From a7275bfcb21bccff64ccc544676406cb6318a021 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 15:12:07 -0400 Subject: added TODO documentation with additional projects. --- doc/TODO | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 doc/TODO (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO new file mode 100644 index 0000000..6125fea --- /dev/null +++ b/doc/TODO @@ -0,0 +1,39 @@ +Next-Steps Monkeysphere Projects: +--------------------------------- + +Provide a friendly interactive UI for marginal or failing client-side + hostkey verifications. Handle the common cases smoothly, and + provide good debugging info for the unusual cases. + +Make sure onak properly escapes user IDs with colons in them. + +Build a decent, presentable web site for documentation, evangelism, + etc. Include a mention of how to report trouble or concerns. + +Create ssh2openpgp or convert to full-fledged keytrans. + +Resolve the bugs listed in openpgp2ssh(1):BUGS. + +Understand and document alternate trustdb models. + +Understand and document the output of gpg --check-trustdb: + gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u + gpg: depth: 1 valid: 20 signed: 67 trust: 15-, 0q, 1n, 3m, 1f, 0u + gpg: next trustdb check due at 2008-10-09 + +Understand and document the numeric values between sig! and the keyid + in "gpg --check-sigs $KEYID" . Compare with the details found from + "gpg --with-colons --check-sigs $KEYID". This has to do with trust + signatures. + +Fix gpg's documentation to clarify the difference between validity and + ownertrust. Include better documentation for trust signatures. + +Make it easier to do domain-relative ssh host trust signatures with + gnupg. (e.g. "i trust Jamie McClelland (keyID 76CC057D) to properly + identify ssh servers in the mayfirst.org domain") See: + http://tools.ietf.org/html/rfc4880#section-5.2.3.21 and grep for + "tsign" in gpg(1). + +Fix the order of questions when user does a tsign in gpg or gpg2. -- cgit v1.2.3 From 79e9e7214bcbd4ecf4d555a1be413532b216c2e7 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 14:33:19 -0400 Subject: Update man pages and TODO. --- debian/dirs | 1 + debian/monkeysphere.dirs | 1 + doc/TODO | 12 +++++++ man/man1/monkeysphere-ssh-proxycommand.1 | 13 ++++--- man/man1/monkeysphere.1 | 60 +++++++++++--------------------- man/man8/monkeysphere-server.8 | 11 +++--- 6 files changed, 48 insertions(+), 50 deletions(-) (limited to 'doc/TODO') diff --git a/debian/dirs b/debian/dirs index bdf0fe0..b458649 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,4 +1,5 @@ var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys usr/bin usr/sbin usr/share diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index 4604eee..bc8abcf 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,4 +1,5 @@ usr/share/monkeysphere var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys etc/monkeysphere etc/monkeysphere/authorized_user_ids diff --git a/doc/TODO b/doc/TODO index 6125fea..905d198 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,6 +1,18 @@ Next-Steps Monkeysphere Projects: --------------------------------- +Handle unknown hosts in such a way that they're not always removed + from known_hosts file. Ask user to lsign the host key? + +Handle multiple multiple hostnames (multiple user IDs?) when + generating host keys with gen-key. + +Make sure alternate ports are handled for known_hosts. + +Add environment variables sections to man pages. + +Script to import private key into ssh agent. + Provide a friendly interactive UI for marginal or failing client-side hostkey verifications. Handle the common cases smoothly, and provide good debugging info for the unusual cases. diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 8392ae8..5fabb91 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -19,13 +19,12 @@ or by adding the following line to your ~/.ssh/config script: .B ProxyCommand monkeysphere-ssh-proxycommand %h %p The script is very simple, and can easily be incorporated into other -ProxyCommand scripts. All it does is first runs - -.B monkeysphere update-known-hosts HOST - -and then - -.B exec nc HOST PORT +ProxyCommand scripts. It first tests to see if the host is in the +known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to +true and "update-known_hosts" is run for the host to check for a host +key for that host. If the host is found in the known_hosts file, +CHECK_KEYSERVER is set to false and "update-known_hosts" is run to +update from the local keychain. Run the following command for more info: diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 95f1e59..8d89071 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -24,25 +24,23 @@ for authentication and encryption of ssh connection. .B update-known_hosts [HOST]... Update the known_hosts file. For each specified host, gpg will be queried for a key associated with the host URI (see HOST URIs), -querying a keyserver if none is found in the user's keychain. search -for a gpg key for the host in the Web of Trust. If a key is found, it -will be added to the host_keys cache (see KEY CACHES) and any ssh keys -for the host will be removed from the user's known_hosts file. If the -found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg -key will be added to the known_hosts file. If no gpg key is found for -the host, then nothing is done. If no hosts are specified, all hosts -listed in the known_hosts file will be processed. `k' may be used in -place of `update-known_hosts'. +querying a keyserver if specified. If a key is found, it will be +converted to an ssh key, and any matching ssh keys will be removed +from the user's known_hosts file. If the found key is acceptable (see +KEY ACCEPTABILITY), then the key will be updated and re-added to the +known_hosts file. If no gpg key is found for the host, then nothing +is done. If no hosts are specified, all hosts listed in the +known_hosts file will be processed. `k' may be used in place of +`update-known_hosts'. .TP .B update-userids [USERID]... Add/update a user ID to the authorized_user_ids file. The user IDs specified should be exact matches to OpenPGP user IDs. For each specified user ID, gpg will be queried for a key associated with that -user ID, querying a keyserver if none is found in the user's keychain. -If a key is found, it will be added to the user_keys cache (see KEY -CACHES) and the user ID will be added to the user's -authorized_user_ids file (if it wasn't already present). `u' may be -used in place of `update-userids'. +user ID, querying a keyserver if specified. If a key is found, the +user ID will be added to the user's authorized_user_ids file (if it +wasn't already present). `u' may be used in place of +`update-userids'. .TP .B remove-userids [USERID]... Remove a user ID from the authorized_user_ids file. The user IDs @@ -50,11 +48,15 @@ specified should be exact matches to OpenPGP user IDs. `r' may be used in place of `remove-userids'. .TP .B update-authorized_keys -Update the monkeysphere authorized_keys file. The monkeysphere -authorized_keys file will be regenerated from the valid keys in the -user_key cache, and the user's independently controlled -authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be -used in place of `update-authorized_keys'. +Update the monkeysphere authorized_keys file. For each user ID in the +user's authorized_user_ids file, gpg will be queried for keys +associated with that user ID, querying a keyserver if specified. If a +key is found, it will be converted to an ssh key, and any matching ssh +keys will be removed from the user's authorized_keys file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the key will be +updated and re-added to the authorized_keys file. If no gpg key is +found for the user ID, then nothing is done. `a' may be used in place +of `update-authorized_keys'. .TP .B gen-subkey KEYID Generate an `a` capable subkey. For the primary key with the @@ -83,21 +85,6 @@ the "authentication" ("a") capability flag. .B validity The key must be "fully" valid, and must not be expired or revoked. -.SH KEY CACHES - -Monkeysphere keeps track of keys in key cache directories. The files -in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where -USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is -the key ID of the primary key. If the user/key ID combo exists in the -Web of Trust but is not acceptable, then the file is empty. If the -primary key has at least one acceptable sub key, then an ssh-style -key, converted from the OpenPGP key, of all acceptable subkeys will be -stored in the cache file, one per line. known_hosts style key lines -will be stored in the host_keys cache files, and authorized_keys style -key lines will be stored in the user_keys cache files. OpenPGP keys -are converted to ssh-style keys with the openpgp2ssh utility (see `man -openpgp2ssh'). - .SH FILES .TP @@ -114,11 +101,6 @@ addition to the authorized_keys file. ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. .TP -~/.config/monkeysphere/user_keys -User keys cache directory. -.TP -~/.config/monkeysphere/host_keys -Host keys cache directory. .SH AUTHOR diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index eafd6a8..5ca248a 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -24,8 +24,11 @@ be used for authentication and encryption of ssh connection. .B update-users [USER]... Update the admin-controlled authorized_keys files for user. For each user specified, update the user's authorized_keys file in -/var/cache/monkeysphere/USER. See `man monkeysphere' for more info. -`k' may be used in place of `update-known_hosts'. +/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' +for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is +set, then a user-controlled authorized_keys file (usually +~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k' +may be used in place of `update-known_hosts'. .TP .B gen-key Generate a gpg key for the host. `g' may be used in place of @@ -66,8 +69,8 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/cache/monkeysphere/USER -User keys cache directories. +/var/cache/monkeysphere/authorized_keys/USER +User authorized_keys file. .SH AUTHOR -- cgit v1.2.3 From 8a977a8371f2ea54e3888494e1b474befeba318b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Jun 2008 23:36:22 -0400 Subject: add todo items that we discussed as being important to address at some point --- doc/TODO | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index 905d198..bf51ae0 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,6 +1,13 @@ Next-Steps Monkeysphere Projects: --------------------------------- +Detail advantages of monkeysphere: detail the race conditions in ssh, + and how the monkeysphere can help you reduce these threat vectors: + threat model reduction diagrams + +Determine how openssh handles multiple processes writing to + known_hosts file (atomic appends?) + Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? -- cgit v1.2.3 From dcba8ebebf480a051f2b872f89ccbe68ad642f61 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Jun 2008 23:48:37 -0400 Subject: Update to new agreed default host key usage flag (only "a" required for users and hosts). Update TODO file. Some other small changes. --- doc/TODO | 31 +++++++++++++++++++++++++++---- etc/monkeysphere.conf | 6 +++++- src/common | 8 ++++---- src/monkeysphere | 2 +- 4 files changed, 37 insertions(+), 10 deletions(-) (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index 905d198..0402b46 100644 --- a/doc/TODO +++ b/doc/TODO @@ -4,13 +4,11 @@ Next-Steps Monkeysphere Projects: Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? -Handle multiple multiple hostnames (multiple user IDs?) when - generating host keys with gen-key. +Handle multiple hostnames (multiple user IDs?) when generating host + keys with gen-key. Make sure alternate ports are handled for known_hosts. -Add environment variables sections to man pages. - Script to import private key into ssh agent. Provide a friendly interactive UI for marginal or failing client-side @@ -49,3 +47,28 @@ Make it easier to do domain-relative ssh host trust signatures with "tsign" in gpg(1). Fix the order of questions when user does a tsign in gpg or gpg2. + +File bug against ssh-keygen about how "-R" option removes comments + from known_hosts file. + +File bug against ssh-keygen to see if we can get it to write to hash a + known_hosts file to/from stdout/stdin. + +Note all threat model reductions (with diagrams). + +Add environment variables sections to man pages. + +Environment variable scoping. + +Move environment variable precedence before conf file. + +Handle lockfiles when modifying known_hosts or authorized_keys. + +When using ssh-proxycommand, if only host keys found are expired or + revoked, then output loud warning with prompt, or fail hard. + +Update monkeysphere-ssh-proxycommand man page with new keyserver + checking policy info. + +Update monkeysphere-ssh-proxycommand man page with info about + no-connect option. diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 17c1a14..f2ba4a7 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -15,7 +15,7 @@ # s = sign # c = certify # a = authentication -#REQUIRED_HOST_KEY_CAPABILITY="e a" +#REQUIRED_HOST_KEY_CAPABILITY="a" #REQUIRED_USER_KEY_CAPABILITY="a" # ssh known_hosts file @@ -27,3 +27,7 @@ # ssh authorized_keys file #AUTHORIZED_KEYS=~/.ssh/known_hosts + +# This overrides other environment variables +# NOTE: there is leakage +#CHECK_KEYRING=true diff --git a/src/common b/src/common index ac43f0a..9b06b1d 100644 --- a/src/common +++ b/src/common @@ -73,7 +73,7 @@ unescape() { } # remove all lines with specified string from specified file -remove_file_line() { +remove_line() { local file local string @@ -395,7 +395,7 @@ remove_userid() { # remove user ID from file log -n " removing user ID '$userID'... " - remove_file_line "$AUTHORIZED_USER_IDS" "^${userID}$" + remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" loge "done." } @@ -416,7 +416,7 @@ process_host_known_hosts() { while read -r ok keyid ; do sshKey=$(gpg2ssh "$keyid") # remove the old host key line - remove_file_line "$KNOWN_HOSTS" "$sshKey" + remove_line "$KNOWN_HOSTS" "$sshKey" # if key OK, add new host line if [ "$ok" -eq '0' ] ; then # hash if specified @@ -449,7 +449,7 @@ process_uid_authorized_keys() { while read -r ok keyid ; do sshKey=$(gpg2ssh "$keyid") # remove the old host key line - remove_file_line "$AUTHORIZED_KEYS" "$sshKey" + remove_line "$AUTHORIZED_KEYS" "$sshKey" # if key OK, add new host line if [ "$ok" -eq '0' ] ; then ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" diff --git a/src/monkeysphere b/src/monkeysphere index 6853f58..a6cecfd 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -115,7 +115,7 @@ AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} -REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} +REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} -- cgit v1.2.3 From 6ee67a218916f6f9c30dfe9787109017c11e8185 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Jun 2008 23:53:09 -0400 Subject: Update TODO after merge. --- doc/TODO | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index c17ef61..3538fbf 100644 --- a/doc/TODO +++ b/doc/TODO @@ -3,10 +3,10 @@ Next-Steps Monkeysphere Projects: Detail advantages of monkeysphere: detail the race conditions in ssh, and how the monkeysphere can help you reduce these threat vectors: - threat model reduction diagrams + threat model reduction diagrams. Determine how openssh handles multiple processes writing to - known_hosts file (atomic appends?) + known_hosts/authorized_keys files (lockfile, atomic appends?) Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? @@ -61,16 +61,12 @@ File bug against ssh-keygen about how "-R" option removes comments File bug against ssh-keygen to see if we can get it to write to hash a known_hosts file to/from stdout/stdin. -Note all threat model reductions (with diagrams). - Add environment variables sections to man pages. Environment variable scoping. Move environment variable precedence before conf file. -Handle lockfiles when modifying known_hosts or authorized_keys. - When using ssh-proxycommand, if only host keys found are expired or revoked, then output loud warning with prompt, or fail hard. -- cgit v1.2.3 From a5066c3a37a84bf47e1e1d6ff8ad755ad5fa9414 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 03:17:01 -0400 Subject: added more documentation about george, and more TODO notes. --- doc/TODO | 25 +++++++++++++++++++++++-- doc/george/changelog | 14 ++++++++++++-- doc/george/user-id-configuration | 21 +++++++++++++++++++++ 3 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 doc/george/user-id-configuration (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index 3538fbf..e2fce0e 100644 --- a/doc/TODO +++ b/doc/TODO @@ -8,12 +8,33 @@ Detail advantages of monkeysphere: detail the race conditions in ssh, Determine how openssh handles multiple processes writing to known_hosts/authorized_keys files (lockfile, atomic appends?) -Handle unknown hosts in such a way that they're not always removed - from known_hosts file. Ask user to lsign the host key? +Handle unverified monkeysphere hosts in such a way that they're not + always removed from known_hosts file. Ask user to lsign the host + key? Handle multiple hostnames (multiple user IDs?) when generating host keys with gen-key. +Work out the details (and describe a full use case) for assigning a + REVOKER during monkeysphere-server gen_key -- how is this set? How + do we export it so it's available when a second-party revocation is + needed? + +Actually enable server hostkey publication. + +Streamline host key generation, publication, verification. See + doc/george/host-key-publication for what dkg went through on + 2008-06-19 + +Streamline authorized_user_ids setup (including question of where + authorized_user_ids files should go). See + doc/george/user-id-configuration for what dkg went through on + 2008-06-19 + +Ensure that authorized_user_ids are under as tight control as ssh + expects from authorized_keys: we don't want monkeysphere to be a + weak link in the filesystem. + Make sure alternate ports are handled for known_hosts. Script to import private key into ssh agent. diff --git a/doc/george/changelog b/doc/george/changelog index 8eebe4b..afea2d0 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -20,8 +20,18 @@ Installed syslog-ng in their stead, which still gives errors related to /proc/kmsg unreadability, but the install completes :/ - * added experimental, juggled pinning: - experimental: 1, unstable: 2 + * added experimental + * juggled pinning: experimental: 1, unstable: 2 + * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf + + * installed monkeysphere v0.1-1, changed host key, published + them via the local keyserver (see host-key-publication) + + * added local unprivileged user accounts for everyone listed in + /usr/share/doc/monkeysphere/copyright + + * configured authorized_user_ids for every user account based on + my best guess at their OpenPGP User ID. 2008-06-18 - jrollins * installed less, emacs; diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration new file mode 100644 index 0000000..d95279d --- /dev/null +++ b/doc/george/user-id-configuration @@ -0,0 +1,21 @@ +2008-06-19 03:00:58-0400 +------------------------ + +setting up authorized_user_id configuration on george was also more +cumbersome than it needs to be. Here's what i (dkg) did: + + GNUPGHOME=/etc/monkeysphere/gnupg gpg --keyserver subkeys.pgp.net --search dkg@fifthhorseman.net + GNUPGHOME=/etc/monkeysphere/gnupg gpg --fingerprint dkg@fifthhorseman.net + +set up the authorized_user_ids (why are these in /etc/ and not in +people's home directories?) + +echo 'Daniel Kahn Gillmor ' > /etc/monkeysphere/authorized_user_ids/dkg +echo 'Jameson Rollins ' > /etc/monkeysphere/authorized_user_ids/jrollins +echo 'Micah Anderson ' > /etc/monkeysphere/authorized_user_ids/micah +echo 'Matthew Goins ' > /etc/monkeysphere/authorized_user_ids/mjgoins +echo 'Ross Glover ' > /etc/monkeysphere/authorized_user_ids/ross +echo 'Jamie McClelland ' > /etc/monkeysphere/authorized_user_ids/jamie +echo 'mike castleman ' > /etc/monkeysphere/authorized_user_ids/mlcastle +echo 'Elliot Winard ' > /etc/monkeysphere/authorized_user_ids/enw +echo 'Greg Lyle ' > /etc/monkeysphere/authorized_user_ids/greg -- cgit v1.2.3 From 86e9e0e3fd03db1770857990882d955954a5265b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 04:00:42 -0400 Subject: re-worked documentation and raised issues in TODO about end user authentication. --- doc/TODO | 26 +++++++++++++++++++ doc/george/user-id-configuration | 56 +++++++++++++++++++++++++++++----------- 2 files changed, 67 insertions(+), 15 deletions(-) (limited to 'doc/TODO') diff --git a/doc/TODO b/doc/TODO index e2fce0e..5cd9be9 100644 --- a/doc/TODO +++ b/doc/TODO @@ -35,6 +35,32 @@ Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. +What happens when there are no entries in the authorized_user_ids file + for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp + seems like it gets created and then left there. + +What happens when a user account has no corresponding + /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed + in /var/cache/monkeysphere/authorized_keys/$USER? It looks + currently untouched, which could mean bad things for such a user. + +Consider the default permissions for + /var/cache/monkeysphere/authorized_keys/* (and indeed the whole + directory path leading up to that) + +What should happen when an admin does + "monkeysphere-server update-users not_an_existent_user"? + currently, it adds + /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which + seems rather wrong. + +is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to + avoid collisions? Why not use a real mktemp file? + +As an administrator, how do i reverse the effect of a + "monkeysphere-server trust-keys" that i later decide i should not + have run? + Make sure alternate ports are handled for known_hosts. Script to import private key into ssh agent. diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration index d95279d..d42bfbd 100644 --- a/doc/george/user-id-configuration +++ b/doc/george/user-id-configuration @@ -4,18 +4,44 @@ setting up authorized_user_id configuration on george was also more cumbersome than it needs to be. Here's what i (dkg) did: - GNUPGHOME=/etc/monkeysphere/gnupg gpg --keyserver subkeys.pgp.net --search dkg@fifthhorseman.net - GNUPGHOME=/etc/monkeysphere/gnupg gpg --fingerprint dkg@fifthhorseman.net - -set up the authorized_user_ids (why are these in /etc/ and not in -people's home directories?) - -echo 'Daniel Kahn Gillmor ' > /etc/monkeysphere/authorized_user_ids/dkg -echo 'Jameson Rollins ' > /etc/monkeysphere/authorized_user_ids/jrollins -echo 'Micah Anderson ' > /etc/monkeysphere/authorized_user_ids/micah -echo 'Matthew Goins ' > /etc/monkeysphere/authorized_user_ids/mjgoins -echo 'Ross Glover ' > /etc/monkeysphere/authorized_user_ids/ross -echo 'Jamie McClelland ' > /etc/monkeysphere/authorized_user_ids/jamie -echo 'mike castleman ' > /etc/monkeysphere/authorized_user_ids/mlcastle -echo 'Elliot Winard ' > /etc/monkeysphere/authorized_user_ids/enw -echo 'Greg Lyle ' > /etc/monkeysphere/authorized_user_ids/greg +monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 + +monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor ' +monkeysphere-server update-user-userids jrollins 'Jameson Rollins ' +monkeysphere-server update-user-userids micah 'Micah Anderson ' +monkeysphere-server update-user-userids mjgoins 'Matthew Goins ' +monkeysphere-server update-user-userids ross 'Ross Glover ' +monkeysphere-server update-user-userids jamie 'Jamie McClelland ' +monkeysphere-server update-user-userids mlcastle 'mike castleman ' +monkeysphere-server update-user-userids enw 'Elliot Winard ' +monkeysphere-server update-user-userids greg 'Greg Lyle ' + + +then i added a scheduled: + + monkeysphere-server update-users + +to run hourly via /etc/crontab + +and made sure that root's keys were working with a temporary symlink +(see TODO about that business) + +and then modified /etc/ssh/sshd_config with: + + AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u + + +Some outstanding questions: + + * why are the authorized_user_ids stored in /etc/ and not in people's + home directories? + + * why are authorized_user_ids managed with a special sub-command of + monkeysphere-server, instead of just being hand-managed files, the + way that authorized_keys are in stock openssh? + + * Should we ship a scheduled monkeysphere-server update-users cron + job automatically? + + * why was i not prompted to confirm the trust-keys line, which seems + like the most delicate/sensitive line of all of them? -- cgit v1.2.3 From 7019354a75ca19ffd2e10f2e2b3dc89b480156bd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 18:09:41 -0400 Subject: Better handling of unknown users in server update-users. Updated TODO file. --- debian/changelog | 3 ++- doc/TODO | 21 +++------------------ doc/george/user-id-configuration | 7 ------- src/common | 13 ++++++++++--- src/monkeysphere-server | 10 ++++++++-- 5 files changed, 23 insertions(+), 31 deletions(-) (limited to 'doc/TODO') diff --git a/debian/changelog b/debian/changelog index 726f262..bd12e1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,8 +9,9 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low /etc/monkeysphere/authorized_user_ids. * Remove {update,remove}-userids functions, since we decided they weren't useful enough to be worth maintaining. + * Better handling of unknown users in server update-users - -- Jameson Graef Rollins Thu, 19 Jun 2008 16:56:32 -0400 + -- Jameson Graef Rollins Thu, 19 Jun 2008 18:08:57 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/doc/TODO b/doc/TODO index 5cd9be9..a82f031 100644 --- a/doc/TODO +++ b/doc/TODO @@ -26,37 +26,22 @@ Streamline host key generation, publication, verification. See doc/george/host-key-publication for what dkg went through on 2008-06-19 -Streamline authorized_user_ids setup (including question of where - authorized_user_ids files should go). See - doc/george/user-id-configuration for what dkg went through on - 2008-06-19 - Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. -What happens when there are no entries in the authorized_user_ids file - for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp - seems like it gets created and then left there. - What happens when a user account has no corresponding /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed in /var/cache/monkeysphere/authorized_keys/$USER? It looks currently untouched, which could mean bad things for such a user. + - if authorized_user_ids is empty, then the user's authorized_keys + file will be also, unless the user-controlled authorized_keys file + is added. I believe this is expected, correct behavior. Consider the default permissions for /var/cache/monkeysphere/authorized_keys/* (and indeed the whole directory path leading up to that) -What should happen when an admin does - "monkeysphere-server update-users not_an_existent_user"? - currently, it adds - /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which - seems rather wrong. - -is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to - avoid collisions? Why not use a real mktemp file? - As an administrator, how do i reverse the effect of a "monkeysphere-server trust-keys" that i later decide i should not have run? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration index d42bfbd..9a7f4d2 100644 --- a/doc/george/user-id-configuration +++ b/doc/george/user-id-configuration @@ -33,13 +33,6 @@ and then modified /etc/ssh/sshd_config with: Some outstanding questions: - * why are the authorized_user_ids stored in /etc/ and not in people's - home directories? - - * why are authorized_user_ids managed with a special sub-command of - monkeysphere-server, instead of just being hand-managed files, the - way that authorized_keys are in stock openssh? - * Should we ship a scheduled monkeysphere-server update-users cron job automatically? diff --git a/src/common b/src/common index 00ee7b0..e98f1bc 100644 --- a/src/common +++ b/src/common @@ -18,10 +18,17 @@ ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE +ERR=0 +export ERR ######################################################################## ### UTILITY FUNCTIONS +error() { + log "$1" + ERR=${2:-'1'} +} + failure() { echo "$1" >&2 exit ${2:-'1'} @@ -29,12 +36,12 @@ failure() { # write output to stderr log() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 + echo -n "ms: " >&2 + echo "$@" >&2 } loge() { - echo "$@" 1>&2 + echo "$@" >&2 } # cut out all comments(#) and blank lines from standard input diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 154c146..a9a9aed 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -162,6 +162,12 @@ case $COMMAND in for uname in $unames ; do MODE="authorized_keys" + # check all specified users exist + if ! getent passwd | cut -d: -f1 | grep -q "^${uname}$" ; then + error "----- unknown user '$uname' -----" + continue + fi + # set authorized_user_ids variable, # translate ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") @@ -201,8 +207,6 @@ case $COMMAND in log "authorized_keys file updated." done - - log "----- done. -----" ;; 'gen-key'|'g') @@ -237,3 +241,5 @@ case $COMMAND in Type '$PGRM help' for usage." ;; esac + +exit "$ERR" -- cgit v1.2.3