From 41b38ace2b23bebf61fbf63cda8d3be005d28385 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 18 Feb 2009 21:30:01 -0500 Subject: added debian/NEWS file so that early adopters are appraised of the changes. --- packaging/debian/NEWS | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 packaging/debian/NEWS diff --git a/packaging/debian/NEWS b/packaging/debian/NEWS new file mode 100644 index 0000000..3fceea2 --- /dev/null +++ b/packaging/debian/NEWS @@ -0,0 +1,22 @@ +monkeysphere (0.23-1) unstable; urgency=low + + * There has been a major interface and data refactoring. Please see the + man pages for details. Major changes are listed here: + * For end users: monkeysphere-ssh-proxycommand is no more. + its functionality has been folded into monkeysphere as a subcommand. + So if you are currently using: + ssh -oProxyCommand='monkeysphere-ssh-proxycommand %h %p' + plese use instead: + ssh -oProxyCommand='monkeysphere ssh-proxycommand %h %p' + * For sysadmins: monkeysphere-server has been split into + monkeysphere-host (for publishing the ssh host key of your machine) + and monkeysphere-authentication (for setting up your machine to + authenticate users via the OpenPGP Web of Trust) + * For too-curious sysadmins: the layout of /var/lib/monkeysphere has + changed dramatically. If you did any tricky tweaking of the files in + there, you probably want to check that your changes have been + preserved after the upgrade. The old files can be found in + /var/lib/monkeysphere/backup-from-0.23-transition. + + -- Daniel Kahn Gillmor Wed, 18 Feb 2009 21:29:22 -0500 + -- cgit v1.2.3 From 0e16b71ee4b4fd47931ee592dd0a469e080fcfbb Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Wed, 18 Feb 2009 23:15:57 -0500 Subject: added MONKEYSPHERE_PROMPT to man pages. --- man/man1/monkeysphere.1 | 4 ++++ man/man8/monkeysphere-authentication.8 | 23 +++++++++++++++-------- man/man8/monkeysphere-host.8 | 4 ++++ 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 0e80047..269462e 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -152,6 +152,10 @@ Whether or not to hash to the known_hosts file entries (`true'). .TP MONKEYSPHERE_AUTHORIZED_KEYS Path to ssh authorized_keys file (~/.ssh/authorized_keys). +.TP +MONKEYSPHERE_PROMPT +If set to `false', monkeysphere will never prompt the user for +confirmation. (true) .SH FILES diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 4d453d3..56543fb 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 
@@ -131,22 +131,29 @@ The following environment variables will override those specified in the config file (defaults in parentheses): .TP MONKEYSPHERE_MONKEYSPHERE_USER -User to control authentication keychain (monkeysphere). +User to control authentication keychain. (monkeysphere) .TP MONKEYSPHERE_LOG_LEVEL -Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in -increasing order of verbosity. +Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. (INFO) .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (pool.sks-keyservers.net). +OpenPGP keyserver to use. (pool.sks-keyservers.net) .TP MONKEYSPHERE_AUTHORIZED_USER_IDS -Path to user authorized_user_ids file -(%h/.monkeysphere/authorized_user_ids). +Path to user's authorized_user_ids file. %h gets replaced with the +user's homedir, %u with the username. +(%h/.monkeysphere/authorized_user_ids) .TP MONKEYSPHERE_RAW_AUTHORIZED_KEYS -Path to user-controlled authorized_keys file. `-' means not to add -user-controlled file (%h/.ssh/authorized_keys). +Path to regular ssh-style authorized_keys file to append to +monkeysphere-generated authorized_keys. `none' means not to add any +raw authorized_keys file. %h gets replaced with the user's homedir, +%u with the username. (%h/.ssh/authorized_keys) +.TP +MONKEYSPHERE_PROMPT +If set to `false', never prompt the user for confirmation. (true) + .SH FILES diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 330b610..6c97315 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -113,6 +113,10 @@ increasing order of verbosity. .TP MONKEYSPHERE_KEYSERVER OpenPGP keyserver to use (pool.sks-keyservers.net). +.TP +MONKEYSPHERE_PROMPT +If set to `false', never prompt the user for confirmation. (true) + .SH FILES -- cgit v1.2.3 From c52240813df1e56ee5de2f0a78d6af56d653f3b9 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Wed, 18 Feb 2009 23:17:02 -0500 Subject: normalizing MONKEYSPHERE_PROMPT description in monkeysphere.1 --- man/man1/monkeysphere.1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 269462e..3ed43e1 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -154,8 +154,7 @@ MONKEYSPHERE_AUTHORIZED_KEYS Path to ssh authorized_keys file (~/.ssh/authorized_keys). .TP MONKEYSPHERE_PROMPT -If set to `false', monkeysphere will never prompt the user for -confirmation. (true) +If set to `false', never prompt the user for confirmation. (true) .SH FILES -- cgit v1.2.3 From 1e1956b1abe3701d7af9c068015acee01f30d660 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Feb 2009 00:04:13 -0500 Subject: (untested) overhaul of monkeysphere 0.22 to 0.23 release. --- src/transition_0.22_0.23 | 179 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 137 insertions(+), 42 deletions(-) diff --git a/src/transition_0.22_0.23 b/src/transition_0.22_0.23 index 3328e8c..12ef1d2 100755 --- a/src/transition_0.22_0.23 +++ b/src/transition_0.22_0.23 
@@ -1,69 +1,164 @@ #!/bin/bash +# this script should run without any errors. +set -e + # This is a post-install script for monkeysphere, to transition an old -# (<=0.22) setup to the new (>0.22) setup +# (<0.23) setup to the new (>=0.23) setup SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} MADATADIR="${SYSDATADIR}/authentication" MHDATADIR="${SYSDATADIR}/host" -############################################################ -### transfer host setup +STASHDIR="${SYSDATADIR}/backup-from-0.23-transition" -if [ -d "$SYSDATADIR"/gnupg-host ] ; then - if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] ; then +log() { + printf "$@" >&2 +} - # This would be simple, but it would generate a new pgp key, - #and we don't want that, right? - #monkeysphere-host expert import_key "$SYSDATADIR"/ssh_host_rsa_key +# FIXME: implement this function better. here, we only care about +# dots, *and* about reversing the regexification of them. +gpg_unescape_and_unregex() { + sed 's/\\x5c\././g' +} - # create host home - mkdir -p "${MHDATADIR}" - mkdir -p "${MHTMPDIR}" - mkdir -p "${GNUPGHOME_HOST}" - chmod 700 "${GNUPGHOME_HOST}" - # transfer the host secret key from the old home to the new - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \ - GNUPGHOME="$MHDATADIR" gpg --import +is_domain_name() { + printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$' +} - # make sure the ssh_host_rsa_key.pub and ssh_host_rsa_key.pub.gpg - # files exist +# run the authentication setup +monkeysphere-authentication setup - # anything else? +# before 0.23, the old gnupg-host data directory used to contain the +# trust core and the system's ssh host key. 
- fi - - #rm -rf "$SYSDATADIR"/gnupg-host - -fi +if [ -d "$SYSDATADIR"/gnupg-host ] ; then -############################################################ -### transfer authentication setup +### transfer identity certifiers, if they don't already exist in the +### current setup: + + if [ monkeysphere-authentication list-identity-certifiers | \ + grep -q '^[A-F0-9]{40}:$' ] ; then + log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n' + else + # get the old host keygrip (don't know why there would be more + # than one, but we'll transfer all tsigs made by any key that + # had been given ultimate ownertrust): + for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \ + grep ':6:$' + sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do + + # we're assuming that old id certifiers were only added by old + # versions of m-s c+, which added certifiers by ltsigning + # entire keys. + + # so we'll walk the list of tsigs from the old host key, and + # add those keys as certifiers to the new system. + + # FIXME: if an admin has run "m-s add-id-certifier $foo" + # multiple times for the same $foo, we'll only transfer + # one of those certifications (even if later + # certifications had different parameters). + + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \ + cut -f 1,2,5,8,9,10 -d: | \ + egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ + while IFS=: read -r type validity grip trustparams trustdomain fpr ; do + case $type in + 'fpr') # this is a new key + keyfpr=$fpr + ;; + 'sig') # deal with all trust signatures, including + # regexes if present. + if [ "$keyfpr" ] ; then + trustdepth=${trustparams%% *} + trustlevel=${trustparams##* } + if [ "$trustlevel" -ge 120 ] ; then + truststring=full + elif [ "$trustlevel" -ge 60 ] ; then + truststring=marginal + else + # trust levels below marginal are ignored. 
+ continue + fi + + finaldomain= + if [ "$trustdomain" ] ; then + # FIXME: deal with translating + # $trustdomain back to a domain. + if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then + dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex) + if [ is_domain_name "$dpart" ]; then + finaldomain="--domain $dpart" + else + log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart" + continue + fi + else + log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain" + continue + fi + fi + + CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX) + log "Adding identity certifier with fingerprint %s\n" "$keyfpr" + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY" + MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY" + rm -f "$CERTKEY" + # clear the fingerprint so that we don't + # make additional tsigs on it if more uids + # are present: + $keyfpr= + fi + ;; + esac + done + done + fi -# should we test for something else/better than the existence of this -# directory to know that we should go through the setup? 
-if [ -d "$SYSDATADIR"/gnupg-authentication ] ; then +### transfer host key information (if present) into the new spot + + if [ -d "${MHDATADIR}" ] ; then + log "Not transferring host key info because host directory already exists.\n" + else + if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then + + # create host home + mkdir -p "${MHDATADIR}" + chmod 0700 "${MHDATADIR}" + + log "importing host key from old monkeysphere installation\n" + GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \ + GNUPGHOME="$MHDATADIR" gpg --import + + monkeysphere-host update-gpg-pub-file + else + log "No host key found in old monkeysphere install; not importing any host key.\n" + fi + fi - # run the authentication setup - monkeysphere-authentication setup - # transfer certifiers - # FIXME: how? - # i think we'll need to run something like - # gpg_core_sphere_sig_transfer after transfering certifiers ltsigs +### get rid of this old stuff, since we've transferred it all: - # do we need to do some sort of transfer of ownertrust? + mkdir -p "$STASHDIR" + chmod 0700 "$STASHDIR" + mv "${SYSDATADIR}/gnupg-host" "$STASHDIR" +fi - # move the authorized_keys directory - mv "$SYSDATADIR"/authorized_keys "$MADATADIR"/ - # do we need to transfer anything else? running update-users will - # regenerate everything else in the sphere keyring, right? +# There is nothing in the old authentication directory that we should +# need to keep around, but it is not unreasonable to transfer keys to +# the new authentication keyring. +if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then - #rm -rf "$SYSDATADIR"/gnupg-authentication + GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \ + monkeysphere-authentication gpg-cmd --import + mkdir -p "$STASHDIR" + chmod 0700 "$STASHDIR" + mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR" fi - -- cgit v1.2.3 
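Review bot: Three of the new conditionals wrap a command in `[ … ]`, so `test` sees words rather than an exit status: `if [ monkeysphere-authentication list-identity-certifiers | grep -q … ]` pipes into a grep whose "file" is `]`, `if [ printf "%s" "$trustdomain" | egrep -q … ]` does the same, and `if [ is_domain_name "$dpart" ]` is a two-word test that errors out, so the "already certifiers" guard can never fire and a domain-limited certifier is never transferred; the intended form is the bare command, as below. The `for authgrip` pipeline also lacks a `|` between `grep ':6:$'` and `sed -r`, so grep is handed `sed`, `-r` and the expression as file names and no keygrip is ever found, and `$keyfpr=` at the end of the `sig` arm should be `keyfpr=` (as written it tries to run the fingerprint as a command, which with `set -e` in force aborts the run). The `grep -q '^[A-F0-9]{40}:$'` pattern is a BRE, in which `{40}` is not an interval, so it needs `-E`. As printed here there is also no `|` between `gpg --export-secret-keys \` and the `GNUPGHOME="$MHDATADIR" gpg --import` continuation (the removed lines show the same shape); if that is not an artefact of how the patch was rendered, the exported secret host key is written to the script's stdout instead of into the new keyring, which is worth confirming against the real file.
```shell
# … unchanged: setup, log/helper functions, gnupg-host test …
  if monkeysphere-authentication list-identity-certifiers | \
    grep -Eq '^[A-F0-9]{40}:$' ; then
# … unchanged: "already certifiers" log …
    for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
      grep ':6:$' | \
      sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do
# … unchanged: tsig walk, trust level mapping …
            if printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ; then
# … unchanged: dpart extraction …
              if is_domain_name "$dpart" ; then
# … unchanged: certifier export and add-identity-certifier …
            keyfpr=
# … unchanged: host key transfer, stash of old directories …
```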
From a5d96721e78a06f7dd55071ff3ae61370e00324c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Feb 2009 00:14:20 -0500 Subject: moved directory for monkeysphere-generated authorized_keys files back to its old location at /var/lib/monkeysphere/authorized_keys --- man/man8/monkeysphere-authentication.8 | 2 +- src/share/ma/setup | 2 +- src/share/ma/update_users | 2 +- tests/basic | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 56543fb..38df65d 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -161,7 +161,7 @@ If set to `false', never prompt the user for confirmation. (true) /etc/monkeysphere/monkeysphere-authentication.conf System monkeysphere-authentication config file. .TP -/var/lib/monkeysphere/authentication/authorized_keys/USER +/var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .SH AUTHOR diff --git a/src/share/ma/setup b/src/share/ma/setup index 6969d71..248406f 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -19,7 +19,7 @@ setup() { chmod 700 "${GNUPGHOME_CORE}" mkdir -p "${GNUPGHOME_SPHERE}" chmod 700 "${GNUPGHOME_SPHERE}" - mkdir -p "${MADATADIR}"/authorized_keys + mkdir -p "${SYSDATADIR}"/authorized_keys # deliberately replace the config files via truncation # FIXME: should we be dumping to tmp files and then moving atomically? diff --git a/src/share/ma/update_users b/src/share/ma/update_users index e9e3cc6..092d108 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -35,7 +35,7 @@ MODE="authorized_keys" GNUPGHOME="$GNUPGHOME_SPHERE" # the authorized_keys directory -authorizedKeysDir="${MADATADIR}/authorized_keys" +authorizedKeysDir="${SYSDATADIR}/authorized_keys" # check to see if the gpg trust database has been initialized if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then 
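Review bot: `mkdir -p "${SYSDATADIR}"/authorized_keys` takes its mode from the caller's umask, unlike the two gnupg directories just above it, which each get an explicit `chmod 700`. sshd with StrictModes (the default) refuses an AuthorizedKeysFile whose directory path is group- or world-writable, and after this move that directory sits directly under `${SYSDATADIR}`, so a permissive umask at install time would silently disable monkeysphere logins; an explicit `chmod 0755 "${SYSDATADIR}"/authorized_keys` after the mkdir (the files hold only public keys) removes that dependency. `setup()` begins before this hunk and continues after it.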
diff --git a/tests/basic b/tests/basic index 18e3019..9ae9c1c 100755 --- a/tests/basic +++ b/tests/basic @@ -158,7 +158,7 @@ cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG" # write the sshd_config cat <> "$SSHD_CONFIG" HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key -AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authentication/authorized_keys/%u +AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u EOF -- cgit v1.2.3 From f02e0df059f0985cc00e41554cf26b3cb4efa3c1 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Feb 2009 00:20:59 -0500 Subject: removing --quiet from this invocation seems to avoid an add-id-certifier failure. --- src/monkeysphere-authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 1def4cd..e8b11a4 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -85,7 +85,7 @@ gpg_sphere() { GNUPGHOME="$GNUPGHOME_SPHERE" export GNUPGHOME - su_monkeysphere_user "gpg --no-greeting --quiet --no-tty $@" + su_monkeysphere_user "gpg --no-greeting --no-tty $@" } # output to stdout the core fingerprint from the gpg core secret -- cgit v1.2.3 From 6a7b42ec39aad2e774255b875af7ab40e80bb872 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Feb 2009 00:35:50 -0500 Subject: catch pipe failures more cleanly during key import --- src/share/ma/add_certifier | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 2f29759..7c1441c 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier 
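Review bot: `$@` is still interpolated into one double-quoted string before being handed to su_monkeysphere_user, so argument boundaries are lost and any argument containing whitespace or shell metacharacters is re-split — and, if su_monkeysphere_user runs the string through `su -c`/`sh -c` (its body is not in this hunk, so this is inferred from the name), re-evaluated as shell, which matters when the arguments include a key file path or a user-supplied key ID. Dropping `--quiet` does not change that. Quoting each argument on the way in keeps them intact without changing callers: `su_monkeysphere_user "gpg --no-greeting --no-tty $(printf '%q ' "$@")"`. gpg_sphere's signature is outside this hunk.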
@@ -84,7 +84,8 @@ if [ -f "$keyID" ] ; then # + failure 'could not read key from '\''/root/dkg.gpg'\''' # + echo 'could not read key from '\''/root/dkg.gpg'\''' - keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) || \ + failure "There were no gpg keys in the file." if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then failure "There was not exactly one gpg key in the file." fi -- cgit v1.2.3 From 68299f9faebcf3c54382aca3d662b35172f6a968 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Feb 2009 00:37:10 -0500 Subject: clean up failure message --- src/share/ma/add_certifier | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 7c1441c..b917a74 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -85,7 +85,7 @@ if [ -f "$keyID" ] ; then # + echo 'could not read key from '\''/root/dkg.gpg'\''' keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) || \ - failure "There were no gpg keys in the file." + failure "There were no gpg keys in the file $keyID." if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then failure "There was not exactly one gpg key in the file." fi -- cgit v1.2.3
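Review bot: The new `|| failure "There were no gpg keys in the file."` tests the status of the command substitution, which is the status of its last stage, `cut`, not of `grep`, unless `set -o pipefail` is in effect above this hunk — and `cut` succeeds on empty input, so a file with no `gpg: key` line yields an empty `$keyID` with status 0 and the branch is never taken. The `[ -z "$keyID" ]` check two lines down is what actually catches that case, so the new clause is dead unless the pipeline itself breaks. If the distinct message is wanted, test the grep step on its own before the assignment, e.g. `grep -q '^gpg: key ' <<<"$importinfo" || failure "There were no gpg keys in the file."`. The enclosing `if [ -f "$keyID" ]` block starts before this hunk.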
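Review bot: `$keyID` in the new failure message is expanded after the assignment on the preceding line has already replaced the file name with the pipeline's output (empty when nothing matched), so the message will read "…in the file ." rather than naming the file. The file name is only available from `$keyID` before `keyID=$(echo "$importinfo" | …)` runs — see the `if [ -f "$keyID" ]` that opens this block above the hunk — so save it first, e.g. `keyFile=$keyID` before the assignment, and use `failure "There were no gpg keys in the file $keyFile."`.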