From 83ec9d4881d5acf16deabf910b93f2da39659c7a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 17:38:29 -0400 Subject: updated web site to reflect new status in FreeBSD ports. --- website/download.mdwn | 31 ++++++++++--------------------- website/news/FreeBSD-port-available.mdwn | 3 +++ 2 files changed, 13 insertions(+), 21 deletions(-) diff --git a/website/download.mdwn b/website/download.mdwn index 0a891db..9fba263 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -18,15 +18,15 @@ Monkeysphere relies on: ## Debian ## If you are running a [Debian](http://www.debian.org/) system, the -[monkeysphere is now available in the Debian unstable ("sid") +[monkeysphere is available in the Debian unstable ("sid") distribution](http://packages.debian.org/sid/monkeysphere). You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting the following lines in `/etc/apt/sources.list.d/monkeysphere.list`: - deb http://archive.monkeysphere.info/debian experimental monkeysphere - deb-src http://archive.monkeysphere.info/debian experimental monkeysphere + deb http://archive.monkeysphere.info/debian experimental monkeysphere + deb-src http://archive.monkeysphere.info/debian experimental monkeysphere The repository is currently signed by [The Monkeysphere archive signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C 
@@ -36,27 +36,16 @@ configuration after verifying its integrity](/archive-key). ## FreeBSD ## -There is [now a FreeBSD port available](/news/FreeBSD-port-available) -for the Monkeysphere. +There is [a FreeBSD port +available](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere) +for the Monkeysphere, built and tested against FreeBSD 7.1. -While the monkeysphere is not officially included in the ports tree -yet, [a problem -report](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128406) has -been submitted, and the package itself is functional. +You should be able to build and install the latest port with: -The latest version of the ports directory can be found in [the git -repository](/community) under -`packaging/freebsd/security/monkeysphere`. Please [let us -know](/community) if you encounter any problems with it on a FreeBSD -system. - -Until the port is accepted, you should be able to build the latest -port with: - - git clone git://git.monkeysphere.info/monkeysphere - cp -a monkeysphere/packaging/freebsd/security/monkeysphere /usr/ports/security cd /usr/ports/security/monkeysphere - make && make install + make package + +Enjoy! ## Source ## diff --git a/website/news/FreeBSD-port-available.mdwn b/website/news/FreeBSD-port-available.mdwn index a03af4e..fde2b47 100644 --- a/website/news/FreeBSD-port-available.mdwn +++ b/website/news/FreeBSD-port-available.mdwn @@ -1,5 +1,8 @@ [[meta title="FreeBSD port available"]] +Update: [FreeBSD's official ports tree now contains monkeysphere +0.24](FreeBSD-0.24-port-accepted). + There is now a FreeBSD port available for the Monkeysphere. It has been built and tested (so far) on a FreeBSD 7.1 AMD64 system, -- cgit v1.2.3 From 23b12bdbdf959fdc304fa10bae9836dae1e87f49 Mon Sep 17 00:00:00 2001 
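Review bot: the "Update:" line added to website/news/FreeBSD-port-available.mdwn links to FreeBSD-0.24-port-accepted, a page this commit does not create (it only appears in the following commit, 23b12bd), so at this point in history the news item carries a dangling link; either fold the two commits together or order the page creation first. In the download.mdwn hunk the text now tells FreeBSD users to run `make package` alone where it previously said `make && make install`; if the intent is that the package also be installed, say so explicitly, since the reader is no longer told how the built package reaches the system.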
From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 17:38:57 -0400 Subject: Added news announcement of FreeBSD port. --- website/news/FreeBSD-0.24-port-accepted.mdwn | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 website/news/FreeBSD-0.24-port-accepted.mdwn diff --git a/website/news/FreeBSD-0.24-port-accepted.mdwn b/website/news/FreeBSD-0.24-port-accepted.mdwn new file mode 100644 index 0000000..bdd5655 --- /dev/null +++ b/website/news/FreeBSD-0.24-port-accepted.mdwn @@ -0,0 +1,11 @@ +[[meta title="FreeBSD 0.24 port accepted"]] + +FreeBSD's ports tree now contains [a port of the +Monkeysphere](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere), +version 0.24. If you run FreeBSD, [update your ports +tree](http://www.freebsd.org/doc/en/books/handbook/ports-using.html), +and then: + + cd /usr/ports/security/monkeysphere + make package + -- cgit v1.2.3 From 9ea13e47f6d84b277eb819d41ece99c695aab407 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 10 Mar 2009 17:42:57 -0400 Subject: include changelog entry about mktemp portability update. --- packaging/debian/changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 093c157..70fef9f 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -2,6 +2,8 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low * New upstream release: - fix the marginal ui output so that it's not prefixed by the LOG_PREFIX + - use msmktempdir everywhere (avoid unwrapped calls to mktemp for + portability) -- Jameson Graef Rollins Sat, 07 Mar 2009 12:28:13 -0500 -- cgit v1.2.3 From 5b643872cdc78c4e11f1f729fdadba0bcae69ea8 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Wed, 11 Mar 2009 16:58:58 -0400 Subject: added a copy of the ExternalValidation spec from the old GnuTLS wiki, pulled from the google cache. needs cleanup --- doc/ExternalValidation.html | 232 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) create mode 100644 doc/ExternalValidation.html diff --git a/doc/ExternalValidation.html b/doc/ExternalValidation.html new file mode 100644 index 0000000..d176957 --- /dev/null +++ b/doc/ExternalValidation.html @@ -0,0 +1,232 @@ + +
This is Google's cache of http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation. It is a snapshot of the page as it appeared on Dec 15, 2008 14:31:48 GMT. The current page could have changed in the meantime. Learn more

+
These terms only appear in links pointing to this page: http redmine josefsson org wiki gnutls gnutlsexternalvalidation  
+ + + +GnuTLS - GnuTLSExternalValidation - Redmine + + + + + + + + + + + + + + + + + +
+ + + + +
+ + +
+ + +
+ + + + + + + + +History +
+ + + + + +
+

GnuTLSExternalValidation

+ + +

This page is intended to flesh out ideas to externalize the X.509 chain validation, X.509 private key handling, and possibly also OpenPGP validation and private key handling.

+ + +

It is important to realize that these are different problems, so the solution may be different. Let's first make the goals clear:

+ + +
    +
  • Make it possible to store private keys in a process different from the process that runs the GnuTLS client/server.
  • +
  • Make it possible to perform X.509 chain validation in a different process.
  • +
  • Make it possible to perform OpenPGP key validation in a different process.
  • +
+ + +

One must decide whether the external agent should be responsible for making authentication decisions, authorization decisions, or both. Possibly it should be able to make both kind of decisions. The GnuTLS process can always make further authorization decisions as well.

+ + +

For private keys, there is the PKCS#11 interface. GnuTLS has a branch that supports it. However, PKCS#11 doesn't solve the problem with an external process. It seems better to move the PKCS#11 interface to the external agent, rather than adding PKCS#11 interface to GnuTLS itself. Btw, GnuTLS already has PKCS#11 support on a special branch, and has been tested against the Scute PKCS#11 provider together with a Swedish eID X.509 smartcard.

+ + +

The solution should allow simple integration with GNOME components such as SeaHorse.

+ + +

Private key protocol

+ + +

Possible we should re-use GnuPG's external protocol here? What we need is an IPC protocol that does:

+ + +
SIGN [ALG] [KEY-ID] [TLS-DATA]
+ + +

Where KEY-ID somehow denotes a key to use, and TLS-DATA is the data that needs to be signed using the TLS algorithm. Given that TLS supports several algorithms, and even RSA is supported in more than one mode, there needs to be an ALG flag to indicate this.

+ + +

X.509 Chain Validation

+ + +

GnuPG's dirmngr has a protocol for doing this, using assuan. Unfortunately, assuan's design criteria state "no protection against DoS needed". This might make it unsuitable for a TLS implementation or other online tool.

+ + +

It is not clear to me whether the trusted CAs should be sent over the IPC, or whether it is something that is assumed to be known by the agent. The latter seems safer, but the former may be useful in some scenarios. (what scenarios?) They aren't mutually incompatible, so maybe we can support both.

+ + +

Thus we need a command to send over a trusted certificate:

+ + +
TRUSTED [b64pem...]
+ + +

And also send over untrusted certificates provided by the TLS peer:

+ + +
UNTRUSTED [b64pem...]
+ + +

Finally, a request to perform chain validation on a particular certificate is performed using:

+ + +
VALIDATE [b64pem...]
+ + +

Generic Certificate Validation

+ + +

It would be nice to be able to hand the agent any kind of certificate (OpenPGP or X.509), or even to be able to hand the agent a raw public key to see if it validates.

+ + +

The crucial request would be:

+ + +
VALIDATE {LABEL} {CERTTYPE} {PEERNAME} {CERTIFICATE}
+ + +

This says "I'm a program called LABEL. I'm about to send you a certificate of type CERTTYPE. I want you to tell me whether the specified PEERNAME matches one of the names stored in the certificate, and that the matching name in the certificate is cryptographically valid based on your knowledge of trusted certifiers."

+ + +

The agent can respond with VALID or INVALID. We maybe should consider whether INVALID might be implemented as an extensible set of reasons for invalidity (e.g. EXPIRED, NOMATCH, UNTRUSTED, SELFSIGNED, etc): would the potential extensibility from this outweigh the added implementation and semantic complexity?

+ + +

The possible options for CERTTYPE could be:

+ + + + + +

This would allow numerous clients and servers to make use of the validation agent. For example:

+ + +
    +
  • lsh could feed its fetched host keys to the validation agent instead of having to maintain ~/.lsh/host-acls
  • +
  • slapd could use the validation agent to identify the DN of the remote client.
  • +
  • subversion could ask the validation agent to ensure that the OpenPGP certificate offered by a remote https server (using mod_gnutls) is in fact who it claims to be (and the mod_gnutls could validate the identity of the client in the same way).
  • +
+ + +

Additionally, it might be nice to have a command to offer intermediate certificates to the certificate store:

+ + +
UNTRUSTED {LABEL} {CERTTYPE} {CERTIFICATE}
+ + +

using UNTRUSTED with a RAWPUBKEY certificate wouldn't be a meaningful operation, but it could be used for intermediate X.509 certificates, or for the equivalent OpenPGP certificates (if such things were handy).

+
+ + + + + + +

+Also available in: +HTML +TXT +

+ + + + + + + +
+
+ + + + +
+ + + -- cgit v1.2.3 From a8c28d0a9090264f0ae357b282156615e39d216d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 12 Mar 2009 12:45:09 -0400 Subject: fix small typo in monkeysphere.conf --- etc/monkeysphere.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 20df62b..53adf83 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -21,7 +21,7 @@ # Set whether or not to check keyservers at every monkeysphere # interaction, including all ssh connections if you use the -# monkeysphere-ssh-proxycommand. +# monkeysphere ssh-proxycommand. # NOTE: setting CHECK_KEYSERVER to true will leak information about # the timing and frequency of your ssh connections to the maintainer # of the keyserver. -- cgit v1.2.3 From b90e6a2e17bdc3c7ea94ffe5918c04174fb6f7e4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Mar 2009 10:20:48 -0400 Subject: no need anymore to specify which part of the Debian archive the package is available in --- website/download.mdwn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/download.mdwn b/website/download.mdwn index 9fba263..a9b6cc4 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -18,8 +18,7 @@ Monkeysphere relies on: ## Debian ## If you are running a [Debian](http://www.debian.org/) system, the -[monkeysphere is available in the Debian unstable ("sid") -distribution](http://packages.debian.org/sid/monkeysphere). +[monkeysphere is available in the Debian archive](http://packages.debian.org/sid/monkeysphere). You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting -- cgit v1.2.3 From 3f71bfc52f158a76755a7b75362b449439819fa7 Mon Sep 17 00:00:00 2001 
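Review bot: doc/ExternalValidation.html is committed as the raw Google-cache capture, so it carries the cache banner ("This is Google's cache of ... Dec 15, 2008"), the "These terms only appear in links pointing to this page" line, the Redmine chrome ("History", "Also available in: HTML TXT") and empty markup runs, and the list under "The possible options for CERTTYPE could be:" is empty in the snapshot, which means that part of the spec was not recovered; strip the file down to the spec body and mark the CERTTYPE list as missing rather than leaving it silently blank. Two points on the spec content itself are worth a margin note when it is cleaned up: the VALIDATE {LABEL} {CERTTYPE} {PEERNAME} {CERTIFICATE} request has the client self-assert LABEL ("I'm a program called LABEL"), so if the agent makes authorization decisions, as the page contemplates, LABEL can only be a hint and must not select a trust policy on its own; and TRUSTED [b64pem...] lets any connecting client push a trust anchor into the agent, so for a shared agent (the page lists lsh, slapd and subversion as clients) a TRUSTED sent by one client should be scoped to that client's session rather than added to the store used for everyone's VALIDATE.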
From: Jameson Graef Rollins Date: Wed, 18 Mar 2009 12:01:02 -0400 Subject: modify the ssh_proxycommand marginal ui output so that it better handles the case where the host can not be contacted. the new system attempts to retrieve the host ssh key before any ui output is made. this should make things a little clearer in this corner case, and make things a little more flexible down the line. --- packaging/debian/changelog | 4 +- src/share/m/ssh_proxycommand | 137 +++++++++++++++++++++++-------------------- 2 files changed, 76 insertions(+), 65 deletions(-) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 70fef9f..16e7f21 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,11 +1,11 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low * New upstream release: - - fix the marginal ui output so that it's not prefixed by the LOG_PREFIX + - update/fix the marginal ui output - use msmktempdir everywhere (avoid unwrapped calls to mktemp for portability) - -- Jameson Graef Rollins Sat, 07 Mar 2009 12:28:13 -0500 + -- Jameson Graef Rollins Wed, 18 Mar 2009 11:46:44 -0400 monkeysphere (0.24-1) unstable; urgency=low diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 7ab4bec..2078445 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand 
@@ -36,52 +36,55 @@ output_no_valid_key() { LOG_PREFIX= - cat </dev/null | awk '{ print $2, $3 }') - # FIXME: should we do any checks for failed keyscans, eg. host not - # found? + # retrieve the ssh key being offered by the host + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \ + | awk '{ print $2, $3 }') # get the gpg info for userid gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \ --with-fingerprint --with-fingerprint \ ="$userID" 2>/dev/null) - # find all 'pub' and 'sub' lines in the gpg output, which each - # represent a retrieved key for the user ID - echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ - while IFS=: read -r type validity keyid uidfpr usage ; do - case $type in - 'pub'|'sub') - # get the ssh key of the gpg key - sshKeyGPG=$(gpg2ssh "$keyid") - - # if one of keys found matches the one offered by the - # host, then output info - if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then - cat <"$sshKeyGPGFile" - sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ - awk '{ print $2 }') - rm -f "$sshKeyGPGFile" + sshKeyGPGFile=$(msmktempfile) + printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile" + sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ + awk '{ print $2 }') + rm -f "$sshKeyGPGFile" - # get the sigs for the matching key - gpgSigOut=$(gpg_user --check-sigs \ - --list-options show-uid-validity \ - "$keyid") + # get the sigs for the matching key + gpgSigOut=$(gpg_user --check-sigs \ + --list-options show-uid-validity \ + "$keyid") - # output the sigs, but only those on the user ID - # we are looking for - echo "$gpgSigOut" | awk ' + # output the sigs, but only those on the user ID + # we are looking for + echo "$gpgSigOut" | awk ' { if (match($0,"^pub")) { print; } if (match($0,"^uid")) { ok=0; } 
@@ -89,50 +92,58 @@ if (match($0,"^uid.*'$userID'$")) { ok=1; print; } if (ok) { if (match($0,"^sig")) { print; } } } ' | log info - echo | log info + echo | log info - # output the other user IDs for reference - if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then - cat < Date: Wed, 18 Mar 2009 12:19:48 -0400 Subject: add news note about 0.24 in testing, and update download page. --- website/download.mdwn | 4 ++-- website/news/0.24-accepted-in-Debian-testing.mdwn | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 website/news/0.24-accepted-in-Debian-testing.mdwn diff --git a/website/download.mdwn b/website/download.mdwn index 9fba263..1dd5366 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -18,8 +18,8 @@ Monkeysphere relies on: ## Debian ## If you are running a [Debian](http://www.debian.org/) system, the -[monkeysphere is available in the Debian unstable ("sid") -distribution](http://packages.debian.org/sid/monkeysphere). +[monkeysphere is available in the Debian testing ("squeeze") +distribution](http://packages.debian.org/testing/monkeysphere). You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting diff --git a/website/news/0.24-accepted-in-Debian-testing.mdwn b/website/news/0.24-accepted-in-Debian-testing.mdwn new file mode 100644 index 0000000..4222493 --- /dev/null +++ b/website/news/0.24-accepted-in-Debian-testing.mdwn @@ -0,0 +1,10 @@ +[[meta title="Monkeysphere 0.24 accepted in Debian testing"]] + +[Monkeysphere 0.24 is now available in the Debian testing distribution +("squeeze")](http://packages.debian.org/testing/monkeysphere). +Monkeysphere 0.24 is our strongest release yet. If you are running +Debian testing, installing the monkeysphere is now very easy: + + aptitude install monkeysphere + +See the [[download]] page for more information. -- cgit v1.2.3 
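Review bot: the removed comment "FIXME: should we do any checks for failed keyscans, eg. host not found?" names exactly the case this change is about, and the new code still does `sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk ...)` with no test of the result, so on an unreachable host sshKeyOffered is the empty string and every later `[ "$sshKeyGPG" = "$sshKeyOffered" ]` comparison runs against "". Test for an empty sshKeyOffered right after the keyscan and take the no-host path there, instead of relying on no gpg key ever converting to an empty string. In the same region, the user ID is spliced into the awk program unquoted: `if (match($0,"^uid.*'$userID'$"))`. A user ID containing regex metacharacters (`.`, `+`, `(`) changes the match, and a single quote in it breaks out of the awk program; pass it with `-v uid="$userID"` and compare with `index()` or `substr()` rather than interpolating it into the regex.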
From 6e0ec7e644ce8459db587bd68536aecdb2107315 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Mar 2009 12:35:55 -0400 Subject: small web tweak. --- website/download.mdwn | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index 1dd5366..09ffbf3 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -19,7 +19,10 @@ Monkeysphere relies on: If you are running a [Debian](http://www.debian.org/) system, the [monkeysphere is available in the Debian testing ("squeeze") -distribution](http://packages.debian.org/testing/monkeysphere). +distribution](http://packages.debian.org/testing/monkeysphere). If +you are running Debian testing, it is easy to install: + + aptitude install monkeysphere You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting -- cgit v1.2.3 From 27ed87fbefd7eedac8381691e1a416a25716efc8 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Mar 2009 12:59:50 -0400 Subject: Revert "small web tweak." This reverts commit 6e0ec7e644ce8459db587bd68536aecdb2107315. --- website/download.mdwn | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/website/download.mdwn b/website/download.mdwn index 09ffbf3..1dd5366 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -19,10 +19,7 @@ Monkeysphere relies on: If you are running a [Debian](http://www.debian.org/) system, the [monkeysphere is available in the Debian testing ("squeeze") -distribution](http://packages.debian.org/testing/monkeysphere). If -you are running Debian testing, it is easy to install: - - aptitude install monkeysphere +distribution](http://packages.debian.org/testing/monkeysphere). You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting -- cgit v1.2.3 
From e83246495fd806b1e6535ee5a4e5acbacb3c175a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Mar 2009 13:11:01 -0400 Subject: small web tweak --- website/download.mdwn | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index 1dd5366..b0c45b8 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -19,7 +19,11 @@ Monkeysphere relies on: If you are running a [Debian](http://www.debian.org/) system, the [monkeysphere is available in the Debian testing ("squeeze") -distribution](http://packages.debian.org/testing/monkeysphere). +distribution](http://packages.debian.org/testing/monkeysphere). If +you are running Debian testing, install the latest monkeysphere +version: + + aptitude install monkeysphere You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting -- cgit v1.2.3 From f57fcf0132eb921a0ee494cb14cca6a13c63c4c4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 18 Mar 2009 14:31:43 -0400 Subject: remove some extraneous invocations of cat. --- src/share/m/gen_subkey | 7 ++----- src/share/m/ssh_proxycommand | 14 +++++++------- src/share/mh/set_expire | 2 +- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/src/share/m/gen_subkey b/src/share/m/gen_subkey index dbd9dd6..a0fa3ce 100644 --- a/src/share/m/gen_subkey +++ b/src/share/m/gen_subkey @@ -44,8 +44,7 @@ Type '$PGRM help' for usage." check_gpg_authentication_subkey "$keyID" # generate the list of commands that will be passed to edit-key - editCommands=$(cat </dev/null) # output header - cat < Date: Sun, 22 Mar 2009 01:40:30 -0400 Subject: Start of macport packaging. --- packaging/macports/Portfile | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 packaging/macports/Portfile 
diff --git a/packaging/macports/Portfile b/packaging/macports/Portfile new file mode 100644 index 0000000..f9cf7a5 --- /dev/null +++ b/packaging/macports/Portfile @@ -0,0 +1,40 @@ +# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4 +# $Id$ + +PortSystem 1.0 + +name monkeysphere +version 0.24 +categories net +maintainers nomaintainer +platforms darwin +description use the OpenPGP web of trust to verify ssh connections + +long_description SSH key-based authentication is tried-and-true, \ + but it lacks a true Public Key Infrastructure for \ + key certification, revocation and expiration. \ + Monkeysphere is a framework that uses the OpenPGP \ + web of trust for these PKI functions. It can be \ + used in both directions: for users to get \ + validated host keys, and for hosts to authenticate \ + users. + +homepage http://web.monkeysphere.info/ +master_sites ??? +distname ${name}_${version} +worksrcdir ${name}-${version} +checksums md5 8590532f4702fa44027a6a583657c9ef + +depends_run bin:ssh:openssh \ + port:gnupg \ + port:perl5.10 \ + port:p5-crypt-rsa \ + port:p5-digest-sha1 \ + port:procmail + +build.target build +destroot.args PREFIX=${destroot}${prefix} \ + CONFDIR=${destroot}${prefix}/etc/monkeysphere \ + DBDIR=${destroot}${prefix}/var/lib/monkeysphere \ + MANDIR=${destroot}${prefix}/share/man \ + DOCDIR=${destroot}${prefix}/share/doc/monkeysphere -- cgit v1.2.3 From a6603e05c8067efca6197ec435696c1a45bcc517 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 22 Mar 2009 19:49:45 -0400 Subject: fix up the debian download section, add a link to the packages.d.o page that lists all suites, including backports --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index a9b6cc4..543d4e9 100644 --- a/website/download.mdwn +++ b/website/download.mdwn 
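Review bot: as committed, `master_sites ???` is a placeholder, so the Portfile cannot fetch anything, and `checksums md5 8590532f...` is the only digest; MacPorts Portfiles accept sha1 and rmd160 entries next to md5, and an md5 alone is a weak check on a security tool's tarball, so fill in master_sites and add the stronger digests before this is proposed for inclusion (maintainers is also `nomaintainer`; if the project intends to keep this port current, list a project address there).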
@@ -18,7 +18,7 @@ Monkeysphere relies on: ## Debian ## If you are running a [Debian](http://www.debian.org/) system, the -[monkeysphere is available in the Debian archive](http://packages.debian.org/sid/monkeysphere). +[monkeysphere is available in the Debian archive, and as a backport](http://packages.debian.org/search?keywords=monkeysphere&searchon=names§ion=all&suite=all) You can also install the Monkeysphere directly from the Monkeysphere Debian archive. You can add this archive to your system by putting -- cgit v1.2.3 From 501f12cbf5e16ac521a27a32541d852fda4be682 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 22 Mar 2009 20:01:07 -0400 Subject: add a news entry about the backports.org availability --- website/news/0.24-available-in-Backports-org.mdwn | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 website/news/0.24-available-in-Backports-org.mdwn diff --git a/website/news/0.24-available-in-Backports-org.mdwn b/website/news/0.24-available-in-Backports-org.mdwn new file mode 100644 index 0000000..e56af89 --- /dev/null +++ b/website/news/0.24-available-in-Backports-org.mdwn @@ -0,0 +1,8 @@ +[[meta title="Monkeysphere 0.24 accepted as a Debian Backport"]] + +[Monkeysphere 0.24 is now available at [Backports.org](http://backports.org). +If you are running Debian stable ("Lenny"), you can install this version +of the monkeysphere package by following the [instructions for installing +backports](http://backports.org/dokuwiki/doku.php?id=instructions). + +See the [[download]] page for more information. -- cgit v1.2.3 From 80fa48160844ace97727896131c67df78ea4bb61 Mon Sep 17 00:00:00 2001 
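Review bot: in the website/download.mdwn hunk the new link reads `searchon=names§ion=all` where `&section=all` is intended; the `&sect` prefix has been turned into a section sign somewhere between editor and diff, so check that the committed file carries the literal `&section=all` (or `&amp;section=all` if the markdown renderer needs it), and restore the full stop dropped from the end of the sentence. Note also that this hunk is against a9b6cc4 while the "Debian testing ("squeeze")" rewrite of the same sentence is against 9fba263 and then 1dd5366/b0c45b8 (see the index lines of those commits); two lines of history are rewriting the same sentence differently and will conflict on merge, so pick one wording now.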
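Review bot: the first line of website/news/0.24-available-in-Backports-org.mdwn opens with `[Monkeysphere 0.24 is now available at [Backports.org](http://backports.org).` and the outer `[` is never closed, so the markdown will render a stray bracket; drop the leading `[` or close the link. The page title says "accepted as a Debian Backport" while the body says "available at Backports.org"; backports.org was not part of the Debian archive at this point, so the title should say backports.org too.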
From: Jameson Graef Rollins Date: Sun, 22 Mar 2009 20:11:16 -0400 Subject: some more pruning of unnecessary usage of cat for the gnupg scripts. --- packaging/macports/Portfile | 2 +- src/share/ma/add_certifier | 8 +++----- src/share/mh/add_hostname | 8 +++----- src/share/mh/add_revoker | 8 +++----- src/share/mh/revoke_hostname | 8 +++----- 5 files changed, 13 insertions(+), 21 deletions(-) diff --git a/packaging/macports/Portfile b/packaging/macports/Portfile index f9cf7a5..99d0d69 100644 --- a/packaging/macports/Portfile +++ b/packaging/macports/Portfile @@ -20,7 +20,7 @@ long_description SSH key-based authentication is tried-and-true, \ users. homepage http://web.monkeysphere.info/ -master_sites ??? +master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ distname ${name}_${version} worksrcdir ${name}-${version} checksums md5 8590532f4702fa44027a6a583657c9ef diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 544a3f0..402da08 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -153,16 +153,14 @@ gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import # edit-key script to ltsign key # NOTE: *all* user IDs will be ltsigned -ltsignCommand=$(cat < Date: Mon, 23 Mar 2009 14:41:07 -0400 Subject: proposed patch for issue #660, to properly specify host and port number in known_hosts lines. --- src/share/common | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/share/common b/src/share/common index ea872ba..5a11817 100644 --- a/src/share/common +++ b/src/share/common 
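Review bot: master_sites now points at the Debian pool directory, but the Portfile keeps `distname ${name}_${version}`, so MacPorts will request monkeysphere_0.24.tar.gz from that directory. Debian pools store the upstream tarball of a non-native package (the changelog versions are 0.24-1 style, so this one is non-native) as monkeysphere_0.24.orig.tar.gz, so either set distname to the name the pool actually serves or point master_sites at a plain release tarball with the ${name}_${version}.tar.gz name, and recompute the md5 against whichever file is fetched.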
@@ -464,14 +464,19 @@ gpg2ssh() { # output known_hosts line from ssh key ssh2known_hosts() { local host + local port local key - host="$1" + host=${1%%:*} + port=${1##*:} key="$2" - echo -n "$host " - echo -n "$key" | tr -d '\n' - echo " MonkeySphere${DATE}" + # specify the host and port properly for new ssh known_hosts + # format + if [ "$port" != "$host" ] ; then + host="[${host}]:${port}" + fi + printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE" } # output authorized_keys line from ssh key @@ -482,41 +487,43 @@ ssh2authorized_keys() { userID="$1" key="$2" - echo -n "$key" | tr -d '\n' - echo " MonkeySphere${DATE} ${userID}" + printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" } # convert key from gpg to ssh known_hosts format gpg2known_hosts() { local host local keyID + local key host="$1" keyID="$2" + key=$(gpg2ssh "$keyID") + # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - echo -n "$host " - gpg2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}" + printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE" } # convert key from gpg to ssh authorized_keys format gpg2authorized_keys() { local userID local keyID + local key userID="$1" keyID="$2" + key=$(gpg2ssh "$keyID") + # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - gpg2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE} ${userID}" + printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" } ### GPG UTILITIES -- cgit v1.2.3 From ebce95fb2c3f4975adf346899ce3b0ebbe9d2710 Mon Sep 17 00:00:00 2001 
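Review bot: the `[host]:port` formatting is applied only in ssh2known_hosts; gpg2known_hosts in the same hunk still does `host="$1"` and prints `"$host" "$key" "$DATE"` unchanged, so a caller that passes HOST:PORT through that path still emits the old form, which ssh will not match for a non-standard port. Since gpg2known_hosts already computes `key=$(gpg2ssh "$keyID")`, have it call ssh2known_hosts with that key rather than duplicating the printf. Also, `host=${1%%:*}` cuts at the first colon while `port=${1##*:}` takes everything after the last, so an argument with more than one colon yields a host and port that together do not cover the input; use the same anchor for both.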
From: Daniel Kahn Gillmor Date: Mon, 23 Mar 2009 16:52:53 -0400 Subject: updating debian/changelog --- packaging/debian/changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 16e7f21..82ef1ae 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -4,6 +4,9 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low - update/fix the marginal ui output - use msmktempdir everywhere (avoid unwrapped calls to mktemp for portability) + - clean out some redundant "cat"s + - fix monkeysphere update-known_hosts for sshd running on non-standard + ports -- Jameson Graef Rollins Wed, 18 Mar 2009 11:46:44 -0400 -- cgit v1.2.3 From b701db93e07fa839cf599577b45ccf3ff7b71351 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 23 Mar 2009 16:54:20 -0400 Subject: add FIXME note about IPv6 addresses, and break out hostnames from the last colon, not the first. --- src/share/common | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/share/common b/src/share/common index 5a11817..d6e4949 100644 --- a/src/share/common +++ b/src/share/common @@ -467,7 +467,11 @@ ssh2known_hosts() { local port local key - host=${1%%:*} + # FIXME this does not properly deal with IPv6 hosts using the + # standard port (because it's unclear whether their final + # colon-delimited address section is a port number or an address + # string) + host=${1%:*} port=${1##*:} key="$2" -- cgit v1.2.3 From 3d0033e5b511bb54df9e0120e55a6b551e844003 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 23 Mar 2009 17:03:18 -0400 Subject: improving usage and man page for monkeysphere ssh-proxycommand. --- man/man1/monkeysphere.1 | 2 +- src/monkeysphere | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 327a623..2d97670 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
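Review bot: with `host=${1%:*}` and `port=${1##*:}`, a bare IPv6 literal with no port such as 2001:db8::1 is split into host `2001:db8:` and port `1` and written out as `[2001:db8:]:1`; the FIXME acknowledges this, but the function still does it silently. Since the function already emits ssh's `[addr]:port` syntax, a cheap fix is to accept that syntax on input: if `$1` starts with `[`, parse it as `[addr]:port`; otherwise, if it contains more than one colon, treat the whole string as a host with no port and document that IPv6 with a non-standard port must be passed bracketed.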
@@ -65,7 +65,7 @@ will be used. The length of the generated key can be specified with the `\-\-length' or `\-l' option. `g' may be used in place of `gen\-subkey'. .TP -.B ssh\-proxycommand +.B ssh\-proxycommand [--no-connect] HOST [PORT] An ssh ProxyCommand that can be used to trigger a monkeysphere update of the ssh known_hosts file for a host that is being connected to with ssh. This works by updating the known_hosts file for the host first, diff --git a/src/monkeysphere b/src/monkeysphere index 2e3bc16..fbc05b4 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -47,7 +47,7 @@ subcommands: update-authorized_keys (a) update authorized_keys file gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) - ssh-proxycommand monkeysphere ssh ProxyCommand + ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand subkey-to-ssh-agent (s) store authentication subkey in ssh-agent version (v) show version number help (h,?) this help -- cgit v1.2.3 From 59fb3a7cd90134c176032d36f2ec0942efa6714d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 24 Mar 2009 15:20:50 -0400 Subject: fixing typo in monkeysphere.1 (thanks, Suno Ano) --- man/man1/monkeysphere.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 2d97670..320cdfd 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
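Review bot: the man page now documents `ssh\-proxycommand [--no-connect] HOST [PORT]` while the usage text in src/monkeysphere in the same commit says `ssh-proxycommand HOST [PORT]`, so the two disagree about --no-connect; add it to the usage line (and describe what it does in the man page body, which this hunk does not). The `.B` line also writes the option with plain hyphens where the rest of the page escapes them (`\-\-length', `\-l'); use `\-\-no\-connect` so groff does not render the double hyphen as a dash.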
@@ -42,8 +42,8 @@ were found but none were acceptable. `k' may be used in place of .B update\-authorized_keys Update the authorized_keys file for the user executing the command (see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all -monkeysphere keys are cleared from the authorized_keys file. Then, or -each user ID in the user's authorized_user_ids file, gpg will be +monkeysphere keys are cleared from the authorized_keys file. Then, +for each user ID in the user's authorized_user_ids file, gpg will be queried for keys associated with that user ID, optionally querying a keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in .BR monkeysphere (7)), -- cgit v1.2.3 From b371a109bbaf7e1d1bd424a0495dafca1284ada9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 24 Mar 2009 15:25:42 -0400 Subject: fix typo in monkeysphere-host.8 (thanks, Suno Ano) --- man/man8/monkeysphere-host.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 3e01105..e96a497 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -27,7 +27,7 @@ Import a pem-encoded ssh secret host key from file FILE. If FILE is `\-', then the key will be imported from stdin. Only RSA keys are supported at the moment. NAME[:PORT] is used to specify the fully-qualified hostname (and port) used in the user ID of the new -OpenPGP key. If PORT is not specified, the no port is added to the +OpenPGP key. If PORT is not specified, then no port is added to the user ID, which means port 22 is assumed. `i' may be used in place of `import\-key'. .TP -- cgit v1.2.3