From c33b2a86d47a536b20bce8cb15ee5c23dd9eaec7 Mon Sep 17 00:00:00 2001 From: Jameson Rollins Date: Mon, 8 Mar 2010 23:36:45 -0500 Subject: fix my email address --- man/man1/monkeysphere.1 | 2 +- man/man7/monkeysphere.7 | 2 +- man/man8/monkeysphere-authentication.8 | 2 +- man/man8/monkeysphere-host.8 | 2 +- src/monkeysphere | 2 +- src/share/ma/list_certifiers | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 6abd36c..4d8eab6 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -201,7 +201,7 @@ added to the given user's authorized_keys file. .SH AUTHOR Written by: -Jameson Rollins , +Jameson Rollins , Daniel Kahn Gillmor .SH SEE ALSO diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index e4c2bf0..666b831 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -75,7 +75,7 @@ https://host.example.com[:port] .SH AUTHOR Written by: -Jameson Rollins , +Jameson Rollins , Daniel Kahn Gillmor .SH SEE ALSO diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index b2dfbdf..8732157 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -189,7 +189,7 @@ added to the given user's authorized_keys file. .SH AUTHOR This man page was written by: -Jameson Rollins , +Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 4735940..00ea777 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -226,7 +226,7 @@ of all imported secret keys (this is the host's GNUPGHOME directory). .SH AUTHOR This man page was written by: -Jameson Rollins , +Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins diff --git a/src/monkeysphere b/src/monkeysphere index e268058..7c92852 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -3,7 +3,7 @@ # monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: -# Jameson Rollins +# Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor # Micah Anderson diff --git a/src/share/ma/list_certifiers b/src/share/ma/list_certifiers index 38a3222..789eb9d 100644 --- a/src/share/ma/list_certifiers +++ b/src/share/ma/list_certifiers @@ -4,7 +4,7 @@ # Monkeysphere authentication list-certifiers subcommand # # The monkeysphere scripts are written by: -# Jameson Rollins +# Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor # -- cgit v1.2.3 From 3f7d3ab53390e4b69694cbddfdd97ebb14fa7790 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 9 Mar 2010 00:47:48 -0500 Subject: fixed monkeysphere.7 synopsis to be less ssh-specific --- man/man7/monkeysphere.7 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index 666b831..4d1deca 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -1,9 +1,8 @@ -.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks" +.TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks" .SH NAME -monkeysphere - ssh authentication framework using OpenPGP Web of -Trust +monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust .SH DESCRIPTION -- cgit v1.2.3 From 298e62bbdd6cb8865e046072f32a38130caa8f96 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 9 Mar 2010 01:04:56 -0500 Subject: added website stubs about validation agent --- website/validation-agent.mdwn | 32 ++++++++++++++++++++++++++++++++ website/validation-agent/protocol.mdwn | 23 +++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 website/validation-agent.mdwn create mode 100644 website/validation-agent/protocol.mdwn diff --git a/website/validation-agent.mdwn b/website/validation-agent.mdwn new file mode 100644 index 0000000..d95e7d4 --- /dev/null +++ b/website/validation-agent.mdwn @@ -0,0 +1,32 @@ +[[!meta title="Monkeysphere Validation Agent"]] + +# Monkeysphere Validation Agent # + +The Monkeysphere Validation Agent offers a local service for systems +to validate certificates (both X.509 and OpenPGP) and other public +keys in their proper contexts. + +Among other reasons, having a validation agent is a good thing +because: + +* Multiple tools can rely on the same PKI (e.g. the user's web browser + and the user's ssh client). +* A single validation agent can present a consistent UI to the user + (when used in an end-user context), or provide a unified trust model + to various services (when used in a server-side context). +* Authentication/certificate validation code can potentially be + isolated to a protected environment. + +## Implementations ## + +There are currently two implementations of the validation agent: + + * msva-perl + * msva-ruby + +## Protocol ## + +The Monkeysphere Validation Agent protocol (MSVA) is defined as a +minimal HTTP server with JSON-encapsulated requests and responses. +You may want to read [more protocol details](protocol). + diff --git a/website/validation-agent/protocol.mdwn b/website/validation-agent/protocol.mdwn new file mode 100644 index 0000000..e816996 --- /dev/null +++ b/website/validation-agent/protocol.mdwn @@ -0,0 +1,23 @@ +[[!meta title="Validation Agent Protocol"]] + +# Validation Agent Protocol # + +In its current form, the validation agent is conceived of as a +minimalistic HTTP server that accepts two different requests: + + GET / -- initial contact query, protocol version compatibility. + (no query parameters) + (returns: protoversion, server, available) + + POST /reviewcert -- request validation of a certificate + (query parameters: uid, context, pkc) + (returns: valid, message) + +Query parameters are posted as a JSON blob (*not* as +www-form-encoded). + +The variables that are returned are application/json as well. + +* PKC means: public key carrier: raw key, OpenPGP cert, or X.509 cert +* UID means: User ID (like in OpenPGP) +* context refers to the setting in which the certificate is offered. For example, "https" means: "this certificate was offered by an HTTPS server" -- cgit v1.2.3 From ae9d399c0873f2444f7297a00a77b04076b8021c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 9 Mar 2010 01:22:15 -0500 Subject: website: link the MSVA protocol back to the overview of the agent --- website/validation-agent/protocol.mdwn | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/validation-agent/protocol.mdwn b/website/validation-agent/protocol.mdwn index e816996..4e6811a 100644 --- a/website/validation-agent/protocol.mdwn +++ b/website/validation-agent/protocol.mdwn @@ -2,8 +2,9 @@ # Validation Agent Protocol # -In its current form, the validation agent is conceived of as a -minimalistic HTTP server that accepts two different requests: +In its current form, the +[Monkeysphere Validation Agent](/validation-agent) is conceived of as +a minimalistic HTTP server that accepts two different requests: GET / -- initial contact query, protocol version compatibility. (no query parameters) -- cgit v1.2.3 From 952b13be0cd27271e49fd8499bb56f43ca5c3827 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Mar 2010 11:30:20 -0500 Subject: update george changelog with my changes --- doc/george/changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index d15814c..ffb7cb0 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -6,6 +6,11 @@ * Please add new entries in reverse chronological order whenever you make * * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2010-03-09 - micah + * setup /srv/micah.monkeysphere.info + * replaced /etc/mathopd.conf virtual for daniel with one for me + * removed /srv/daniel.monkeysphere.info - not used + 2010-03-08 - mjgoins * Adding self to webmaster's authorized_user_ids * updating ikiwiki to use the version from lenny backports -- cgit v1.2.3 From 9fb7f481e3d09d3b3658cb78bd75c4910fff8c0a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 10 Mar 2010 00:17:35 -0500 Subject: update zimmermann changelog about minor MS config change to the keyserver --- doc/zimmermann/changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/zimmermann/changelog b/doc/zimmermann/changelog index 8dedf58..3ad3903 100644 --- a/doc/zimmermann/changelog +++ b/doc/zimmermann/changelog @@ -7,6 +7,10 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2010-03-10 - micah + * Updated /etc/monkeysphere/*.conf to use zimmermann + for the keyserver + 2008-11-29 - dkg * zimmermann now uses an X.509 certificate signed by the MF/PL CA for its HTTPS connection. -- cgit v1.2.3 From f49a056587718a95df2c65d47ceeef2b84334016 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 10 Mar 2010 00:29:43 -0500 Subject: retroactively added notes to changelog for zimmermann --- doc/zimmermann/changelog | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/doc/zimmermann/changelog b/doc/zimmermann/changelog index 3ad3903..f3e8171 100644 --- a/doc/zimmermann/changelog +++ b/doc/zimmermann/changelog @@ -11,10 +11,28 @@ * Updated /etc/monkeysphere/*.conf to use zimmermann for the keyserver +2010-03-09 - dkg + * transferred the https://z.m.o key from /root/.gnupg into the + monkeysphere-host keyring with: + + gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import + + * used undocumented "monkeysphere-host update-pgp-pub-file" to + refresh the output of m-h s. + +2010-02-19 - dkg + * upgraded to monkeysphere 0.28-1~bpo50+1 (includes gnupg from + backports.org) + +2010-02-?? - dkg + * manually created an OpenPGP certificate for zimmermann's https + RSA key, stored in /root/.gnupg; published it to the keyserver + network, certified it myself. + 2008-11-29 - dkg * zimmermann now uses an X.509 certificate signed by the MF/PL CA for its HTTPS connection. - + 2008-11-19 - dkg * added 10 SKS peers as a result of feedback from sks-devel. * set localtime to America/New_York via dpkg-reconfigure tzdata @@ -24,7 +42,7 @@ * made nginx proxy plain ol' HTTP on port 80 also so that SKS does not need to try to listen on a privileged port. * turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf - + 2008-11-19 - mlc * aptitude install nginx * get rid of /etc/nginx/sites-enabled/default -- cgit v1.2.3 From 5fa86c5e80710f5a89c87be0b5d5b17d72e85c14 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 01:59:06 -0500 Subject: added new X session validation agent initialization script --- .../debian/70monkeysphere_use_validation_agent | 30 ++++++++++++++++++++++ packaging/debian/changelog | 5 +++- packaging/debian/control | 1 + 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 packaging/debian/70monkeysphere_use_validation_agent diff --git a/packaging/debian/70monkeysphere_use_validation_agent b/packaging/debian/70monkeysphere_use_validation_agent new file mode 100644 index 0000000..1390859 --- /dev/null +++ b/packaging/debian/70monkeysphere_use_validation_agent @@ -0,0 +1,30 @@ +# /etc/X11/Xsession.d/70monkeysphere_use_validation_agent + +# This is a script to be sourced by Xsession. It wraps the session +# startup argument with a monkeysphere-validation-agent nested +# process, if available and none already exist. + +# Enable this system-wide by adding a line to +# /etc/X11/Xsession.options that reads: +# use-monkeysphere-validation-agent + +# Note that there is some weird interaction between this and +# dbus-session at the moment: dbus-launch can start the msva just +# fine, but if msva tries to start dbus-launch, dbus-launch fails +# with: + +# Failed to waitpid() for babysitter intermediate process: No child processes + +# So this is placed at position 70 -- *before* the dbus Xsession +# startup script, which is at 75 as of 2010-03-12, when i wrote this. + +# Author: Daniel Kahn Gillmor + +STARTMSVA= +MSVAGENT=/usr/bin/monkeysphere-validation-agent + +if grep -qs ^use-monkeysphere-validation-agent "$OPTIONFILE"; then + if [ -x "$MSVAGENT" ] && [ -z "$MONKEYSPHERE_VALIDATION_AGENT_SOCKET" ]; then + STARTUP="$MSVAGENT $STARTUP" + fi +fi diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 10429fe..6152a6e 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -6,8 +6,11 @@ monkeysphere (0.29~pre1-1) UNRELEASED; urgency=low [ Daniel Kahn Gillmor ] * bumped Standards-Version to 3.8.4 (no changes needed) * indicated bash dependency on version 3.2 or later (see MS #1687) + * including /etc/Xsession.d/70monkeysphere_use_validation_agent so that + administrators can start up a validation agent by default for each X + session by adding a single line to /etc/X11/Xsession.options. - -- Daniel Kahn Gillmor Thu, 18 Feb 2010 12:40:56 -0500 + -- Daniel Kahn Gillmor Fri, 12 Mar 2010 01:57:39 -0500 monkeysphere (0.28-1) unstable; urgency=low diff --git a/packaging/debian/control b/packaging/debian/control index 9a32642..6cd0143 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -28,6 +28,7 @@ Depends: openssh-client, adduser, ${misc:Depends} Recommends: netcat | socat, ssh-askpass, cron +Suggests: monkeysphere-validation-agent Enhances: openssh-client, openssh-server Description: leverage the OpenPGP web of trust for SSH and TLS authentication SSH key-based authentication is tried-and-true, but it lacks a true -- cgit v1.2.3 From 6a4e2466e6fb91d060c2d94717abd9922f624d35 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 02:25:07 -0500 Subject: initialize msva in Xsession based on monkeysphere.conf instead of /etc/X11/Xsession.d --- .../debian/70monkeysphere_use_validation_agent | 23 ++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/packaging/debian/70monkeysphere_use_validation_agent b/packaging/debian/70monkeysphere_use_validation_agent index 1390859..7c7a030 100644 --- a/packaging/debian/70monkeysphere_use_validation_agent +++ b/packaging/debian/70monkeysphere_use_validation_agent @@ -4,9 +4,9 @@ # startup argument with a monkeysphere-validation-agent nested # process, if available and none already exist. -# Enable this system-wide by adding a line to -# /etc/X11/Xsession.options that reads: -# use-monkeysphere-validation-agent +# Enable this system-wide by setting +# MONKEYSPHERE_USE_VALIDATION_AGENT=true in +# /etc/monkeysphere/monkeysphere.conf # Note that there is some weird interaction between this and # dbus-session at the moment: dbus-launch can start the msva just @@ -22,9 +22,16 @@ STARTMSVA= MSVAGENT=/usr/bin/monkeysphere-validation-agent - -if grep -qs ^use-monkeysphere-validation-agent "$OPTIONFILE"; then - if [ -x "$MSVAGENT" ] && [ -z "$MONKEYSPHERE_VALIDATION_AGENT_SOCKET" ]; then - STARTUP="$MSVAGENT $STARTUP" - fi +MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf +MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" + +if [ -x "$MSVAGENT" ] ; then + USEMSVAGENT=$(sh -c " +. '$MSSYSCONFIG' 2>/dev/null +. '$MSUSERCONFIG' 2>/dev/null || : +printf '%s' "'"$MONKEYSPHERE_USE_VALIDATION_AGENT"') + + if [ "$USEMSVAGENT" == "true" ] ; then + STARTUP="$MSVAGENT $STARTUP" + fi fi -- cgit v1.2.3 From 93dd8e30ae877ac3ee2e73a8303e3e797e27b944 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 02:30:03 -0500 Subject: documenting USE_VALIDATION_AGENT in configuration --- etc/monkeysphere.conf | 4 ++++ packaging/debian/70monkeysphere_use_validation_agent | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 53adf83..3a06e8a 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -36,3 +36,7 @@ # The path to the SSH authorized_keys file. #AUTHORIZED_KEYS=~/.ssh/authorized_keys + +# Set to true to enable validation agent during X session startup +# where available. +#USE_VALIDATION_AGENT=false diff --git a/packaging/debian/70monkeysphere_use_validation_agent b/packaging/debian/70monkeysphere_use_validation_agent index 7c7a030..1335458 100644 --- a/packaging/debian/70monkeysphere_use_validation_agent +++ b/packaging/debian/70monkeysphere_use_validation_agent @@ -26,10 +26,10 @@ MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" if [ -x "$MSVAGENT" ] ; then - USEMSVAGENT=$(sh -c " + USEMSVAGENT=$(sh -c "USE_VALIDATION_AGENT= . '$MSSYSCONFIG' 2>/dev/null . '$MSUSERCONFIG' 2>/dev/null || : -printf '%s' "'"$MONKEYSPHERE_USE_VALIDATION_AGENT"') +printf '%s' "'"$USE_VALIDATION_AGENT"') if [ "$USEMSVAGENT" == "true" ] ; then STARTUP="$MSVAGENT $STARTUP" -- cgit v1.2.3 From 78c1dbc047888e29daf42fe9a5ded7b91c3880e8 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 02:34:06 -0500 Subject: installing /etc/X11/Xsession.d/70monkeysphere_use_validation_agent --- packaging/debian/changelog | 4 ++-- packaging/debian/monkeysphere.dirs | 2 ++ packaging/debian/monkeysphere.install | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 packaging/debian/monkeysphere.install diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 6152a6e..d971ee6 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -7,8 +7,8 @@ monkeysphere (0.29~pre1-1) UNRELEASED; urgency=low * bumped Standards-Version to 3.8.4 (no changes needed) * indicated bash dependency on version 3.2 or later (see MS #1687) * including /etc/Xsession.d/70monkeysphere_use_validation_agent so that - administrators can start up a validation agent by default for each X - session by adding a single line to /etc/X11/Xsession.options. + administrators and users can choose to start up a validation agent for + each X session using monkeysphere.conf -- Daniel Kahn Gillmor Fri, 12 Mar 2010 01:57:39 -0500 diff --git a/packaging/debian/monkeysphere.dirs b/packaging/debian/monkeysphere.dirs index e07fb2c..3e39efe 100644 --- a/packaging/debian/monkeysphere.dirs +++ b/packaging/debian/monkeysphere.dirs @@ -8,3 +8,5 @@ usr/share/man/man1 usr/share/man/man7 usr/share/man/man8 etc/monkeysphere +etc/X11 +etc/X11/Xsession.d diff --git a/packaging/debian/monkeysphere.install b/packaging/debian/monkeysphere.install new file mode 100644 index 0000000..8e5b3f4 --- /dev/null +++ b/packaging/debian/monkeysphere.install @@ -0,0 +1 @@ +debian/70monkeysphere_use_validation_agent etc/X11/Xsession.d -- cgit v1.2.3 From ab7d1c7f6c168b44e965cac34b550489e14580e9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 16:47:58 -0500 Subject: renaming Xsession config file to match existing pattern (underscore only separates package from description) --- .../debian/70monkeysphere_use-validation-agent | 37 ++++++++++++++++++++++ .../debian/70monkeysphere_use_validation_agent | 37 ---------------------- packaging/debian/monkeysphere.install | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) create mode 100644 packaging/debian/70monkeysphere_use-validation-agent delete mode 100644 packaging/debian/70monkeysphere_use_validation_agent diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent new file mode 100644 index 0000000..1335458 --- /dev/null +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -0,0 +1,37 @@ +# /etc/X11/Xsession.d/70monkeysphere_use_validation_agent + +# This is a script to be sourced by Xsession. It wraps the session +# startup argument with a monkeysphere-validation-agent nested +# process, if available and none already exist. + +# Enable this system-wide by setting +# MONKEYSPHERE_USE_VALIDATION_AGENT=true in +# /etc/monkeysphere/monkeysphere.conf + +# Note that there is some weird interaction between this and +# dbus-session at the moment: dbus-launch can start the msva just +# fine, but if msva tries to start dbus-launch, dbus-launch fails +# with: + +# Failed to waitpid() for babysitter intermediate process: No child processes + +# So this is placed at position 70 -- *before* the dbus Xsession +# startup script, which is at 75 as of 2010-03-12, when i wrote this. + +# Author: Daniel Kahn Gillmor + +STARTMSVA= +MSVAGENT=/usr/bin/monkeysphere-validation-agent +MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf +MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" + +if [ -x "$MSVAGENT" ] ; then + USEMSVAGENT=$(sh -c "USE_VALIDATION_AGENT= +. '$MSSYSCONFIG' 2>/dev/null +. '$MSUSERCONFIG' 2>/dev/null || : +printf '%s' "'"$USE_VALIDATION_AGENT"') + + if [ "$USEMSVAGENT" == "true" ] ; then + STARTUP="$MSVAGENT $STARTUP" + fi +fi diff --git a/packaging/debian/70monkeysphere_use_validation_agent b/packaging/debian/70monkeysphere_use_validation_agent deleted file mode 100644 index 1335458..0000000 --- a/packaging/debian/70monkeysphere_use_validation_agent +++ /dev/null @@ -1,37 +0,0 @@ -# /etc/X11/Xsession.d/70monkeysphere_use_validation_agent - -# This is a script to be sourced by Xsession. It wraps the session -# startup argument with a monkeysphere-validation-agent nested -# process, if available and none already exist. - -# Enable this system-wide by setting -# MONKEYSPHERE_USE_VALIDATION_AGENT=true in -# /etc/monkeysphere/monkeysphere.conf - -# Note that there is some weird interaction between this and -# dbus-session at the moment: dbus-launch can start the msva just -# fine, but if msva tries to start dbus-launch, dbus-launch fails -# with: - -# Failed to waitpid() for babysitter intermediate process: No child processes - -# So this is placed at position 70 -- *before* the dbus Xsession -# startup script, which is at 75 as of 2010-03-12, when i wrote this. - -# Author: Daniel Kahn Gillmor - -STARTMSVA= -MSVAGENT=/usr/bin/monkeysphere-validation-agent -MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf -MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" - -if [ -x "$MSVAGENT" ] ; then - USEMSVAGENT=$(sh -c "USE_VALIDATION_AGENT= -. '$MSSYSCONFIG' 2>/dev/null -. '$MSUSERCONFIG' 2>/dev/null || : -printf '%s' "'"$USE_VALIDATION_AGENT"') - - if [ "$USEMSVAGENT" == "true" ] ; then - STARTUP="$MSVAGENT $STARTUP" - fi -fi diff --git a/packaging/debian/monkeysphere.install b/packaging/debian/monkeysphere.install index 8e5b3f4..63a2dd7 100644 --- a/packaging/debian/monkeysphere.install +++ b/packaging/debian/monkeysphere.install @@ -1 +1 @@ -debian/70monkeysphere_use_validation_agent etc/X11/Xsession.d +debian/70monkeysphere_use-validation-agent etc/X11/Xsession.d -- cgit v1.2.3 From 6a7ea8d275687ae75c1e06e73934922ba63fe61a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 16:53:37 -0500 Subject: made Xsession script POSIX-compliant, simplified it --- packaging/debian/70monkeysphere_use-validation-agent | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent index 1335458..4723f5c 100644 --- a/packaging/debian/70monkeysphere_use-validation-agent +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -26,12 +26,12 @@ MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" if [ -x "$MSVAGENT" ] ; then - USEMSVAGENT=$(sh -c "USE_VALIDATION_AGENT= -. '$MSSYSCONFIG' 2>/dev/null -. '$MSUSERCONFIG' 2>/dev/null || : -printf '%s' "'"$USE_VALIDATION_AGENT"') + USEMSVAGENT=$(USE_VALIDATION_AGENT= +. "$MSSYSCONFIG" 2>/dev/null +. "$MSUSERCONFIG" 2>/dev/null || : +printf '%s' "$USE_VALIDATION_AGENT") - if [ "$USEMSVAGENT" == "true" ] ; then + if [ "$USEMSVAGENT" = "true" ] ; then STARTUP="$MSVAGENT $STARTUP" fi fi -- cgit v1.2.3 From 04793ed7a56034e5d8290385155e9960afda6a29 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 17:01:28 -0500 Subject: add note about dbus communication for msva --- packaging/debian/70monkeysphere_use-validation-agent | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent index 4723f5c..2f9a4bf 100644 --- a/packaging/debian/70monkeysphere_use-validation-agent +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -18,6 +18,10 @@ # So this is placed at position 70 -- *before* the dbus Xsession # startup script, which is at 75 as of 2010-03-12, when i wrote this. +# this is also good, because it means that the MSVA will learn about +# the dbus session parameters, in case we want the agent to use dbus +# to communicate with the user. + # Author: Daniel Kahn Gillmor STARTMSVA= -- cgit v1.2.3 From 8a85f739799a73c1f866a5aa6abee70b8bd029df Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 17:02:16 -0500 Subject: fixing comment in Xsession script --- packaging/debian/70monkeysphere_use-validation-agent | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent index 2f9a4bf..d6758c8 100644 --- a/packaging/debian/70monkeysphere_use-validation-agent +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -1,4 +1,4 @@ -# /etc/X11/Xsession.d/70monkeysphere_use_validation_agent +# /etc/X11/Xsession.d/70monkeysphere_use-validation-agent # This is a script to be sourced by Xsession. It wraps the session # startup argument with a monkeysphere-validation-agent nested -- cgit v1.2.3 From 166f4db3b70b4eb491ea27bbb569dde098f6aa63 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 12 Mar 2010 17:06:39 -0500 Subject: further consolidating Xsession script --- packaging/debian/70monkeysphere_use-validation-agent | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/packaging/debian/70monkeysphere_use-validation-agent b/packaging/debian/70monkeysphere_use-validation-agent index d6758c8..c3135a8 100644 --- a/packaging/debian/70monkeysphere_use-validation-agent +++ b/packaging/debian/70monkeysphere_use-validation-agent @@ -24,18 +24,15 @@ # Author: Daniel Kahn Gillmor -STARTMSVA= MSVAGENT=/usr/bin/monkeysphere-validation-agent MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf" if [ -x "$MSVAGENT" ] ; then - USEMSVAGENT=$(USE_VALIDATION_AGENT= + if [ "$(USE_VALIDATION_AGENT= . "$MSSYSCONFIG" 2>/dev/null . "$MSUSERCONFIG" 2>/dev/null || : -printf '%s' "$USE_VALIDATION_AGENT") - - if [ "$USEMSVAGENT" = "true" ] ; then +printf '%s' "$USE_VALIDATION_AGENT")" = "true" ] ; then STARTUP="$MSVAGENT $STARTUP" fi fi -- cgit v1.2.3 From e8fb019cc59ec878e7c1636d798216d18b9e7863 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 13 Mar 2010 23:49:53 -0500 Subject: clarifying defaults for CHECK_KEYSERVER in monkeysphere.conf --- etc/monkeysphere.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 3a06e8a..bcda433 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -21,11 +21,12 @@ # Set whether or not to check keyservers at every monkeysphere # interaction, including all ssh connections if you use the -# monkeysphere ssh-proxycommand. +# monkeysphere ssh-proxycommand. Leave unset for default behavior +# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false. # NOTE: setting CHECK_KEYSERVER to true will leak information about # the timing and frequency of your ssh connections to the maintainer # of the keyserver. -#CHECK_KEYSERVER=true +#CHECK_KEYSERVER= # The path to the SSH known_hosts file. #KNOWN_HOSTS=~/.ssh/known_hosts -- cgit v1.2.3 From 8ab97c9c35f502005c23eb7adb3a8a0177f11630 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 00:36:57 -0500 Subject: keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER (Closes: MS #1997); finesse description of CHECK_KEYSERVER in monkeysphere.conf (see: MS #2014) --- changelog | 2 ++ etc/monkeysphere.conf | 8 ++++---- src/monkeysphere | 1 + 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/changelog b/changelog index cba8b4e..e29cbaf 100644 --- a/changelog +++ b/changelog @@ -3,6 +3,8 @@ monkeysphere (0.29~pre1) UNRELEASED; urgency=low * Fix man page typo about monkeysphere authorized_keys location * Monkeysphere should work properly even if the user has "armor" in their gpg.conf (closes MS #1625) + * monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER + environment variable (and defaults to true) -- Daniel Kahn Gillmor Thu, 18 Feb 2010 12:38:43 -0500 diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index bcda433..ce6e82a 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -23,10 +23,10 @@ # interaction, including all ssh connections if you use the # monkeysphere ssh-proxycommand. Leave unset for default behavior # (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false. -# NOTE: setting CHECK_KEYSERVER to true will leak information about -# the timing and frequency of your ssh connections to the maintainer -# of the keyserver. -#CHECK_KEYSERVER= +# NOTE: setting CHECK_KEYSERVER explicitly to true will leak +# information about the timing and frequency of your ssh connections +# to the maintainer of the keyserver. +#CHECK_KEYSERVER=true # The path to the SSH known_hosts file. #KNOWN_HOSTS=~/.ssh/known_hosts diff --git a/src/monkeysphere b/src/monkeysphere index 7c92852..a763151 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -276,6 +276,7 @@ case $COMMAND in ;; 'keys-for-userid'|'u') + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} keys_for_userid "$@" ;; -- cgit v1.2.3 From 24da4d0207c8d3c7586871dac3eea9d2a0b864c3 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 03:06:32 -0400 Subject: enable use of hkps (closes: MS #1749) --- man/man8/monkeysphere-authentication.8 | 5 +++++ src/share/ma/setup | 1 + 2 files changed, 6 insertions(+) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 8732157..ea9debd 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -177,6 +177,11 @@ false may expose users to abuse by other users on the system. (true) /etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP +/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt +If monkeysphere-authentication is configured to query an hkps +keyserver, it will use X.509 Certificate Authority certificates in +this file to validate any X.509 certificates used by the keyserver. +.TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .TP diff --git a/src/share/ma/setup b/src/share/ma/setup index 6c75fef..f965487 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -43,6 +43,7 @@ EOF # Edits will be overwritten. no-greeting list-options show-uid-validity +keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt EOF # make sure the monkeysphere user owns everything in the sphere -- cgit v1.2.3 From dc52882f7ecf895377bfbf65833c6a699be4ab28 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 09:50:57 -0400 Subject: warn if keyserver query fails (Closes: MS #1750) --- src/share/common | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/share/common b/src/share/common index 37f5305..cabc378 100644 --- a/src/share/common +++ b/src/share/common @@ -581,6 +581,10 @@ gpg_fetch_userid() { --search ="$userID" &>/dev/null returnCode="$?" + if [ "$returnCode" != 0 ] ; then + log error "Failure ($returnCode) searching keyserver $KEYSERVER for user id '$userID'" + fi + return "$returnCode" } -- cgit v1.2.3 From 733d920b94909b19022276f7288b70afa14713bd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 10:07:46 -0400 Subject: cleaning up monkeysphere-host show-key output --- src/monkeysphere-host | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 12e7bad..d615230 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -268,7 +268,7 @@ multi_key() { for key in $keys ; do if (( i++ > 0 )) ; then - echo "##############################" + printf "\n" fi "$cmd" "$key" done @@ -309,8 +309,9 @@ show_key() { # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ - | grep -v "^${GNUPGHOME}/pubring.gpg$" \ - | egrep -v '^-+$' + | grep -v "^${GNUPGHOME}/pubring.gpg$" \ + | egrep -v '^-+$' \ + | grep -v '^$' # list revokers, if there are any revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ @@ -320,7 +321,6 @@ show_key() { for key in $revokers ; do echo "revoker: $key" done - echo fi # list the pgp fingerprint -- cgit v1.2.3 From 42f7fec024d11c2ff20299f73254eda5b06ed181 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 10:21:31 -0400 Subject: fixing an error message in monkeysphere-host --- src/monkeysphere-host | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index d615230..f5374bd 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -239,7 +239,7 @@ prompt_userid_exists() { if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10) if [ "$PROMPT" != "false" ] ; then - printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2 + printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$userID" "$fingerprint" >&2 read OK; OK=${OK:=N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Service name not added." -- cgit v1.2.3 From 39d013c4d307d6a844f8dc2deabf42adc0a8a388 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 10:46:18 -0400 Subject: avoid checking trustdb from monkeysphere-host (Closes: MS #1957) --- src/monkeysphere-host | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index f5374bd..2c19331 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -74,7 +74,7 @@ EOF # function to interact with the gpg keyring gpg_host() { - GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@" + GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trust-db --no-greeting --quiet --no-tty "$@" } # list the info about the a key, in colon format, to stdout -- cgit v1.2.3 From 3d46f5954da2bc9a2dd8d2ce35713136149c2983 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Mar 2010 16:09:42 -0400 Subject: fix typo --- src/monkeysphere-host | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 2c19331..a5db8c1 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -74,7 +74,7 @@ EOF # function to interact with the gpg keyring gpg_host() { - GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trust-db --no-greeting --quiet --no-tty "$@" + GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trustdb --no-greeting --quiet --no-tty "$@" } # list the info about the a key, in colon format, to stdout -- cgit v1.2.3