From 5001c4b2f12540425be9e74c84beba3096981b21 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 7 Aug 2008 19:05:10 -0400 Subject: fix word duplication --- doc/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/README b/doc/README index cf2f396..684f524 100644 --- a/doc/README +++ b/doc/README @@ -30,7 +30,7 @@ hosts are. This can be done with the monkeysphere-ssh-proxycommand $ monkeysphere update-known_hosts -This will command will check to see if there is an OpenPGP key for +This command will check to see if there is an OpenPGP key for each (non-hashed) host listed in the known_hosts file, and then add the key for that host to the known_hosts file if one is found. This command could be added to a crontab as well, if desired. -- cgit v1.2.3 From dda1c93bc94daa24bf7b0f5671f8a222c0089efd Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 7 Aug 2008 19:19:43 -0400 Subject: alphabetize the options --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a0b7067..0a2f04b 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -236,7 +236,7 @@ gen_key() { revoker= # get options - TEMP=$(getopt -o l:e:r: -l length:,expire:,revoker: -n "$PGRM" -- "$@") + TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") if [ $? != 0 ] ; then exit 1 -- cgit v1.2.3 From 0e27af63f34c5bb75cef059fc9d76887251c1517 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 7 Aug 2008 19:26:33 -0400 Subject: make it so monkeysphere-server will respond to --help --- src/monkeysphere-server | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 0a2f04b..1e5f209 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -56,7 +56,7 @@ subcommands: gpg-authentication-cmd CMD gnupg-authentication command - help (h,?) this help + -h|--help|help (h,?) this help EOF } @@ -699,7 +699,7 @@ case $COMMAND in gpg_authentication_cmd "$@" ;; - 'help'|'h'|'?') + '--help'|'help'|'-h'|'h'|'?') usage ;; -- cgit v1.2.3 From be8136a52f372488802ca50ad4038e3dce52dc17 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 12 Aug 2008 16:09:42 -0400 Subject: new bug about missing known_hosts file --- website/bugs/missing-known_hosts-causes-error.mdwn | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 website/bugs/missing-known_hosts-causes-error.mdwn diff --git a/website/bugs/missing-known_hosts-causes-error.mdwn b/website/bugs/missing-known_hosts-causes-error.mdwn new file mode 100644 index 0000000..8f4e27c --- /dev/null +++ b/website/bugs/missing-known_hosts-causes-error.mdwn @@ -0,0 +1,8 @@ +[[meta title="Missing `~/.ssh/known_hosts` file causes errors from monkeysphere-ssh-proxycommand"]] + +As a user, if you don't have a `~/.ssh/known_hosts` file, +`monkeysphere-ssh-proxycommand` produces some bogus output, like: + + cat: /home/foo/.ssh/known_hosts: No such file or directory + +this should be fixable with a simple test. -- cgit v1.2.3 From 68a626b30117bb7c40e3e3eedb8139f1085b8ca2 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 12 Aug 2008 16:15:37 -0400 Subject: unescape *all* colons, instead of just the first one in encoded user IDs --- src/common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common b/src/common index b4e786b..ff1a220 100644 --- a/src/common +++ b/src/common @@ -68,7 +68,7 @@ check_capability() { # character # FIXME: undo all escape character translation in with-colons gpg output unescape() { - echo "$1" | sed 's/\\x3a/:/' + echo "$1" | sed 's/\\x3a/:/g' } # remove all lines with specified string from specified file -- cgit v1.2.3 From 221b6ca36694b3ec437794a925c7b665a065a74e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 11:51:48 -0400 Subject: switched published URL to dkgs git repo to use the git protocol. --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index f215f80..982f88f 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -32,7 +32,7 @@ The git repo from this web site: [Daniel Kahn Gillmor](http://cmrg.fifthhorseman.net/wiki/dkg): - git clone http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git monkeysphere + git clone git://lair.fifthhorseman.net/~dkg/monkeysphere monkeysphere ## Contact ## -- cgit v1.2.3 From 0b6031739ca8457616b043dc5b5649367271ed9f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 12:01:32 -0400 Subject: updates run on george. --- doc/george/changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index 93f00db..0790f65 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,10 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2008-08-13 - dkg + * aptitude update && aptitude full-upgrade + * restarted services to clear up dependencies on old libraries + 2008-08-07 - dkg * aptitude update && aptitude dist-upgrade * removed debian's experimental from the sources.list -- cgit v1.2.3 From f672b68d7d43e4e8bd57b72a1bf9788dd52e728b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 15:57:31 -0400 Subject: documenting our trouble with (and possible approaches to) handling passphrase-locked secret keys. --- .../bugs/handle-passphrase-locked-secret-keys.mdwn | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 website/bugs/handle-passphrase-locked-secret-keys.mdwn diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn new file mode 100644 index 0000000..a61b5ba --- /dev/null +++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn @@ -0,0 +1,83 @@ +[[meta title="MonkeySphere needs to be able to cleanly export passphrase-locked secret keys from the GPG keyring"]] + +At the moment, the only tool we have to export passphrase-locked +secret keys from the GPG keyring is `gpg` itself (and `gpg2`, which +has roughly the same behavior). + +As a result, we have the `seckey2sshagent` hack, which is unfriendly +and awkward to use. + +Ideally, `openpgp2ssh` would be able to convert passphrase-locked +secret keys into clean subkeys. However, i've tried to do this via +GnuTLS, and that library is not ready for this. + +OpenCDK, which is the component of GnuTLS which reads OpenPGP-style +keys, cannot cope with encrypted secret key material. I have had +[some +success](http://lists.gnu.org/archive/html/gnutls-devel/2008-06/msg00092.html) +in getting GnuTLS's OpenCDK to accept the existence of encrypted +secret key packets, [i learned that OpenCDK as included in GnuTLS is +incapable of dealing with the encrypted packets +themselves](http://lists.gnu.org/archive/html/gnutls-devel/2008-07/msg00012.html). + + +Some possible resolutions: + +--------- + +If we can assume that the passphrase-encrypted key we want to use is +actually a subkey, and if we could fix GnuTLS to ignore the use of the +"gnu-dummy S2K" produced by `gpg --export-secret-subkeys` for the +primary key, then something like the following script should actually +work for reasonable values of `$KEYID`: + + TMPDIR=$(mktemp -d) + uname 077 + mkfifo "$TMPDIR/passphrase" + kname="MonkeySphere Key $KEYID" + mkfifo "$TMPDIR/$kname" + ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & + gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" + (cd "$TMPDIR" && ssh-add -c "$kname") + rm -rf "$TMPDIR" + +--------- + +Ben Laurie and Rachel Willmer's +[OpenPGPSDK](http://openpgp.nominet.org.uk) is a candidate: this is a +C-based library that intends to implement RFC 4880 functionality. + +We could potentially re-write `openpgp2ssh` using this library, and it +*should* be able to handle everything we need from the OpenPGP side +(though it might need to be re-linked to OpenSSL to handle PEM-encoded +exports. + +Concerns: + +* OpenPGPSDK is not in debian yet, and doesn't currently (2008-08-13) + build with gcc 4.2 or 4.3. + +* OpenPGPSDK uses the apache license and appears to link to OpenSSL, + which has a GPL-incompatible license. I think this would mean that + `openpgp2ssh` could not remain GPL (though the rest of the + monkeysphere could). + +--------- + +We could try to use perl. The last time i checked, the pure-perl +OpenPGP implementations all depended on Math::PARI, which [is not in +debian](http://bugs.debian.org/440527). The most likely candidate is +[Crypt::OpenPGP](http://search.cpan.org/~btrott/Crypt-OpenPGP), +despite [some +bugginess](http://cpanratings.perl.org/dist/Crypt-OpenPGP). + +Concerns: + +* the aforementioned buggy reviews + +* there's a lot of dependency chasing to get anything like this + available in debian. + +--------- + +Other alternatives? -- cgit v1.2.3 From dfb394d65acbb060bc6350b7829024fd641aa73d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:20:32 -0400 Subject: suggesting reorganization of monkeysphere-server shortcuts. --- .../reorganize-monkeysphere-server-shortcuts.mdwn | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn diff --git a/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn new file mode 100644 index 0000000..5a4b946 --- /dev/null +++ b/website/bugs/reorganize-monkeysphere-server-shortcuts.mdwn @@ -0,0 +1,19 @@ +[[meta title="Reorganize monkeysphere-server shortcuts"]] + +Currently, `monkeysphere-server` supports three subcommands to adjust +the "identity certifiers": + +* `add-identity-certifier` (`a`) +* `remove-identity-certifier` (`r`) +* `list-identity-certifier` (`l`) + +Since [we also want to be able to add/remove multiple +hostnames](multiple-hostnames), i think we should change the shortcuts +from `a`, `r`, and `l` to `c+`, `c-`, and `c`. + +This would let us create new subcommands like: + +* `add-host-name` (`n+`) +* `revoke-host-name` (`n-`) +* `list-host-names` (`n`) + -- cgit v1.2.3 From 6f34ff65e63588a27a4076ef79f0737ea38cf68b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:49:17 -0400 Subject: making monkeysphere-server publish-key stricter about choice of emitted host key. --- src/monkeysphere-server | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3ca0656..d9b8676 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -372,10 +372,10 @@ publish_server_key() { # FIXME: need to figure out better way to identify host key # dummy command so as not to publish fakes keys during testing # eventually: - #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)" + #gpg_authentication "--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)" echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." echo "The following command should publish the key:" - echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'" + echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)'" exit 255 } -- cgit v1.2.3 From 48bdbc58cfe649c404240b629d9cef5134da5937 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 13 Aug 2008 16:51:39 -0400 Subject: suggesting that we start encouraging host key publication. --- website/bugs/allow-publishing-to-public-keyservers.mdwn | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 website/bugs/allow-publishing-to-public-keyservers.mdwn diff --git a/website/bugs/allow-publishing-to-public-keyservers.mdwn b/website/bugs/allow-publishing-to-public-keyservers.mdwn new file mode 100644 index 0000000..c6c8057 --- /dev/null +++ b/website/bugs/allow-publishing-to-public-keyservers.mdwn @@ -0,0 +1,16 @@ +[[meta title="monkeysphere-server publish-key does not work"]] + +Currently, if you try to run `monkeysphere-server publish-key`, you +can get the following output: + + Really publish key to subkeys.pgp.net? (y/N) y + NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + The following command should publish the key: + monkeysphere-server gpg-authentication-cmd '--keyserver subkeys.pgp.net --send-keys foo.example.org' + +I think we've demonstrated that this system works enough to warrant +using the public keyserver infrastructure. + +I suggest that we should actually enable this feature explicitly. +(leaving in the prompt is fine, though it would be nice to be able to +`--force` it or something). -- cgit v1.2.3