From 7a341471c9c9968fbb020368d88baa1411d95a7c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 26 Oct 2008 03:58:45 -0400 Subject: updated freebsd ports information. --- packaging/freebsd/Makefile | 2 +- packaging/freebsd/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index cc3d93f..7a24dc5 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -6,7 +6,7 @@ # PORTNAME= monkeysphere -PORTVERSION= 0.16~pre +PORTVERSION= 0.16 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index 3495f1a..16e88de 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 6e9489117794fa6afab8935b75cc5ccf -SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = fceab7cc77d9755e6484895ede56701b298ce3649bfcd10288a12803a565b7e5 -SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59721 +MD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49 +SHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7 +SIZE (monkeysphere_0.16.orig.tar.gz) = 66062 -- cgit v1.2.3 From 5722f3ce688ce4f71a7f3a4a3aa3d070c3e47014 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 26 Oct 2008 12:09:22 -0400 Subject: add some documentation to the user section about establishing trust --- website/getting-started-user.mdwn | 54 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn index 947c2da..2260256 100644 --- a/website/getting-started-user.mdwn +++ b/website/getting-started-user.mdwn @@ -104,6 +104,60 @@ subkey to your ssh agent by running: FIXME: using the key with a single ssh connection? +Establish trust +--------------- + +Now that you have the above setup, you will need to establish an +acceptable trust path to the admin(s) of a monkeysphere-enabled server +that you will be connecting to. You need to do this because the admin +is certifying the host, and you need a mechanism to validate that +certification. The only way to do that is by indicating who you trust +to certify hosts. This is a two step process: first you must sign the +key, and then you have to indicate a trust level. + +The process of signing another key is outside the scope of this +document, however the gnupg README details the signing process and you +can find good [documentation +](http://www.debian.org/events/keysigning) online detailing this +process. + +If you have signed your admins' key, you need to denote some kind of +trust to that key. To do this you should edit the key and use the +'trust' command. For the Monkeysphere to trust the assertions that are +made about a host, you need full calculated validity to the host +certifiers. This can be done either by giving full trust to one +host-certifying key, or by giving marginal trust to three different +host-certifiers. In the following we demonstrate how to add full trust +validity to a host-certifying key: + + $ gpg --edit-key + Command> trust + pub 2048R/3B757F8C created: 2008-06-19 expires: 2008-11-16 usage: CA + trust: unknown validity: full + [ unknown ] (1). ssh://monkeysphere.info + [ unknown ] (2) ssh://george.riseup.net + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 4 + +Note: Due to a limitation with gnupg, it is not currently possible to +limit the domain scope properly, which means that if you fully trust +an admin, this admin can currently assert host verification for any +hosts. + +Because the Monkeysphre relies on GPG's definition of the OpenPGP web +of trust, it is important to understand [how GPG calculates User ID +validity for a key](/trust-models). + Miscellaneous ------------- -- cgit v1.2.3 From b5d43f9d49d0b1e60c3f3019a2d15728d526e881 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 26 Oct 2008 19:42:15 -0400 Subject: included the full GPG transcript of granting trust in the User QuickStart guide. --- website/getting-started-user.mdwn | 68 ++++++++++++++++++++++++++------------- 1 file changed, 45 insertions(+), 23 deletions(-) diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn index 2260256..5241667 100644 --- a/website/getting-started-user.mdwn +++ b/website/getting-started-user.mdwn @@ -116,8 +116,9 @@ to certify hosts. This is a two step process: first you must sign the key, and then you have to indicate a trust level. The process of signing another key is outside the scope of this -document, however the gnupg README details the signing process and you -can find good [documentation +document, however the [gnupg +README](http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/README?root=GnuPG&view=markup) +details the signing process and you can find good [documentation ](http://www.debian.org/events/keysigning) online detailing this process. @@ -129,30 +130,51 @@ certifiers. This can be done either by giving full trust to one host-certifying key, or by giving marginal trust to three different host-certifiers. In the following we demonstrate how to add full trust validity to a host-certifying key: - - $ gpg --edit-key - Command> trust - pub 2048R/3B757F8C created: 2008-06-19 expires: 2008-11-16 usage: CA - trust: unknown validity: full - [ unknown ] (1). ssh://monkeysphere.info - [ unknown ] (2) ssh://george.riseup.net - - Please decide how far you trust this user to correctly verify other users' keys - (by looking at passports, checking fingerprints from different sources, etc.) - - 1 = I don't know or won't say - 2 = I do NOT trust - 3 = I trust marginally - 4 = I trust fully - 5 = I trust ultimately - m = back to the main menu - - Your decision? 4 + + + $ gpg --edit-key 'Jane Admin' + gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: unknown validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + + Command> trust + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: unknown validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 4 + + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: full validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + Please note that the shown key validity is not necessarily correct + unless you restart the program. + + Command> save + Key not changed so no update needed. + $ Note: Due to a limitation with gnupg, it is not currently possible to limit the domain scope properly, which means that if you fully trust -an admin, this admin can currently assert host verification for any -hosts. +an admin, you'll trust all their certifications. Because the Monkeysphre relies on GPG's definition of the OpenPGP web of trust, it is important to understand [how GPG calculates User ID -- cgit v1.2.3 From bd304148df8d9ec6662fa74f3cc998b11fce2fda Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 26 Oct 2008 19:45:44 -0400 Subject: added notes about recent work on george. --- doc/george/changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index cd9aa90..74daf17 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,11 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2008-10-25 - dkg + * aptitude update && aptitude full-upgrade + * brought monkeysphere up to 0.16-1 + * repointed keyserver usage to pool.sks-keyservers.net + 2008-09-04 - dkg * added two mime-type declarations in /etc/mathopd.conf so .debs and .tar.gz files come out reasonably; restarted mathopd for the -- cgit v1.2.3 From 12dfa2eccb5489021507bf40447c4495decd9fd0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 26 Oct 2008 20:17:13 -0400 Subject: Removed the gnutls component from our APT repo, since gnutls 2.6 is now in debian/unstable. Documented the changes, and changed the warning message that monkeysphere emits too. --- repo/conf/distributions | 8 ++++---- src/monkeysphere | 2 +- website/getting-started-user.mdwn | 19 +++++++------------ website/news/gnutls-2.6-enables-monkeysphere.mdwn | 19 +++++++++++++++++++ website/news/modified-gnutls-2.4.x-available.mdwn | 10 ++++++++++ 5 files changed, 41 insertions(+), 17 deletions(-) create mode 100644 website/news/gnutls-2.6-enables-monkeysphere.mdwn diff --git a/repo/conf/distributions b/repo/conf/distributions index 5ed1ab7..c97310e 100644 --- a/repo/conf/distributions +++ b/repo/conf/distributions @@ -1,10 +1,10 @@ -Origin: The MonkeySphere Project -Label: MonkeySphere/Debian +Origin: The Monkeysphere Project +Label: Monkeysphere/Debian Suite: experimental Codename: experimental Architectures: i386 powerpc amd64 arm source -Components: monkeysphere gnutls -Description: Packages implementing the monkeysphere for debian +Components: monkeysphere +Description: Packages implementing the Monkeysphere for debian SignWith: 2E8DD26C53F1197DDF403E6118E667F1EB8AF314 DscIndices: Sources Release . .gz DebIndices: Packages Release . .gz diff --git a/src/monkeysphere b/src/monkeysphere index 1db4f20..dd689b5 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -172,7 +172,7 @@ function subkey_to_ssh_agent() { if ! test_gnu_dummy_s2k_extension ; then failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys. -You may want to consider patching or upgrading. +You may want to consider patching or upgrading to GnuTLS 2.6 or later. For more details, see: http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html" diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn index 5241667..e0a2dab 100644 --- a/website/getting-started-user.mdwn +++ b/website/getting-started-user.mdwn @@ -87,21 +87,16 @@ Using your OpenPGP authentication key for SSH Once you have created an OpenPGP authentication subkey, you will need to feed it to your ssh agent. -Currently (2008-08-23), gnutls does not support this operation. In order -to take this step, you will need to upgrade to a patched version of -gnutls. You can easily upgrade a Debian system by adding the following -to `/etc/apt/sources.list.d/monkeysphere.list`: - - deb http://archive.monkeysphere.info/debian experimental gnutls - deb-src http://archive.monkeysphere.info/debian experimental gnutls - -Next, run `aptitude update; aptitude install libgnutls26`. - -With the patched gnutls installed, you can feed your authentication -subkey to your ssh agent by running: +The GnuTLS library supports this operation as of version 2.6, but +earlier versions do not. With a recent version of GnuTLS installed, +you can feed your authentication subkey to your ssh agent by running: $ monkeysphere subkey-to-ssh-agent +If you can't (or don't want to) upgrade to GnuTLS 2.6 or later, there +are patches for GnuTLS 2.4 available in [the Monkeysphere git +repo](/community). + FIXME: using the key with a single ssh connection? Establish trust diff --git a/website/news/gnutls-2.6-enables-monkeysphere.mdwn b/website/news/gnutls-2.6-enables-monkeysphere.mdwn new file mode 100644 index 0000000..b7894c5 --- /dev/null +++ b/website/news/gnutls-2.6-enables-monkeysphere.mdwn @@ -0,0 +1,19 @@ +[[meta title="GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys"]] + +We [announced earlier](/news/modified-gnutls-2.4.x-available) that the +Monkeysphere project was providing patched versions of GnuTLS to +support one piece of Monkeysphere functionality. Fortunately, those +patches are no longer needed, because as of [version +2.6](http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3135), +GnuTLS contains the necessary functionality natively. + +Therefore, our project will no longer provide patched copies of +GnuTLS, though we will continue to keep the patch alive in in [our git +repository](/community) until GnuTLS 2.6 has been more widely adopted. + +If you were pulling patched versions of GnuTLS 2.4 from the +Monkeysphere archive, you may prefer to pull GnuTLS 2.6 from [debian's +experimental archive](http://wiki.debian.org/DebianExperimental) (at +least until it GnuTLS 2.6 drops into unstable, which should happen +shortly after the release of +[lenny](http://wiki.debian.org/DebianLenny). diff --git a/website/news/modified-gnutls-2.4.x-available.mdwn b/website/news/modified-gnutls-2.4.x-available.mdwn index 44e08d0..36cfbfc 100644 --- a/website/news/modified-gnutls-2.4.x-available.mdwn +++ b/website/news/modified-gnutls-2.4.x-available.mdwn @@ -1,5 +1,15 @@ [[meta title="Modified GnuTLS 2.4.x available"]] +----- + +**2008-10-25 UPDATE:** [GnuTLS 2.6 has been released, and it contains the +functionality we needed](/news/gnutls-2.6-enables-monkeysphere). +Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with +passphrase-protected authentication subkeys. The information on this +page is now of historical interest only. + +----- + The MonkeySphere project is now making available a patched version of [GnuTLS](http://gnutls.org/) version 2.4.x, which enhances the utility of the `monkeysphere` package by enabling it to read authentication -- cgit v1.2.3 From b1244f1dc98230fc04bde76a89e88d7fa0d08053 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 26 Oct 2008 21:19:34 -0400 Subject: tracking freebsd packaging from anarcat. --- packaging/freebsd/Makefile | 9 ++++++--- packaging/freebsd/TODO | 21 --------------------- packaging/freebsd/pkg-install | 5 +++-- 3 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 packaging/freebsd/TODO diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index 7a24dc5..78ad0d3 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -12,9 +12,6 @@ MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monke # hack for debian orig tarballs DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz -# comment this out to test the port -IGNORE= this port is not finished yet - MAINTAINER= dkg@fifthhorseman.net COMMENT= use the OpenPGP web of trust to verify ssh connections @@ -43,5 +40,11 @@ post-install: @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \ fi +.if !defined(PACKAGE_BUILDING) + @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL +.endif + +post-deinstall: + @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL .include diff --git a/packaging/freebsd/TODO b/packaging/freebsd/TODO deleted file mode 100644 index f482457..0000000 --- a/packaging/freebsd/TODO +++ /dev/null @@ -1,21 +0,0 @@ -This port is not ready yet. - -We also need to create the monkeysphere user in the pkg-install and -remove it in pkg-deinstall. To do this, this page has useful tips: - -http://www.freebsd.org/doc/en/books/porters-handbook/dads-uid-and-gids.html - -and we'll have to copy scripts from existing ports that are suggested -above, see: - -http://www.freebsd.org/cgi/cvsweb.cgi/ports/japanese/Wnn6/pkg-install -http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/cvsup-mirror/pkg-install - -or just look around the ports tree for pkg-install files, they are -usually for adding users. - -Finally the pkg-plist needs to be checked. The package hasn't been -installed at all once yet, it only patches and builds. - -The port is therefore marked as IGNORE, which makes it unusable, comment -out the IGNORE line in the Makefile to test. diff --git a/packaging/freebsd/pkg-install b/packaging/freebsd/pkg-install index 940b796..5e520cd 100755 --- a/packaging/freebsd/pkg-install +++ b/packaging/freebsd/pkg-install @@ -24,7 +24,7 @@ POST-INSTALL) GID=${UID} SHELL=/usr/local/bin/bash - if pw group show "${GROUP}" 2>/dev/null; then + if pw group show "${GROUP}" >/dev/null 2>&1; then echo "You already have a group \"${GROUP}\", so I will use it." else if pw groupadd ${GROUP} -g ${GID}; then @@ -35,7 +35,8 @@ POST-INSTALL) fi fi - if oldshell=`pw user show "${USER}" 2>/dev/null`; then + if pw user show "${USER}" >/dev/null 2>&1; then + oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:` if [ x"$oldshell" != x"$SHELL" ]; then echo "You already have a \"${USER}\" user, but its shell is '$oldshell'." echo "This package requires that \"${USER}\"'s shell be '$SHELL'." -- cgit v1.2.3