From 91f880160dba51966ca8940fd42fcd6c8a268c5a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 4 Sep 2008 22:29:39 -0400 Subject: moved monkeysphere(5) to section 7 of the manual. Thanks, Stew! --- debian/monkeysphere.manpages | 2 +- man/man1/monkeysphere-ssh-proxycommand.1 | 1 + man/man1/monkeysphere.1 | 8 ++--- man/man1/openpgp2ssh.1 | 4 +-- man/man5/monkeysphere.5 | 54 -------------------------------- man/man7/monkeysphere.7 | 54 ++++++++++++++++++++++++++++++++ man/man8/monkeysphere-server.8 | 4 +-- 7 files changed, 64 insertions(+), 63 deletions(-) delete mode 100644 man/man5/monkeysphere.5 create mode 100644 man/man7/monkeysphere.7 diff --git a/debian/monkeysphere.manpages b/debian/monkeysphere.manpages index ab99bbf..1490566 100644 --- a/debian/monkeysphere.manpages +++ b/debian/monkeysphere.manpages @@ -1,5 +1,5 @@ man/man1/monkeysphere.1 man/man1/openpgp2ssh.1 man/man1/monkeysphere-ssh-proxycommand.1 -man/man5/monkeysphere.5 +man/man7/monkeysphere.7 man/man8/monkeysphere-server.8 diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 41b2e40..1606a5d 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -66,6 +66,7 @@ Written by Jameson Rollins .SH SEE ALSO .BR monkeysphere (1), +.BR monkeysphere (7), .BR ssh (1), .BR ssh_config (5), .BR netcat (1), diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index cabe953..3ece735 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
@@ -25,10 +25,10 @@ connection authentication. Update the known_hosts file. For each specified host, gpg will be queried for a key associated with the host URI (see HOST IDENTIFICATION in -.BR monkeysphere(5)), +.BR monkeysphere(7)), optionally querying a keyserver. If an acceptable key is found for the host (see KEY ACCEPTABILITY in -.BR monkeysphere(5)), +.BR monkeysphere(7)), the key is added to the user's known_hosts file. If a key is found but is unacceptable for the host, any matching keys are removed from the user's known_hosts file. If no gpg key is found for the host, @@ -46,7 +46,7 @@ monkeysphere keys are cleared from the authorized_keys file. Then, or each user ID in the user's authorized_user_ids file, gpg will be queried for keys associated with that user ID, optionally querying a keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in -.BR monkeysphere (5)), +.BR monkeysphere (7)), the key is added to the user's authorized_keys file. If a key is found but is unacceptable for the user ID, any matching keys are removed from the user's authorized_keys file. If no gpg key @@ -127,7 +127,7 @@ Kahn Gillmor .BR monkeysphere-ssh-proxycommand (1), .BR monkeysphere-server (8), -.BR monkeysphere (5), +.BR monkeysphere (7), .BR ssh (1), .BR ssh-add (1), .BR gpg (1) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 281bb0f..89df047 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -38,7 +38,7 @@ converted to the equivalent PEM-encoded private key. .Pp .Nm is part of the -.Xr monkeysphere 5 +.Xr monkeysphere 7 framework for providing a PKI for SSH. .Sh CAVEATS The keys produced by this process are stripped of all identifying @@ -91,6 +91,6 @@ passed in. If you send it more than one primary key, it will silently ignore later ones. .Sh SEE ALSO .Xr monkeysphere 1 , -.Xr monkeysphere 5 , +.Xr monkeysphere 7 , .Xr ssh 1 , .Xr monkeysphere-server 8 
diff --git a/man/man5/monkeysphere.5 b/man/man5/monkeysphere.5
deleted file mode 100644
index 50ad2b3..0000000
--- a/man/man5/monkeysphere.5
+++ /dev/null
@@ -1,54 +0,0 @@
-.TH MONKEYSPHERE "5" "June 2008" "monkeysphere" "System Frameworks"
-
-.SH NAME
-
-monkeysphere \- ssh authentication framework using OpenPGP Web of
-Trust
-
-.SH DESCRIPTION
-
-\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
-for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
-to the authorized_keys and known_hosts files used by ssh for
-connection authentication.
-
-.SH IDENTITY CERTIFIERS
-
-FIXME: describe identity certifier concept
-
-.SH KEY ACCEPTABILITY
-
-During known_host and authorized_keys updates, the monkeysphere
-commands work from a set of user IDs to determine acceptable keys for
-ssh authentication. OpenPGP keys are considered acceptable if the
-following criteria are met:
-.TP
-.B capability
-The key must have the "authentication" ("a") usage flag set.
-.TP
-.B validity
-The key itself must be valid, i.e. it must be well-formed, not
-expired, and not revoked.
-.TP
-.B certification
-The relevant user ID must be signed by a trusted identity certifier.
-
-.SH HOST IDENTIFICATION
-
-The OpenPGP keys for hosts have associated user IDs that use the ssh
-URI specification for the host, i.e. "ssh://host.full.domain[:port]".
-
-.SH AUTHOR
-
-Written by Jameson Rollins , Daniel Kahn
-Gillmor
-
-.SH SEE ALSO
-
-.BR monkeysphere (1),
-.BR monkeysphere-server (8),
-.BR monkeysphere-ssh-proxycommand (1),
-.BR gpg (1),
-.BR ssh (1),
-.BR http://tools.ietf.org/html/rfc4880,
-.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7
new file mode 100644
index 0000000..8d7c43a
--- /dev/null
+++ b/man/man7/monkeysphere.7
@@ -0,0 +1,54 @@
+.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks"
+
+.SH NAME
+
+monkeysphere \- ssh authentication framework using OpenPGP Web of
+Trust
+
+.SH DESCRIPTION
+
+\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
+for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
+to the authorized_keys and known_hosts files used by ssh for
+connection authentication.
+
+.SH IDENTITY CERTIFIERS
+
+FIXME: describe identity certifier concept
+
+.SH KEY ACCEPTABILITY
+
+During known_host and authorized_keys updates, the monkeysphere
+commands work from a set of user IDs to determine acceptable keys for
+ssh authentication. OpenPGP keys are considered acceptable if the
+following criteria are met:
+.TP
+.B capability
+The key must have the "authentication" ("a") usage flag set.
+.TP
+.B validity
+The key itself must be valid, i.e. it must be well-formed, not
+expired, and not revoked.
+.TP
+.B certification
+The relevant user ID must be signed by a trusted identity certifier.
+
+.SH HOST IDENTIFICATION
+
+The OpenPGP keys for hosts have associated user IDs that use the ssh
+URI specification for the host, i.e. "ssh://host.full.domain[:port]".
+
+.SH AUTHOR
+
+Written by Jameson Rollins , Daniel Kahn
+Gillmor
+
+.SH SEE ALSO
+
+.BR monkeysphere (1),
+.BR monkeysphere-server (8),
+.BR monkeysphere-ssh-proxycommand (1),
+.BR gpg (1),
+.BR ssh (1),
+.BR http://tools.ietf.org/html/rfc4880,
+.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8
index 46a9727..f207e2c 100644
--- a/man/man8/monkeysphere-server.8
+++ b/man/man8/monkeysphere-server.8
@@ -27,7 +27,7 @@ specified account, the user ID's listed in the account's authorized_user_ids file are processed. For each user ID, gpg will be queried for keys associated with that user ID, optionally querying a keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in -monkeysphere(5)), the key is added to the account's +monkeysphere(7)), the key is added to the account's monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys file (usually ~USER/.ssh/authorized_keys) is appended to the @@ -230,6 +230,6 @@ Gillmor .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere (5), +.BR monkeysphere (7), .BR gpg (1), .BR ssh (1) -- cgit v1.2.3 From a29f92ac772552954a976516735887584a661449 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 4 Sep 2008 22:33:43 -0400 Subject: debian/changelog: added note about monkeysphere(5) move. --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index 8f0e77a..dcb6d4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ monkeysphere (0.15~pre-1) UNRELEASED; urgency=low * porting work: clarifying makefiles, pruning dependencies, etc. * added tests to monkeysphere-server diagnostics + * moved monkeysphere(5) to section 7 of the manual -- Daniel Kahn Gillmor Thu, 04 Sep 2008 19:08:40 -0400 -- cgit v1.2.3 From a6c9b799bb0d9625507975904c15e540174328f4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 4 Sep 2008 23:10:18 -0400 Subject: adding make install target --- Makefile | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 8f8cd92..7ab188d 100644 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,9 @@
-MONKEYSPHERE_VERSION=`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+MONKEYSPHERE_VERSION = `head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+
+# these defaults are for debian. porters should probably adjust them
+# before calling make install
+ETCPREFIX ?=
+PREFIX ?= /usr
 
 all: keytrans
 
@@ -24,4 +29,19 @@ clean:
 # clean up old monkeysphere packages lying around as well.
 rm -f monkeysphere_*
 
-.PHONY: all clean tarball debian-package
+# this target is to be called from the tarball, not from the git
+# working dir!
+install: all
+ mkdir -p $(DESTDIR)/$(PREFIX)/bin $(DESTDIR)/$(PREFIX)/sbin $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ mkdir -p $(DESTDIR)/$(PREFIX)/share/man/man1 $(DESTDIR)/$(PREFIX)/share/man/man7 $(DESTDIR)/$(PREFIX)/share/man/man8
+ mkdir -p $(DESTDIR)/$(ETCPREFIX)/etc
+ mkdir -p $(DESTDIR)/$(PREFIX)/var/lib/monkeysphere/authorized_keys
+ install src/monkeysphere src/monkeysphere-ssh-proxycommand src/keytrans/openpgp2ssh $(DESTDIR)/$(PREFIX)/bin
+ install src/monkeysphere-server $(DESTDIR)/$(PREFIX)/sbin
+ install src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ install man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1
+ install man/man7/* $(DESTDIR)$(PREFIX)/share/man/man7
+ install man/man8/* $(DESTDIR)$(PREFIX)/share/man/man8
+ install etc/* $(DESTDIR)$(ETCPREFIX)/etc
+
+.PHONY: all clean tarball debian-package install
-- cgit v1.2.3
From c627816ba6e249e2203bbe2cdb7a6ffcb9636135 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 4 Sep 2008 23:15:35 -0400
Subject: tuning up the make install target.
---
 Makefile | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 7ab188d..691447a 100644
--- a/Makefile
+++ b/Makefile
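Review bot: The install target mixes `$(DESTDIR)/$(PREFIX)/bin` (a slash between the two variables) with `$(DESTDIR)$(PREFIX)/share/man/man1` inside one recipe; with the defaults the first form only yields a harmless `//usr/bin`, but a relative PREFIX or an intentionally empty ETCPREFIX behaves differently between the two forms, so `$(DESTDIR)$(PREFIX)` should be used on every line — the later Makefile hunks (c627816 and 93a51ab) convert the mkdir lines but leave the `install src/...` lines as they are. Every `install` here also relies on install(1)'s default mode 0755, so the config files in `etc/*`, `src/common` (sourced by the scripts, not executed) and all the man pages end up executable; etc and common get `-m 0644` in those later hunks, the man lines never do, e.g. `install -m 0644 man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1`. Finally `mkdir -p $(DESTDIR)/$(PREFIX)/var/lib/monkeysphere/authorized_keys` puts runtime state under PREFIX (/usr/var/lib with the defaults) whereas monkeysphere-server sets `VARLIB="/var/lib/monkeysphere"` (context in its hunk further down), so the two would never refer to the same directory.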
@@ -32,16 +32,15 @@ clean:
 # this target is to be called from the tarball, not from the git
 # working dir!
 install: all
- mkdir -p $(DESTDIR)/$(PREFIX)/bin $(DESTDIR)/$(PREFIX)/sbin $(DESTDIR)/$(PREFIX)/share/monkeysphere
- mkdir -p $(DESTDIR)/$(PREFIX)/share/man/man1 $(DESTDIR)/$(PREFIX)/share/man/man7 $(DESTDIR)/$(PREFIX)/share/man/man8
- mkdir -p $(DESTDIR)/$(ETCPREFIX)/etc
- mkdir -p $(DESTDIR)/$(PREFIX)/var/lib/monkeysphere/authorized_keys
+ mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere
+ mkdir -p $(DESTDIR)$(PREFIX)/share/man/man1 $(DESTDIR)$(PREFIX)/share/man/man7 $(DESTDIR)$(PREFIX)/share/man/man8
+ mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
 install src/monkeysphere src/monkeysphere-ssh-proxycommand src/keytrans/openpgp2ssh $(DESTDIR)/$(PREFIX)/bin
 install src/monkeysphere-server $(DESTDIR)/$(PREFIX)/sbin
 install src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
 install man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1
 install man/man7/* $(DESTDIR)$(PREFIX)/share/man/man7
 install man/man8/* $(DESTDIR)$(PREFIX)/share/man/man8
- install etc/* $(DESTDIR)$(ETCPREFIX)/etc
+ install -m 0644 etc/* $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
 
 .PHONY: all clean tarball debian-package install
-- cgit v1.2.3
From 75e989ccee39ce99a44898cec16229f74f515efe Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 4 Sep 2008 23:25:14 -0400
Subject: fixing comment about dates.
---
 src/monkeysphere | 2 +-
 src/monkeysphere-server | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/monkeysphere b/src/monkeysphere
index 59cb3d6..e8ca9e2 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -17,7 +17,7 @@ SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
 export SHARE
 . "${SHARE}/common" || exit 1
 
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
 
 # unset some environment variables that could screw things up
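Review bot: Removing the `mkdir -p ... var/lib/monkeysphere/authorized_keys` line leaves `make install` without any step that creates the state directory, while monkeysphere-server hard-codes `VARLIB="/var/lib/monkeysphere"` (visible as context in its hunk below) and the diagnostics added in d076f45 report it as missing. If install is meant to provide it, the replacement is `mkdir -p $(DESTDIR)/var/lib/monkeysphere` — deliberately not under PREFIX, matching VARLIB; if the admin is meant to create it (presumably because ownership by the monkeysphere system user cannot be expressed with a plain mkdir), a one-line comment in the target saying so, e.g. `# /var/lib/monkeysphere is created by the admin; monkeysphere-server diagnostics checks for it`, would stop the next porter from re-adding the PREFIX-relative version. The three `install src/...` lines still use the `$(DESTDIR)/$(PREFIX)` form that the mkdir lines in this hunk just dropped.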
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index f147201..b609d31 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -20,7 +20,7 @@ export SHARE
 VARLIB="/var/lib/monkeysphere"
 export VARLIB
 
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
 
 # unset some environment variables that could screw things up
-- cgit v1.2.3
From d076f454cf6c576681749ae7f31dec1bc2b52833 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 4 Sep 2008 23:26:58 -0400
Subject: added new test for /var/lib/monkeysphere in m-s diagnostics.
---
 src/monkeysphere-server | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index b609d31..8139387 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -572,6 +572,10 @@ diagnostics() {
 echo "! No monkeysphere user found! Please create a monkeysphere system user."
 fi
 
+ if ! [ -d "$VARLIB" ] ; then
+ echo "! no $VARLIB directory found. Please create it."
+ fi
+
 echo "Checking host GPG key..."
 if (( "$keysfound" < 1 )); then
 echo "! No host key found."
-- cgit v1.2.3
From 93a51ab8ec443b64d36bfe2cab5cd0f2f962ae5f Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 4 Sep 2008 23:43:49 -0400
Subject: packaging simplification, TODO cleanup.
---
 Makefile | 4 +++-
 debian/monkeysphere.docs | 3 ---
 debian/monkeysphere.install | 7 -------
 debian/monkeysphere.manpages | 5 -----
 doc/TODO | 21 ---------------------
 5 files changed, 3 insertions(+), 37 deletions(-)
 delete mode 100644 debian/monkeysphere.docs
 delete mode 100644 debian/monkeysphere.install
 delete mode 100644 debian/monkeysphere.manpages
diff --git a/Makefile b/Makefile
index 691447a..765c3e9 100644
--- a/Makefile
+++ b/Makefile
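Review bot: The new `if ! [ -d "$VARLIB" ]` check in the diagnostics hunk only tests presence; since the authorized_keys files that monkeysphere-server hands to sshd are kept under that directory (see `/var/lib/monkeysphere/authorized_keys/*` in the doc/TODO item dropped in 93a51ab and the mkdir in a6c9b79), a directory that exists but is group- or world-writable is the more dangerous misconfiguration and deserves a diagnostic of its own. An extra branch in the same style as the surrounding checks, `elif [ -n "$(find "$VARLIB" -prune \( -perm -g+w -o -perm -o+w \))" ] ; then` followed by `echo "! $VARLIB is group- or world-writable. Please fix its permissions."`, covers that with POSIX find (no `-maxdepth`, in keeping with the portability work elsewhere in this series); an ownership check would be a natural third line, but the expected owner is not visible from this hunk. The `diagnostics` function starts and ends outside the hunk.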
@@ -34,10 +34,12 @@ clean:
 install: all
 mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere
 mkdir -p $(DESTDIR)$(PREFIX)/share/man/man1 $(DESTDIR)$(PREFIX)/share/man/man7 $(DESTDIR)$(PREFIX)/share/man/man8
+ mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
 mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
 install src/monkeysphere src/monkeysphere-ssh-proxycommand src/keytrans/openpgp2ssh $(DESTDIR)/$(PREFIX)/bin
 install src/monkeysphere-server $(DESTDIR)/$(PREFIX)/sbin
- install src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ install -m 0644 src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
 install man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1
 install man/man7/* $(DESTDIR)$(PREFIX)/share/man/man7
 install man/man8/* $(DESTDIR)$(PREFIX)/share/man/man8
diff --git a/debian/monkeysphere.docs b/debian/monkeysphere.docs
deleted file mode 100644
index 398bc5a..0000000
--- a/debian/monkeysphere.docs
+++ /dev/null
@@ -1,3 +0,0 @@
-doc/getting-started-user.mdwn
-doc/getting-started-admin.mdwn
-doc/MonkeySpec
diff --git a/debian/monkeysphere.install b/debian/monkeysphere.install
deleted file mode 100644
index 6dd3dda..0000000
--- a/debian/monkeysphere.install
+++ /dev/null
@@ -1,7 +0,0 @@
-src/keytrans/openpgp2ssh usr/bin
-src/monkeysphere usr/bin
-src/monkeysphere-server usr/sbin
-src/monkeysphere-ssh-proxycommand usr/bin
-src/common usr/share/monkeysphere
-etc/monkeysphere.conf etc/monkeysphere
-etc/monkeysphere-server.conf etc/monkeysphere
diff --git a/debian/monkeysphere.manpages b/debian/monkeysphere.manpages
deleted file mode 100644
index 1490566..0000000
--- a/debian/monkeysphere.manpages
+++ /dev/null
@@ -1,5 +0,0 @@
-man/man1/monkeysphere.1
-man/man1/openpgp2ssh.1
-man/man1/monkeysphere-ssh-proxycommand.1
-man/man7/monkeysphere.7
-man/man8/monkeysphere-server.8
diff --git a/doc/TODO b/doc/TODO
index b41d2be..6cc086a 100644
--- a/doc/TODO
+++ b/doc/TODO
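Review bot: `install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere` will trip over any subdirectory of doc/ — install(1) refuses directories with "omitting directory" and a non-zero exit, which aborts `make install` — and this page shows `doc/george/changelog` being edited a few commits later, so such a subdirectory appears to exist already. Listing the files explicitly avoids that and lets the mode be set at the same time, e.g. `install -m 0644 doc/TODO doc/MonkeySpec doc/getting-started-admin.mdwn doc/getting-started-user.mdwn $(DESTDIR)$(PREFIX)/share/doc/monkeysphere` (the names come from the debian/monkeysphere.docs file deleted in this commit plus the TODO the changelog entry mentions; confirm against the tree). Without `-m 0644` the docs are also installed executable, as the man pages on the three lines below still are. Deleting debian/monkeysphere.install and .manpages presumably makes the Debian package rely on this target, so the remaining `$(DESTDIR)/$(PREFIX)` vs `$(DESTDIR)$(PREFIX)` mix (the bin/sbin/share lines versus the rest) now reaches the package as well.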
@@ -14,35 +14,14 @@ Work out the details (and describe a full use case) for assigning a do we export it so it's available when a second-party revocation is needed? -Ensure that authorized_user_ids are under as tight control as ssh - expects from authorized_keys: we don't want monkeysphere to be a - weak link in the filesystem. - -Consider the default permissions for - /var/lib/monkeysphere/authorized_keys/* (and indeed the whole - directory path leading up to that) - -Make sure alternate ports are handled for known_hosts. - -Script to import private key into ssh agent. - Provide a friendly interactive UI for marginal or failing client-side hostkey verifications. Handle the common cases smoothly, and provide good debugging info for the unusual cases. -Make sure onak properly escapes user IDs with colons in them. - -Indicate on web site how to report trouble or concerns, and how to - join the project. - -Clean up the style for the web site (pages, icons, etc). - Create ssh2openpgp or convert to full-fledged keytrans. Resolve the bugs listed in openpgp2ssh(1):BUGS. -Document alternate trustdb models. - Understand and document the output of gpg --check-trustdb: gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u -- cgit v1.2.3 From 650b8394c0248d055544e046c988ac0b3056afe0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 4 Sep 2008 23:46:05 -0400 Subject: update debian/changelog --- debian/changelog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index dcb6d4a..d032017 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,8 +1,10 @@
 monkeysphere (0.15~pre-1) UNRELEASED; urgency=low
 
- * porting work: clarifying makefiles, pruning dependencies, etc.
+ * porting work and packaging simplification: clarifying makefiles,
+ pruning dependencies, etc.
 * added tests to monkeysphere-server diagnostics
 * moved monkeysphere(5) to section 7 of the manual
+ * now shipping TODO in /usr/share/doc/monkeysphere
 
 -- Daniel Kahn Gillmor Thu, 04 Sep 2008 19:08:40 -0400
 
-- cgit v1.2.3
From 9556a2f1659aa6432cc74469a25d401319d74e79 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Fri, 5 Sep 2008 00:09:05 -0400
Subject: more porting tweaks: do not rely on the -w arg to base64, so we can use fourmilab instead of GNU
---
 src/keytrans/openpgp2ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c
index 427adc8..f16eac5 100644
--- a/src/keytrans/openpgp2ssh.c
+++ b/src/keytrans/openpgp2ssh.c
@@ -208,7 +208,7 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, const unsi
 /* variables for the output conversion: */
 int pipestatus;
 int pipefd, child_pid;
- char* const b64args[] = {"base64", "--wrap=0", NULL};
+ char* const b64args[] = {"sh", "-c", "base64 | tr -c -d '[A-Za-z0-9=+/]'", NULL};
 
 init_datum(&m);
 init_datum(&e);
-- cgit v1.2.3
From 9352a728617d422f5b86100efdcbc72a6d3ca78a Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Fri, 5 Sep 2008 00:20:27 -0400
Subject: changed intro to trust model docs.
---
 website/trust-models.mdwn | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/website/trust-models.mdwn b/website/trust-models.mdwn
index 8fee5cb..789e3a3 100644
--- a/website/trust-models.mdwn
+++ b/website/trust-models.mdwn
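Review bot: The replacement `sh -c "base64 | tr ..."` changes what `pipestatus` can tell the parent: a shell pipeline's exit status is that of its last command, so if `base64` is missing or fails — exactly the portability case this commit is about — `tr` still exits 0 and the caller gets an empty key body with a success status, where the previous direct exec of base64 would have failed visibly. Either treat an empty result as an error where `pipestatus` is examined, or keep base64 as the direct child and drop the line breaks in C after reading through `pipefd` (if that is how the output is collected, as the variable names suggest), which also avoids resolving three programs through PATH instead of one. Separately, in tr(1) `[` and `]` are ordinary members of the set rather than bracket-expression delimiters, so the filter also passes literal brackets; `char* const b64args[] = {"sh", "-c", "base64 | tr -c -d 'A-Za-z0-9=+/'", NULL};` says what was meant. `emit_public_openssh_from_pgp` starts and ends outside this hunk.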
@@ -6,11 +6,11 @@ Monkeysphere relies on GPG's definition of the OpenPGP web of trust, so it's important to understand how GPG calculates User ID validity for a key. -The basic question asked is: For a given User ID on a specific key, -given some set of valid certifications (signatures), and some explicit -statements about whose certifications you think are trustworthy -(ownertrust), should we consider this User ID to be legitimately -attached to this key (a "valid" User ID)? +The basic question that a trust model tries to answer is: For a given +User ID on a specific key, given some set of valid certifications +(signatures), and some explicit statements about whose certifications +you think are trustworthy (ownertrust), should we consider this User +ID to be legitimately attached to this key (a "valid" User ID)? It's worth noting that there are two integral parts in this calculation: -- cgit v1.2.3 From 2a597cae492b90eb0d66f29ff54a99860247dd3c Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Fri, 5 Sep 2008 00:24:12 -0400 Subject: updating mirrors help file to reflect new rsync approach. --- website/mirrors.mdwn | 82 ++++++++++------------------------------------------ 1 file changed, 15 insertions(+), 67 deletions(-) diff --git a/website/mirrors.mdwn b/website/mirrors.mdwn index 44f50d9..7464519 100644 --- a/website/mirrors.mdwn +++ b/website/mirrors.mdwn 
@@ -6,93 +6,41 @@ stored in our git repositories and converted into html by We're mirrored on several servers. Rather than using ikiwiki's [pinger/pingee approach to distribution](http://ikiwiki.info/tips/distributed_wikis/), we've -opted for a method that uses ssh. +opted for a simpler rsync of the ikiwiki-produced html files. ## Initial steps to take on the mirror server ## -Add etch-backports to your /etc/apt/sources.list: +Create a new user. - deb http://www.backports.org/debian etch-backports main contrib non-free - -Add the following lines to your /etc/apt/preferences file: - - Package: ikiwiki - Pin: release a=etch-backports - Pin-Priority: 999 - - # needed by ikiwiki - Package: libcgi-formbuilder-perl - Pin: release a=etch-backports - Pin-Priority: 999 - - Package: git-core - Pin: release a=etch-backports - Pin-Priority: 999 - -Install git-core and ikiwiki - - aptitude update; aptitutde install git-core ikiwiki - -Create a new user. Change the new users shell to git-shell: - - adduser -s /usr/bin/git-shell - -Add webmaster@george's public key to this user's ~/.ssh/authorized_keys file - -Add web site configuration that the user has write access to. If you are using Apache, include the following rewrite: +Add web site configuration that the user has write access to. If you are +using Apache, include the following rewrite: RewriteEngine On RewriteCond %{HTTP_HOST} !^(YOURHOSTNAME|web)\.monkeysphere\.info$ [NC] RewriteCond %{HTTP_HOST} !^$ RewriteRule ^/(.*) http://web.monkeysphere.info/$1 [L,R] -Upload and edit ikiwiki.setup.sample from the docs directory - -As the new user, create a git repo +Add webmaster@george's public key to this user's ~/.ssh/authorized_keys +file, restricting that user to rsync (modify path to web directory as +needed): - mkdir monkeysphere.git; cd monkeysphere.git; git init --bare; + command="/usr/bin/rsync --server -vlogDtprz --delete . 
web/",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0SCD6tAh7g1yyuelIm5zyh5OFX89NNbpNzyp+BxXNxMc/C1BS9SN5KlNDT30WdDbw3X0St0dBBC69TZWYbSUn4+/6BNmYpLH2orhedBv4w2jBLmtVEfnMWa3a11CnIagMEkEz7rBIWpl76WOqzoueQbAAa/7GziVmv+2qdjcDFxHluO+VL/+gEw8BqZc587oiDYkIw3oBnOLaxUWDtaMFKiL8sgdBmPxzc8PgHxL5ezVDJExw5krR4FK7hG7KpBOlSwKQPFy2pPhHSb1ZuFJmp2kr2wfJ0RO7By5s/GbrkJbnGoiJ5W0fUC9YoI82U3svC5saowvoSo19yToJW4QUw== webmaster@george -## Initial Admin steps to take to enable the configuration ## +## Admin steps to take to enable the configuration ## Add a new dns record for SERVERNAME.monkeysphere.info. -Test the ssh connection by logging in as webmaster@george.riseup.net - -Add the new server as a remote on webmaster@george.riseup.net:monkeysphere.git - - cd ~/monkeysphere.git - git add remote SERVERNAME USER@SERVERNAME.monkeysphere.info:/path/to/repo - -Modify ~/monkeysphere.git/config, so the new repo stanza looks like this: - - [remote "SERVERNAME"] - url = USER@SERVERNAME.monkeysphere.info:monkeysphere.git - push = +refs/heads/master - skipDefaultUpdate = true - -Test: - - git push SERVERNAME - - -## Final steps to take on mirror server ## - -At this point, you should have a populated git repo in your -monkeyshere.git directory. - -Change the mode of monkeysphere.git/hooks/post-receive to 755 +If the mirror server is not participating in the monkeysphere, add the +server to webmaster's known host file. - chmod 755 monkesphere.git/hooks/post-receive +Add the new server to ~/mirrors file on george in the format: -Edit the file so that it executes the post-receive hook ikiwiki generates (as -you specified in the ikiwiki.setup file) + username@server:directory -Next, clone the repository: +Test by manually running the git post-receive hook: - clone monkeysphere.git monkeysphere + ~monkeysphere.git/hooks/post-receive -And lastly, run ikiwiki manually to generate the post-receive hook: - ikiwiki --setup ikiwiki.setup -- cgit v1.2.3 
From 45fd2830db11cc57bfc45cbf6837e06e57247129 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 5 Sep 2008 00:25:11 -0400 Subject: implementing Dan Scott small-caps suggestion for nav links. --- website/local.css | 2 ++ website/sidebar.mdwn | 12 ++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/website/local.css b/website/local.css index 69defae..cb966f8 100644 --- a/website/local.css +++ b/website/local.css @@ -61,12 +61,14 @@ table.sitenav img.logo { table.sitenav a { font-weight: bold; margin-right: 1em; + font-variant: small-caps; } table.sitenav span.selflink { font-weight: bold; text-decoration: underline; margin-right: 1em; + font-variant: small-caps; } div.header { diff --git a/website/sidebar.mdwn b/website/sidebar.mdwn index 33ab8ce..bc5dc69 100644 --- a/website/sidebar.mdwn +++ b/website/sidebar.mdwn @@ -3,11 +3,11 @@ -[[WHY?|why]] -[[DOWNLOAD|download]] -[[DOCUMENTATION|doc]] -[[NEWS|news]] -[[COMMUNITY|community]] -[[BUGS|bugs]] +[[Why?|why]] +[[Download|download]] +[[Documentation|doc]] +[[News|news]] +[[Community|community]] +[[Bugs|bugs]] -- cgit v1.2.3 From eeaa6fa40c74b674602562701b423bd244f2691f Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Fri, 5 Sep 2008 00:27:03 -0400 Subject: adding link to mirrors page. --- website/doc.mdwn | 1 + 1 file changed, 1 insertion(+) diff --git a/website/doc.mdwn b/website/doc.mdwn index 18b48a2..c59119f 100644 --- a/website/doc.mdwn +++ b/website/doc.mdwn @@ -25,3 +25,4 @@ Monkeysphere relies on: ## Other ## * [Similar Projects](/similar) (other attempts at a PKI for SSH) + * [Mirroring the website](/mirrors) -- cgit v1.2.3 From 8f39ffc5491cce5467240050758188958b3d08bd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 5 Sep 2008 00:36:49 -0400 Subject: more updates for mathopd on george --- doc/george/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/george/changelog b/doc/george/changelog index e570270..cd9aa90 100644 
--- a/doc/george/changelog +++ b/doc/george/changelog @@ -18,6 +18,7 @@ make sure they're well-connected to george's web of trust, and then add their User ID to ~monkey/.monkeysphere/authorized_user_ids + * more mime types for mathopd: image/png image/x-icon 2008-09-03 - micah * migrated /home/*/.config/monkeysphere/authorized_user_ids to new -- cgit v1.2.3 From 124108155193780f4b84d7284ab3dcb53200fa97 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 5 Sep 2008 00:53:00 -0400 Subject: minor formatting tweaks on mirrors page. --- website/mirrors.mdwn | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/website/mirrors.mdwn b/website/mirrors.mdwn index 7464519..5fcc347 100644 --- a/website/mirrors.mdwn +++ b/website/mirrors.mdwn @@ -1,6 +1,8 @@ -[[meta title="Mirroring the web site"]] +[[meta title="Mirroring the Monkeysphere web site"]] -In keeping with the philosophy of distributed development, our web site is +# Mirroring the Monkeysphere web site # + +In keeping with the distributed philosophy of distributed development, our web site is stored in our git repositories and converted into html by [ikiwiki](http://ikiwiki.info/). 
@@ -20,13 +22,12 @@ using Apache, include the following rewrite: RewriteCond %{HTTP_HOST} !^$ RewriteRule ^/(.*) http://web.monkeysphere.info/$1 [L,R] -Add webmaster@george's public key to this user's ~/.ssh/authorized_keys -file, restricting that user to rsync (modify path to web directory as -needed): +Add `webmaster@george`'s public key to this user's +`~/.ssh/authorized_keys` file, restricting that user to rsync (modify +path to web directory as needed): command="/usr/bin/rsync --server -vlogDtprz --delete . web/",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0SCD6tAh7g1yyuelIm5zyh5OFX89NNbpNzyp+BxXNxMc/C1BS9SN5KlNDT30WdDbw3X0St0dBBC69TZWYbSUn4+/6BNmYpLH2orhedBv4w2jBLmtVEfnMWa3a11CnIagMEkEz7rBIWpl76WOqzoueQbAAa/7GziVmv+2qdjcDFxHluO+VL/+gEw8BqZc587oiDYkIw3oBnOLaxUWDtaMFKiL8sgdBmPxzc8PgHxL5ezVDJExw5krR4FK7hG7KpBOlSwKQPFy2pPhHSb1ZuFJmp2kr2wfJ0RO7By5s/GbrkJbnGoiJ5W0fUC9YoI82U3svC5saowvoSo19yToJW4QUw== webmaster@george - ## Admin steps to take to enable the configuration ## Add a new dns record for SERVERNAME.monkeysphere.info. @@ -34,13 +35,13 @@ Add a new dns record for SERVERNAME.monkeysphere.info. If the mirror server is not participating in the monkeysphere, add the server to webmaster's known host file. -Add the new server to ~/mirrors file on george in the format: +Add the new server to `webmaster@george:~/mirrors` in the format: username@server:directory -Test by manually running the git post-receive hook: - - ~monkeysphere.git/hooks/post-receive - +Test by manually running the git post-receive hook as +`webmaster@george`: + ~/monkeysphere.git/hooks/post-receive +Add a new `A` record into the `web.monkeysphere.info` round robin. -- cgit v1.2.3 From 8765b3cc149c77b225212cfdd6bdbe9de80d76bf Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 5 Sep 2008 00:55:05 -0400 Subject: prevent page widening on the web site. --- website/local.css | 1 + 1 file changed, 1 insertion(+) 
diff --git a/website/local.css b/website/local.css
index cb966f8..76dc4cc 100644
--- a/website/local.css
+++ b/website/local.css
@@ -43,6 +43,7 @@ pre {
 border: 1px solid #aaa;
 padding: 3px 3px 3px 3px;
 margin-left: 2em;
+ overflow: scroll;
 }
 
 table.sitenav {
-- cgit v1.2.3
From 5a18c464ad8a4547d7c80aa7a508f55353e004f6 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Fri, 5 Sep 2008 00:56:04 -0400
Subject: prevent page widening, but nicer.
---
 website/local.css | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/local.css b/website/local.css
index 76dc4cc..f7a2006 100644
--- a/website/local.css
+++ b/website/local.css
@@ -43,7 +43,7 @@ pre {
 border: 1px solid #aaa;
 padding: 3px 3px 3px 3px;
 margin-left: 2em;
- overflow: scroll;
+ overflow: auto;
 }
 
 table.sitenav {
-- cgit v1.2.3