 1;
-
- }
- }
- }
-
- if (!found) {
- err(0,"Could not find key in input\n");
- return 1;
- }
-
- /* if we made it this far, we've got MPIs, and we've got the
- algorithm, so we just need to emit the info */
- if (algo == GNUTLS_PK_RSA) {
- algoname = "ssh-rsa";
- mpicount = 3;
-
- all[0] = &algolabel;
- all[1] = &e;
- all[2] = &m;
- } else if (algo == GNUTLS_PK_DSA) {
- algoname = "ssh-dss";
- mpicount = 5;
-
- all[0] = &algolabel;
- all[1] = &p;
- all[2] = &q;
- all[3] = &g;
- all[4] = &y;
- } else {
- err(0,"Key algorithm was neither DSA nor RSA (it was %d). Can't deal.
Sorry!\n", algo);
- return 1;
- }
-
- if (ret = datum_from_string(&algolabel, algoname), ret) {
- err(0,"couldn't label string (error: %d)\n", ret);
- return ret;
- }
-
- snprintf(output_data, sizeof(output_data), "%s ", algoname);
-
- pipefd = create_writing_pipe(&child_pid, b64args[0], b64args);
- if (pipefd < 0) {
- err(0,"failed to create a writing pipe (returned %d)\n", pipefd);
- return pipefd;
- }
-
- write(1, output_data, strlen(output_data));
-
- if (0 != write_data_fd_with_length(pipefd, all, mpicount)) {
- err(0,"was not able to write out RSA key data\n");
- return 1;
- }
- close(pipefd);
- if (child_pid != waitpid(child_pid, &pipestatus, 0)) {
- err(0,"could not wait for child process to return for some reason.\n");
- return 1;
- }
- if (pipestatus != 0) {
- err(0,"base64 pipe died with return code %d\n", pipestatus);
- return pipestatus;
- }
-
- write(1, "\n", 1);
-
- return 0;
-}
-
-int main(int argc, char* argv[]) {
- gnutls_datum_t data;
- int ret = 0;
- gnutls_x509_privkey_t x509_privkey;
- gnutls_openpgp_privkey_t pgp_privkey;
- gnutls_openpgp_crt_t pgp_crt;
-
- char output_data[10240];
- size_t ods = sizeof(output_data);
-
- unsigned char * fingerprint = NULL;
- size_t fpr_size;
- char * prettyfpr = NULL;
-
- init_gnutls();
-
- /* figure out what key we should be looking for: */
- if (argv[1] != NULL) {
- if (strlen(argv[1]) > 81) {
- /* safety check to avoid some sort of wacky overflow situation:
- there's no reason that the key id should be longer than twice
- a sane fingerprint (one byte between chars, and then another
- two at the beginning and end) */
- err(0, "Key identifier is way too long.
Please use at most 40 hex digits.\n");
- return 1;
- }
-
- fpr_size = hexstring2bin(NULL, argv[1]);
- if (fpr_size > 40*4) {
- err(0, "Key identifier is longer than 40 hex digits\n");
- return 1;
- }
- /* since fpr_size is initially in bits: */
- if (fpr_size % 8 != 0) {
- err(0, "Please provide an even number of hex digits for the key identifier\n");
- return 1;
- }
- fpr_size /= 8;
-
- fingerprint = malloc(sizeof(unsigned char) * fpr_size);
- bzero(fingerprint, sizeof(unsigned char) * fpr_size);
- hexstring2bin(fingerprint, argv[1]);
-
- prettyfpr = malloc(sizeof(unsigned char)*fpr_size*2 + 1);
- if (prettyfpr != NULL) {
- hex_print_data(prettyfpr, fingerprint, fpr_size);
- prettyfpr[sizeof(unsigned char)*fpr_size*2] = '\0';
- err(1, "searching for key with fingerprint '%s'\n", prettyfpr);
- free(prettyfpr);
- }
-
- if (fpr_size < 4) {
- err(0, "You MUST provide at least 8 hex digits in any key identifier\n");
- return 1;
- }
- if (fpr_size < 8)
- err(0, "You should provide at least 16 hex digits in any key identifier (proceeding with %d digits anyway)\n", fpr_size*2);
-
- }
-
-
- init_datum(&data);
-
- /* slurp in the key from stdin */
- if (ret = set_datum_fd(&data, 0), ret) {
- err(0,"didn't read file descriptor 0\n");
- return 1;
- }
-
-
- if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) {
- err(0,"Failed to initialized OpenPGP private key (error: %d)\n", ret);
- return 1;
- }
- /* check whether it's a private key or a public key, by trying them: */
- if ((gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_RAW, NULL, 0) == 0) ||
- (gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0) == 0)) {
- /* we're dealing with a private key */
- err(0,"Translating private key\n");
- if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) {
- err(0,"Failed to initialize X.509 private key for output (error: %d)\n", ret);
- return 1;
- }
-
- ret = convert_private_pgp_to_x509(&x509_privkey, &pgp_privkey,
fingerprint, fpr_size);
-
- gnutls_openpgp_privkey_deinit(pgp_privkey);
- if (ret)
- return ret;
-
- ret = gnutls_x509_privkey_export (x509_privkey,
- GNUTLS_X509_FMT_PEM,
- output_data,
- &ods);
- if (ret == 0) {
- write(1, output_data, ods);
- }
- gnutls_x509_privkey_deinit(x509_privkey);
-
- } else {
- if (ret = gnutls_openpgp_crt_init(&pgp_crt), ret) {
- err(0,"Failed to initialized OpenPGP certificate (error: %d)\n", ret);
- return 1;
- }
-
- if ((gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW) == 0) ||
- (gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64) == 0)) {
- /* we're dealing with a public key */
- err(0,"Translating public key\n");
-
- ret = emit_public_openssh_from_pgp(&pgp_crt, fingerprint, fpr_size);
- if (ret != 0)
- return ret;
-
- } else {
- /* we have no idea what kind of key this is at all anyway! */
- err(0,"Input does not contain any form of OpenPGP key I recognize.\n");
- return 1;
- }
- }
-
- gnutls_global_deinit();
- free(fingerprint);
- return 0;
-}
diff --git a/src/keytrans/pem2openpgp b/src/keytrans/pem2openpgp
deleted file mode 100755
index 8bf17fb..0000000
--- a/src/keytrans/pem2openpgp
+++ /dev/null
@@ -1,775 +0,0 @@
-#!/usr/bin/perl -w -T
-
-# pem2openpgp: take a PEM-encoded RSA private-key on standard input, a
-# User ID as the first argument, and generate an OpenPGP secret key
-# and certificate from it.
-
-# WARNING: the secret key material *will* appear on stdout (albeit in
-# OpenPGP form) -- if you redirect stdout to a file, make sure the
-# permissions on that file are appropriately locked down!
-
-# Usage:
-
-# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg --import
-
-# Authors:
-# Jameson Rollins
-# Daniel Kahn Gillmor
-
-# Started on: 2009-01-07 02:01:19-0500
-
-# License: GPL v3 or later (we may need to adjust this given that this
-# connects to OpenSSL via perl)
-
-use strict;
-use warnings;
-use File::Basename;
-use Crypt::OpenSSL::RSA;
-use Crypt::OpenSSL::Bignum;
-use Crypt::OpenSSL::Bignum::CTX;
-use Digest::SHA1;
-use MIME::Base64;
-use POSIX;
-
-## make sure all length() and substr() calls use bytes only:
-use bytes;
-
-my $old_format_packet_lengths = { one => 0,
- two => 1,
- four => 2,
- indeterminate => 3,
-};
-
-# see RFC 4880 section 9.1 (ignoring deprecated algorithms for now)
-my $asym_algos = { rsa => 1,
- elgamal => 16,
- dsa => 17,
- };
-
-# see RFC 4880 section 9.2
-my $ciphers = { plaintext => 0,
- idea => 1,
- tripledes => 2,
- cast5 => 3,
- blowfish => 4,
- aes128 => 7,
- aes192 => 8,
- aes256 => 9,
- twofish => 10,
- };
-
-# see RFC 4880 section 9.3
-my $zips = { uncompressed => 0,
- zip => 1,
- zlib => 2,
- bzip2 => 3,
- };
-
-# see RFC 4880 section 9.4
-my $digests = { md5 => 1,
- sha1 => 2,
- ripemd160 => 3,
- sha256 => 8,
- sha384 => 9,
- sha512 => 10,
- sha224 => 11,
- };
-
-# see RFC 4880 section 5.2.3.21
-my $usage_flags = { certify => 0x01,
- sign => 0x02,
- encrypt_comms => 0x04,
- encrypt_storage => 0x08,
- encrypt => 0x0c, ## both comms and storage
- split => 0x10, # the private key is split via secret sharing
- authenticate => 0x20,
- shared => 0x80, # more than one person holds the entire
private key
- };
-
-# see RFC 4880 section 4.3
-my $packet_types = { pubkey_enc_session => 1,
- sig => 2,
- symkey_enc_session => 3,
- onepass_sig => 4,
- seckey => 5,
- pubkey => 6,
- sec_subkey => 7,
- compressed_data => 8,
- symenc_data => 9,
- marker => 10,
- literal => 11,
- trust => 12,
- uid => 13,
- pub_subkey => 14,
- uat => 17,
- symenc_w_integrity => 18,
- mdc => 19,
- };
-
-# see RFC 4880 section 5.2.1
-my $sig_types = { binary_doc => 0x00,
- text_doc => 0x01,
- standalone => 0x02,
- generic_certification => 0x10,
- persona_certification => 0x11,
- casual_certification => 0x12,
- positive_certification => 0x13,
- subkey_binding => 0x18,
- primary_key_binding => 0x19,
- key_signature => 0x1f,
- key_revocation => 0x20,
- subkey_revocation => 0x28,
- certification_revocation => 0x30,
- timestamp => 0x40,
- thirdparty => 0x50,
- };
-
-
-# see RFC 4880 section 5.2.3.1
-my $subpacket_types = { sig_creation_time => 2,
- sig_expiration_time => 3,
- exportable => 4,
- trust_sig => 5,
- regex => 6,
- revocable => 7,
- key_expiration_time => 9,
- preferred_cipher => 11,
- revocation_key => 12,
- issuer => 16,
- notation => 20,
- preferred_digest => 21,
- preferred_compression => 22,
- keyserver_prefs => 23,
- preferred_keyserver => 24,
- primary_uid => 25,
- policy_uri => 26,
- usage_flags => 27,
- signers_uid => 28,
- revocation_reason => 29,
- features => 30,
- signature_target => 31,
- embedded_signature => 32,
- };
-
-# bitstring (see RFC 4880 section 5.2.3.24)
-my $features = { mdc => 0x01
- };
-
-# bitstring (see RFC 4880 5.2.3.17)
-my $keyserver_prefs = { nomodify => 0x80
- };
-
-###### end lookup tables ######
-
-# FIXME: if we want to be able to interpret openpgp data as well as
-# produce it, we need to produce key/value-swapped lookup tables as well.
-
-
-########### Math/Utility Functions ##############
-
-
-# see the bottom of page 43 of RFC 4880
-sub simple_checksum {
- my $bytes = shift;
-
- return unpack("%32W*",$bytes) % 65536;
-}
-
-# calculate the multiplicative inverse of a mod b this is euclid's
-# extended algorithm. For more information see:
-# http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm the
-# arguments here should be Crypt::OpenSSL::Bignum objects. $a should
-# be the larger of the two values, and the two values should be
-# coprime.
-
-sub modular_multi_inverse {
- my $a = shift;
- my $b = shift;
-
-
- my $origdivisor = $b->copy();
-
- my $ctx = Crypt::OpenSSL::Bignum::CTX->new();
- my $x = Crypt::OpenSSL::Bignum->zero();
- my $y = Crypt::OpenSSL::Bignum->one();
- my $lastx = Crypt::OpenSSL::Bignum->one();
- my $lasty = Crypt::OpenSSL::Bignum->zero();
-
- my $finalquotient;
- my $finalremainder;
-
- while (! $b->is_zero()) {
- my ($quotient, $remainder) = $a->div($b, $ctx);
-
- $a = $b;
- $b = $remainder;
-
- my $temp = $x;
- $x = $lastx->sub($quotient->mul($x, $ctx));
- $lastx = $temp;
-
- $temp = $y;
- $y = $lasty->sub($quotient->mul($y, $ctx));
- $lasty = $temp;
- }
-
- if (!$a->is_one()) {
- die "did this math wrong.\n";
- }
-
- # let's make sure that we return a positive value because RFC 4880,
- # section 3.2 only allows unsigned values:
-
- ($finalquotient, $finalremainder) = $lastx->add($origdivisor)->div($origdivisor, $ctx);
-
- return $finalremainder;
-}
-
-
-############ OpenPGP formatting functions ############
-
-# make an old-style packet out of the given packet type and body.
-# old-style (see RFC 4880 section 4.2)
-sub make_packet {
- my $type = shift;
- my $body = shift;
- my $options = shift;
-
- my $len = length($body);
- my $pseudolen = $len;
-
- # if the caller wants to use at least N octets of packet length,
- # pretend that we're using that many.
- if (defined $options && defined $options->{'packet_length'}) {
- $pseudolen = 2**($options->{'packet_length'} * 8) - 1;
- }
- if ($pseudolen < $len) {
- $pseudolen = $len;
- }
-
- my $lenbytes;
- my $lencode;
-
- if ($pseudolen < 2**8) {
- $lenbytes = $old_format_packet_lengths->{one};
- $lencode = 'C';
- } elsif ($pseudolen < 2**16) {
- $lenbytes = $old_format_packet_lengths->{two};
- $lencode = 'n';
- } elsif ($pseudolen < 2**31) {
- ## not testing against full 32 bits because i don't want to deal
- ## with potential overflow.
- $lenbytes = $old_format_packet_lengths->{four};
- $lencode = 'N';
- } else {
- ## what the hell do we do here?
- $lenbytes = $old_format_packet_lengths->{indeterminate};
- $lencode = '';
- }
-
- return pack('C'.$lencode, 0x80 + ($type * 4) + $lenbytes, $len).
- $body;
-}
-
-
-# takes a Crypt::OpenSSL::Bignum, returns it formatted as OpenPGP MPI
-# (RFC 4880 section 3.2)
-sub mpi_pack {
- my $num = shift;
-
- my $val = $num->to_bin();
- my $mpilen = length($val)*8;
-
-# this is a kludgy way to get the number of significant bits in the
-# first byte:
- my $bitsinfirstbyte = length(sprintf("%b", ord($val)));
-
- $mpilen -= (8 - $bitsinfirstbyte);
-
- return pack('n', $mpilen).$val;
-}
-
-# takes a Crypt::OpenSSL::Bignum, returns an MPI packed in preparation
-# for an OpenSSH-style public key format. see:
-# http://marc.info/?l=openssh-unix-dev&m=121866301718839&w=2
-sub openssh_mpi_pack {
- my $num = shift;
-
- my $val = $num->to_bin();
- my $mpilen = length($val);
-
- my $ret = pack('N', $mpilen);
-
- # if the first bit of the leading byte is high, we should include a
- # 0 byte:
- if (ord($val) & 0x80) {
- $ret = pack('NC', $mpilen+1, 0);
- }
-
- return $ret.$val;
-}
-
-sub openssh_pubkey_pack {
- my $key = shift;
-
- my ($modulus, $exponent) = $key->get_key_parameters();
-
- return openssh_mpi_pack(Crypt::OpenSSL::Bignum->new_from_bin("ssh-rsa")).
- openssh_mpi_pack($exponent).
- openssh_mpi_pack($modulus);
-}
-
-# pull an OpenPGP-specified MPI off of a given stream, returning it as
-# a Crypt::OpenSSL::Bignum.
-sub read_mpi {
- my $instr = shift;
- my $readtally = shift;
-
- my $bitlen;
- read($instr, $bitlen, 2) or die "could not read MPI length.\n";
- $bitlen = unpack('n', $bitlen);
- $$readtally += 2;
-
- my $bytestoread = POSIX::floor(($bitlen + 7)/8);
- my $ret;
- read($instr, $ret, $bytestoread) or die "could not read MPI body.\n";
- $$readtally += $bytestoread;
- return Crypt::OpenSSL::Bignum->new_from_bin($ret);
-}
-
-
-# FIXME: genericize these to accept either RSA or DSA keys:
-sub make_rsa_pub_key_body {
- my $key = shift;
- my $timestamp = shift;
-
- my ($n, $e) = $key->get_key_parameters();
-
- return
- pack('CN', 4, $timestamp).
- pack('C', $asym_algos->{rsa}).
- mpi_pack($n).
- mpi_pack($e);
-}
-
-sub make_rsa_sec_key_body {
- my $key = shift;
- my $timestamp = shift;
-
- # we're not using $a and $b, but we need them to get to $c.
- my ($n, $e, $d, $p, $q) = $key->get_key_parameters();
-
- my $c3 = modular_multi_inverse($p, $q);
-
- my $secret_material = mpi_pack($d).
- mpi_pack($p).
- mpi_pack($q).
- mpi_pack($c3);
-
- # according to Crypt::OpenSSL::RSA, the closest value we can get out
- # of get_key_parameters is 1/q mod p; but according to sec 5.5.3 of
- # RFC 4880, we're actually looking for u, the multiplicative inverse
- # of p, mod q. This is why we're calculating the value directly
- # with modular_multi_inverse.
-
- return
- pack('CN', 4, $timestamp).
- pack('C', $asym_algos->{rsa}).
- mpi_pack($n).
- mpi_pack($e).
- pack('C', 0). # seckey material is not encrypted -- see RFC 4880 sec 5.5.3
- $secret_material.
- pack('n', simple_checksum($secret_material));
-}
-
-# expects an RSA key (public or private) and a timestamp
-sub fingerprint {
- my $key = shift;
- my $timestamp = shift;
-
- my $rsabody = make_rsa_pub_key_body($key, $timestamp);
-
- return Digest::SHA1::sha1(pack('Cn', 0x99, length($rsabody)).$rsabody);
-}
-
-
-# FIXME: handle DSA keys as well!
-sub pem2openpgp {
- my $rsa = shift;
- my $uid = shift;
- my $args = shift;
-
- $rsa->use_sha1_hash();
-
- # see page 22 of RFC 4880 for why i think this is the right padding
- # choice to use:
- $rsa->use_pkcs1_padding();
-
- if (! $rsa->check_key()) {
- die "key does not check";
- }
-
- my $version = pack('C', 4);
- # strong assertion of identity:
- my $sigtype = pack('C', $sig_types->{positive_certification});
- # RSA
- my $pubkey_algo = pack('C', $asym_algos->{rsa});
- # SHA1
- my $hash_algo = pack('C', $digests->{sha1});
-
- # FIXME: i'm worried about generating a bazillion new OpenPGP
- # certificates from the same key, which could easily happen if you run
- # this script more than once against the same key (because the
- # timestamps will differ). How can we prevent this?
-
- # this environment variable (if set) overrides the current time, to
- # be able to create a standard key? If we read the key from a file
- # instead of stdin, should we use the creation time on the file?
- my $timestamp = 0;
- if (defined $args->{timestamp}) {
- $timestamp = ($args->{timestamp} + 0);
- } else {
- $timestamp = time();
- }
-
- my $creation_time_packet = pack('CCN', 5, $subpacket_types->{sig_creation_time}, $timestamp);
-
-
- my $flags = 0;
- if (! defined $args->{usage_flags}) {
- $flags = $usage_flags->{certify};
- } else {
- my @ff = split(",", $args->{usage_flags});
- foreach my $f (@ff) {
- if (!
defined $usage_flags->{$f}) {
- die "No such flag $f";
- }
- $flags |= $usage_flags->{$f};
- }
- }
-
- my $usage_packet = pack('CCC', 2, $subpacket_types->{usage_flags}, $flags);
-
-
- # how should we determine how far off to set the expiration date?
- # default is no expiration. Specify the timestamp in seconds from the
- # key creation.
- my $expiration_packet = '';
- if (defined $args->{expiration}) {
- my $expires_in = $args->{expiration} + 0;
- $expiration_packet = pack('CCN', 5, $subpacket_types->{key_expiration_time}, $expires_in);
- }
-
-
- # prefer AES-256, AES-192, AES-128, CAST5, 3DES:
- my $pref_sym_algos = pack('CCCCCCC', 6, $subpacket_types->{preferred_cipher},
- $ciphers->{aes256},
- $ciphers->{aes192},
- $ciphers->{aes128},
- $ciphers->{cast5},
- $ciphers->{tripledes}
- );
-
- # prefer SHA-1, SHA-256, RIPE-MD/160
- my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest},
- $digests->{sha1},
- $digests->{sha256},
- $digests->{ripemd160}
- );
-
- # prefer ZLIB, BZip2, ZIP
- my $pref_zip_algos = pack('CCCCC', 4, $subpacket_types->{preferred_compression},
- $zips->{zlib},
- $zips->{bzip2},
- $zips->{zip}
- );
-
- # we support the MDC feature:
- my $feature_subpacket = pack('CCC', 2, $subpacket_types->{features},
- $features->{mdc});
-
- # keyserver preference: only owner modify (???):
- my $keyserver_pref = pack('CCC', 2, $subpacket_types->{keyserver_prefs},
- $keyserver_prefs->{nomodify});
-
- my $subpackets_to_be_hashed =
- $creation_time_packet.
- $usage_packet.
- $expiration_packet.
- $pref_sym_algos.
- $pref_hash_algos.
- $pref_zip_algos.
- $feature_subpacket.
- $keyserver_pref;
-
- my $subpacket_octets = pack('n', length($subpackets_to_be_hashed));
-
- my $sig_data_to_be_hashed =
- $version.
- $sigtype.
- $pubkey_algo.
- $hash_algo.
- $subpacket_octets.
- $subpackets_to_be_hashed;
-
- my $pubkey = make_rsa_pub_key_body($rsa, $timestamp);
- my $seckey = make_rsa_sec_key_body($rsa, $timestamp);
-
- # this is for signing.
it needs to be an old-style header with a
- # 2-packet octet count.
-
- my $key_data = make_packet($packet_types->{pubkey}, $pubkey, {'packet_length'=>2});
-
- # take the last 8 bytes of the fingerprint as the keyid:
- my $keyid = substr(fingerprint($rsa, $timestamp), 20 - 8, 8);
-
- # the v4 signature trailer is:
-
- # version number, literal 0xff, and then a 4-byte count of the
- # signature data itself.
- my $trailer = pack('CCN', 4, 0xff, length($sig_data_to_be_hashed));
-
- my $uid_data =
- pack('CN', 0xb4, length($uid)).
- $uid;
-
- my $datatosign =
- $key_data.
- $uid_data.
- $sig_data_to_be_hashed.
- $trailer;
-
- my $data_hash = Digest::SHA1::sha1_hex($datatosign);
-
- my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid);
-
- my $sig = Crypt::OpenSSL::Bignum->new_from_bin($rsa->sign($datatosign));
-
- my $sig_body =
- $sig_data_to_be_hashed.
- pack('n', length($issuer_packet)).
- $issuer_packet.
- pack('n', hex(substr($data_hash, 0, 4))).
- mpi_pack($sig);
-
- return
- make_packet($packet_types->{seckey}, $seckey).
- make_packet($packet_types->{uid}, $uid).
- make_packet($packet_types->{sig}, $sig_body);
-}
-
-
-sub openpgp2ssh {
- my $instr = shift;
- my $fpr = shift;
-
- if (defined $fpr) {
- if (length($fpr) < 8) {
- die "We need at least 8 hex digits of fingerprint.\n";
- }
- $fpr = uc($fpr);
- }
-
- my $packettag;
- my $dummy;
- my $tag;
-
- my $key;
-
- while (! eof($instr)) {
- read($instr, $packettag, 1);
- $packettag = ord($packettag);
-
- my $packetlen;
- if ( !
(0x80 & $packettag)) {
- die "This is not an OpenPGP packet\n";
- }
- if (0x40 & $packettag) {
- $tag = (0x3f & $packettag);
- my $nextlen = 0;
- read($instr, $nextlen, 1);
- $nextlen = ord($nextlen);
- if ($nextlen < 192) {
- $packetlen = $nextlen;
- } elsif ($nextlen < 224) {
- my $newoct;
- read($instr, $newoct, 1);
- $newoct = ord($newoct);
- $packetlen = (($nextlen - 192) << 8) + ($newoct) + 192;
- } elsif ($nextlen == 255) {
- read($instr, $nextlen, 4);
- $packetlen = unpack('N', $nextlen);
- } else {
- # packet length is undefined.
- }
- } else {
- my $lentype;
- $lentype = 0x03 & $packettag;
- $tag = ( 0x3c & $packettag ) >> 2;
- if ($lentype == 0) {
- read($instr, $packetlen, 1) or die "could not read packet length\n";
- $packetlen = unpack('C', $packetlen);
- } elsif ($lentype == 1) {
- read($instr, $packetlen, 2) or die "could not read packet length\n";
- $packetlen = unpack('n', $packetlen);
- } elsif ($lentype == 2) {
- read($instr, $packetlen, 4) or die "could not read packet length\n";
- $packetlen = unpack('N', $packetlen);
- } else {
- # packet length is undefined.
- }
- }
-
- if (! defined($packetlen)) {
- die "Undefined packet lengths are not supported.\n";
- }
-
- if ($tag == $packet_types->{pubkey} ||
- $tag == $packet_types->{pub_subkey} ||
- $tag == $packet_types->{seckey} ||
- $tag == $packet_types->{sec_subkey}) {
- my $ver;
- my $readbytes = 0;
- read($instr, $ver, 1) or die "could not read key version\n";
- $readbytes += 1;
- $ver = ord($ver);
-
- if ($ver != 4) {
- printf(STDERR "We only work with version 4 keys.
This key appears to be version %s.\n", $ver); - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - } else { - - my $timestamp; - read($instr, $timestamp, 4) or die "could not read key timestamp.\n"; - $readbytes += 4; - $timestamp = unpack('N', $timestamp); - - my $algo; - read($instr, $algo, 1) or die "could not read key algorithm.\n"; - $readbytes += 1; - $algo = ord($algo); - if ($algo != $asym_algos->{rsa}) { - printf(STDERR "We only support RSA keys (this key used algorithm %d).\n", $algo); - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - } else { - ## we have an RSA key. - my $modulus = read_mpi($instr, \$readbytes); - my $exponent = read_mpi($instr, \$readbytes); - - my $pubkey = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, $exponent); - my $foundfpr = fingerprint($pubkey, $timestamp); - - my $foundfprstr = Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex(); - - # is this a match? 
- if ((!defined($fpr)) || - (substr($foundfprstr, -1 * length($fpr)) eq $fpr)) { - if (defined($key)) { - die "Found two matching keys.\n"; - } - $key = $pubkey; - } - - if ($tag == $packet_types->{seckey} || - $tag == $packet_types->{sec_subkey}) { - if (!defined($key)) { # we don't think the public part of - # this key matches - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - } else { - my $s2k; - read($instr, $s2k, 1) or die "Could not read S2K octet.\n"; - $readbytes += 1; - $s2k = ord($s2k); - if ($s2k == 0) { - # secret material is unencrypted - # see http://tools.ietf.org/html/rfc4880#section-5.5.3 - my $d = read_mpi($instr, \$readbytes); - my $p = read_mpi($instr, \$readbytes); - my $q = read_mpi($instr, \$readbytes); - my $u = read_mpi($instr, \$readbytes); - - my $checksum; - read($instr, $checksum, 2) or die "Could not read checksum of secret key material.\n"; - $readbytes += 2; - $checksum = unpack('n', $checksum); - - # FIXME: compare with the checksum! how? the data is - # gone into the Crypt::OpenSSL::Bignum - - $key = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, - $exponent, - $d, - $p, - $q); - - $key->check_key() or die "Secret key is not a valid RSA key.\n"; - } else { - print(STDERR "We cannot handle encrypted secret keys. Skipping!\n") ; - read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; - } - } - } - - } - } - } else { - read($instr, $dummy, $packetlen) or die "Could not skip past this packet!\n"; - } - } - - return $key; -} - - -for (basename($0)) { - if (/^pem2openpgp$/) { - my $rsa; - my $stdin; - - my $uid = shift; - defined($uid) or die "You must specify a user ID string.\n"; - - # FIXME: fail if there is no given user ID; or should we default to - # hostname_long() from Sys::Hostname::Long ? 
- - - if (defined $ENV{PEM2OPENPGP_NEWKEY}) { - $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); - } else { - $stdin = do { - local $/; # slurp! - ; - }; - - $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); - } - - print pem2openpgp($rsa, - $uid, - { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, - expiration => $ENV{PEM2OPENPGP_EXPIRATION}, - usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, - } - ); - } - elsif (/^openpgp2ssh$/) { - my $fpr = shift; - my $instream; - open($instream,'-'); - binmode($instream, ":bytes"); - my $key = openpgp2ssh($instream, $fpr); - if (defined($key)) { - if ($key->is_private()) { - print $key->get_private_key_string(); - } else { - print "ssh-rsa ".encode_base64(openssh_pubkey_pack($key), '')."\n"; - } - } else { - die "No matching key found.\n"; - } - } - else { - die "Unrecognized keytrans call.\n"; - } -} - diff --git a/src/openpgp2ssh b/src/openpgp2ssh new file mode 120000 index 0000000..edcb6a3 --- /dev/null +++ b/src/openpgp2ssh @@ -0,0 +1 @@ +share/keytrans \ No newline at end of file diff --git a/src/pem2openpgp b/src/pem2openpgp new file mode 120000 index 0000000..edcb6a3 --- /dev/null +++ b/src/pem2openpgp @@ -0,0 +1 @@ +share/keytrans \ No newline at end of file diff --git a/src/share/keytrans b/src/share/keytrans new file mode 100755 index 0000000..8bf17fb --- /dev/null +++ b/src/share/keytrans 
@@ -0,0 +1,775 @@ +#!/usr/bin/perl -w -T + +# pem2openpgp: take a PEM-encoded RSA private-key on standard input, a +# User ID as the first argument, and generate an OpenPGP secret key +# and certificate from it. + +# WARNING: the secret key material *will* appear on stdout (albeit in +# OpenPGP form) -- if you redirect stdout to a file, make sure the +# permissions on that file are appropriately locked down! + +# Usage: + +# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg --import + +# Authors: +# Jameson Rollins +# Daniel Kahn Gillmor + +# Started on: 2009-01-07 02:01:19-0500 + +# License: GPL v3 or later (we may need to adjust this given that this +# connects to OpenSSL via perl) + +use strict; +use warnings; +use File::Basename; +use Crypt::OpenSSL::RSA; +use Crypt::OpenSSL::Bignum; +use Crypt::OpenSSL::Bignum::CTX; +use Digest::SHA1; +use MIME::Base64; +use POSIX; + +## make sure all length() and substr() calls use bytes only: +use bytes; + +my $old_format_packet_lengths = { one => 0, + two => 1, + four => 2, + indeterminate => 3, +}; + +# see RFC 4880 section 9.1 (ignoring deprecated algorithms for now) +my $asym_algos = { rsa => 1, + elgamal => 16, + dsa => 17, + }; + +# see RFC 4880 section 9.2 +my $ciphers = { plaintext => 0, + idea => 1, + tripledes => 2, + cast5 => 3, + blowfish => 4, + aes128 => 7, + aes192 => 8, + aes256 => 9, + twofish => 10, + }; + +# see RFC 4880 section 9.3 +my $zips = { uncompressed => 0, + zip => 1, + zlib => 2, + bzip2 => 3, + }; + +# see RFC 4880 section 9.4 +my $digests = { md5 => 1, + sha1 => 2, + ripemd160 => 3, + sha256 => 8, + sha384 => 9, + sha512 => 10, + sha224 => 11, + }; + +# see RFC 4880 section 5.2.3.21 +my $usage_flags = { certify => 0x01, + sign => 0x02, + encrypt_comms => 0x04, + encrypt_storage => 0x08, + encrypt => 0x0c, ## both comms and storage + split => 0x10, # the private key is split via secret sharing + authenticate => 0x20, + shared => 0x80, # more than one person holds the entire 
private key + }; + +# see RFC 4880 section 4.3 +my $packet_types = { pubkey_enc_session => 1, + sig => 2, + symkey_enc_session => 3, + onepass_sig => 4, + seckey => 5, + pubkey => 6, + sec_subkey => 7, + compressed_data => 8, + symenc_data => 9, + marker => 10, + literal => 11, + trust => 12, + uid => 13, + pub_subkey => 14, + uat => 17, + symenc_w_integrity => 18, + mdc => 19, + }; + +# see RFC 4880 section 5.2.1 +my $sig_types = { binary_doc => 0x00, + text_doc => 0x01, + standalone => 0x02, + generic_certification => 0x10, + persona_certification => 0x11, + casual_certification => 0x12, + positive_certification => 0x13, + subkey_binding => 0x18, + primary_key_binding => 0x19, + key_signature => 0x1f, + key_revocation => 0x20, + subkey_revocation => 0x28, + certification_revocation => 0x30, + timestamp => 0x40, + thirdparty => 0x50, + }; + + +# see RFC 4880 section 5.2.3.1 +my $subpacket_types = { sig_creation_time => 2, + sig_expiration_time => 3, + exportable => 4, + trust_sig => 5, + regex => 6, + revocable => 7, + key_expiration_time => 9, + preferred_cipher => 11, + revocation_key => 12, + issuer => 16, + notation => 20, + preferred_digest => 21, + preferred_compression => 22, + keyserver_prefs => 23, + preferred_keyserver => 24, + primary_uid => 25, + policy_uri => 26, + usage_flags => 27, + signers_uid => 28, + revocation_reason => 29, + features => 30, + signature_target => 31, + embedded_signature => 32, + }; + +# bitstring (see RFC 4880 section 5.2.3.24) +my $features = { mdc => 0x01 + }; + +# bitstring (see RFC 4880 5.2.3.17) +my $keyserver_prefs = { nomodify => 0x80 + }; + +###### end lookup tables ###### + +# FIXME: if we want to be able to interpret openpgp data as well as +# produce it, we need to produce key/value-swapped lookup tables as well. 
+ + +########### Math/Utility Functions ############## + + +# see the bottom of page 43 of RFC 4880 +sub simple_checksum { + my $bytes = shift; + + return unpack("%32W*",$bytes) % 65536; +} + +# calculate the multiplicative inverse of a mod b this is euclid's +# extended algorithm. For more information see: +# http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm the +# arguments here should be Crypt::OpenSSL::Bignum objects. $a should +# be the larger of the two values, and the two values should be +# coprime. + +sub modular_multi_inverse { + my $a = shift; + my $b = shift; + + + my $origdivisor = $b->copy(); + + my $ctx = Crypt::OpenSSL::Bignum::CTX->new(); + my $x = Crypt::OpenSSL::Bignum->zero(); + my $y = Crypt::OpenSSL::Bignum->one(); + my $lastx = Crypt::OpenSSL::Bignum->one(); + my $lasty = Crypt::OpenSSL::Bignum->zero(); + + my $finalquotient; + my $finalremainder; + + while (! $b->is_zero()) { + my ($quotient, $remainder) = $a->div($b, $ctx); + + $a = $b; + $b = $remainder; + + my $temp = $x; + $x = $lastx->sub($quotient->mul($x, $ctx)); + $lastx = $temp; + + $temp = $y; + $y = $lasty->sub($quotient->mul($y, $ctx)); + $lasty = $temp; + } + + if (!$a->is_one()) { + die "did this math wrong.\n"; + } + + # let's make sure that we return a positive value because RFC 4880, + # section 3.2 only allows unsigned values: + + ($finalquotient, $finalremainder) = $lastx->add($origdivisor)->div($origdivisor, $ctx); + + return $finalremainder; +} + + +############ OpenPGP formatting functions ############ + +# make an old-style packet out of the given packet type and body. +# old-style (see RFC 4880 section 4.2) +sub make_packet { + my $type = shift; + my $body = shift; + my $options = shift; + + my $len = length($body); + my $pseudolen = $len; + + # if the caller wants to use at least N octets of packet length, + # pretend that we're using that many. 
+ if (defined $options && defined $options->{'packet_length'}) { + $pseudolen = 2**($options->{'packet_length'} * 8) - 1; + } + if ($pseudolen < $len) { + $pseudolen = $len; + } + + my $lenbytes; + my $lencode; + + if ($pseudolen < 2**8) { + $lenbytes = $old_format_packet_lengths->{one}; + $lencode = 'C'; + } elsif ($pseudolen < 2**16) { + $lenbytes = $old_format_packet_lengths->{two}; + $lencode = 'n'; + } elsif ($pseudolen < 2**31) { + ## not testing against full 32 bits because i don't want to deal + ## with potential overflow. + $lenbytes = $old_format_packet_lengths->{four}; + $lencode = 'N'; + } else { + ## what the hell do we do here? + $lenbytes = $old_format_packet_lengths->{indeterminate}; + $lencode = ''; + } + + return pack('C'.$lencode, 0x80 + ($type * 4) + $lenbytes, $len). + $body; +} + + +# takes a Crypt::OpenSSL::Bignum, returns it formatted as OpenPGP MPI +# (RFC 4880 section 3.2) +sub mpi_pack { + my $num = shift; + + my $val = $num->to_bin(); + my $mpilen = length($val)*8; + +# this is a kludgy way to get the number of significant bits in the +# first byte: + my $bitsinfirstbyte = length(sprintf("%b", ord($val))); + + $mpilen -= (8 - $bitsinfirstbyte); + + return pack('n', $mpilen).$val; +} + +# takes a Crypt::OpenSSL::Bignum, returns an MPI packed in preparation +# for an OpenSSH-style public key format. see: +# http://marc.info/?l=openssh-unix-dev&m=121866301718839&w=2 +sub openssh_mpi_pack { + my $num = shift; + + my $val = $num->to_bin(); + my $mpilen = length($val); + + my $ret = pack('N', $mpilen); + + # if the first bit of the leading byte is high, we should include a + # 0 byte: + if (ord($val) & 0x80) { + $ret = pack('NC', $mpilen+1, 0); + } + + return $ret.$val; +} + +sub openssh_pubkey_pack { + my $key = shift; + + my ($modulus, $exponent) = $key->get_key_parameters(); + + return openssh_mpi_pack(Crypt::OpenSSL::Bignum->new_from_bin("ssh-rsa")). + openssh_mpi_pack($exponent). 
+ openssh_mpi_pack($modulus); +} + +# pull an OpenPGP-specified MPI off of a given stream, returning it as +# a Crypt::OpenSSL::Bignum. +sub read_mpi { + my $instr = shift; + my $readtally = shift; + + my $bitlen; + read($instr, $bitlen, 2) or die "could not read MPI length.\n"; + $bitlen = unpack('n', $bitlen); + $$readtally += 2; + + my $bytestoread = POSIX::floor(($bitlen + 7)/8); + my $ret; + read($instr, $ret, $bytestoread) or die "could not read MPI body.\n"; + $$readtally += $bytestoread; + return Crypt::OpenSSL::Bignum->new_from_bin($ret); +} + + +# FIXME: genericize these to accept either RSA or DSA keys: +sub make_rsa_pub_key_body { + my $key = shift; + my $timestamp = shift; + + my ($n, $e) = $key->get_key_parameters(); + + return + pack('CN', 4, $timestamp). + pack('C', $asym_algos->{rsa}). + mpi_pack($n). + mpi_pack($e); +} + +sub make_rsa_sec_key_body { + my $key = shift; + my $timestamp = shift; + + # we're not using $a and $b, but we need them to get to $c. + my ($n, $e, $d, $p, $q) = $key->get_key_parameters(); + + my $c3 = modular_multi_inverse($p, $q); + + my $secret_material = mpi_pack($d). + mpi_pack($p). + mpi_pack($q). + mpi_pack($c3); + + # according to Crypt::OpenSSL::RSA, the closest value we can get out + # of get_key_parameters is 1/q mod p; but according to sec 5.5.3 of + # RFC 4880, we're actually looking for u, the multiplicative inverse + # of p, mod q. This is why we're calculating the value directly + # with modular_multi_inverse. + + return + pack('CN', 4, $timestamp). + pack('C', $asym_algos->{rsa}). + mpi_pack($n). + mpi_pack($e). + pack('C', 0). # seckey material is not encrypted -- see RFC 4880 sec 5.5.3 + $secret_material. 
+ pack('n', simple_checksum($secret_material)); +} + +# expects an RSA key (public or private) and a timestamp +sub fingerprint { + my $key = shift; + my $timestamp = shift; + + my $rsabody = make_rsa_pub_key_body($key, $timestamp); + + return Digest::SHA1::sha1(pack('Cn', 0x99, length($rsabody)).$rsabody); +} + + +# FIXME: handle DSA keys as well! +sub pem2openpgp { + my $rsa = shift; + my $uid = shift; + my $args = shift; + + $rsa->use_sha1_hash(); + + # see page 22 of RFC 4880 for why i think this is the right padding + # choice to use: + $rsa->use_pkcs1_padding(); + + if (! $rsa->check_key()) { + die "key does not check"; + } + + my $version = pack('C', 4); + # strong assertion of identity: + my $sigtype = pack('C', $sig_types->{positive_certification}); + # RSA + my $pubkey_algo = pack('C', $asym_algos->{rsa}); + # SHA1 + my $hash_algo = pack('C', $digests->{sha1}); + + # FIXME: i'm worried about generating a bazillion new OpenPGP + # certificates from the same key, which could easily happen if you run + # this script more than once against the same key (because the + # timestamps will differ). How can we prevent this? + + # this environment variable (if set) overrides the current time, to + # be able to create a standard key? If we read the key from a file + # instead of stdin, should we use the creation time on the file? + my $timestamp = 0; + if (defined $args->{timestamp}) { + $timestamp = ($args->{timestamp} + 0); + } else { + $timestamp = time(); + } + + my $creation_time_packet = pack('CCN', 5, $subpacket_types->{sig_creation_time}, $timestamp); + + + my $flags = 0; + if (! defined $args->{usage_flags}) { + $flags = $usage_flags->{certify}; + } else { + my @ff = split(",", $args->{usage_flags}); + foreach my $f (@ff) { + if (! 
defined $usage_flags->{$f}) { + die "No such flag $f"; + } + $flags |= $usage_flags->{$f}; + } + } + + my $usage_packet = pack('CCC', 2, $subpacket_types->{usage_flags}, $flags); + + + # how should we determine how far off to set the expiration date? + # default is no expiration. Specify the timestamp in seconds from the + # key creation. + my $expiration_packet = ''; + if (defined $args->{expiration}) { + my $expires_in = $args->{expiration} + 0; + $expiration_packet = pack('CCN', 5, $subpacket_types->{key_expiration_time}, $expires_in); + } + + + # prefer AES-256, AES-192, AES-128, CAST5, 3DES: + my $pref_sym_algos = pack('CCCCCCC', 6, $subpacket_types->{preferred_cipher}, + $ciphers->{aes256}, + $ciphers->{aes192}, + $ciphers->{aes128}, + $ciphers->{cast5}, + $ciphers->{tripledes} + ); + + # prefer SHA-1, SHA-256, RIPE-MD/160 + my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest}, + $digests->{sha1}, + $digests->{sha256}, + $digests->{ripemd160} + ); + + # prefer ZLIB, BZip2, ZIP + my $pref_zip_algos = pack('CCCCC', 4, $subpacket_types->{preferred_compression}, + $zips->{zlib}, + $zips->{bzip2}, + $zips->{zip} + ); + + # we support the MDC feature: + my $feature_subpacket = pack('CCC', 2, $subpacket_types->{features}, + $features->{mdc}); + + # keyserver preference: only owner modify (???): + my $keyserver_pref = pack('CCC', 2, $subpacket_types->{keyserver_prefs}, + $keyserver_prefs->{nomodify}); + + my $subpackets_to_be_hashed = + $creation_time_packet. + $usage_packet. + $expiration_packet. + $pref_sym_algos. + $pref_hash_algos. + $pref_zip_algos. + $feature_subpacket. + $keyserver_pref; + + my $subpacket_octets = pack('n', length($subpackets_to_be_hashed)); + + my $sig_data_to_be_hashed = + $version. + $sigtype. + $pubkey_algo. + $hash_algo. + $subpacket_octets. + $subpackets_to_be_hashed; + + my $pubkey = make_rsa_pub_key_body($rsa, $timestamp); + my $seckey = make_rsa_sec_key_body($rsa, $timestamp); + + # this is for signing. 
it needs to be an old-style header with a + # 2-packet octet count. + + my $key_data = make_packet($packet_types->{pubkey}, $pubkey, {'packet_length'=>2}); + + # take the last 8 bytes of the fingerprint as the keyid: + my $keyid = substr(fingerprint($rsa, $timestamp), 20 - 8, 8); + + # the v4 signature trailer is: + + # version number, literal 0xff, and then a 4-byte count of the + # signature data itself. + my $trailer = pack('CCN', 4, 0xff, length($sig_data_to_be_hashed)); + + my $uid_data = + pack('CN', 0xb4, length($uid)). + $uid; + + my $datatosign = + $key_data. + $uid_data. + $sig_data_to_be_hashed. + $trailer; + + my $data_hash = Digest::SHA1::sha1_hex($datatosign); + + my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid); + + my $sig = Crypt::OpenSSL::Bignum->new_from_bin($rsa->sign($datatosign)); + + my $sig_body = + $sig_data_to_be_hashed. + pack('n', length($issuer_packet)). + $issuer_packet. + pack('n', hex(substr($data_hash, 0, 4))). + mpi_pack($sig); + + return + make_packet($packet_types->{seckey}, $seckey). + make_packet($packet_types->{uid}, $uid). + make_packet($packet_types->{sig}, $sig_body); +} + + +sub openpgp2ssh { + my $instr = shift; + my $fpr = shift; + + if (defined $fpr) { + if (length($fpr) < 8) { + die "We need at least 8 hex digits of fingerprint.\n"; + } + $fpr = uc($fpr); + } + + my $packettag; + my $dummy; + my $tag; + + my $key; + + while (! eof($instr)) { + read($instr, $packettag, 1); + $packettag = ord($packettag); + + my $packetlen; + if ( ! 
(0x80 & $packettag)) { + die "This is not an OpenPGP packet\n"; + } + if (0x40 & $packettag) { + $tag = (0x3f & $packettag); + my $nextlen = 0; + read($instr, $nextlen, 1); + $nextlen = ord($nextlen); + if ($nextlen < 192) { + $packetlen = $nextlen; + } elsif ($nextlen < 224) { + my $newoct; + read($instr, $newoct, 1); + $newoct = ord($newoct); + $packetlen = (($nextlen - 192) << 8) + ($newoct) + 192; + } elsif ($nextlen == 255) { + read($instr, $nextlen, 4); + $packetlen = unpack('N', $nextlen); + } else { + # packet length is undefined. + } + } else { + my $lentype; + $lentype = 0x03 & $packettag; + $tag = ( 0x3c & $packettag ) >> 2; + if ($lentype == 0) { + read($instr, $packetlen, 1) or die "could not read packet length\n"; + $packetlen = unpack('C', $packetlen); + } elsif ($lentype == 1) { + read($instr, $packetlen, 2) or die "could not read packet length\n"; + $packetlen = unpack('n', $packetlen); + } elsif ($lentype == 2) { + read($instr, $packetlen, 4) or die "could not read packet length\n"; + $packetlen = unpack('N', $packetlen); + } else { + # packet length is undefined. + } + } + + if (! defined($packetlen)) { + die "Undefined packet lengths are not supported.\n"; + } + + if ($tag == $packet_types->{pubkey} || + $tag == $packet_types->{pub_subkey} || + $tag == $packet_types->{seckey} || + $tag == $packet_types->{sec_subkey}) { + my $ver; + my $readbytes = 0; + read($instr, $ver, 1) or die "could not read key version\n"; + $readbytes += 1; + $ver = ord($ver); + + if ($ver != 4) { + printf(STDERR "We only work with version 4 keys. 
This key appears to be version %s.\n", $ver); + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } else { + + my $timestamp; + read($instr, $timestamp, 4) or die "could not read key timestamp.\n"; + $readbytes += 4; + $timestamp = unpack('N', $timestamp); + + my $algo; + read($instr, $algo, 1) or die "could not read key algorithm.\n"; + $readbytes += 1; + $algo = ord($algo); + if ($algo != $asym_algos->{rsa}) { + printf(STDERR "We only support RSA keys (this key used algorithm %d).\n", $algo); + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } else { + ## we have an RSA key. + my $modulus = read_mpi($instr, \$readbytes); + my $exponent = read_mpi($instr, \$readbytes); + + my $pubkey = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, $exponent); + my $foundfpr = fingerprint($pubkey, $timestamp); + + my $foundfprstr = Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex(); + + # is this a match? 
+ if ((!defined($fpr)) || + (substr($foundfprstr, -1 * length($fpr)) eq $fpr)) { + if (defined($key)) { + die "Found two matching keys.\n"; + } + $key = $pubkey; + } + + if ($tag == $packet_types->{seckey} || + $tag == $packet_types->{sec_subkey}) { + if (!defined($key)) { # we don't think the public part of + # this key matches + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } else { + my $s2k; + read($instr, $s2k, 1) or die "Could not read S2K octet.\n"; + $readbytes += 1; + $s2k = ord($s2k); + if ($s2k == 0) { + # secret material is unencrypted + # see http://tools.ietf.org/html/rfc4880#section-5.5.3 + my $d = read_mpi($instr, \$readbytes); + my $p = read_mpi($instr, \$readbytes); + my $q = read_mpi($instr, \$readbytes); + my $u = read_mpi($instr, \$readbytes); + + my $checksum; + read($instr, $checksum, 2) or die "Could not read checksum of secret key material.\n"; + $readbytes += 2; + $checksum = unpack('n', $checksum); + + # FIXME: compare with the checksum! how? the data is + # gone into the Crypt::OpenSSL::Bignum + + $key = Crypt::OpenSSL::RSA->new_key_from_parameters($modulus, + $exponent, + $d, + $p, + $q); + + $key->check_key() or die "Secret key is not a valid RSA key.\n"; + } else { + print(STDERR "We cannot handle encrypted secret keys. Skipping!\n") ; + read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; + } + } + } + + } + } + } else { + read($instr, $dummy, $packetlen) or die "Could not skip past this packet!\n"; + } + } + + return $key; +} + + +for (basename($0)) { + if (/^pem2openpgp$/) { + my $rsa; + my $stdin; + + my $uid = shift; + defined($uid) or die "You must specify a user ID string.\n"; + + # FIXME: fail if there is no given user ID; or should we default to + # hostname_long() from Sys::Hostname::Long ? 
+ + + if (defined $ENV{PEM2OPENPGP_NEWKEY}) { + $rsa = Crypt::OpenSSL::RSA->generate_key($ENV{PEM2OPENPGP_NEWKEY}); + } else { + $stdin = do { + local $/; # slurp! + ; + }; + + $rsa = Crypt::OpenSSL::RSA->new_private_key($stdin); + } + + print pem2openpgp($rsa, + $uid, + { timestamp => $ENV{PEM2OPENPGP_TIMESTAMP}, + expiration => $ENV{PEM2OPENPGP_EXPIRATION}, + usage_flags => $ENV{PEM2OPENPGP_USAGE_FLAGS}, + } + ); + } + elsif (/^openpgp2ssh$/) { + my $fpr = shift; + my $instream; + open($instream,'-'); + binmode($instream, ":bytes"); + my $key = openpgp2ssh($instream, $fpr); + if (defined($key)) { + if ($key->is_private()) { + print $key->get_private_key_string(); + } else { + print "ssh-rsa ".encode_base64(openssh_pubkey_pack($key), '')."\n"; + } + } else { + die "No matching key found.\n"; + } + } + else { + die "Unrecognized keytrans call.\n"; + } +} + -- cgit v1.2.3 From 48cb182a7d0265aabed84d74b010ff0b24fa078c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 12:12:18 -0500 Subject: removed base64 invocation in favor of perl to reduce dependency spread. --- src/share/ma/setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/setup b/src/share/ma/setup index e77afff..f991050 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -57,7 +57,7 @@ EOF if [ -z "$CORE_FPR" ] ; then log info "setting up Monkeysphere authentication trust core..." - local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 Date: Sun, 1 Mar 2009 13:19:37 -0500 Subject: tests no longer prompt for bash for inspection unless MONKEYSPHERE_TEST_ALLOW_EXAMINATION=prompt (makes running them in an automated environment cleaner). prune extra PATH in tests --- tests/basic | 2 +- tests/common | 12 +++++++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/basic b/tests/basic index b1fe9ed..f6d1f3b 100755 --- a/tests/basic +++ b/tests/basic 
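Review bot: In openpgp2ssh the fingerprint comparison builds `$foundfprstr` with `Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex()`, which treats the 20-byte SHA-1 digest as a number. If the bignum hex output drops leading zero bytes (as OpenSSL's normally does), a key whose fingerprint starts with `00` yields a shorter string and can never match a full 40-digit fingerprint argument. Formatting the digest as bytes avoids this: `my $foundfprstr = uc(unpack('H*', $foundfpr));`. Separately, the secret-key branch reads the two-octet checksum and never compares it (the FIXME), so only `check_key()` stands between damaged secret material and the PEM output. Keeping the raw MPI bytes in read_mpi would let `simple_checksum` be applied on the way in.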
@@ -112,7 +112,7 @@ TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/monkeyspheretest.XXXXXXX") # Use the local copy of executables first, instead of system ones. # This should help us test without installing. -export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH" +export PATH="$TESTDIR"/../src:"$PATH" export MONKEYSPHERE_SYSDATADIR="$TEMPDIR" export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" diff --git a/tests/common b/tests/common index 30c6a82..e53c31e 100644 --- a/tests/common +++ b/tests/common @@ -3,11 +3,13 @@ failed_cleanup() { # FIXME: can we be more verbose here? echo 'FAILED!' - read -p "press enter to cleanup and remove tmp (or type bash for a subshell to examine): " XX - if [ "$XX" = bash ] ; then - echo "Entering subshell..." - cd "$TEMPDIR" - bash + if [ "$MONKEYSPHERE_TEST_ALLOW_EXAMINATION" = prompt ] ; then + read -p "press enter to cleanup and remove tmp (or type bash for a subshell to examine): " XX + if [ "$XX" = bash ] ; then + echo "Entering subshell..." + cd "$TEMPDIR" + bash + fi fi cleanup -- cgit v1.2.3 From defa3f1f158ee1baccdfdcab7db970380b39dd26 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 13:20:07 -0500 Subject: added "test" target for make --- Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2c6077e..07e8fb9 100755 --- a/Makefile +++ b/Makefile @@ -76,4 +76,7 @@ installman: releasenote: ./utils/build-releasenote -.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote +test: + ./tests/basic + +.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test -- cgit v1.2.3 From 26527731b6b1bbeaa9e2e8a0507c52ca164803ed Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 13:20:32 -0500 Subject: debian packaging overhaul. --- packaging/debian/changelog | 12 ++++++++++-- packaging/debian/control | 6 +++--- 2 files changed, 13 insertions(+), 5 deletions(-) 
diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 46f7863..17e98e7 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,10 +1,18 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low - * update/cleanup mainterscripts * New upstream release: - Fixed how version information is stored/retrieved. + - Now uses perl-based keytrans for both pem2openpgp and openpgp2ssh + - no longer needs base64 in PATH + - added "test" make target + - improved transitions/0.23 script + * update/cleanup mainterscripts + * remove GnuTLS dependency. + * remove versioned coreutils | base64 dependency. + * added Build-Deps for dh_autotest. + * switch to Architecture: all - -- Jameson Graef Rollins Sat, 28 Feb 2009 13:02:57 -0500 + -- Daniel Kahn Gillmor Sun, 01 Mar 2009 11:47:41 -0500 monkeysphere (0.23.1-1) unstable; urgency=low diff --git a/packaging/debian/control b/packaging/debian/control index c20b978..fa2c78a 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -3,15 +3,15 @@ Section: net Priority: extra Maintainer: Jameson Graef Rollins Uploaders: Daniel Kahn Gillmor -Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0) +Build-Depends: debhelper (>= 7.0), socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail Standards-Version: 3.8.0.1 Homepage: http://web.monkeysphere.info/ Vcs-Git: git://git.monkeysphere.info/monkeysphere Dm-Upload-Allowed: yes Package: monkeysphere -Architecture: any -Depends: openssh-client, gnupg, coreutils (>= 6) | base64, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${shlibs:Depends} +Architecture: all +Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${shlibs:Depends} Recommends: netcat | socat, ssh-askpass Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections -- cgit v1.2.3 
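Review bot: In packaging/debian/control the binary package becomes `Architecture: all` and the GnuTLS build dependency is dropped, but the `Depends:` line still ends with `${shlibs:Depends}`. With no compiled objects left, nothing is likely to define that substitution variable, so it probably expands to nothing and the build tools may warn about an unknown variable. I would end the line with `${misc:Depends}` instead, or simply drop the trailing `${shlibs:Depends}`.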
From 714735a79cd33760a44a7c7356d8d8c44776cc5f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 13:34:01 -0500 Subject: fix two bugs in monkeysphere:check_gpg_sec_key_id that were causing gen_subkey to fail --- src/monkeysphere | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index 6db4827..809b1ac 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -69,7 +69,7 @@ check_gpg_sec_key_id() { gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') ;; 1) - gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$keyID" | egrep '^sec:') || failure + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure ;; *) failure "You must specify only a single primary key ID." @@ -86,9 +86,9 @@ check_gpg_sec_key_id() { echo "$gpgSecOut" | cut -d: -f5 ;; *) - echo "Multiple primary secret keys found:" - echo "$gpgSecOut" | cut -d: -f5 - echo "Please specify which primary key to use." + echo "Multiple primary secret keys found:" >&2 + echo "$gpgSecOut" | cut -d: -f5 >&2 + echo "Please specify which primary key to use." >&2 failure ;; esac -- cgit v1.2.3 From 15d752f93a3a9807430fe8b3cd6e16f3cede8e7c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 13:40:12 -0500 Subject: updating header comments in keytrans now that it serves two purposes. --- src/share/keytrans | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/src/share/keytrans b/src/share/keytrans index 8bf17fb..8b2e2ea 100755 --- a/src/share/keytrans +++ b/src/share/keytrans 
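Review bot: In the `1)` branch of check_gpg_sec_key_id the caller-supplied `"$1"` is handed to gpg directly after the options, so a value beginning with `-` would be read as another option rather than a key ID. Assuming gpg_user forwards its arguments to gpg unchanged (it is defined outside this hunk), ending option parsing first closes that off: `gpg_user --fixed-list-mode --list-secret-keys --with-colons -- "$1"`. The bare `|| failure` on the same line also exits without saying which key ID was not found; `|| failure "No secret key found for '$1'."` would match the messages used in the other branches. The function starts before the hunk.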
@@ -1,5 +1,15 @@ #!/usr/bin/perl -w -T +# keytrans: this is an RSA key translation utility; it is capable of +# transforming RSA keys (both public keys and secret keys) between +# several popular representations, including OpenPGP, PEM-encoded +# PKCS#1 DER, and OpenSSH-style public key lines. + +# How it behaves depends on the name under which it is invoked. The +# two implementations currently are: pem2openpgp and openpgp2ssh. + + + # pem2openpgp: take a PEM-encoded RSA private-key on standard input, a # User ID as the first argument, and generate an OpenPGP secret key # and certificate from it. @@ -12,6 +22,23 @@ # pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg --import + + + +# openpgp2ssh: take a stream of OpenPGP packets containing public or +# secret key material on standard input, and a Key ID (or fingerprint) +# as the first argument. Find the matching key in the input stream, +# and emit it on stdout in an OpenSSH-compatible format. If the input +# key is an OpenPGP public key (either primary or subkey), the output +# will be an OpenSSH single-line public key. If the input key is an +# OpenPGP secret key, the output will be a PEM-encoded RSA key. + +# Example usage: + +# gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \ +# openpgp2ssh $KEYID | ssh-add /dev/stdin + + # Authors: # Jameson Rollins # Daniel Kahn Gillmor -- cgit v1.2.3 From 5de3fdc4fc82f56175f52f6e46065f56e858d97c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 13:54:25 -0500 Subject: fix openpgp2ssh man page to reflect new implementation. --- man/man1/openpgp2ssh.1 | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 8374a9f..9b0d1a4 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 
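Review bot: The new openpgp2ssh header section has no counterpart to the WARNING that the pem2openpgp section carries, although for a secret key it also writes private key material to stdout. The man page in this series states that this output is not passphrase-protected. I would add after the description: `# WARNING: for a secret key, the PEM output on stdout is NOT passphrase-protected -- pipe it to ssh-add or lock down the permissions of any file it is redirected to.` The example usage would also be safer to copy with `"$KEYID"` quoted in both places.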
@@ -28,13 +28,13 @@ fingerprint of the key or subkey desired, but will accept as few as the last 8 digits of the fingerprint as a key ID. .Pp -If the input contains an OpenPGP RSA or DSA public key, it will be -converted to the OpenSSH-style single-line keystring, prefixed with -the key type. This format is suitable (with minor alterations) for +If the input contains an OpenPGP RSA public key, it will be converted +to the OpenSSH-style single-line keystring, prefixed with the key type +(ssh-rsa). This format is suitable (with minor alterations) for insertion into known_hosts files and authorized_keys files. .Pp -If the input contains an OpenPGP RSA or DSA secret key, it will be -converted to the equivalent PEM-encoded private key. +If the input contains an OpenPGP RSA secret key, it will be converted +to the equivalent PEM-encoded private key. .Pp .Nm is part of the @@ -47,15 +47,10 @@ intentional, since ssh attaches no inherent significance to these features. .Pp .Nm -only works with RSA or DSA keys, because those are the -only ones which work with ssh. -.Pp -Assuming a valid key type, though, -.Nm -will produce output for -any requested key. This means, among other things, that it will -happily export revoked keys, unverifiable keys, expired keys, etc. -Make sure you do your own key validation before using this tool! +will produce output for any requested RSA key. This means, among +other things, that it will happily export revoked keys, unverifiable +keys, expired keys, etc. Make sure you do your own key validation +before using this tool! .Sh EXAMPLES .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin .Pp 
@@ -72,6 +67,14 @@ and this man page were written by Daniel Kahn Gillmor . .Sh BUGS .Nm +only works with RSA keys. DSA keys are the only other key type +available in both OpenPGP and SSH, but they are currently unsupported +by this utility. +.Pp +.Nm +only accepts raw OpenPGP packets on standard input. It does not +accept ASCII-armored input. +.Nm Currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by lsh(1) and putty(1). @@ -80,15 +83,6 @@ Secret key output is currently not passphrase-protected. .Pp .Nm currently cannot handle passphrase-protected secret keys on input. -.Pp -Key identifiers consisting of an odd number of hex digits are not -accepted. Users who use a key ID with a standard length of 8, 16, or -40 hex digits should not be affected by this. -.Pp -.Nm -only acts on keys associated with the first primary key -passed in. If you send it more than one primary key, it will silently -ignore later ones. .Sh SEE ALSO .Xr pem2openpgp 1 , .Xr monkeysphere 1 , -- cgit v1.2.3 From 183d64eed7eb9724ca6c96f656cb02f475158d0e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 14:02:35 -0500 Subject: normalizing failure invocations in check_gpg_sec_key_id(). --- src/monkeysphere | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index 809b1ac..2d54376 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -86,10 +86,10 @@ check_gpg_sec_key_id() { echo "$gpgSecOut" | cut -d: -f5 ;; *) - echo "Multiple primary secret keys found:" >&2 - echo "$gpgSecOut" | cut -d: -f5 >&2 - echo "Please specify which primary key to use." >&2 - failure + local seckeys=$(echo "$gpgSecOut" | cut -d: -f5) + failure "Multiple primary secret keys found: +$seckeys +Please specify which primary key to use." ;; esac } -- cgit v1.2.3 From ebd776722e0fd6dfacc79146c368d148f0e266cb Mon Sep 17 00:00:00 2001 
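Review bot: In the `*)` arm of check_gpg_sec_key_id() (src/monkeysphere, hunk `-86,10 +86,10`), the multi-key message now reaches the user only through `failure`, whereas the previous commit had redirected these lines with `>&2`. `failure` is defined outside the hunk, so confirm it prints its argument to stderr; if it prints to stdout, the text would again land in whatever captures this function's output. Separately, `local seckeys=$(...)` hides the pipeline's exit status behind `local`; declaring `local seckeys` first and then assigning `seckeys=$(echo "$gpgSecOut" | cut -d: -f5)` keeps it.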
From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 14:53:37 -0500 Subject: break out default variables into their own file: defaultenv this allows the common file to be sourced without reseting variables to their defaults, which was causing a problem with su_monkeysphere_user. also added some more debug messages. --- Makefile | 1 + src/monkeysphere | 3 ++- src/monkeysphere-authentication | 3 ++- src/monkeysphere-host | 3 ++- src/share/common | 34 +++++++++------------------------- src/share/ma/update_users | 1 + tests/basic | 1 - 7 files changed, 17 insertions(+), 29 deletions(-) diff --git a/Makefile b/Makefile index 07e8fb9..9873d32 100755 --- a/Makefile +++ b/Makefile @@ -52,6 +52,7 @@ install: all installman install src/monkeysphere $(DESTDIR)$(PREFIX)/bin install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere + install -m 0644 src/share/defaultenv $(DESTDIR)$(PREFIX)/share/monkeysphere install -m 0755 src/share/keytrans $(DESTDIR)$(PREFIX)/share/monkeysphere ln -s ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/pem2openpgp ln -s ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2ssh diff --git a/src/monkeysphere b/src/monkeysphere index 2d54376..8d59d08 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -18,7 +18,8 @@ PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR -. "${SYSSHAREDIR}/common" || exit 1 +. "${SYSSHAREDIR}/defaultenv" +. "${SYSSHAREDIR}/common" # sharedir for host functions MSHAREDIR="${SYSSHAREDIR}/m" diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index c5c48d5..3344f38 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication 
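Review bot: The two new source lines in src/monkeysphere drop the `|| exit 1` that guarded the old `. "${SYSSHAREDIR}/common"`, so a missing or unreadable defaultenv or common no longer stops the script (unless `set -e` is active, which the hunk does not show). The script would then carry on without its defaults or helper functions, and this commit's diffstat does not include src/share/defaultenv even though the Makefile hunk installs it. Keep the guard on both lines: `. "${SYSSHAREDIR}/defaultenv" || exit 1` and `. "${SYSSHAREDIR}/common" || exit 1`. The same applies to the matching hunks in src/monkeysphere-authentication and src/monkeysphere-host, where a silent failure matters more because those tools perform the key-file permission checks.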
@@ -21,7 +21,8 @@ PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR -. "${SYSSHAREDIR}/common" || exit 1 +. "${SYSSHAREDIR}/defaultenv" +. "${SYSSHAREDIR}/common" SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 9e4a8c4..b9a15ae 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -21,7 +21,8 @@ PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR -. "${SYSSHAREDIR}/common" || exit 1 +. "${SYSSHAREDIR}/defaultenv" +. "${SYSSHAREDIR}/common" SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR diff --git a/src/share/common b/src/share/common index a9d23b2..1cdd549 100644 --- a/src/share/common +++ b/src/share/common @@ -13,28 +13,6 @@ # all-caps variables are meant to be user supplied (ie. from config # file) and are considered global -######################################################################## -### COMMON VARIABLES - -# managed directories -SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} -export SYSCONFIGDIR - -# default log level -LOG_LEVEL="INFO" - -# default keyserver -KEYSERVER="pool.sks-keyservers.net" - -# whether or not to check keyservers by defaul -CHECK_KEYSERVER="true" - -# default monkeysphere user -MONKEYSPHERE_USER="monkeysphere" - -# default about whether or not to prompt -PROMPT="true" - ######################################################################## ### UTILITY FUNCTIONS @@ -461,6 +439,7 @@ check_key_file_permissions() { # return zero if all clear, or go to next path if [ "$path" = '/' ] ; then + log debug "path ok." return 0 else check_key_file_permissions "$uname" $(dirname "$path") 
@@ -926,7 +905,8 @@ process_known_hosts() { failure "known_hosts file '$KNOWN_HOSTS' does not exist." fi - log debug "processing known_hosts file..." + log debug "processing known_hosts file:" + log debug " $KNOWN_HOSTS" hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') @@ -1014,6 +994,9 @@ update_authorized_keys() { nIDsOK=0 nIDsBAD=0 + log debug "updating authorized_keys file:" + log debug " $AUTHORIZED_KEYS" + # check permissions on the authorized_keys file path check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure @@ -1087,11 +1070,12 @@ process_authorized_user_ids() { failure "authorized_user_ids file '$authorizedUserIDs' does not exist." fi + log debug "processing authorized_user_ids file:" + log debug " $authorizedUserIDs" + # check permissions on the authorized_user_ids file path check_key_file_permissions "$USER" "$authorizedUserIDs" || failure - log debug "processing authorized_user_ids file..." - if ! meat "$authorizedUserIDs" > /dev/null ; then log debug " no user IDs to process." return diff --git a/src/share/ma/update_users b/src/share/ma/update_users index c180b56..3a5c006 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -80,6 +80,7 @@ for uname in $unames ; do # translating ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") if [ -s "$authorizedUserIDs" ] ; then + log debug "authorized_user_ids file found." # check permissions on the authorized_user_ids file path if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then # copy user authorized_user_ids file to temporary diff --git a/tests/basic b/tests/basic index f6d1f3b..7277168 100755 --- a/tests/basic +++ b/tests/basic 
@@ -275,7 +275,6 @@ monkeysphere-authentication update-users $(whoami) # FIXME: this is maybe not failing properly for: # ms: improper group or other writability on path '/tmp'. - ###################################################################### ### TESTS -- cgit v1.2.3 From 23969f7aadf7611ed73d300b23c8fbfca91cb66a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 15:27:36 -0500 Subject: explicity set the USER variable, since it's needed for checking file permissions. add/modify some debug messages. --- src/monkeysphere | 3 +++ src/share/common | 14 ++++++++------ src/share/ma/update_users | 1 + 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index 8d59d08..aa9276c 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -189,6 +189,9 @@ export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" export LOG_LEVEL +# explicitly set the USER variable, for checking file permissions +export USER=$(whoami) + # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." diff --git a/src/share/common b/src/share/common index 1cdd549..c6d6b8e 100644 --- a/src/share/common +++ b/src/share/common @@ -427,13 +427,15 @@ check_key_file_permissions() { # return 1 if path has invalid owner if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then - log error "improper ownership on path '$path'." + log error "improper ownership on path '$path':" + log error " $owner != ($uname|root)" return 1 fi # return 2 if path has group or other writability if is_write "$gAccess" || is_write "$oAccess" ; then - log error "improper group or other writability on path '$path'." + log error "improper group or other writability on path '$path':" + log error " group: $gAccess, other: $oAcess" return 2 fi 
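Review bot: The added log line in check_key_file_permissions() (src/share/common, hunk `-427,13 +427,15`) expands `$oAcess`, but the variable tested in the `is_write` condition just above it is `$oAccess`. The "other" field will therefore print empty whenever this error fires. Change the line to `log error " group: $gAccess, other: $oAccess"`. This is the diagnostic for a group- or other-writable path, so the missing value makes a rejected key file harder to triage. The function starts and ends outside the hunk.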
@@ -667,14 +669,14 @@ process_user_id() { if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then log verbose " * acceptable primary key." if [ -z "$sshKey" ] ; then - log error " ! primary key could not be translated (not RSA or DSA?)." + log error " ! primary key could not be translated (not RSA?)." else echo "0:${sshKey}" fi else log debug " - unacceptable primary key." if [ -z "$sshKey" ] ; then - log debug " ! primary key could not be translated (not RSA or DSA?)." + log debug " ! primary key could not be translated (not RSA?)." else echo "1:${sshKey}" fi @@ -725,14 +727,14 @@ process_user_id() { if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then log verbose " * acceptable sub key." if [ -z "$sshKey" ] ; then - log error " ! sub key could not be translated (not RSA or DSA?)." + log error " ! sub key could not be translated (not RSA?)." else echo "0:${sshKey}" fi else log debug " - unacceptable sub key." if [ -z "$sshKey" ] ; then - log debug " ! sub key could not be translated (not RSA or DSA?)." + log debug " ! sub key could not be translated (not RSA?)." else echo "1:${sshKey}" fi diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 3a5c006..195e982 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -88,6 +88,7 @@ for uname in $unames ; do cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" # export needed variables + export USER="$uname" export AUTHORIZED_KEYS export TMP_AUTHORIZED_USER_IDS -- cgit v1.2.3 From 7c8c631cd755ccab6bf61bfaf54a00538b93ba3e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 15:31:03 -0500 Subject: use 'which' instead of 'type' in postrm, so lintian doesn't complain. --- packaging/debian/monkeysphere.postrm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/debian/monkeysphere.postrm b/packaging/debian/monkeysphere.postrm index e70a1b1..878b913 100755 --- a/packaging/debian/monkeysphere.postrm +++ b/packaging/debian/monkeysphere.postrm 
@@ -9,7 +9,7 @@ case $1 in purge) # delete monkeysphere user # http://wiki.debian.org/AccountHandlingInMaintainerScripts - if type deluser >/dev/null 2>&1; then + if which deluser >/dev/null 2>&1 ; then deluser --quiet --system monkeysphere > /dev/null || true else echo >&2 "not removing monkeysphere system account because deluser command was not found" -- cgit v1.2.3 From 033b2e76b81746e91f2f15580125164a8821bf0d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 15:48:21 -0500 Subject: add defaultenv file that was missed in ebd776722e0fd6dfacc79146c368d148f0e266cb --- src/share/defaultenv | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 src/share/defaultenv diff --git a/src/share/defaultenv b/src/share/defaultenv new file mode 100644 index 0000000..b54a518 --- /dev/null +++ b/src/share/defaultenv @@ -0,0 +1,29 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Shared sh variables for the monkeysphere +# +# Written by +# Jameson Rollins +# +# Copyright 2009, released under the GPL, version 3 or later + +# managed directories +SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} +export SYSCONFIGDIR + +# default log level +LOG_LEVEL="INFO" + +# default keyserver +KEYSERVER="pool.sks-keyservers.net" + +# whether or not to check keyservers by defaul +CHECK_KEYSERVER="true" + +# default monkeysphere user +MONKEYSPHERE_USER="monkeysphere" + +# default about whether or not to prompt +PROMPT="true" + -- cgit v1.2.3 From 750314da835f95fa4db35e5715508c6a551dfac9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 16:28:29 -0500 Subject: touching up changelog; switch ${shlibs:Depends} to ${misc:Depends} to mollify lintian. --- packaging/debian/changelog | 3 ++- packaging/debian/control | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
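Review bot: The postrm hunk replaces `type` with `which`, an external program that a `/bin/sh` maintainer script cannot assume is installed at purge time. If `which` is missing, the test fails and the script takes the "not removing monkeysphere system account" branch even when `deluser` is present. `if command -v deluser >/dev/null 2>&1 ; then` stays inside the shell; check that lintian accepts it before switching. The surrounding `case` starts and ends outside the hunk.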
diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 17e98e7..bef3c03 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -6,7 +6,8 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low - no longer needs base64 in PATH - added "test" make target - improved transitions/0.23 script - * update/cleanup mainterscripts + - RSA only: no longer handles DSA keys + * update/cleanup maintainer scripts * remove GnuTLS dependency. * remove versioned coreutils | base64 dependency. * added Build-Deps for dh_autotest. diff --git a/packaging/debian/control b/packaging/debian/control index fa2c78a..6706cb9 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -11,7 +11,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: all -Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${shlibs:Depends} +Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${misc:Depends} Recommends: netcat | socat, ssh-askpass Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections -- cgit v1.2.3 From 7b64ab42881f4702b6a7800dc06c94a742109fda Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 17:11:59 -0500 Subject: switched $USER to $FILE_OWNER; new name is more semantically clear and less likely to collide with other common uses of $USER. --- src/monkeysphere | 4 ++-- src/share/common | 6 +++--- src/share/ma/update_users | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index aa9276c..1641d32 100755 --- a/src/monkeysphere +++ b/src/monkeysphere 
@@ -189,8 +189,8 @@ export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" export LOG_LEVEL -# explicitly set the USER variable, for checking file permissions -export USER=$(whoami) +# explicitly set the FILE_OWNER variable, for checking file permissions +export FILE_OWNER=$(whoami) # get subcommand COMMAND="$1" diff --git a/src/share/common b/src/share/common index c6d6b8e..dd5dc16 100644 --- a/src/share/common +++ b/src/share/common @@ -846,7 +846,7 @@ update_known_hosts() { (umask 0022 && touch "$KNOWN_HOSTS") # check permissions on the known_hosts file path - check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure + check_key_file_permissions "$FILE_OWNER" "$KNOWN_HOSTS" || failure # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" @@ -1000,7 +1000,7 @@ update_authorized_keys() { log debug " $AUTHORIZED_KEYS" # check permissions on the authorized_keys file path - check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure + check_key_file_permissions "$FILE_OWNER" "$AUTHORIZED_KEYS" || failure # create a lockfile on authorized_keys lock create "$AUTHORIZED_KEYS" @@ -1076,7 +1076,7 @@ process_authorized_user_ids() { log debug " $authorizedUserIDs" # check permissions on the authorized_user_ids file path - check_key_file_permissions "$USER" "$authorizedUserIDs" || failure + check_key_file_permissions "$FILE_OWNER" "$authorizedUserIDs" || failure if ! meat "$authorizedUserIDs" > /dev/null ; then log debug " no user IDs to process." diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 195e982..a48bbd1 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -88,7 +88,7 @@ for uname in $unames ; do cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" # export needed variables - export USER="$uname" + export FILE_OWNER="$uname" export AUTHORIZED_KEYS export TMP_AUTHORIZED_USER_IDS -- cgit v1.2.3 From a9e9b3ae93b43b00700c379937895017bb530b08 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 18:05:11 -0500 Subject: refer to the m-h set-expire instead of m-h extend-key in m-h diagnostics. --- src/share/mh/diagnostics | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index 2f65f89..3746020 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -63,11 +63,11 @@ else if [ "$expire" ]; then if (( "$expire" < "$curdate" )); then echo "! Host key is expired." - echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'" problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'" problemsfound=$(($problemsfound+1)) fi fi -- cgit v1.2.3 From c7ad73e5b9516c74a1e049322b89076f4878ddba Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 19:56:41 -0500 Subject: proposed fix for issue 630; since m-a u operates on a saved copy of the users authorized_user_ids file, we should only check filesystem permissions against the monkeysphere user, not the target user. --- src/share/ma/update_users | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/share/ma/update_users b/src/share/ma/update_users index a48bbd1..67fabb2 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users 
@@ -88,12 +88,11 @@ for uname in $unames ; do cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" # export needed variables - export FILE_OWNER="$uname" export AUTHORIZED_KEYS export TMP_AUTHORIZED_USER_IDS # process authorized_user_ids file, as monkeysphere user - su_monkeysphere_user \ + FILE_OWNER="$MONKEYSPHERE_USER" su_monkeysphere_user \ ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" \ || returnCode="$?" else -- cgit v1.2.3 From 01cc7607ee14feb1b8ebc91c9a9e5bed92f7a413 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 20:33:16 -0500 Subject: include bug number for fixing transition script issues. --- packaging/debian/changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index bef3c03..8b3b922 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -5,7 +5,8 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low - Now uses perl-based keytrans for both pem2openpgp and openpgp2ssh - no longer needs base64 in PATH - added "test" make target - - improved transitions/0.23 script + - improved transitions/0.23 script so it no longer fails in common + circumstances (Closes: #517779) - RSA only: no longer handles DSA keys * update/cleanup maintainer scripts * remove GnuTLS dependency. -- cgit v1.2.3 From a102b1533984b638094727f36f64a56ed5586553 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:11:58 -0500 Subject: moved set -e from the shebang line to an explicit setting in maintainer scripts to pacify lintian --pedantic. --- packaging/debian/monkeysphere.postinst | 4 +++- packaging/debian/monkeysphere.postrm | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/packaging/debian/monkeysphere.postinst b/packaging/debian/monkeysphere.postinst index bbb02cf..6b12ee8 100755 --- a/packaging/debian/monkeysphere.postinst +++ b/packaging/debian/monkeysphere.postinst 
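Review bot: In src/share/ma/update_users, the new `FILE_OWNER="$MONKEYSPHERE_USER"` prefix only works if the variable survives into the shell that `su_monkeysphere_user` starts. That helper is outside the hunk, so confirm it does not reset the environment. If the value is lost, `check_key_file_permissions "$FILE_OWNER" ...` in process_authorized_user_ids compares the owner against an empty string; that fails closed, but it rejects every user's temporary file. A short comment here would help, for example `# the temp copy is owned by the monkeysphere user; the user's own file was already checked against $uname above`. The enclosing `for uname` loop starts and ends outside the hunk.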
@@ -1,10 +1,12 @@ -#!/bin/sh -e +#!/bin/sh # postinst script for monkeysphere # Author: Jameson Rollins # Copyright 2008-2009 +set -e + VARLIB="/var/lib/monkeysphere" case $1 in diff --git a/packaging/debian/monkeysphere.postrm b/packaging/debian/monkeysphere.postrm index 878b913..d789012 100755 --- a/packaging/debian/monkeysphere.postrm +++ b/packaging/debian/monkeysphere.postrm @@ -1,10 +1,12 @@ -#!/bin/sh -e +#!/bin/sh # postrm script for monkeysphere # Author: Jameson Rollins # Copyright 2008-2009 +set -e + case $1 in purge) # delete monkeysphere user -- cgit v1.2.3 From 547b84f3861c0d376818c0f04bfe6f79e5845606 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:12:49 -0500 Subject: point explicitly to GPL v3 in debian/copyright (satisfies lintian --pedantic) --- packaging/debian/copyright | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/debian/copyright b/packaging/debian/copyright index 4c25286..c85128f 100644 --- a/packaging/debian/copyright +++ b/packaging/debian/copyright @@ -21,4 +21,4 @@ License: GPL-3+ (at your option) any later version. . On Debian systems, the complete text of the GNU General Public License - can be found in file "/usr/share/common-licenses/GPL". + version 3 can be found in file "/usr/share/common-licenses/GPL-3". -- cgit v1.2.3 From 9c4477a176fe355dad00f36ac22fd8c470fc8b64 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:17:45 -0500 Subject: syntactic cleanup on monkeysphere.1 (thanks, lintian -I) --- man/man1/monkeysphere.1 | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 887b5df..7cc4fe0 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
@@ -21,7 +21,7 @@ connection authentication. \fBmonkeysphere\fP takes various subcommands: .TP -.B update-known_hosts [HOST]... +.B update\-known_hosts [HOST]... Update the known_hosts file. For each specified host, gpg will be queried for a key associated with the host URI (see HOST IDENTIFICATION in @@ -37,9 +37,9 @@ known_hosts file will be processed. This subcommand will exit with a status of 0 if at least one acceptable key was found for a specified host, 1 if no matching keys were found at all, and 2 if matching keys were found but none were acceptable. `k' may be used in place of -`update-known_hosts'. +`update\-known_hosts'. .TP -.B update-authorized_keys +.B update\-authorized_keys Update the authorized_keys file for the user executing the command (see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all monkeysphere keys are cleared from the authorized_keys file. Then, or 
@@ -54,18 +54,18 @@ is found for the user ID, nothing is done. This subcommand will exit with a status of 0 if at least one acceptable key was found for a user ID, 1 if no matching keys were found at all, and 2 if matching keys were found but none were acceptable. `a' may be used in place of -`update-authorized_keys'. +`update\-authorized_keys'. .TP -.B gen-subkey [KEYID] +.B gen\-subkey [KEYID] Generate an authentication subkey for a private key in your GnuPG keyring. KEYID is the key ID for the primary key for which the subkey with "authentication" capability will be generated. If no key ID is specified, but only one key exists in the secret keyring, that key will be used. The length of the generated key can be specified with -the `--length` or `-l` option. `g' may be used in place of -`gen-subkey'. +the `\-\-length' or `\-l' option. `g' may be used in place of +`gen\-subkey'. .TP -.B ssh-proxycommand +.B ssh\-proxycommand An ssh ProxyCommand that can be used to trigger a monkeysphere update of the ssh known_hosts file for a host that is being connected to with ssh. This works by updating the known_hosts file for the host first, 
@@ -78,16 +78,16 @@ more info). This command is meant to be run as the ssh "ProxyCommand". This can either be done by specifying the proxy command on the command line: -.B ssh -o ProxyCommand="monkeysphere ssh-proxycommand %h %p" ... +.B ssh \-o ProxyCommand="monkeysphere ssh\-proxycommand %h %p" ... or by adding the following line to your ~/.ssh/config script: -.B ProxyCommand monkeysphere ssh-proxycommand %h %p +.B ProxyCommand monkeysphere ssh\-proxycommand %h %p The script can easily be incorporated into other ProxyCommand scripts -by calling it with the "--no-connect" option, i.e.: +by calling it with the "\-\-no\-connect" option, i.e.: -.B monkeysphere ssh-proxycommand --no-connect "$HOST" "$PORT" +.B monkeysphere ssh\-proxycommand \-\-no\-connect "$HOST" "$PORT" This will run everything except the final exec of netcat to make the TCP connection to the host. In this way this command can be added to @@ -114,14 +114,14 @@ MONKEYSPHERE_CHECK_KEYSERVER environment variable to either `true' or either always or never check the keyserver for host key updates. .TP -.B subkey-to-ssh-agent [ssh-add arguments] +.B subkey\-to\-ssh\-agent [ssh\-add arguments] Push all authentication-capable subkeys in your GnuPG secret keyring into your running ssh-agent. Additional arguments are passed through to -.BR ssh-add (1). +.BR ssh\-add (1). For example, to remove the authentication subkeys, pass an additional -`-d' argument. To require confirmation on each use of the key, pass -`-c'. `s' may be used in place of `subkey-to-ssh-agent'. +`\-d' argument. To require confirmation on each use of the key, pass +`\-c'. `s' may be used in place of `subkey\-to\-ssh\-agent'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of 
@@ -140,22 +140,22 @@ MONKEYSPHERE_GNUPGHOME, GNUPGHOME GnuPG home directory (~/.gnupg). .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (subkeys.pgp.net). +OpenPGP keyserver to use (pool.sks-keyservers.net). .TP MONKEYSPHERE_CHECK_KEYSERVER -Whether or not to check keyserver when making gpg queries (`true'). +Whether or not to check keyserver when making gpg queries (true). .TP MONKEYSPHERE_KNOWN_HOSTS Path to ssh known_hosts file (~/.ssh/known_hosts). .TP MONKEYSPHERE_HASH_KNOWN_HOSTS -Whether or not to hash to the known_hosts file entries (`true'). +Whether or not to hash to the known_hosts file entries (true). .TP MONKEYSPHERE_AUTHORIZED_KEYS Path to ssh authorized_keys file (~/.ssh/authorized_keys). .TP MONKEYSPHERE_PROMPT -If set to `false', never prompt the user for confirmation. (true) +If set to `false', never prompt the user for confirmation (true). .SH FILES @@ -178,9 +178,9 @@ Daniel Kahn Gillmor .SH SEE ALSO -.BR monkeysphere-host (8), -.BR monkeysphere-authentication (8), +.BR monkeysphere\-host (8), +.BR monkeysphere\-authentication (8), .BR monkeysphere (7), .BR ssh (1), -.BR ssh-add (1), +.BR ssh\-add (1), .BR gpg (1) -- cgit v1.2.3 From aa03928a5317996d9d87ba733048b2c010641a3b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:23:40 -0500 Subject: syntactic cleanup of keytrans-related man pages. --- man/man1/openpgp2ssh.1 | 21 ++++++++++++--------- man/man1/pem2openpgp.1 | 10 +++++----- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 9b0d1a4..304a442 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -1,5 +1,5 @@ .\" -*- nroff -*- -.Dd $Mdocdate: June 11, 2008 $ +.Dd $Mdocdate: March 1, 2009 $ .Dt OPENPGP2SSH 1 .Os .Sh NAME 
@@ -8,9 +8,9 @@ openpgp2ssh .Sh SYNOPSIS .Nm openpgp2ssh < mykey.gpg .Pp -.Nm gpg --export $KEYID | openpgp2ssh $KEYID +.Nm gpg \-\-export $KEYID | openpgp2ssh $KEYID .Pp -.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID +.Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID .Sh DESCRIPTION .Nm takes an OpenPGP-formatted primary key and associated @@ -30,7 +30,7 @@ ID. .Pp If the input contains an OpenPGP RSA public key, it will be converted to the OpenSSH-style single-line keystring, prefixed with the key type -(ssh-rsa). This format is suitable (with minor alterations) for +(`ssh\-rsa'). This format is suitable (with minor alterations) for insertion into known_hosts files and authorized_keys files. .Pp If the input contains an OpenPGP RSA secret key, it will be converted @@ -52,14 +52,14 @@ other things, that it will happily export revoked keys, unverifiable keys, expired keys, etc. Make sure you do your own key validation before using this tool! .Sh EXAMPLES -.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin +.Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID | ssh\-add \-c /dev/stdin .Pp This pushes the secret key into the active -.Xr ssh-agent 1 . +.Xr ssh\-agent 1 . Tools such as .Xr ssh 1 which know how to talk to the -.Xr ssh-agent 1 +.Xr ssh\-agent 1 can now rely on the key. .Sh AUTHOR .Nm @@ -77,7 +77,9 @@ accept ASCII-armored input. .Nm Currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by -lsh(1) and putty(1). +.Xr lsh 1 +and +.Xr putty 1 . .Pp Secret key output is currently not passphrase-protected. .Pp @@ -88,4 +90,5 @@ currently cannot handle passphrase-protected secret keys on input. .Xr monkeysphere 1 , .Xr monkeysphere 7 , .Xr ssh 1 , -.Xr monkeysphere-server 8 +.Xr monkeysphere-authentication 8 , +.Xr monkeysphere-host 8 diff --git a/man/man1/pem2openpgp.1 b/man/man1/pem2openpgp.1 index ae75b11..45fd1ee 100644 
--- a/man/man1/pem2openpgp.1 +++ b/man/man1/pem2openpgp.1 @@ -1,12 +1,12 @@ .\" -*- nroff -*- -.Dd $Mdocdate: January 25, 2009 $ +.Dd $Mdocdate: March 1, 2009 $ .Dt PEM2OPENPGP 1 .Os .Sh NAME pem2openpgp .Nd translate PEM-encoded RSA keys to OpenPGP certificates .Sh SYNOPSIS -.Nm pem2openpgp "$USERID" < mykey.pem | gpg --import +.Nm pem2openpgp "$USERID" < mykey.pem | gpg \-\-import .Pp .Nm PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authentication,certify pem2openpgp "$USERID" . .Sh BUGS -Only handles RSA keys at the moment. It would be nice to handle DSA +Only handles RSA keys at the moment. It might be nice to handle DSA keys as well. .Pp Currently only creates certificates with a single User ID. Should be @@ -81,5 +81,5 @@ https://labs.riseup.net/code/projects/show/monkeysphere .Xr monkeysphere 1 , .Xr monkeysphere 7 , .Xr ssh 1 , -.Xr monkeysphere-host 8 , -.Xr monkeysphere-authentication 8 +.Xr monkeysphere\-host 8 , +.Xr monkeysphere\-authentication 8 -- cgit v1.2.3 From 603a1e22e97e3948750eb85f39eb8bdc5b308684 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:41:33 -0500 Subject: more manpage cleanup. --- man/man1/monkeysphere.1 | 2 +- man/man7/monkeysphere.7 | 14 +++--- man/man8/monkeysphere-authentication.8 | 88 +++++++++++++++++----------------- man/man8/monkeysphere-host.8 | 67 +++++++++++++------------- 4 files changed, 88 insertions(+), 83 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 7cc4fe0..f6f583d 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -2,7 +2,7 @@ .SH NAME -monkeysphere \- Monkeysphere client user interface +monkeysphere - Monkeysphere client user interface .SH SYNOPSIS diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index d54bd5a..f5a2371 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 
@@ -1,8 +1,8 @@ -.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks" +.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks" .SH NAME -monkeysphere \- ssh authentication framework using OpenPGP Web of +monkeysphere - ssh authentication framework using OpenPGP Web of Trust .SH DESCRIPTION @@ -50,7 +50,7 @@ ssh authentication. OpenPGP keys are considered acceptable if the following criteria are met: .TP .B capability -The key must have the "authentication" ("a") usage flag set. +The key must have the `authentication' (`a') usage flag set. .TP .B validity The key itself must be valid, i.e. it must be well-formed, not @@ -62,7 +62,7 @@ The relevant user ID must be signed by a trusted identity certifier. .SH HOST IDENTIFICATION The OpenPGP keys for hosts have associated user IDs that use the ssh -URI specification for the host, i.e. "ssh://host.full.domain[:port]". +URI specification for the host, i.e. `ssh://host.full.domain[:port]'. .SH AUTHOR @@ -73,11 +73,11 @@ Daniel Kahn Gillmor .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere-host (8), -.BR monkeysphere-authentication (8), +.BR monkeysphere\-host (8), +.BR monkeysphere\-authentication (8), .BR openpgp2ssh (1), .BR pem2openpgp (1), .BR gpg (1), .BR http://tools.ietf.org/html/rfc4880, .BR ssh (1), -.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/ +.BR http://tools.ietf.org/wg/secsh/draft\-ietf\-secsh\-scp\-sftp\-ssh\-uri/ diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index a52e9ab..eb34a71 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 
@@ -1,27 +1,28 @@ -.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands" .SH NAME -monkeysphere-authentication \- Monkeysphere authentication admin tool. +monkeysphere\-authentication - Monkeysphere authentication admin tool. .SH SYNOPSIS -.B monkeysphere-authentication \fIsubcommand\fP [\fIargs\fP] +.B monkeysphere\-authentication \fIsubcommand\fP [\fIargs\fP] .SH DESCRIPTION -\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust for -OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the -authorized_keys and known_hosts files used by OpenSSH for connection -authentication. +\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust +(WoT) for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, +and added to the authorized_keys and known_hosts files used by OpenSSH +for connection authentication. -\fBmonkeysphere-authentication\fP is a Monkeysphere server admin utility. +\fBmonkeysphere\-authentication\fP is a Monkeysphere server admin +utility for configuring SSH user authentication through the WoT. .SH SUBCOMMANDS -\fBmonkeysphere-authentication\fP takes various subcommands: +\fBmonkeysphere\-authentication\fP takes various subcommands: .TP -.B update-users [ACCOUNT]... +.B update\-users [ACCOUNT]... Rebuild the monkeysphere-controlled authorized_keys files. For each specified account, the user ID's listed in the account's authorized_user_ids file are processed. For each user ID, gpg will be 
@@ -33,29 +34,29 @@ RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys file (usually ~USER/.ssh/authorized_keys) is appended to the monkeysphere-controlled authorized_keys file. If no accounts are specified, then all accounts on the system are processed. `u' may be -used in place of `update-users'. +used in place of `update\-users'. .TP -.B add-id-certifier KEYID|FILE +.B add\-id\-certifier KEYID|FILE Instruct system to trust user identity certifications made by KEYID. The key ID will be loaded from the keyserver. A file may be loaded instead of pulling the key from the keyserver by specifying the path -to the file as the argument, or by specifying `-` to load from stdin. -Using the `-n' or `--domain' option allows you to indicate that you +to the file as the argument, or by specifying `\-' to load from stdin. +Using the `\-n' or `\-\-domain' option allows you to indicate that you only trust the given KEYID to make identifications within a specific domain (e.g. "trust KEYID to certify user identities within the @example.org domain"). A certifier trust level can be specified with -the `-t' or `--trust' option (possible values are `marginal' and +the `\-t' or `\-\-trust' option (possible values are `marginal' and `full' (default is `full')). A certifier trust depth can be specified -with the `-d' or `--depth' option (default is 1). `c+' may be used in -place of `add-id-certifier'. +with the `-d' or `\-\-depth' option (default is 1). `c+' may be used in +place of `add\-id\-certifier'. .TP -.B remove-id-certifier KEYID +.B remove\-id\-certifier KEYID Instruct system to ignore user identity certifications made by KEYID. -`c-' may be used in place of `remove-id-certifier'. +`c-' may be used in place of `remove\-id\-certifier'. .TP -.B list-id-certifiers +.B list\-id\-certifiers List key IDs trusted by the system to certify user identities. `c' -may be used in place of `list-id-certifiers'. +may be used in place of `list\-id\-certifiers'. 
.TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -67,30 +68,30 @@ show version number Other commands: .TP .B setup -Setup the server for Monkeysphere user authentication. This command -is idempotent and run automatically by the other commands, and should -therefore not usually need to be run manually. `s' may be used in -place of `setup'. +Setup the server in preparation for Monkeysphere user authentication. +This command is idempotent and run automatically by the other +commands, and should therefore not usually need to be run manually. +`s' may be used in place of `setup'. .TP .B diagnostics Review the state of the server with respect to authentication. `d' may be used in place of `diagnostics'. .TP -.B gpg-cmd +.B gpg\-cmd Execute a gpg command, as the monkeysphere user, on the monkeysphere -authentication "sphere" keyring. This takes a single argument -(multiple gpg arguments need to be quoted). Use this command with -caution, as modifying the authentication sphere keyring can affect ssh -user authentication. +authentication `sphere' keyring. This takes a single argument +(i.e. multiple gpg arguments need to be quoted all together). Use +this command with caution, as modifying the authentication sphere +keyring can affect ssh user authentication. .SH SETUP USER AUTHENTICATION If the server will handle user authentication through monkeysphere-generated authorized_keys files, the server must be told which keys will act as identity certifiers. This is done with the -\fBadd-id-certifier\fP command: +\fBadd\-id\-certifier\fP command: -$ monkeysphere-authentication add-id-certifier KEYID +$ monkeysphere\-authentication add\-id\-certifier KEYID where KEYID is the key ID of the server admin, or whoever's certifications should be acceptable to the system for the purposes of 
@@ -98,21 +99,21 @@ authenticating remote users. You can run this command multiple times to indicate that multiple certifiers are trusted. You may also specify a filename instead of a key ID, as long as the file contains a single OpenPGP public key. Certifiers can be removed with the -\fBremove-id-certifier\fP command, and listed with the -\fBlist-id-certifiers\fP command. +\fBremove\-id\-certifier\fP command, and listed with the +\fBlist\-id\-certifiers\fP command. Remote users will then be granted access to a local account based on the appropriately-signed and valid keys associated with user IDs listed in that account's authorized_user_ids file. By default, the authorized_user_ids file for an account is ~/.monkeysphere/authorized_user_ids. This can be changed in the -monkeysphere-authentication.conf file. +monkeysphere\-authentication.conf file. -The \fBupdate-users\fP command can then be used to generate +The \fBupdate\-users\fP command can then be used to generate authorized_keys file for local accounts based on the authorized user IDs listed in the account's authorized_user_ids file: -$ monkeysphere-authentication update-users USER +$ monkeysphere\-authentication update\-users USER Not specifying USER will cause all accounts on the system to updated. sshd can then use these monkeysphere generated authorized_keys files @@ -122,8 +123,8 @@ user authentication by setting the following in the sshd_config: AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u -It is recommended to add "monkeysphere-authentication update-users" to a -system crontab, so that user keys are kept up-to-date, and key +It is recommended to add "monkeysphere\-authentication update-users" +to a system crontab, so that user keys are kept up-to-date, and key revocations and expirations can be processed in a timely manner. .SH ENVIRONMENT 
@@ -139,7 +140,7 @@ Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in increasing order of verbosity. (INFO) .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use. (pool.sks-keyservers.net) +OpenPGP keyserver to use. (pool.sks\-keyservers.net) .TP MONKEYSPHERE_AUTHORIZED_USER_IDS Path to user's authorized_user_ids file. %h gets replaced with the @@ -159,7 +160,7 @@ If set to `false', never prompt the user for confirmation. (true) .SH FILES .TP -/etc/monkeysphere/monkeysphere-authentication.conf +/etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP /var/lib/monkeysphere/authorized_keys/USER @@ -175,7 +176,8 @@ Matthew Goins .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere-host (8), +.BR monkeysphere\-host (8), .BR monkeysphere (7), .BR gpg (1), -.BR ssh (1) +.BR ssh (1), +.BR sshd (8) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index c457711..4cf660d 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -1,12 +1,12 @@ -.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands" .SH NAME -monkeysphere-host \- Monkeysphere host admin tool. +monkeysphere\-host - Monkeysphere host admin tool. .SH SYNOPSIS -.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP] +.B monkeysphere\-host \fIsubcommand\fP [\fIargs\fP] .SH DESCRIPTION 
@@ -15,29 +15,29 @@ for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. -\fBmonkeysphere-host\fP is a Monkeysphere server admin utility. +\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility. .SH SUBCOMMANDS -\fBmonkeysphere-host\fP takes various subcommands: +\fBmonkeysphere\-host\fP takes various subcommands: .TP -.B import-key FILE NAME[:PORT] +.B import\-key FILE NAME[:PORT] Import a pem-encoded ssh secret host key from file FILE. If FILE -is '-', then the key will be imported from stdin. NAME[:PORT] is used +is `\-', then the key will be imported from stdin. NAME[:PORT] is used to specify the fully-qualified hostname (and port) used in the user ID of the new OpenPGP key. If PORT is not specified, the no port is added to the user ID, which means port 22 is assumed. `i' may be used -in place of `import-key'. +in place of `import\-key'. .TP -.B show-key +.B show\-key Output information about host's OpenPGP and SSH keys. `s' may be used -in place of `show-key'. +in place of `show\-key'. .TP -.B extend-key [EXPIRE] +.B set\-expire [EXPIRE] Extend the validity of the OpenPGP key for the host until EXPIRE from the present. If EXPIRE is not specified, then the user will be prompted for the extension term. Expiration is specified as with -GnuPG: +GnuPG (measured from today's date): .nf 0 = key does not expire = key expires in n days 
@@ -45,24 +45,24 @@ GnuPG: m = key expires in n months y = key expires in n years .fi -`e' may be used in place of `extend-key'. +`e' may be used in place of `set\-expire'. .TP -.B add-hostname HOSTNAME +.B add\-hostname HOSTNAME Add a hostname user ID to the server host key. `n+' may be used in -place of `add-hostname'. +place of `add\-hostname'. .TP -.B revoke-hostname HOSTNAME -Revoke a hostname user ID from the server host key. `n-' may be used -in place of `revoke-hostname'. +.B revoke\-hostname HOSTNAME +Revoke a hostname user ID from the server host key. `n\-' may be used +in place of `revoke\-hostname'. .TP -.B add-revoker KEYID|FILE +.B add\-revoker KEYID|FILE Add a revoker to the host's OpenPGP key. The key ID will be loaded from the keyserver. A file may be loaded instead of pulling the key from the keyserver by specifying the path to the file as the argument, -or by specifying `-` to load from stdin. `r+' may be be used in place +or by specifying `\-' to load from stdin. `r+' may be be used in place of `add-revoker'. .TP -.B revoke-key +.B revoke\-key Generate (with the option to publish) a revocation certificate for the host's OpenPGP key. If such a certificate is published, your host key will be permanently revoked. This subcommand will ask you a series of @@ -71,9 +71,10 @@ to stdout. If you explicitly tell it to publish the revocation certificate immediately, it will send it to the public keyservers. USE WITH CAUTION! .TP -.B publish-key -Publish the host's OpenPGP key to the keyserver. `p' may be used in -place of `publish-key'. +.B publish\-key +Publish the host's OpenPGP key to the public keyservers. `p' may be +used in place of `publish-key'. Note that there is no way to remove a +key from the public keyservers once it is published! .TP .B help Output a brief usage summary. `h' or `?' may be used in place of 
@@ -98,7 +99,7 @@ To enable host verification via the monkeysphere, the host's key must be published to the Web of Trust. This is not done by default. To publish the host key to the keyservers, run the following command: -$ monkeysphere-host publish-key +$ monkeysphere\-host publish\-key In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) @@ -118,7 +119,7 @@ Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in increasing order of verbosity. .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (pool.sks-keyservers.net). +OpenPGP keyserver to use (pool.sks\-keyservers.net). .TP MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) @@ -127,12 +128,12 @@ If set to `false', never prompt the user for confirmation. (true) .SH FILES .TP -/etc/monkeysphere/monkeysphere-host.conf +/etc/monkeysphere/monkeysphere\-host.conf System monkeysphere-host config file. .TP -/var/lib/monkeysphere/host/ssh_host_rsa_key -Copy of the host's private key in ssh format, suitable for use by -sshd. +/var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg +A world-readable copy of the host's public key in OpenPGP format, +including all relevant self-signatures. .SH AUTHOR @@ -144,7 +145,9 @@ Matthew Goins .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere-authentication (8), +.BR monkeysphere\-authentication (8), .BR monkeysphere (7), .BR gpg (1), -.BR ssh (1) +.BR ssh (1), +.BR sshd (8), + -- cgit v1.2.3 From 13e7b0e3c0f4522382445c6ae77b090e68f4c8e4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 1 Mar 2009 22:45:05 -0500 Subject: caught a couple more hyphen/minus clarifications. --- man/man8/monkeysphere-authentication.8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index eb34a71..cfd13e7 100644 --- a/man/man8/monkeysphere-authentication.8 
+++ b/man/man8/monkeysphere-authentication.8 @@ -47,12 +47,12 @@ domain (e.g. "trust KEYID to certify user identities within the @example.org domain"). A certifier trust level can be specified with the `\-t' or `\-\-trust' option (possible values are `marginal' and `full' (default is `full')). A certifier trust depth can be specified -with the `-d' or `\-\-depth' option (default is 1). `c+' may be used in +with the `\-d' or `\-\-depth' option (default is 1). `c+' may be used in place of `add\-id\-certifier'. .TP .B remove\-id\-certifier KEYID Instruct system to ignore user identity certifications made by KEYID. -`c-' may be used in place of `remove\-id\-certifier'. +`c\-' may be used in place of `remove\-id\-certifier'. .TP .B list\-id\-certifiers List key IDs trusted by the system to certify user identities. `c' -- cgit v1.2.3 From 04d3ff158b70e20bc4dc42678aa836498e670cce Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Mar 2009 23:20:53 -0500 Subject: small formatting change to man pages, for consistency. --- man/man1/monkeysphere.1 | 18 +++++++++--------- man/man8/monkeysphere-host.8 | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index f6f583d..6972583 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
@@ -133,29 +133,29 @@ The following environment variables will override those specified in the monkeysphere.conf configuration file (defaults in parentheses): .TP MONKEYSPHERE_LOG_LEVEL -Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, -in increasing order of verbosity. +Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, +in increasing order of verbosity. (INFO) .TP MONKEYSPHERE_GNUPGHOME, GNUPGHOME -GnuPG home directory (~/.gnupg). +GnuPG home directory. (~/.gnupg) .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (pool.sks-keyservers.net). +OpenPGP keyserver to use. (pool.sks-keyservers.net) .TP MONKEYSPHERE_CHECK_KEYSERVER -Whether or not to check keyserver when making gpg queries (true). +Whether or not to check keyserver when making gpg queries. (true) .TP MONKEYSPHERE_KNOWN_HOSTS -Path to ssh known_hosts file (~/.ssh/known_hosts). +Path to ssh known_hosts file. (~/.ssh/known_hosts) .TP MONKEYSPHERE_HASH_KNOWN_HOSTS -Whether or not to hash to the known_hosts file entries (true). +Whether or not to hash to the known_hosts file entries. (true) .TP MONKEYSPHERE_AUTHORIZED_KEYS -Path to ssh authorized_keys file (~/.ssh/authorized_keys). +Path to ssh authorized_keys file. (~/.ssh/authorized_keys) .TP MONKEYSPHERE_PROMPT -If set to `false', never prompt the user for confirmation (true). +If set to `false', never prompt the user for confirmation. (true) .SH FILES diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 4cf660d..6198a65 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 
@@ -115,11 +115,11 @@ The following environment variables will override those specified in the config file (defaults in parentheses): .TP MONKEYSPHERE_LOG_LEVEL -Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in -increasing order of verbosity. +Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. (INFO) .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (pool.sks\-keyservers.net). +OpenPGP keyserver to use. (pool.sks\-keyservers.net) .TP MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) -- cgit v1.2.3 From 18d6d63571d18c50a4c943742c6cebbb100d4277 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 12:40:28 -0500 Subject: get rid of FILE_OWNER variable, in favor of just using $(whoami) when running check_key_file_permissions in update_known_hosts, update_authorized_keys, and process_authorized_user_ids. this is fine, since the policy is just that a user is always updating their own files. closes monkeysphere bug #630. --- src/monkeysphere | 3 --- src/share/common | 6 +++--- src/share/ma/update_users | 2 +- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index 1641d32..8d59d08 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -189,9 +189,6 @@ export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" export LOG_LEVEL -# explicitly set the FILE_OWNER variable, for checking file permissions -export FILE_OWNER=$(whoami) - # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." diff --git a/src/share/common b/src/share/common index dd5dc16..83f2d6f 100644 --- a/src/share/common +++ b/src/share/common 
@@ -846,7 +846,7 @@ update_known_hosts() { (umask 0022 && touch "$KNOWN_HOSTS") # check permissions on the known_hosts file path - check_key_file_permissions "$FILE_OWNER" "$KNOWN_HOSTS" || failure + check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" @@ -1000,7 +1000,7 @@ update_authorized_keys() { log debug " $AUTHORIZED_KEYS" # check permissions on the authorized_keys file path - check_key_file_permissions "$FILE_OWNER" "$AUTHORIZED_KEYS" || failure + check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure # create a lockfile on authorized_keys lock create "$AUTHORIZED_KEYS" @@ -1076,7 +1076,7 @@ process_authorized_user_ids() { log debug " $authorizedUserIDs" # check permissions on the authorized_user_ids file path - check_key_file_permissions "$FILE_OWNER" "$authorizedUserIDs" || failure + check_key_file_permissions $(whoami) "$authorizedUserIDs" || failure if ! meat "$authorizedUserIDs" > /dev/null ; then log debug " no user IDs to process." diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 67fabb2..3a5c006 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -92,7 +92,7 @@ for uname in $unames ; do export TMP_AUTHORIZED_USER_IDS # process authorized_user_ids file, as monkeysphere user - FILE_OWNER="$MONKEYSPHERE_USER" su_monkeysphere_user \ + su_monkeysphere_user \ ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" \ || returnCode="$?" else -- cgit v1.2.3 From 8cabd14f454708cdb0310d77e4897e860fc87ecc Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 12:42:48 -0500 Subject: very small tweaks to usages. --- src/monkeysphere-authentication | 2 +- src/monkeysphere-host | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 3344f38..db658ae 100755 --- a/src/monkeysphere-authentication 
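Review bot: The new `$(whoami)` argument is unquoted in update_known_hosts, and the same applies to the identical calls added in update_authorized_keys and process_authorized_user_ids. If whoami fails or prints nothing, the substitution expands to no word at all, so the file path moves into the owner position and check_key_file_permissions gets one argument fewer. How that function reacts is not visible here, so the permission check may not fail closed. Quoting keeps the argument positions fixed: `check_key_file_permissions "$(whoami)" "$KNOWN_HOSTS" || failure`. All three functions continue outside their hunks.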
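Review bot: With the `FILE_OWNER="$MONKEYSPHERE_USER"` prefix removed in update_users, the owner that process_authorized_user_ids checks against is now implicit: it is whatever `whoami` returns inside the shell that su_monkeysphere_user starts. That helper is not visible in this hunk, so whether it always switches user before running the command string cannot be confirmed from here. A comment above the call would record the dependency, for example `# ownership is checked against $(whoami) inside the su'd shell, i.e. the monkeysphere user`. The enclosing loop body starts and ends outside the hunk.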
+++ b/src/monkeysphere-authentication @@ -56,7 +56,7 @@ subcommands: update-users (u) [USER]... update user authorized_keys files add-id-certifier (c+) [KEYID|FILE] import and tsign a certification key - --domain (-n) DOMAIN limit ID certifications to DOMAIN + --domain (-n) DOMAIN limit ID certifications to DOMAIN (*) --trust (-t) TRUST trust level of certifier (full) --depth (-d) DEPTH trust depth for certifier (1) remove-id-certifier (c-) KEYID remove a certification key diff --git a/src/monkeysphere-host b/src/monkeysphere-host index b9a15ae..c03fb27 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -58,7 +58,7 @@ subcommands: set-expire (e) [EXPIRE] set host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID - add-revoker (r+) [KEYID|FILE] add a revoker to the host key + add-revoker (r+) [KEYID|FILE] add a revoker to the host key revoke-key generate and/or publish revocation certificate for host key -- cgit v1.2.3 From bd5aac0e2eae2dd73c35b6bbb2e79ef48c98ca21 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 12:45:48 -0500 Subject: fix remove_monkeysphere_line function to properly handle empty files. --- src/share/common | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/share/common b/src/share/common index 83f2d6f..83120d1 100644 --- a/src/share/common +++ b/src/share/common @@ -354,12 +354,15 @@ remove_monkeysphere_lines() { file="$1" - if [ -z "$file" ] ; then + # return error if file does not exist + if [ ! -e "$file" ] ; then return 1 fi - if [ ! -e "$file" ] ; then - return 1 + # just return ok if the file is empty, since there aren't any + # lines to remove + if [ ! -s "$file" ] ; then + return 0 fi tempfile=$(mktemp "${file}.XXXXXXX") || \ -- cgit v1.2.3 From 05c96da9d1774a1b9ca6782384a4317671bcd622 Mon Sep 17 00:00:00 2001 
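Review bot: The existence test in remove_monkeysphere_lines uses `-e`, which is also true for a directory or other non-regular path, and such a path will usually pass the new `-s` test as well and reach the mktemp call. `if [ ! -f "$file" ] ; then` would reject those while still following a symlink to a regular file. The dropped `-z` test is still covered, because `[ ! -e "" ]` is true, but the comment could say so: `# return error if no file was given or it does not exist`. The function continues past the mktemp line, outside the hunk.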
From: Daniel Kahn Gillmor Date: Mon, 2 Mar 2009 13:02:35 -0500 Subject: usage review/tweaks for m-a and m-h --- src/monkeysphere-authentication | 18 +++++++++--------- src/monkeysphere-host | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index db658ae..ae4f3f4 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -53,17 +53,17 @@ usage: $PGRM [options] [args] Monkeysphere authentication admin tool. subcommands: - update-users (u) [USER]... update user authorized_keys files + update-users (u) [USER]... update user authorized_keys files - add-id-certifier (c+) [KEYID|FILE] import and tsign a certification key - --domain (-n) DOMAIN limit ID certifications to DOMAIN (*) - --trust (-t) TRUST trust level of certifier (full) - --depth (-d) DEPTH trust depth for certifier (1) - remove-id-certifier (c-) KEYID remove a certification key - list-id-certifiers (c) list certification keys + add-id-certifier (c+) KEYID|FILE import and tsign a certification key + [--domain (-n) DOMAIN] limit ID certifications to DOMAIN + [--trust (-t) TRUST] trust level of certifier (default: full) + [--depth (-d) DEPTH] trust depth for certifier (default: 1) + remove-id-certifier (c-) KEYID remove a certification key + list-id-certifiers (c) list certification keys - version (v) show version number - help (h,?) this help + version (v) show version number + help (h,?) this help See ${PGRM}(8) for more info. EOF diff --git a/src/monkeysphere-host b/src/monkeysphere-host index c03fb27..7fb3980 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host 
@@ -58,7 +58,7 @@ subcommands: set-expire (e) [EXPIRE] set host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID - add-revoker (r+) [KEYID|FILE] add a revoker to the host key + add-revoker (r+) KEYID|FILE add a revoker to the host key revoke-key generate and/or publish revocation certificate for host key -- cgit v1.2.3 From 4cf60ae41b38e76a5c30de991b470c80abbc57e4 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 13:21:22 -0500 Subject: expanded/clarified setup examples --- man/man8/monkeysphere-authentication.8 | 26 ++++++++++--------- man/man8/monkeysphere-host.8 | 46 +++++++++++++++++++++++----------- 2 files changed, 45 insertions(+), 27 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index cfd13e7..dfa7444 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -16,7 +16,8 @@ and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. \fBmonkeysphere\-authentication\fP is a Monkeysphere server admin -utility for configuring SSH user authentication through the WoT. +utility for configuring and managing SSH user authentication through +the WoT. .SH SUBCOMMANDS 
@@ -102,24 +103,26 @@ single OpenPGP public key. Certifiers can be removed with the \fBremove\-id\-certifier\fP command, and listed with the \fBlist\-id\-certifiers\fP command. -Remote users will then be granted access to a local account based on -the appropriately-signed and valid keys associated with user IDs -listed in that account's authorized_user_ids file. By default, the +Remote users will be granted access to local accounts based on the +appropriately-signed and valid keys associated with user IDs listed in +that account's authorized_user_ids file. By default, the authorized_user_ids file for an account is ~/.monkeysphere/authorized_user_ids. This can be changed in the monkeysphere\-authentication.conf file. -The \fBupdate\-users\fP command can then be used to generate -authorized_keys file for local accounts based on the authorized user -IDs listed in the account's authorized_user_ids file: +The \fBupdate\-users\fP command is used to generate authorized_keys +files for local accounts based on the authorized user IDs listed in +the account's authorized_user_ids file: $ monkeysphere\-authentication update\-users USER Not specifying USER will cause all accounts on the system to updated. -sshd can then use these monkeysphere generated authorized_keys files -to grant access to user accounts for remote users. You must also tell -sshd to look at the monkeysphere-generated authorized_keys file for -user authentication by setting the following in the sshd_config: +The ssh server can then use these monkeysphere\-generated +authorized_keys files to grant access to user accounts for remote +users. In order for sshd to look at the monkeysphere\-generated +authorized_keys file for user authentication, the AuthorizedKeysFile +parameter must be set in the sshd_config to point to the +monkeysphere\-generated authorized_keys files: AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u 
@@ -156,7 +159,6 @@ raw authorized_keys file. %h gets replaced with the user's homedir, MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) - .SH FILES .TP diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 6198a65..8968cd7 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -15,19 +15,21 @@ for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. -\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility. +\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility for +managing the host's OpenPGP host key. .SH SUBCOMMANDS \fBmonkeysphere\-host\fP takes various subcommands: .TP .B import\-key FILE NAME[:PORT] -Import a pem-encoded ssh secret host key from file FILE. If FILE -is `\-', then the key will be imported from stdin. NAME[:PORT] is used -to specify the fully-qualified hostname (and port) used in the user ID -of the new OpenPGP key. If PORT is not specified, the no port is -added to the user ID, which means port 22 is assumed. `i' may be used -in place of `import\-key'. +Import a pem-encoded ssh secret host key from file FILE. If FILE is +`\-', then the key will be imported from stdin. Only RSA keys are +supported at the moment. NAME[:PORT] is used to specify the +fully-qualified hostname (and port) used in the user ID of the new +OpenPGP key. If PORT is not specified, the no port is added to the +user ID, which means port 22 is assumed. `i' may be used in place of +`import\-key'. .TP .B show\-key Output information about host's OpenPGP and SSH keys. `s' may be used 
@@ -95,9 +97,23 @@ place of `diagnostics'. .SH SETUP HOST AUTHENTICATION -To enable host verification via the monkeysphere, the host's key must -be published to the Web of Trust. This is not done by default. To -publish the host key to the keyservers, run the following command: +To enable host verification via the monkeysphere, an OpenPGP key must +be made out of the host's ssh key, and the key must be published to +the Web of Trust. This is not done by default. The first step is to +import the host's ssh key into a monkeysphere OpenPGP key. This is +done with the import\-key command. When importing a key, you must +specify the path to the host's ssh RSA key to import, and a hostname +to use as the key's user ID: + +$ monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org + +On most systems, the ssh host RSA key is stored at +/etc/ssh/ssh_host_rsa_key. + +Once the host key has been imported, it must be published to the Web +of Trust so that users can retrieve the key when sshing to the host. +The host key is published to the keyserver with the publish\-key +command: $ monkeysphere\-host publish\-key @@ -105,9 +121,11 @@ In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) will need to sign the host's key. This is done using standard OpenPGP keysigning techniques, usually: pull the key from the keyserver, -verify and sign the key, and then re-publish the signature. Once an -admin's signature is published, users logging into the host can use it -to validate the host's key. +verify and sign the key, and then re-publish the signature. Please +see http://web.monkeysphere.info/signing-host-keys/ for more +information. Once an admin's signature is published, users logging +into the host can use it to validate the host's key without having to +manually check the hosts key's fingerprint. .SH ENVIRONMENT 
@@ -124,7 +142,6 @@ OpenPGP keyserver to use. (pool.sks\-keyservers.net) MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) - .SH FILES .TP @@ -150,4 +167,3 @@ Matthew Goins .BR gpg (1), .BR ssh (1), .BR sshd (8), - -- cgit v1.2.3 From 0dc0bc5817f4eb4a0e996d4dfed97b0822a29216 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 2 Mar 2009 13:47:08 -0500 Subject: more man page tweaking. --- man/man8/monkeysphere-authentication.8 | 29 +++++++++++++++-------------- man/man8/monkeysphere-host.8 | 14 +++++++------- 2 files changed, 22 insertions(+), 21 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index dfa7444..a28922c 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -92,7 +92,7 @@ monkeysphere-generated authorized_keys files, the server must be told which keys will act as identity certifiers. This is done with the \fBadd\-id\-certifier\fP command: -$ monkeysphere\-authentication add\-id\-certifier KEYID +# monkeysphere\-authentication add\-id\-certifier KEYID where KEYID is the key ID of the server admin, or whoever's certifications should be acceptable to the system for the purposes of @@ -103,7 +103,7 @@ single OpenPGP public key. Certifiers can be removed with the \fBremove\-id\-certifier\fP command, and listed with the \fBlist\-id\-certifiers\fP command. -Remote users will be granted access to local accounts based on the +A remote user will be granted access to a local account based on the appropriately-signed and valid keys associated with user IDs listed in that account's authorized_user_ids file. By default, the authorized_user_ids file for an account is 
@@ -111,22 +111,22 @@ authorized_user_ids file for an account is monkeysphere\-authentication.conf file. The \fBupdate\-users\fP command is used to generate authorized_keys -files for local accounts based on the authorized user IDs listed in -the account's authorized_user_ids file: +files for a local account based on the user IDs listed in the +account's authorized_user_ids file: -$ monkeysphere\-authentication update\-users USER +# monkeysphere\-authentication update\-users USER Not specifying USER will cause all accounts on the system to updated. -The ssh server can then use these monkeysphere\-generated -authorized_keys files to grant access to user accounts for remote -users. In order for sshd to look at the monkeysphere\-generated -authorized_keys file for user authentication, the AuthorizedKeysFile -parameter must be set in the sshd_config to point to the -monkeysphere\-generated authorized_keys files: +The ssh server can use these monkeysphere-generated authorized_keys +files to grant access to user accounts for remote users. In order for +sshd to look at the monkeysphere-generated authorized_keys file for +user authentication, the AuthorizedKeysFile parameter must be set in +the sshd_config to point to the monkeysphere\-generated +authorized_keys files: AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u -It is recommended to add "monkeysphere\-authentication update-users" +It is recommended to add "monkeysphere\-authentication update\-users" to a system crontab, so that user keys are kept up-to-date, and key revocations and expirations can be processed in a timely manner. @@ -170,7 +170,7 @@ Monkeysphere-generated user authorized_keys files. .SH AUTHOR -Written by: +This man page was written by: Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins @@ -182,4 +182,5 @@ Matthew Goins .BR monkeysphere (7), .BR gpg (1), .BR ssh (1), -.BR sshd (8) +.BR sshd (8), +.BR sshd_config (5) 
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 8968cd7..c03b675 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -100,12 +100,12 @@ place of `diagnostics'. To enable host verification via the monkeysphere, an OpenPGP key must be made out of the host's ssh key, and the key must be published to the Web of Trust. This is not done by default. The first step is to -import the host's ssh key into a monkeysphere OpenPGP key. This is -done with the import\-key command. When importing a key, you must +import the host's ssh key into a monkeysphere-style OpenPGP key. This +is done with the import\-key command. When importing a key, you must specify the path to the host's ssh RSA key to import, and a hostname to use as the key's user ID: -$ monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org +# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org On most systems, the ssh host RSA key is stored at /etc/ssh/ssh_host_rsa_key. @@ -125,7 +125,7 @@ verify and sign the key, and then re-publish the signature. Please see http://web.monkeysphere.info/signing-host-keys/ for more information. Once an admin's signature is published, users logging into the host can use it to validate the host's key without having to -manually check the hosts key's fingerprint. +manually check the host key's fingerprint. .SH ENVIRONMENT @@ -146,7 +146,7 @@ If set to `false', never prompt the user for confirmation. (true) .TP /etc/monkeysphere/monkeysphere\-host.conf -System monkeysphere-host config file. +System monkeysphere\-host config file. .TP /var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg A world-readable copy of the host's public key in OpenPGP format, @@ -154,7 +154,7 @@ including all relevant self-signatures. .SH AUTHOR -Written by: +This man page was written by: Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins 
@@ -166,4 +166,4 @@ Matthew Goins .BR monkeysphere (7), .BR gpg (1), .BR ssh (1), -.BR sshd (8), +.BR sshd (8) -- cgit v1.2.3 From d86b79c54bca47211511fc18f3d626cf3b30fcb1 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 2 Mar 2009 14:17:35 -0500 Subject: added a prerm script to explicitly fail if someone attempts to downgrade to anything before 0.23 --- packaging/debian/monkeysphere.prerm | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100755 packaging/debian/monkeysphere.prerm diff --git a/packaging/debian/monkeysphere.prerm b/packaging/debian/monkeysphere.prerm new file mode 100755 index 0000000..1a5135a --- /dev/null +++ b/packaging/debian/monkeysphere.prerm @@ -0,0 +1,36 @@ +#!/bin/sh -e + +# prerm script for monkeysphere + +# the only thing we're doing here is making sure that the local +# administrator is not trying to downgrade to a version below 0.23, +# since there was such a major reorganization of system data during +# the transition to 0.23. + +# Author: Daniel Kahn Gillmor +# Copyright 2009 + +set -e + +case "$1" in + upgrade) + if dpkg --compare-versions "$2" lt 0.23 ; then + cat >&2 < Date: Mon, 2 Mar 2009 14:26:43 -0500 Subject: don't reference tests for key publication in m-h diagnostics man entry. --- man/man8/monkeysphere-host.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index c03b675..3e01105 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -91,7 +91,7 @@ Other commands: .B diagnostics Review the state of the monkeysphere server host key and report on suggested changes. Among other checks, this includes making sure -there is a valid host key, that the key is published, that the sshd +there is a valid host key, that the key is not expired, that the sshd configuration points to the right place, etc. `d' may be used in place of `diagnostics'. -- cgit v1.2.3 
From 6fb913f396e513148dd270c1ecca8eda537e50c6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 15:35:06 -0500 Subject: added ability to specify subkeys to add to agent with MONKEYSPHERE_SUBKEYS_FOR_AGENT variable. --- packaging/debian/changelog | 4 ++- src/share/m/subkey_to_ssh_agent | 55 +++++++++++++++++++++++++++-------------- 2 files changed, 39 insertions(+), 20 deletions(-) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 8b3b922..786d410 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -8,13 +8,15 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low - improved transitions/0.23 script so it no longer fails in common circumstances (Closes: #517779) - RSA only: no longer handles DSA keys + - added ability to specify subkeys to add to ssh agent with + new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable * update/cleanup maintainer scripts * remove GnuTLS dependency. * remove versioned coreutils | base64 dependency. * added Build-Deps for dh_autotest. * switch to Architecture: all - -- Daniel Kahn Gillmor Sun, 01 Mar 2009 11:47:41 -0500 + -- Jameson Graef Rollins Mon, 02 Mar 2009 15:33:44 -0500 monkeysphere (0.23.1-1) unstable; urgency=low diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent index ec596bd..aa647a6 100644 --- a/src/share/m/subkey_to_ssh_agent +++ b/src/share/m/subkey_to_ssh_agent 
@@ -37,26 +37,34 @@ subkey_to_ssh_agent() { if [ "$sshaddresponse" = "2" ]; then failure "Could not connect to ssh-agent" fi - - # get list of secret keys (to work around bug - # https://bugs.g10code.com/gnupg/issue945): - secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ - --fingerprint | \ - grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') - - if [ -z "$secretkeys" ]; then - failure "You have no secret keys in your keyring! + + # if the MONKEYSPHERE_SUBKEYS_FOR_AGENT variable is set, use the + # keys specified there + if [ "$MONKEYSPHERE_SUBKEYS_FOR_AGENT" ] ; then + authsubkeys="$MONKEYSPHERE_SUBKEYS_FOR_AGENT" + + # otherwise find all authentication-capable subkeys and use those + else + # get list of secret keys + # (to work around bug https://bugs.g10code.com/gnupg/issue945): + secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + --fingerprint | \ + grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') + + if [ -z "$secretkeys" ]; then + failure "You have no secret keys in your keyring! You might want to run 'gpg --gen-key'." - fi + fi - authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ - --fingerprint --fingerprint $secretkeys | \ - cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ - grep '^fpr::' | cut -f3 -d: | sort -u) - - if [ -z "$authsubkeys" ]; then - failure "no authentication-capable subkeys available. -You might want to 'monkeysphere gen-subkey'" + authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + --fingerprint --fingerprint $secretkeys | \ + cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ + grep '^fpr::' | cut -f3 -d: | sort -u) + + if [ -z "$authsubkeys" ]; then + failure "no authentication-capable subkeys available. +You might want to run 'monkeysphere gen-subkey'." + fi fi workingdir=$(msmktempdir) 
@@ -68,7 +76,16 @@ You might want to 'monkeysphere gen-subkey'" # through to ssh-add. should we limit it to known ones? For # example: -d or -c and/or -t - for subkey in $authsubkeys; do + for subkey in $authsubkeys; do + # test that the subkey has proper capability + capability=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + --fingerprint --fingerprint "0x${subkey}!" \ + | egrep -B 1 "^fpr:::::::::${subkey}:$" | grep "^ssb:" | cut -d: -f12) + if ! check_capability "$capability" 'a' ; then + log error "Did not find authentication-capable subkey with key ID '$subkey'." + continue + fi + # choose a label by which this key will be known in the agent: # we are labelling the key by User ID instead of by # fingerprint, but filtering out all / characters to make sure -- cgit v1.2.3 From f422913545040510e4ff4a794a00c5af8986cfc1 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Mar 2009 15:41:08 -0500 Subject: update man page for subkey-to-ssh-agent, to add info about MONKEYSPHERE_SUBKEYS_FOR_AGENT --- man/man1/monkeysphere.1 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 6972583..327a623 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -121,7 +121,10 @@ to .BR ssh\-add (1). For example, to remove the authentication subkeys, pass an additional `\-d' argument. To require confirmation on each use of the key, pass -`\-c'. `s' may be used in place of `subkey\-to\-ssh\-agent'. +`\-c'. The MONKEYSPHERE_SUBKEYS_FOR_AGENT environment can be used to +specify the full fingerprints of specific keys to add to the agent +(space separated), instead of adding them all. `s' may be used in +place of `subkey\-to\-ssh\-agent'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of 
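Review bot: The new capability check splices each entry of MONKEYSPHERE_SUBKEYS_FOR_AGENT into an egrep pattern (`"^fpr:::::::::${subkey}:$"`) and into the gpg key specifier without checking its shape. A lower-case fingerprint, a short key ID or a `0x`-prefixed value will not match gpg's upper-case colon output, so the key is reported as not authentication-capable, and any regex metacharacters in the value are interpreted rather than matched. Validate and normalise each entry at the top of the loop, e.g. `case "$subkey" in ''|*[!0-9A-Fa-f]*) log error "Invalid fingerprint '$subkey'." ; continue ;; esac` followed by `subkey=$(printf '%s' "$subkey" | tr a-f A-F)`; a length check for the full 40 hex digits would match what the man page asks for. The loop body and the rest of subkey_to_ssh_agent continue outside this hunk.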
@@ -156,6 +159,10 @@ Path to ssh authorized_keys file. (~/.ssh/authorized_keys) .TP MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) +.TP +MONKEYSPHERE_SUBKEYS_FOR_AGENT +A space-separated list of authentication-capable subkeys to add to the +ssh agent with subkey-to-ssh-agent. .SH FILES -- cgit v1.2.3 From 964d1c805c5866ea7f4a2c38808ccc3a5db490f5 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 2 Mar 2009 17:42:33 -0500 Subject: quieting down the transition script (and m-a setup). --- src/share/ma/setup | 4 ++-- src/transitions/0.23 | 21 +++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/src/share/ma/setup b/src/share/ma/setup index f991050..b453f3c 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -82,7 +82,7 @@ EOF # ensure that the authentication sphere checker has absolute ownertrust on the expected key. log debug "setting ultimate owner trust on core key in gpg_sphere..." - printf "%s:6:\n" "$CORE_FPR" | gpg_sphere "--import-ownertrust" + printf "%s:6:\n" "$CORE_FPR" | gpg_sphere "--import-ownertrust" 2>&1 | log verbose gpg_sphere "--export-ownertrust" 2>&1 | log debug # check the owner trust @@ -101,7 +101,7 @@ EOF # our preferences are reasonable (i.e. 3 marginal OR 1 fully # trusted certifications are sufficient to grant full validity. log debug "checking trust model for authentication ..." - local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" \ + local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" 2>/dev/null \ | head -n1 | grep "^tru:" | cut -d: -f3,6,7) log debug "sphere trust model: $TRUST_MODEL" if [ "$TRUST_MODEL" != '1:3:1' ] ; then diff --git a/src/transitions/0.23 b/src/transitions/0.23 index b0c967a..4410ae8 100755 --- a/src/transitions/0.23 +++ b/src/transitions/0.23 
@@ -71,7 +71,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then # get the old host keygrip (don't know why there would be more # than one, but we'll transfer all tsigs made by any key that # had been given ultimate ownertrust): - for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-ownertrust | \ + for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-ownertrust | \ grep ':6:$' | \ sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do @@ -87,7 +87,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then # one of those certifications (even if later # certifications had different parameters). - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ cut -f 1,2,5,8,9,10 -d: | \ egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ while IFS=: read -r type validity grip trustparams trustdomain fpr ; do @@ -129,7 +129,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX) log "Adding identity certifier with fingerprint %s\n" "$keyfpr" - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY" rm -f "$CERTKEY" # clear the fingerprint so that we don't 
@@ -149,9 +149,9 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then log "Not transferring host key info because host directory already exists.\n" else if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then - FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) + FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) # create host home mkdir -p $(dirname "$MHDATADIR") @@ -168,12 +168,12 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then # FIXME: if all self-sigs are expired, then the secret key import may # fail anyway. How should we deal with that? - if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys && \ - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export "$FPR") | \ + if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-secret-keys && \ + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "$FPR") | \ GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --import ; then : we are in good shape! else - if ! GNUPGHOME="$NEWDATADIR" gpg --list-secret-key >/dev/null ; then + if ! GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --list-secret-key >/dev/null ; then log "The old host key (%s) was not imported properly.\n" "$FPR" exit 1 fi 
@@ -202,8 +202,9 @@ fi # the new authentication keyring. if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then - GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --no-permission-warning --export | \ - monkeysphere-authentication gpg-cmd --import || \ + GNUPGHOME="${SYSDATADIR}/gnupg-authentication" \ + gpg --quiet --no-tty --no-permission-warning --export 2>/dev/null | \ + monkeysphere-authentication gpg-cmd --import 2>/dev/null || \ log "No OpenPGP certificates imported into monkeysphere-authentication trust sphere.\n" mkdir -p "$STASHDIR" -- cgit v1.2.3 From 0ae1b83bf02bdec7b26e87e16a393b007941f871 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 2 Mar 2009 17:49:53 -0500 Subject: clearer error reporting for transition scripts in postinst. --- packaging/debian/monkeysphere.postinst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/packaging/debian/monkeysphere.postinst b/packaging/debian/monkeysphere.postinst index 6b12ee8..4e81167 100755 --- a/packaging/debian/monkeysphere.postinst +++ b/packaging/debian/monkeysphere.postinst @@ -21,8 +21,15 @@ case $1 in monkeysphere fi - # try to transition from to 0.23: - /usr/share/monkeysphere/transitions/0.23 + # try all available transitions: + for trans in 0.23 ; do + /usr/share/monkeysphere/transitions/$trans || { \ + RET=$? + echo "Failed running transition script /usr/share/monkeysphere/transitions/$trans" >&2 + exit $RET + } + done + # setup monkeysphere authentication monkeysphere-authentication setup -- cgit v1.2.3 From cf04c38691c1fa80ad9ac65175e034fbff7ab0c3 Mon Sep 17 00:00:00 2001 
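Review bot: With `2>/dev/null` on both the export and the `monkeysphere-authentication gpg-cmd --import` side, a failed transfer of the old authentication keyring leaves only the generic "No OpenPGP certificates imported" message, and the `||` sees only the import's status, never the export's. An admin whose identity certifiers are missing after the upgrade then has nothing to diagnose it with, while the block goes on to stash the old directory (the `mv` is outside this hunk). Keep the diagnostics recoverable instead of discarding them: move the `mkdir -p "$STASHDIR"` / `chmod 0700 "$STASHDIR"` pair above the pipeline and append stderr to a file there, e.g. `2>>"$STASHDIR/transition.log"` (file name illustrative) in place of each `2>/dev/null`.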
From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 00:13:11 -0500 Subject: transitions/0.23: when backing up old gnupg-{host,authentication}, timestamp backups so that they are relatively unique: this makes collisions less likely if the script gets run twice (failing the first time), and helps record the history of the cleanup as well --- src/transitions/0.23 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/transitions/0.23 b/src/transitions/0.23 index 4410ae8..3964558 100755 --- a/src/transitions/0.23 +++ b/src/transitions/0.23 @@ -193,7 +193,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then mkdir -p "$STASHDIR" chmod 0700 "$STASHDIR" - mv "${SYSDATADIR}/gnupg-host" "$STASHDIR" + mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"/gnupg-host.$(date '+%F_%T%z') fi @@ -209,5 +209,5 @@ if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then mkdir -p "$STASHDIR" chmod 0700 "$STASHDIR" - mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR" + mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR"/gnupg-authentication.$(date '+%F_%T%z') fi -- cgit v1.2.3 From b94c148b51a53f47ac2513af0e400cc9234bc3dd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 01:15:50 -0500 Subject: quieted down m-a add_certifier: there is no reason why the admin should be shown gpg noise. --- src/monkeysphere-authentication | 2 +- src/share/ma/add_certifier | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index ae4f3f4..b0dcc88 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication 
@@ -100,7 +100,7 @@ core_fingerprint() { gpg_core_sphere_sig_transfer() { log debug "exporting core local sigs to sphere..." gpg_core --export-options export-local-sigs --export | \ - gpg_sphere "--import-options import-local-sigs --import" + gpg_sphere "--import-options import-local-sigs --import" 2>&1 | log debug } ######################################################################## diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 6f85ecf..544a3f0 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -108,7 +108,7 @@ if [ -f "$keyID" -o "$keyID" = '-' ] ; then fi # load the key - gpg_sphere "--import" <"$keyID" \ + gpg_sphere "--import" <"$keyID" 2>/dev/null \ || failure "could not read key from '$keyID'" # else, get the key from the keyserver -- cgit v1.2.3 From 91fee4b8616ce94be3b18f58b8d361d784ce92a6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 3 Mar 2009 11:56:00 -0500 Subject: fix to logging to prefix all log output with log prefix, and allow changing of log prefix. --- src/monkeysphere | 1 + src/monkeysphere-authentication | 1 + src/monkeysphere-host | 1 + src/share/common | 7 +++---- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/monkeysphere b/src/monkeysphere index 8d59d08..f721108 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -182,6 +182,7 @@ AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=$AUTHORIZED_KEYS} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"} REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} +LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} # export GNUPGHOME and make sure gpg home exists with proper # permissions diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index b0dcc88..85ff04f 100755 --- a/src/monkeysphere-authentication 
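Review bot: Piping gpg_sphere into `log debug` makes the pipeline's exit status that of `log`, so gpg_core_sphere_sig_transfer now returns success even when the import into the sphere keyring fails (unless pipefail is enabled somewhere not visible here). Going by its log message the function transfers the core's local signatures to the sphere, so a failure there should reach the caller rather than appear only at debug level. Capture the output and keep gpg's status: `ret=0; out=$(gpg_core --export-options export-local-sigs --export | gpg_sphere "--import-options import-local-sigs --import" 2>&1) || ret=$?`, then `printf '%s\n' "$out" | log debug` and `return $ret`. The add_certifier hunk that follows sends gpg's stderr to /dev/null, which leaves "could not read key" as the only message for every kind of import failure; routing it to `log debug` would keep the cause available.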
+++ b/src/monkeysphere-authentication @@ -129,6 +129,7 @@ REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"} GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} +LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} # export variables needed in su invocation export DATE diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 7fb3980..b052ca1 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -230,6 +230,7 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} # other variables GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} +LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} # export variables needed in su invocation export DATE diff --git a/src/share/common b/src/share/common index 83120d1..ea872ba 100644 --- a/src/share/common +++ b/src/share/common @@ -76,11 +76,10 @@ log() { fi if [ "$priority" = "$level" -a "$output" = 'true' ] ; then if [ "$1" ] ; then - echo -n "ms: " >&2 - echo "$@" >&2 + echo "$@" else - cat >&2 - fi + cat + fi | sed 's/^/'"${LOG_PREFIX}"'/' >&2 fi done } -- cgit v1.2.3 From 67b161359716a7b6c5d15a67687fb31d93677d36 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:14:12 -0500 Subject: put explicit licensing information in the website CSS after discussion with other authors. --- website/local.css | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/website/local.css b/website/local.css index de0f196..b2d86c7 100644 --- a/website/local.css +++ b/website/local.css 
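Review bot: In the log() hunk, `LOG_PREFIX` is spliced into the sed program text (`sed 's/^/'"${LOG_PREFIX}"'/'`), and the three scripts changed in this commit take it from MONKEYSPHERE_LOG_PREFIX, so an environment value is parsed as sed syntax instead of being used as literal text. A prefix containing `/`, `&` or a backslash makes sed fail or alters the substitution, and when sed fails every log line, errors included, is lost. Add the prefix without handing the value to an interpreter, e.g. `fi | while IFS= read -r line || [ -n "$line" ] ; do printf '%s%s\n' "$LOG_PREFIX" "$line" ; done >&2`. log() starts before this hunk and its enclosing loop continues past it, so the placement should be checked against the full function.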
@@ -1,3 +1,22 @@ +/* CSS for web.monkeysphere.info + +Copyright: 2008,2009 + +Authors: +Dan Scott, +Daniel Kahn Gillmor , +Jameson Graef Rollins , +Jamie McClelland + +License: This stylesheet is licensed under the GNU GPL, version 3 or +later (your choice). + +The full text of the GPL can be found at: + + http://www.gnu.org/licenses/gpl.html + + */ + h1 { -moz-border-radius: 4px; background-color: #B67B4E; -- cgit v1.2.3 From 94775ba19827cabcf3a4c594c456c6d86ee4c31c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:38:39 -0500 Subject: test adding license and copyright info to the main page on the wiki via meta tags. --- website/index.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/index.mdwn b/website/index.mdwn index 4abeea0..3d83561 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,4 +1,6 @@ [[meta title="The Monkeysphere Project"]] +[[meta license="Content on this wiki is licensed under the GPL version 3 or later"]] +[[meta copyright="All content on this wiki is copyright by the author of that content."]] # The Monkeysphere Project # -- cgit v1.2.3 From af7489a531cc425491981695485c064d9a8f2306 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:46:53 -0500 Subject: trying markdown in the meta tags. --- website/index.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/index.mdwn b/website/index.mdwn index 3d83561..9756d28 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,6 +1,6 @@ [[meta title="The Monkeysphere Project"]] [[meta license="Content on this wiki is licensed under the GPL version 3 or later"]] -[[meta copyright="All content on this wiki is copyright by the author of that content."]] +[[meta copyright="All content on this wiki is copyright by the author of that content. Use [git](community) to learn who the authors are."]] # The Monkeysphere Project # -- cgit v1.2.3 
From cfaf97ab875f5e0044d03d22b27d03f30102b286 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:48:35 -0500 Subject: clarified content/licensing on main page of web site. --- website/index.mdwn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/index.mdwn b/website/index.mdwn index 9756d28..9c545fb 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,6 +1,6 @@ [[meta title="The Monkeysphere Project"]] -[[meta license="Content on this wiki is licensed under the GPL version 3 or later"]] -[[meta copyright="All content on this wiki is copyright by the author of that content. Use [git](community) to learn who the authors are."]] +[[meta license="All content on this wiki is licensed under the GPL version 3 or later"]] +[[meta copyright="All content on this wiki is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]] # The Monkeysphere Project # -- cgit v1.2.3 From fd6af6d66a7dd2d743671d77980c057f39c31314 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:54:59 -0500 Subject: refer to web.monkeysphere.info as "web site" instead of "wiki" to distinguish it from our more general public-access wiki/ticket tracking on labs.riseup. --- website/index.mdwn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/index.mdwn b/website/index.mdwn index 9c545fb..70edb1f 100644 --- a/website/index.mdwn +++ b/website/index.mdwn 
@@ -1,6 +1,6 @@ [[meta title="The Monkeysphere Project"]] -[[meta license="All content on this wiki is licensed under the GPL version 3 or later"]] -[[meta copyright="All content on this wiki is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]] +[[meta license="All content on this web site is licensed under the GPL version 3 or later"]] +[[meta copyright="All content on this web site is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]] # The Monkeysphere Project # -- cgit v1.2.3 From e8cc9816d9b4e0b9398d8e1fec1061dfd5dc360f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 15:56:41 -0500 Subject: allowed for exceptions in licensing so if there is individual content that needs a specific other license, we can do so. --- website/index.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/index.mdwn b/website/index.mdwn index 70edb1f..ba121a2 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,5 +1,5 @@ [[meta title="The Monkeysphere Project"]] -[[meta license="All content on this web site is licensed under the GPL version 3 or later"]] +[[meta license="Unless otherwise noted, all content on this web site is licensed under the GPL version 3 or later"]] [[meta copyright="All content on this web site is copyright by the author of that content. [Look in the revision control system](community) for details about who authored a particular piece of content."]] # The Monkeysphere Project # -- cgit v1.2.3 From 1b543b6b4a08210958feff80c2de08bf5ae7b977 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 3 Mar 2009 16:22:50 -0500 Subject: update dependencies in web site. --- website/download.mdwn | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) 
diff --git a/website/download.mdwn b/website/download.mdwn index db25be6..1d42f19 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -11,17 +11,15 @@ administrator](/getting-started-admin). Monkeysphere relies on: - * [GnuTLS](http://gnutls.org/) - * version 2.4 or later for general use - * [version 2.6 or later](/news/gnutls-2.6-enables-monkeysphere) to use the `monkeysphere subkey-to-ssh-agent` subcommand. * [OpenSSH](http://openssh.com/) * [GnuPG](http://gnupg.org/) + * [Perl](http://www.perl.org/) (including the [libcrypt-openssl-rsa](http://perl-openssl.sourceforge.net/) and libdigest-sha1 libraries) ## Debian ## If you are running a [Debian](http://www.debian.org/) system, the -[monkeysphere is now available in the unstable -("sid") distribution](http://packages.debian.org/sid/monkeysphere). +[monkeysphere is now available in the Debian unstable ("sid") +distribution](http://packages.debian.org/sid/monkeysphere). You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting @@ -36,11 +34,6 @@ signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C verify the packages, you'll want to [add this key to your apt configuration after verifying its integrity](/archive-key). -To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will -also need [version 2.6 of -GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is available in -Debian experimental. - ## FreeBSD ## There is [now a FreeBSD port available](/news/FreeBSD-port-available) 
@@ -65,12 +58,6 @@ port with: cd /usr/ports/security/monkeysphere make && make install -To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will -also need [version 2.6 of -GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is [slated to be -available after the 7.1 ports slush is -over](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127330). - ## Source ## For those that would like to download the source directly, [the source -- cgit v1.2.3 From b7052678f26e5dbd3eac8a7ed56a25b746acbffd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 16:31:48 -0500 Subject: updated Perl dependency links to point to CPAN --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index 1d42f19..ac50a5c 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -13,7 +13,7 @@ Monkeysphere relies on: * [OpenSSH](http://openssh.com/) * [GnuPG](http://gnupg.org/) - * [Perl](http://www.perl.org/) (including the [libcrypt-openssl-rsa](http://perl-openssl.sourceforge.net/) and libdigest-sha1 libraries) + * [Perl](http://www.perl.org/) (including the [Crypt::OpenSSL::RSA](http://search.cpan.org/dist/Crypt-OpenSSL-RSA/) and [Digest::SHA1](http://search.cpan.org/dist/Digest-SHA1/) modules and their dependencies) ## Debian ## -- cgit v1.2.3 From 75c24f110ed8509519a8377eefdcc2be8a61b04a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 3 Mar 2009 19:40:35 -0500 Subject: add cron to Recommends --- packaging/debian/changelog | 13 +++++++------ packaging/debian/control | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 786d410..245be1b 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog 
@@ -1,8 +1,8 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low * New upstream release: - - Fixed how version information is stored/retrieved. - - Now uses perl-based keytrans for both pem2openpgp and openpgp2ssh + - fixed how version information is stored/retrieved + - now uses perl-based keytrans for both pem2openpgp and openpgp2ssh - no longer needs base64 in PATH - added "test" make target - improved transitions/0.23 script so it no longer fails in common @@ -11,12 +11,13 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low - added ability to specify subkeys to add to ssh agent with new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable * update/cleanup maintainer scripts - * remove GnuTLS dependency. - * remove versioned coreutils | base64 dependency. - * added Build-Deps for dh_autotest. + * remove GnuTLS dependency + * remove versioned coreutils | base64 dependency + * added Build-Deps for dh_autotest * switch to Architecture: all + * added cron to Recommends - -- Jameson Graef Rollins Mon, 02 Mar 2009 15:33:44 -0500 + -- Jameson Graef Rollins Tue, 03 Mar 2009 19:38:33 -0500 monkeysphere (0.23.1-1) unstable; urgency=low diff --git a/packaging/debian/control b/packaging/debian/control index 6706cb9..616a95a 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -12,7 +12,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: all Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${misc:Depends} -Recommends: netcat | socat, ssh-askpass +Recommends: netcat | socat, ssh-askpass, cron Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections SSH key-based authentication is tried-and-true, but it lacks a true -- cgit v1.2.3 From e41e47bde4fe94e1503a9210dd3fef0c68bd491f Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 21:56:17 -0500 Subject: prepare for 0.24 release --- packaging/debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 245be1b..873b058 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,4 +1,4 @@ -monkeysphere (0.24~pre-1) UNRELEASED; urgency=low +monkeysphere (0.24-1) unstable; urgency=low * New upstream release: - fixed how version information is stored/retrieved -- cgit v1.2.3 From 468c49b6fed363f509fc86dfd8241b705ec6c096 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 3 Mar 2009 22:05:09 -0500 Subject: prepare release notes for 0.24 --- website/download.mdwn | 36 ++++++++++++++++++------------------ website/news/release-0.24-1.mdwn | 26 ++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 18 deletions(-) create mode 100644 website/news/release-0.24-1.mdwn diff --git a/website/download.mdwn b/website/download.mdwn index ac50a5c..0a891db 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -64,38 +64,38 @@ For those that would like to download the source directly, [the source is available](/community) via [git](http://git.or.cz/). The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.23.1.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.24.orig.tar.gz) is also available, and has these checksums:
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.23.1 release:
+checksums for the monkeysphere 0.24 release:
 
 MD5:
-9ab4a35052b41d6468a4ab4758fd23b2  monkeysphere_0.23.1.orig.tar.gz
+8590532f4702fa44027a6a583657c9ef  monkeysphere_0.24.orig.tar.gz
 
 SHA1:
-1e3004505b5c2cda98194d1241f76303b154aac6  monkeysphere_0.23.1.orig.tar.gz
+45b26ada094705e56eeff1117a28162e04226cc7  monkeysphere_0.24.orig.tar.gz
 
 SHA256:
-998b8f8f0c498aa7d58eed6519c23ab9808cb8b622f97f8aa47865b718024d6c  monkeysphere_0.23.1.orig.tar.gz
+2a58cee998ddb1b21b953826fc746a743e17d94e6fa34ac9cbee4262873b5c5f  monkeysphere_0.24.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSaCKiRjmZ/HrivMUAQLA3A//Tn5R4TI//yPF6T0+swIHH9VnYhFIjitV
-pzm0aWQ/MfygAm24S64edudva6Mgnm5GsDmHzv9Kg0n12+NtCc+VTIH56aMwKO9J
-riT2BalxTny0UaMeIU2gsJP0H5GuEbFWknFMcKGwIKhEuiDKgF/QJNJKNNokBL55
-rivnxKrBKy5f2o2th+RxopA2jzVfUNKWtPlJz52vYyMGn7qkWdWY6zhm48PvHt1P
-9cR3Llzu6uQflVk/PaMZmsW/q8WFEp/9Igsws1GTac4XPl0N5FFwdYmOZRLwu2sF
-k5y7sdH+tZt+sKKuMYTloulj7nq27Zi3THrlqUuanvibWPVLiBTdnIV47fg17YsO
-Pr4UTeOEIxKRsJXTwYhFmToxrO5ehRo7DcPU4Y6+YaaNnneMdR8ZF0FbNmvpkLrU
-wYoT6nkCn/81Wde7G0bc2Lo6RlXPEhRfACQuLkokv2+bbzcsWn16s4TLIJLBi9Ev
-XQ4we8zp16h1wWSssXOk19iEDFIMcJ7lrc37ItEbdmOXdlyG6FlDZWWo9vyR8LDH
-AXEqjSNm0T2o1OjUwmUWSws+Y3cyhNlYMpAtq3u67qkMCBW3zEH4GhDvG6kcvt32
-NizDUn8ClMR4m7znlR3eNlnavYVMETuUutHeGq0lB2N008kbT2S+Ciz539ady7sg
-s2QqAl6xNzo=
-=JCyh
+iQIVAwUBSa3ushjmZ/HrivMUAQJGvxAAsc3phUKrWOSdItr7uaIsRsXo3BN/MT8Z
+e+ZJXpQo5roehyaTZR2H4hdUVObepqXmpwfrbmxORQ+mZa7WFKUT9hjdDrh5AyDH
+V4UA/b+4N0VQZYqvfDezA22o6V3HRmrdoaz90LY/8Yfe1YSteUdaO1fQhDOsoHTL
+MVOwhy+pcbjxd5cbLv1NcUb4FbAWoKS4zCQvYgC83u7LcB6irOekWU8rL6PR1qoC
+UebWYg2n2dafnPy4WuQ38DAetPwhTFrCG36YwkkNBkV23sPUMCiDJcDVictIWgdK
+emMhOLyC/G8PldLUYzwSqNMGdy8rLhiYf6Xo4e8dVsava14bbgqn1CXGQieibMYs
+IUyEvkPrxVc5ZUKHi0sNJ2yREMJVY5YYQFFirgv795fP6Rf6oGjjffDKPa5l80Ei
+M0mspn0TdnJtJ8BbbsE76tcT1vTB3hu2VOqDYZeo+3SjT8UGXPRlIcnzAhxt3x5+
+huYnNuaQb1b9+LP6dbb+dSWA3gYMbkXPZu6KXcr+ob4mHIdTPQysXFp2sobq4Dyt
+UeVxInuBQ1iEvQb9MxgbrerNf90yi7flMxxFV0HabrnxLSrufDJy4ai8pIbZBhpw
+v5xIHVkplfXB7zb1JcQKtA93LrKDvCpHMc6ZiVmveEgsRlqzw5UV/zcc4ENDR8gN
+NpxJjlFqEsc=
+=7/gS
 -----END PGP SIGNATURE-----
 
diff --git a/website/news/release-0.24-1.mdwn b/website/news/release-0.24-1.mdwn new file mode 100644 index 0000000..733df25 --- /dev/null +++ b/website/news/release-0.24-1.mdwn @@ -0,0 +1,26 @@ +[[meta title="Monkeysphere 0.24-1 released!"]] + +Monkeysphere 0.24-1 has been released. + +Notes from the changelog: + +
+  * New upstream release:
+    - fixed how version information is stored/retrieved
+    - now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
+    - no longer needs base64 in PATH
+    - added "test" make target
+    - improved transitions/0.23 script so it no longer fails in common
+      circumstances (Closes: #517779)
+    - RSA only: no longer handles DSA keys
+    - added ability to specify subkeys to add to ssh agent with
+      new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
+  * update/cleanup maintainer scripts
+  * remove GnuTLS dependency
+  * remove versioned coreutils | base64 dependency
+  * added Build-Deps for dh_autotest
+  * switch to Architecture: all
+  * added cron to Recommends
+
+ +[[Download]] it now! -- cgit v1.2.3 From 6b4f7702969176aad8e587f3fe39dabc0a458134 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 9 Mar 2009 22:02:17 -0400 Subject: updating FreeBSD port for 0.24 --- packaging/freebsd/security/monkeysphere/Makefile | 2 +- packaging/freebsd/security/monkeysphere/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index 24f9b2b..7049aba 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile @@ -6,7 +6,7 @@ # PORTNAME= monkeysphere -PORTVERSION= 0.22 +PORTVERSION= 0.24 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs diff --git a/packaging/freebsd/security/monkeysphere/distinfo b/packaging/freebsd/security/monkeysphere/distinfo index d6c6e5e..a0a9df9 100644 --- a/packaging/freebsd/security/monkeysphere/distinfo +++ b/packaging/freebsd/security/monkeysphere/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.22.orig.tar.gz) = 2bb00c86323409b98aff53f94d9ce0a6 -SHA256 (monkeysphere_0.22.orig.tar.gz) = 2566facda807a67a4d2d6de3833cccfa0b78b454909e8d25f47a235a9e621b24 -SIZE (monkeysphere_0.22.orig.tar.gz) = 70245 +MD5 (monkeysphere_0.24.orig.tar.gz) = 8590532f4702fa44027a6a583657c9ef +SHA256 (monkeysphere_0.24.orig.tar.gz) = 2a58cee998ddb1b21b953826fc746a743e17d94e6fa34ac9cbee4262873b5c5f +SIZE (monkeysphere_0.24.orig.tar.gz) = 86044 -- cgit v1.2.3 From 02ef7e000ee2ed085135905c7fecf2a342ae7fc5 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 9 Mar 2009 22:39:41 -0400 Subject: update freebsd Makefile to reflect reorganization of Monkeysphere, and transition to perl. --- packaging/freebsd/security/monkeysphere/Makefile | 26 ++++++++++-------------- 1 file changed, 11 insertions(+), 15 deletions(-) 
diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index 7049aba..f625db6 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile @@ -15,16 +15,15 @@ DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz MAINTAINER= dkg@fifthhorseman.net COMMENT= use the OpenPGP web of trust to verify ssh connections -LIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls -RUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \ - gpg:${PORTSDIR}/security/gnupg1 \ +RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \ lockfile:${PORTSDIR}/mail/procmail \ - /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \ - bash:${PORTSDIR}/shells/bash + bash:${PORTSDIR}/shells/bash \ + ${SITE_PERL}/${PERL_ARCH}/Crypt/OpenSSL/RSA.pm:${PORTSDIR}/security/p5-Crypt-OpenSSL-RSA \ + ${SITE_PERL}/${PERL_ARCH}/Digest/SHA1.pm:${PORTSDIR}/security/p5-Digest-SHA1 -MAN1= monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1 +MAN1= monkeysphere.1 openpgp2ssh.1 pem2openpgp.1 MAN7= monkeysphere.7 -MAN8= monkeysphere-server.8 +MAN8= monkeysphere-host.8 monkeysphere-authentication.8 MANCOMPRESSED= yes MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample 
@@ -34,17 +33,14 @@ post-patch: find . -iname '*.orig' -delete post-install: - @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-host.conf ]; then \ - ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-host.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-host.conf ; \ - fi - @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ]; then \ - ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ; \ - fi @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \ fi - @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \ - ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \ + @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf ]; then \ + ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf ; \ + fi + @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf ]; then \ + ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf ; \ fi .if !defined(PACKAGE_BUILDING) @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL -- cgit v1.2.3 From ffc22c69eb3376d0e7576f2be2e79e6a94375398 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Mon, 9 Mar 2009 22:56:17 -0400 Subject: More FreeBSD packaging work: removing gnutls patches -- not needed for monkeysphere; updating maintainer scripts. --- ...patch-lib__opencdk__opencdk__use-GNU-dummy.diff | 144 --------------------- .../freebsd/security/monkeysphere/pkg-deinstall | 4 +- .../freebsd/security/monkeysphere/pkg-install | 16 +-- packaging/freebsd/security/monkeysphere/pkg-plist | 47 +++++-- 4 files changed, 42 insertions(+), 169 deletions(-) delete mode 100644 packaging/freebsd/security/gnutls/files/patch-lib__opencdk__opencdk__use-GNU-dummy.diff diff --git a/packaging/freebsd/security/gnutls/files/patch-lib__opencdk__opencdk__use-GNU-dummy.diff b/packaging/freebsd/security/gnutls/files/patch-lib__opencdk__opencdk__use-GNU-dummy.diff deleted file mode 100644 index 2450bc3..0000000 --- a/packaging/freebsd/security/gnutls/files/patch-lib__opencdk__opencdk__use-GNU-dummy.diff +++ /dev/null 
@@ -1,144 +0,0 @@ ---- ./lib/opencdk/opencdk.h.orig 2008-06-30 16:45:51.000000000 -0400 -+++ ./lib/opencdk/opencdk.h 2008-08-21 19:23:44.000000000 -0400 -@@ -214,7 +214,11 @@ - enum cdk_s2k_type_t { - CDK_S2K_SIMPLE = 0, - CDK_S2K_SALTED = 1, -- CDK_S2K_ITERSALTED = 3 -+ CDK_S2K_ITERSALTED = 3, -+ CDK_S2K_GNU_EXT = 101 -+ /* GNU S2K extensions: refer to DETAILS from GnuPG: -+ http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/doc/DETAILS?root=GnuPG -+ */ - }; - - ---- ./lib/opencdk/read-packet.c.orig 2008-06-30 16:45:51.000000000 -0400 -+++ ./lib/opencdk/read-packet.c 2008-08-21 19:30:09.000000000 -0400 -@@ -78,10 +78,35 @@ - } - - --static int -+/* read about S2K at http://tools.ietf.org/html/rfc4880#section-3.7.1 */ -+static cdk_error_t - read_s2k (cdk_stream_t inp, cdk_s2k_t s2k) - { -- return CDK_Not_Implemented; -+ size_t nread; -+ -+ s2k->mode = cdk_stream_getc (inp); -+ s2k->hash_algo = cdk_stream_getc (inp); -+ if (s2k->mode == CDK_S2K_SIMPLE) -+ return 0; -+ else if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED) -+ { -+ if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread)) -+ return CDK_Inv_Packet; -+ if (nread != DIM (s2k->salt)) -+ return CDK_Inv_Packet; -+ -+ if (s2k->mode == CDK_S2K_ITERSALTED) -+ s2k->count = cdk_stream_getc (inp); -+ } -+ else if (s2k->mode == CDK_S2K_GNU_EXT) -+ { -+ /* GNU extensions to the S2K : read DETAILS from gnupg */ -+ return 0; -+ } -+ else -+ return CDK_Not_Implemented; -+ -+ return 0; - } - - -@@ -194,6 +219,7 @@ - static cdk_error_t - read_symkey_enc (cdk_stream_t inp, size_t pktlen, cdk_pkt_symkey_enc_t ske) - { -+ cdk_error_t ret; - cdk_s2k_t s2k; - size_t minlen; - size_t nread, nleft; -@@ -213,7 +239,9 @@ - return CDK_Out_Of_Core; - - ske->cipher_algo = cdk_stream_getc (inp); -- s2k->mode = cdk_stream_getc (inp); -+ ret = read_s2k(inp, s2k); -+ if (ret != 0) -+ return ret; - switch (s2k->mode) - { - case CDK_S2K_SIMPLE : minlen = 0; break; -@@ -225,18 +253,6 @@ - return CDK_Inv_Packet; - } - -- 
s2k->hash_algo = cdk_stream_getc (inp); -- if (s2k->mode == CDK_S2K_SALTED || s2k->mode == CDK_S2K_ITERSALTED) -- { -- if (stream_read (inp, s2k->salt, DIM (s2k->salt), &nread)) -- return CDK_Inv_Packet; -- if (nread != DIM (s2k->salt)) -- return CDK_Inv_Packet; -- -- if (s2k->mode == CDK_S2K_ITERSALTED) -- s2k->count = cdk_stream_getc (inp); -- } -- - ske->seskeylen = pktlen - 4 - minlen; - /* We check if there is an encrypted session key and if it fits into - the buffer. The maximal key length is 256-bit. */ -@@ -421,14 +437,19 @@ - rc = read_s2k (inp, sk->protect.s2k); - if (rc) - return rc; -- sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo); -- if (!sk->protect.ivlen) -- return CDK_Inv_Packet; -- rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread); -- if (rc) -- return rc; -- if (nread != sk->protect.ivlen) -- return CDK_Inv_Packet; -+ /* refer to --export-secret-subkeys in gpg(1) */ -+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT) -+ sk->protect.ivlen = 0; -+ else { -+ sk->protect.ivlen = gcry_cipher_get_algo_blklen (sk->protect.algo); -+ if (!sk->protect.ivlen) -+ return CDK_Inv_Packet; -+ rc = stream_read (inp, sk->protect.iv, sk->protect.ivlen, &nread); -+ if (rc) -+ return rc; -+ if (nread != sk->protect.ivlen) -+ return CDK_Inv_Packet; -+ } - } - else - sk->protect.algo = sk->s2k_usage; -@@ -476,6 +497,22 @@ - return CDK_Out_Of_Core; - if (stream_read (inp, sk->encdata, sk->enclen, &nread)) - return CDK_Inv_Packet; -+ /* Handle the GNU S2K extensions we know (just gnu-dummy right now): */ -+ if (sk->protect.s2k->mode == CDK_S2K_GNU_EXT) { -+ unsigned char gnumode; -+ if ((sk->enclen < strlen("GNU") + 1) || -+ (0 != memcmp("GNU", sk->encdata, strlen("GNU")))) -+ return CDK_Inv_Packet; -+ gnumode = sk->encdata[strlen("GNU")]; -+ /* we only handle gnu-dummy (mode 1). -+ mode 2 should refer to external smart cards. 
-+ */ -+ if (gnumode != 1) -+ return CDK_Inv_Packet; -+ /* gnu-dummy should have no more data */ -+ if (sk->enclen != strlen("GNU") + 1) -+ return CDK_Inv_Packet; -+ } - nskey = cdk_pk_get_nskey (sk->pk->pubkey_algo); - if (!nskey) - return CDK_Inv_Algo; diff --git a/packaging/freebsd/security/monkeysphere/pkg-deinstall b/packaging/freebsd/security/monkeysphere/pkg-deinstall index 3000878..3e69eab 100755 --- a/packaging/freebsd/security/monkeysphere/pkg-deinstall +++ b/packaging/freebsd/security/monkeysphere/pkg-deinstall @@ -4,9 +4,9 @@ # monkeysphere's debian/monkeysphere.postrm) # Author: Daniel Kahn Gillmor -# Copyright 2008 +# Copyright 2008,2009 -# FIXME: is /var/lib/monkeysphere the right place for this stuff on +# FIXME: is /var/monkeysphere the right place for this stuff on # FreeBSD? VARLIB="/var/monkeysphere" diff --git a/packaging/freebsd/security/monkeysphere/pkg-install b/packaging/freebsd/security/monkeysphere/pkg-install index 70d37b5..435c69a 100755 --- a/packaging/freebsd/security/monkeysphere/pkg-install +++ b/packaging/freebsd/security/monkeysphere/pkg-install @@ -5,9 +5,9 @@ # debian/monkeysphere.postinst) # Author: Daniel Kahn Gillmor -# Copyright 2008 +# Copyright 2008,2009 -# FIXME: is /var/lib/monkeysphere the right place for this stuff on +# FIXME: is /var/monkeysphere the right place for this stuff on # FreeBSD? # PostgreSQL puts its data in /usr/local/pgsql/data 
@@ -57,16 +57,8 @@ POST-INSTALL) fi fi - ## set up the cache directories, and link them to the config files: + ## set up the monkeysphere authentication cache directory: - install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host - ln -sf "$ETCDIR"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf - - install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication - ln -sf "$ETCDIR"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf - - install -d "$VARLIB"/tmp "$VARLIB"/authorized_keys - - monkeysphere-server diagnostics + monkeysphere-authentication setup ;; esac diff --git a/packaging/freebsd/security/monkeysphere/pkg-plist b/packaging/freebsd/security/monkeysphere/pkg-plist index 9d9d40a..b52f998 100644 --- a/packaging/freebsd/security/monkeysphere/pkg-plist +++ b/packaging/freebsd/security/monkeysphere/pkg-plist 
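Review bot: The result of `monkeysphere-authentication setup` in the POST-INSTALL arm is not checked, and it now stands in for the explicit `install -d -o … -g … -m 750/700` calls that fixed the owner and mode of the GnuPG home directories. No `set -e` is visible in this hunk, so a failed setup may go unreported; `monkeysphere-authentication setup || exit 1` would make the failure visible to the package tool. The old code also created `"$VARLIB"/gnupg-host`, and nothing here replaces that, so please confirm that `monkeysphere-host` creates its own directory with equivalent permissions. A comment such as `# setup creates $VARLIB dirs and sets owner/mode; see monkeysphere-authentication(8)` would tell the next reader where the permissions come from. The `case` statement starts outside this hunk.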
@@ -1,24 +1,49 @@ -sbin/monkeysphere-server +sbin/monkeysphere-host +sbin/monkeysphere-authentication share/doc/monkeysphere/TODO share/doc/monkeysphere/MonkeySpec share/doc/monkeysphere/getting-started-user.mdwn share/doc/monkeysphere/getting-started-admin.mdwn bin/openpgp2ssh -bin/monkeysphere-ssh-proxycommand +bin/pem2openpgp bin/monkeysphere +share/monkeysphere/mh +share/monkeysphere/mh/publish_key +share/monkeysphere/mh/import_key +share/monkeysphere/mh/set_expire +share/monkeysphere/mh/diagnostics +share/monkeysphere/mh/add_hostname +share/monkeysphere/mh/add_revoker +share/monkeysphere/mh/revoke_hostname +share/monkeysphere/mh/revoke_key +share/monkeysphere/keytrans +share/monkeysphere/defaultenv +share/monkeysphere/VERSION +share/monkeysphere/transitions +share/monkeysphere/transitions/0.23 +share/monkeysphere/transitions/README.txt +share/monkeysphere/ma +share/monkeysphere/ma/list_certifiers +share/monkeysphere/ma/add_certifier +share/monkeysphere/ma/update_users +share/monkeysphere/ma/setup +share/monkeysphere/ma/remove_certifier +share/monkeysphere/ma/diagnostics share/monkeysphere/common +share/monkeysphere/m +share/monkeysphere/m/gen_subkey +share/monkeysphere/m/ssh_proxycommand +share/monkeysphere/m/subkey_to_ssh_agent +share/monkeysphere/m/import_subkey @unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi etc/monkeysphere/monkeysphere.conf.sample @exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi -@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi -etc/monkeysphere/monkeysphere-server.conf.sample -@exec if [ ! 
-f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi -@unexec if cmp -s %D/etc/monkeysphere/gnupg-host.conf.sample %D/etc/monkeysphere/gnupg-host.conf; then rm -f %D/etc/monkeysphere/gnupg-host.conf; fi -etc/monkeysphere/gnupg-host.conf.sample -@exec if [ ! -f %D/etc/monkeysphere/gnupg-host.conf ] ; then cp -p %D/%F %B/gnupg-host.conf; fi -@unexec if cmp -s %D/etc/monkeysphere/gnupg-authentication.conf.sample %D/etc/monkeysphere/gnupg-authentication.conf; then rm -f %D/etc/monkeysphere/gnupg-authentication.conf; fi -etc/monkeysphere/gnupg-authentication.conf.sample -@exec if [ ! -f %D/etc/monkeysphere/gnupg-authentication.conf ] ; then cp -p %D/%F %B/gnupg-authentication.conf; fi +@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-host.conf.sample %D/etc/monkeysphere/monkeysphere-host.conf; then rm -f %D/etc/monkeysphere/monkeysphere-host.conf; fi +etc/monkeysphere/monkeysphere-host.conf.sample +@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-host.conf ] ; then cp -p %D/%F %B/monkeysphere-host.conf; fi +@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-authentication.conf.sample %D/etc/monkeysphere/monkeysphere-authentication.conf; then rm -f %D/etc/monkeysphere/monkeysphere-authentication.conf; fi +etc/monkeysphere/monkeysphere-authentication.conf.sample +@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-authentication.conf ] ; then cp -p %D/%F %B/monkeysphere-authentication.conf; fi @dirrm share/doc/monkeysphere @dirrm share/monkeysphere @dirrm etc/monkeysphere -- cgit v1.2.3 From e63549bb6a927d737546a74ba8a912a9b60c979e Mon Sep 17 00:00:00 2001 
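Review bot: The new entries `share/monkeysphere/mh`, `share/monkeysphere/ma`, `share/monkeysphere/m` and `share/monkeysphere/transitions` are listed as plain files, but the lines that follow each of them show they are directories. The only cleanup lines visible at the end of the hunk are `@dirrm share/doc/monkeysphere`, `@dirrm share/monkeysphere` and `@dirrm etc/monkeysphere`. If the plist does not continue with more `@dirrm` lines past this hunk, deinstall will leave the four subdirectories behind and `@dirrm share/monkeysphere` will fail on a non-empty directory. I would drop the four bare directory entries and add `@dirrm share/monkeysphere/mh` (likewise for `ma`, `m` and `transitions`) ahead of `@dirrm share/monkeysphere`.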
From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 00:43:04 -0400 Subject: FreeBSD porting: using in-place sed to replace paths. Using pack("%32U",...) for checksum, which seems to work for both perl 5.8 and 5.10 --- packaging/freebsd/security/monkeysphere/Makefile | 19 ++++- .../security/monkeysphere/files/patch-etclocation | 54 ------------- .../monkeysphere/files/patch-sharelocation | 33 -------- .../monkeysphere/files/patch-src_share_keytrans | 11 +++ .../security/monkeysphere/files/patch-varlocation | 90 ---------------------- 5 files changed, 28 insertions(+), 179 deletions(-) delete mode 100644 packaging/freebsd/security/monkeysphere/files/patch-etclocation delete mode 100644 packaging/freebsd/security/monkeysphere/files/patch-sharelocation create mode 100644 packaging/freebsd/security/monkeysphere/files/patch-src_share_keytrans delete mode 100644 packaging/freebsd/security/monkeysphere/files/patch-varlocation diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index f625db6..46a1d01 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile 
@@ -28,9 +28,24 @@ MANCOMPRESSED= yes MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample -# get rid of cruft after the patching: +# use proper system paths for FreeBSD instead of debian's: post-patch: - find . -iname '*.orig' -delete + @${REINPLACE_CMD} -e 's|/etc/monkeysphere|/usr/local/etc/monkeysphere|g' \ + ${WRKSRC}/src/share/defaultenv \ + ${WRKSRC}/src/transitions/0.23 \ + ${WRKSRC}/man/man1/monkeysphere.1 \ + ${WRKSRC}/man/man8/monkeysphere-authentication.8 \ + ${WRKSRC}/man/man8/monkeysphere-host.8 \ + ${WRKSRC}/etc/monkeysphere-authentication.conf + @${REINPLACE_CMD} -e 's|/var/lib/monkeysphere|/var/monkeysphere|g' \ + ${WRKSRC}/src/transitions/0.23 \ + ${WRKSRC}/man/man1/monkeysphere.1 \ + ${WRKSRC}/man/man8/monkeysphere-authentication.8 \ + ${WRKSRC}/man/man8/monkeysphere-host.8 \ + ${WRKSRC}/src/monkeysphere-host \ + ${WRKSRC}/src/monkeysphere-authentication \ + ${WRKSRC}/doc/getting-started-admin.mdwn + post-install: @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ diff --git a/packaging/freebsd/security/monkeysphere/files/patch-etclocation b/packaging/freebsd/security/monkeysphere/files/patch-etclocation deleted file mode 100644 index 2ab3ac0..0000000 --- a/packaging/freebsd/security/monkeysphere/files/patch-etclocation +++ /dev/null 
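Review bot: The `post-patch` substitutions hard-code `/usr/local`, while `MAKE_ARGS` in the same file passes `ETCPREFIX=${PREFIX}` and `post-install` copies the configuration into `${PREFIX}/etc/monkeysphere`. With a non-default `PREFIX` the installed scripts would read their configuration from `/usr/local/etc/monkeysphere`, a path this port did not populate. That matters for a tool whose configuration decides which keys are accepted. I would write the first expression as `-e 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g'`. The `/usr/share/monkeysphere` substitution added by the later "do one more path translation" hunk has the same issue and could use `${PREFIX}/share/monkeysphere`.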
@@ -1,54 +0,0 @@ -diff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf -index c001f2d..d33fd36 100644 ---- etc/monkeysphere-server.conf -+++ etc/monkeysphere-server.conf -@@ -17,7 +17,7 @@ - # authorized_keys file. '%h' will be replaced by the home directory - # of the user, and %u will be replaced by the username of the user. - # For purely admin-controlled authorized_user_ids, you might put them --# in /etc/monkeysphere/authorized_user_ids/%u, for instance. -+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u, for instance. - #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" - - # Whether to add user controlled authorized_keys file to -diff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1 -index 3ece735..09320d2 100644 ---- man/man1/monkeysphere.1 -+++ man/man1/monkeysphere.1 -@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_keys). - ~/.monkeysphere/monkeysphere.conf - User monkeysphere config file. - .TP --/etc/monkeysphere/monkeysphere.conf -+/usr/local/etc/monkeysphere/monkeysphere.conf - System-wide monkeysphere config file. - .TP - ~/.monkeysphere/authorized_user_ids -diff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 -index f207e2c..360408e 100644 ---- man/man8/monkeysphere-server.8 -+++ man/man8/monkeysphere-server.8 -@@ -203,10 +203,10 @@ User to control authentication keychain (monkeysphere). - .SH FILES - - .TP --/etc/monkeysphere/monkeysphere-server.conf -+/usr/local/etc/monkeysphere/monkeysphere-server.conf - System monkeysphere-server config file. - .TP --/etc/monkeysphere/monkeysphere.conf -+/usr/local/etc/monkeysphere/monkeysphere.conf - System-wide monkeysphere config file. 
- .TP - /var/lib/monkeysphere/authorized_keys/USER ---- src/common.orig 2008-10-12 14:58:00.000000000 -0400 -+++ src/common 2008-10-25 17:40:34.000000000 -0400 -@@ -16,7 +16,7 @@ - ### COMMON VARIABLES - - # managed directories --SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} -+SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"} - export SYSCONFIGDIR - - ######################################################################## diff --git a/packaging/freebsd/security/monkeysphere/files/patch-sharelocation b/packaging/freebsd/security/monkeysphere/files/patch-sharelocation deleted file mode 100644 index e41c479..0000000 --- a/packaging/freebsd/security/monkeysphere/files/patch-sharelocation +++ /dev/null 
@@ -1,33 +0,0 @@ ---- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400 -+++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400 -@@ -13,7 +13,7 @@ - ######################################################################## - PGRM=$(basename $0) - --SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} -+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} - export SYSSHAREDIR - . "${SYSSHAREDIR}/common" || exit 1 - ---- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400 -+++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400 -@@ -13,7 +13,7 @@ - ######################################################################## - PGRM=$(basename $0) - --SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} -+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} - export SYSSHAREDIR - . "${SYSSHAREDIR}/common" || exit 1 - ---- src/monkeysphere-ssh-proxycommand.orig -+++ src/monkeysphere-ssh-proxycommand -@@ -16,7 +16,7 @@ - ######################################################################## - PGRM=$(basename $0) - --SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} -+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} - export SYSSHAREDIR - . "${SYSSHAREDIR}/common" || exit 1 - diff --git a/packaging/freebsd/security/monkeysphere/files/patch-src_share_keytrans b/packaging/freebsd/security/monkeysphere/files/patch-src_share_keytrans new file mode 100644 index 0000000..9d584ac --- /dev/null +++ b/packaging/freebsd/security/monkeysphere/files/patch-src_share_keytrans @@ -0,0 +1,11 @@ +--- src/share/keytrans 2009-03-01 13:39:50.000000000 -0500 ++++ src/share/keytrans 2009-03-10 00:39:53.681890554 -0400 +@@ -199,7 +199,7 @@ + sub simple_checksum { + my $bytes = shift; + +- return unpack("%32W*",$bytes) % 65536; ++ return unpack("%32U*",$bytes) % 65536; + } + + # calculate the multiplicative inverse of a mod b this is euclid's 
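Review bot: The switch from `%32W*` to `%32U*` in `simple_checksum` has no comment stating what input the new template assumes. `W` only exists from Perl 5.10 on, which presumably motivates the change, but `U` unpacks Unicode code points, so the sum equals the octet sum only while `$bytes` is a plain byte string. Whether every caller guarantees that is not visible from this hunk. I would add `# sum of octets mod 65536; "W" needs perl >= 5.10, "U" assumes $bytes is a byte string (no UTF-8 flag)` above the `return`, and check the function against input containing octets of 0x80 and above on both Perl versions. Since the commit message says the form works on 5.8 and 5.10, the change would be better made in `src/share/keytrans` itself than carried as a port-local patch, so the FreeBSD build does not compute this value differently from upstream.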
diff --git a/packaging/freebsd/security/monkeysphere/files/patch-varlocation b/packaging/freebsd/security/monkeysphere/files/patch-varlocation deleted file mode 100644 index c4d8dcd..0000000 --- a/packaging/freebsd/security/monkeysphere/files/patch-varlocation +++ /dev/null 
@@ -1,90 +0,0 @@ -diff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 -index f207e2c..29c7b6a 100644 ---- man/man8/monkeysphere-server.8 -+++ man/man8/monkeysphere-server.8 -@@ -128,7 +128,7 @@ command to push the key to a keyserver. You must also modify the - sshd_config on the server to tell sshd where the new server host key - is located: - --HostKey /var/lib/monkeysphere/ssh_host_rsa_key -+HostKey /var/monkeysphere/ssh_host_rsa_key - - In order for users logging into the system to be able to verify the - host via the monkeysphere, at least one person (e.g. a server admin) -@@ -170,7 +170,7 @@ users. You must also tell sshd to look at the monkeysphere-generated - authorized_keys file for user authentication by setting the following - in the sshd_config: - --AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u -+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u - - It is recommended to add "monkeysphere-server update-users" to a - system crontab, so that user keys are kept up-to-date, and key -@@ -209,17 +209,17 @@ System monkeysphere-server config file. - /etc/monkeysphere/monkeysphere.conf - System-wide monkeysphere config file. - .TP --/var/lib/monkeysphere/authorized_keys/USER -+/var/monkeysphere/authorized_keys/USER - Monkeysphere-generated user authorized_keys files. - .TP --/var/lib/monkeysphere/ssh_host_rsa_key -+/var/monkeysphere/ssh_host_rsa_key - Copy of the host's private key in ssh format, suitable for use by - sshd. - .TP --/var/lib/monkeysphere/gnupg-host -+/var/monkeysphere/gnupg-host - Monkeysphere host GNUPG home directory. - .TP --/var/lib/monkeysphere/gnupg-authentication -+/var/monkeysphere/gnupg-authentication - Monkeysphere authentication GNUPG home directory. 
- - .SH AUTHOR -diff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn -index 6c8ad53..67fdda1 100644 ---- doc/getting-started-admin.mdwn -+++ doc/getting-started-admin.mdwn -@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections, put the - following line in `/etc/ssh/sshd_config` (be sure to remove references - to any other keys): - -- HostKey /var/lib/monkeysphere/ssh_host_rsa_key -+ HostKey /var/monkeysphere/ssh_host_rsa_key - - FIXME: should we just suggest symlinks in the filesystem here instead? - -@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate using the - OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again, - making sure that no other AuthorizedKeysFile directive exists): - -- AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u -+ AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u - - And then read the section below about how to ensure these files are - maintained. You'll need to restart `sshd` to have your changes take ---- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400 -+++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400 -@@ -17,7 +17,7 @@ - export SYSSHAREDIR - . "${SYSSHAREDIR}/common" || exit 1 - --SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} -+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"} - export SYSDATADIR - - # UTC date in ISO 8601 format if needed ---- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400 -+++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400 -@@ -4,8 +4,8 @@ - # It is highly recommended that you - # DO NOT MODIFY - # these variables. --primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg --keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg -+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg -+keyring /var/monkeysphere/gnupg-host/pubring.gpg - - # PGP keyserver to use for PGP queries. 
- keyserver hkp://pgp.mit.edu -- cgit v1.2.3 From 4be67d246780ed85bc45c730f374100949fa61e9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 00:44:29 -0400 Subject: FreeBSD porting: do one more path translation. --- packaging/freebsd/security/monkeysphere/Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index 46a1d01..c54f56c 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile @@ -45,7 +45,10 @@ post-patch: ${WRKSRC}/src/monkeysphere-host \ ${WRKSRC}/src/monkeysphere-authentication \ ${WRKSRC}/doc/getting-started-admin.mdwn - + @${REINPLACE_CMD} -e 's|/usr/share/monkeysphere|/usr/local/share/monkeysphere|g' \ + ${WRKSRC}/src/monkeysphere-host \ + ${WRKSRC}/src/monkeysphere-authentication \ + ${WRKSRC}/src/monkeysphere post-install: @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ -- cgit v1.2.3 From 9e9966f07914d394771aa33900f5b86576318a23 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 01:08:59 -0400 Subject: FreeBSD: clean up some portlint warnings. --- packaging/freebsd/security/monkeysphere/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index c54f56c..4fad979 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile 
@@ -10,10 +10,11 @@ PORTVERSION= 0.24 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs -DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz +DISTNAME= ${PORTNAME}_${DISTVERSION} +EXTRACT_SUFX= .orig.tar.gz MAINTAINER= dkg@fifthhorseman.net -COMMENT= use the OpenPGP web of trust to verify ssh connections +COMMENT= Use the OpenPGP web of trust to verify ssh connections RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \ lockfile:${PORTSDIR}/mail/procmail \ -- cgit v1.2.3 From e6c5dca14f7e694d77621e671202464bba41666a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 01:18:16 -0400 Subject: FreeBSD packaging: use tabs for variable declarations in Makefile --- packaging/freebsd/security/monkeysphere/Makefile | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index 4fad979..ba293ea 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile 
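Review bot: Setting `DISTNAME= ${PORTNAME}_${DISTVERSION}` also changes the default `WRKSRC`, which the ports framework derives from `DISTNAME`, so `post-patch` would operate on `monkeysphere_0.24` under the work directory. If the tarball unpacks to `monkeysphere-0.24` (not visible on this page), the `${WRKSRC}/src/...` edits in `post-patch` will not find their files. Either keep the single `DISTFILES` override, or add `WRKSRC= ${WRKDIR}/${PORTNAME}-${DISTVERSION}` next to the new `DISTNAME`.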
@@ -5,18 +5,18 @@ # $FreeBSD$ # -PORTNAME= monkeysphere -PORTVERSION= 0.24 -CATEGORIES= security -MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ +PORTNAME= monkeysphere +PORTVERSION= 0.24 +CATEGORIES= security +MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs -DISTNAME= ${PORTNAME}_${DISTVERSION} -EXTRACT_SUFX= .orig.tar.gz +DISTNAME= ${PORTNAME}_${DISTVERSION} +EXTRACT_SUFX= .orig.tar.gz -MAINTAINER= dkg@fifthhorseman.net -COMMENT= Use the OpenPGP web of trust to verify ssh connections +MAINTAINER= dkg@fifthhorseman.net +COMMENT= Use the OpenPGP web of trust to verify ssh connections -RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \ +RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \ lockfile:${PORTSDIR}/mail/procmail \ bash:${PORTSDIR}/shells/bash \ ${SITE_PERL}/${PERL_ARCH}/Crypt/OpenSSL/RSA.pm:${PORTSDIR}/security/p5-Crypt-OpenSSL-RSA \ @@ -25,9 +25,9 @@ RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \ MAN1= monkeysphere.1 openpgp2ssh.1 pem2openpgp.1 MAN7= monkeysphere.7 MAN8= monkeysphere-host.8 monkeysphere-authentication.8 -MANCOMPRESSED= yes +MANCOMPRESSED= yes -MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample +MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample # use proper system paths for FreeBSD instead of debian's: post-patch: -- cgit v1.2.3 From db21b3340c2b7ade19eaecb306814fc0e54666f1 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 02:06:25 -0400 Subject: cleaning up a lingering non-portable mktemp invocation. --- .../security/monkeysphere/files/patch-src_monkeysphere-host | 11 +++++++++++ src/monkeysphere-host | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 packaging/freebsd/security/monkeysphere/files/patch-src_monkeysphere-host 
diff --git a/packaging/freebsd/security/monkeysphere/files/patch-src_monkeysphere-host b/packaging/freebsd/security/monkeysphere/files/patch-src_monkeysphere-host new file mode 100644 index 0000000..9414c73 --- /dev/null +++ b/packaging/freebsd/security/monkeysphere/files/patch-src_monkeysphere-host @@ -0,0 +1,11 @@ +--- src/monkeysphere-host ++++ src/monkeysphere-host +@@ -103,7 +103,7 @@ update_gpg_pub_file() { + load_fingerprint() { + if [ -f "$HOST_KEY_FILE" ] ; then + HOST_FINGERPRINT=$( \ +- (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \ ++ (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \ + && gpg --quiet --import \ + && gpg --quiet --list-keys --with-colons --with-fingerprint \ + && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \ diff --git a/src/monkeysphere-host b/src/monkeysphere-host index b052ca1..6136399 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -103,7 +103,7 @@ update_gpg_pub_file() { load_fingerprint() { if [ -f "$HOST_KEY_FILE" ] ; then HOST_FINGERPRINT=$( \ - (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \ + (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \ && gpg --quiet --import \ && gpg --quiet --list-keys --with-colons --with-fingerprint \ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \ -- cgit v1.2.3 From 53c9fcabe2881cbb7e231ab9ec7270e54a211845 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 02:07:15 -0400 Subject: FreeBSD porting: trying to make sure package cleanup goes smoothly. --- packaging/freebsd/security/monkeysphere/Makefile | 1 + packaging/freebsd/security/monkeysphere/pkg-plist | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index ba293ea..b6cacaf 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile 
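Review bot: In `load_fingerprint` the temporary GnuPG home is only removed when every preceding command succeeds, because `rm -rf "$FUBAR"` sits at the end of the `&&` chain. If either `gpg` call fails, the directory holding key material imported from `$HOST_KEY_FILE` is left behind. Registering the cleanup inside the subshell as soon as the directory exists avoids that: `(FUBAR=$(msmktempdir) && trap 'rm -rf "$FUBAR"' EXIT && export GNUPGHOME="$FUBAR" \`, after which the trailing `&& rm -rf "$FUBAR"` can go. `msmktempdir` is not defined in this hunk, so confirm that it is in scope here, creates the directory with mode 0700 and returns non-zero on failure. The same lines appear in the new `files/patch-src_monkeysphere-host` added by this commit, and the function body continues past the hunk.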
@@ -12,6 +12,7 @@ MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkey # hack for debian orig tarballs DISTNAME= ${PORTNAME}_${DISTVERSION} EXTRACT_SUFX= .orig.tar.gz +WRKSRC= work/${PORTNAME}-${DISTVERSION} MAINTAINER= dkg@fifthhorseman.net COMMENT= Use the OpenPGP web of trust to verify ssh connections diff --git a/packaging/freebsd/security/monkeysphere/pkg-plist b/packaging/freebsd/security/monkeysphere/pkg-plist index b52f998..95afa01 100644 --- a/packaging/freebsd/security/monkeysphere/pkg-plist +++ b/packaging/freebsd/security/monkeysphere/pkg-plist @@ -7,7 +7,6 @@ share/doc/monkeysphere/getting-started-admin.mdwn bin/openpgp2ssh bin/pem2openpgp bin/monkeysphere -share/monkeysphere/mh share/monkeysphere/mh/publish_key share/monkeysphere/mh/import_key share/monkeysphere/mh/set_expire @@ -19,10 +18,8 @@ share/monkeysphere/mh/revoke_key share/monkeysphere/keytrans share/monkeysphere/defaultenv share/monkeysphere/VERSION -share/monkeysphere/transitions share/monkeysphere/transitions/0.23 share/monkeysphere/transitions/README.txt -share/monkeysphere/ma share/monkeysphere/ma/list_certifiers share/monkeysphere/ma/add_certifier share/monkeysphere/ma/update_users @@ -30,7 +27,6 @@ share/monkeysphere/ma/setup share/monkeysphere/ma/remove_certifier share/monkeysphere/ma/diagnostics share/monkeysphere/common -share/monkeysphere/m share/monkeysphere/m/gen_subkey share/monkeysphere/m/ssh_proxycommand share/monkeysphere/m/subkey_to_ssh_agent @@ -45,5 +41,9 @@ etc/monkeysphere/monkeysphere-host.conf.sample etc/monkeysphere/monkeysphere-authentication.conf.sample @exec if [ ! -f %D/etc/monkeysphere/monkeysphere-authentication.conf ] ; then cp -p %D/%F %B/monkeysphere-authentication.conf; fi @dirrm share/doc/monkeysphere +@dirrm share/monkeysphere/transitions +@dirrm share/monkeysphere/mh +@dirrm share/monkeysphere/ma +@dirrm share/monkeysphere/m @dirrm share/monkeysphere @dirrm etc/monkeysphere -- cgit v1.2.3 
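Review bot: `WRKSRC= work/${PORTNAME}-${DISTVERSION}` is a relative path, so it only resolves when make runs from the port directory with the default work location. A build that sets `WRKDIRPREFIX` would have `post-patch` run `REINPLACE_CMD` against paths that do not exist, or against an unrelated `work/` tree. Anchoring it to the framework variable is safer: `WRKSRC= ${WRKDIR}/${PORTNAME}-${DISTVERSION}`.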
From 309e0854c96d9f2702fec433af049ad7d41d8e71 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 02:14:36 -0400 Subject: FreeBSD packaging: make sure to clean up cruft after in-place sed replacement. --- packaging/freebsd/security/monkeysphere/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index b6cacaf..f2484b5 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile @@ -51,6 +51,8 @@ post-patch: ${WRKSRC}/src/monkeysphere-host \ ${WRKSRC}/src/monkeysphere-authentication \ ${WRKSRC}/src/monkeysphere + # and clean up cruft from the sed replacements: + find ${WRKSRC} -name '*.bak' -delete post-install: @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ -- cgit v1.2.3 From 69b3e256e2017d5664ef37d06aae5e5bcf446575 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 02:33:29 -0400 Subject: FreeBSD packaging: revert to simpler hack for debian tarballs; use ${FIND} instead of find --- packaging/freebsd/security/monkeysphere/Makefile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/packaging/freebsd/security/monkeysphere/Makefile b/packaging/freebsd/security/monkeysphere/Makefile index f2484b5..65d71f4 100644 --- a/packaging/freebsd/security/monkeysphere/Makefile +++ b/packaging/freebsd/security/monkeysphere/Makefile @@ -10,9 +10,7 @@ PORTVERSION= 0.24 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs -DISTNAME= ${PORTNAME}_${DISTVERSION} -EXTRACT_SUFX= .orig.tar.gz -WRKSRC= work/${PORTNAME}-${DISTVERSION} +DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz MAINTAINER= dkg@fifthhorseman.net COMMENT= Use the OpenPGP web of trust to verify ssh connections 
@@ -52,7 +50,7 @@ post-patch: ${WRKSRC}/src/monkeysphere-authentication \ ${WRKSRC}/src/monkeysphere # and clean up cruft from the sed replacements: - find ${WRKSRC} -name '*.bak' -delete + ${FIND} ${WRKSRC} -name '*.bak' -delete post-install: @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ -- cgit v1.2.3