From f016e55c785648e0032c88c6eed872f663e81e39 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 7 Jun 2008 19:39:55 -0400 Subject: small change to correct usage of howler --- doc/MonkeySpec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/MonkeySpec b/doc/MonkeySpec index 6ac5f11..9ed0724 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec @@ -41,7 +41,7 @@ server-side components * "howler": server gpg maintainer - generates gpg keys for the server - publishes server gpg keys - - used to specify userids to trust for user authentication + - used to specify keys to trust for user authentication * "tamarin": script to trigger rhesus during attempt to initiate connection from client -- cgit v1.2.3 From 6c335e70360c7502a2205d21e9f96d4bf2679cbd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Jun 2008 01:50:49 -0400 Subject: small tweak to MonkeySpec --- doc/MonkeySpec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/MonkeySpec b/doc/MonkeySpec index fe5a0bf..54aaa72 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec @@ -39,9 +39,9 @@ common components server-side components ---------------------- * "howler": server gpg maintainer - - generates gpg keys for the server - - publishes server gpg keys - - used to specify keys to trust for user authentication + - generate gpg keys for the server + - publish server gpg keys + - give owner trust to keys for user authentication * "tamarin": concept - how to trigger or schedule rhesus at admin defined points (e.g. via cron or during ssh connections). -- cgit v1.2.3 From cfa7c2e402991ebcb41502169ba85d9c1874d7d2 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 11 Jun 2008 15:17:54 -0400 Subject: update README --- doc/README | 73 +++++++++++++++++++++----------------------------------------- 1 file changed, 25 insertions(+), 48 deletions(-) (limited to 'doc') 
diff --git a/doc/README b/doc/README index d8f1897..427f214 100644 --- a/doc/README +++ b/doc/README @@ -1,36 +1,22 @@ Monkeysphere README =================== -Default files locations (by variable): - -MS_HOME=~/.config/monkeysphere -MS_CONF=$MS_HOME/monkeysphere.conf -AUTH_HOST_FILE=$MS_HOME/auth_host_ids -AUTH_USER_FILE=$MS_HOME/auth_user_ids -GNUPGHOME=~/.gnupg -STAGING_AREA=$MS_HOME - -$STAGING_AREA/host_keys/KEYHASH -$STAGING_AREA/known_hosts -$STAGING_AREA/user_keys/KEYHASH -$STAGING_AREA/authorized_keys - user usage ---------- -For a user to update their ms known_hosts file: +For a user to update their known_hosts file: -$ rhesus --known_hosts +$ monkeysphere update-known_hosts -For a user to update their ms authorized_keys file: +For a user to update their monkeysphere authorized_keys file: -$ rhesus --authorized_keys +$ monkeysphere update-authorized_keys server service publication -------------------------- -To publish a server host key use the "howler" component: +To publish a server host key: -# howler gen-key -# howler publish-key +# monkeysphere-server gen-key +# monkeysphere-server publish-key This will generate the key for server with the service URI (ssh://server.hostname). The server admin should now sign the server 
@@ -42,38 +28,29 @@ $ gpg --sign-key 'ssh://server.hostname' server authorized_keys maintenance ---------------------------------- -A system can maintain ms authorized_keys files for it's users. Some -different variables need to be defined to help manage this. The way -this is done is by first defining a new MS_HOME: +A system can maintain monkeysphere authorized_keys files for it's +users. -MS_HOME=/etc/monkeysphere - -This directory would then have a monkeysphere.conf which defines the -following variables: +For each user account on the server, the userids of people authorized +to log into that account would be placed in: -AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER" -STAGING_AREA=/var/lib/monkeysphere/stage/$USER -GNUPGHOME=$MS_HOME/gnupg +/etc/monkeysphere/authorized_user_file/USER -For each user account on the server, the userids of people authorized -to log into that account would be placed in the AUTH_USER_FILE for -that user. However, in order for users to become authenticated, the -server must determine that the user keys have "full" validity. This -means that the server must fully trust at least one person whose -signature on the connecting users key would validate the user. This -would generally be the server admin. If the server admin's keyid is -XXXXXXXX, then on the server run: +However, in order for users to become authenticated, the server must +determine that the user keys have "full" validity. This means that +the server must fully trust at least one person whose signature on the +connecting users key would validate the user. This would generally be +the server admin. 
If the server admin's keyid is XXXXXXXX, then on +the server run: -# howler trust-key XXXXXXXX +# monkeysphere-server trust-keys XXXXXXXX -To update the ms authorized_keys file for user "bob", the system would -then run the following: +To update the monkeysphere authorized_keys file for user "bob", the +system would then run the following: -# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys +# monkeysphere-server update-users bob -To update the ms authorized_keys file for all users on the the system: +To update the monkeysphere authorized_keys file for all users on the +the system, run the same command with no arguments: -MS_HOME=/etc/monkeysphere -for USER in $(ls -1 /etc/monkeysphere/auth_user_ids) ; do - rhesus --authorized_keys -done +# monkeysphere-server update-users bob -- cgit v1.2.3 From 85dc0c4c46d3367642e4ce547faaadbaf8315f5c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 26 May 2008 23:36:06 -0400 Subject: fixing spelling, fqdns in MonkeySpec examples --- doc/MonkeySpec | 55 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 26 deletions(-) (limited to 'doc') diff --git a/doc/MonkeySpec b/doc/MonkeySpec index 3b565db..b0a0d6a 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec 
@@ -61,40 +61,42 @@ USE CASE Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob Backstory: http://www.conceptlabs.co.uk/alicebob.html -Bob wants to sign on to the computer "mangabey" via monkeysphere -framework. He doesn't yet have access to the machine, but he knows -Alice, who is the admin of magabey. Alice and Bob, being the -contientious netizens that they are, have already published their +Bob wants to sign on to the computer "mangabey.example.org" via +monkeysphere framework. He doesn't yet have access to the machine, +but he knows Alice, who is the admin of magabey. Alice and Bob, being +the conscientious netizens that they are, have already published their personal gpg keys to the web of trust, and being good friends, have both signed each other's keys and marked each others keys with "full" trust. Alice uses howler to publish a gpg key for magabey with the special -"ssh://magabey" URI userid. Alice signs magabey's gpg key and -publishes her signature. Alice then creates a user "bob" on magabey, -and puts Bob's userid in the auth_user_ids file for user bob on -magabey. tamarin triggers on magabey, which triggers rhesus, which -takes all userids in bob's auth_user_ids file, look on a keyserver to -find the public keys for each user, converts the gpg public keys into -ssh public keys if the key validity is acceptable, and finally insert -those keys into an authorized_keys file for bob. - -Bob now adds the "ssh://magabey" userid to the auth_host_ids file in -his account on his localhost. Bob now goes to connect to bob@magabey. -Bob's ssh client, which is monkeysphere enabled, triggers marmoset, -which triggers rhesus on Bob's computer, which takes all server -userids in his auth_host_ids file, looks on a keyserver to find the -public key for each server (based on the server's URI), converts the -gpg public keys into ssh public keys if the key validity is -acceptable, and finally insert those keys into Bob's known_hosts file. 
+userid of "ssh://mangabey.example.org". Alice signs mangabey's gpg +key and publishes this signature as a certification. Alice then +creates a user "bob" on mangabey, and puts Bob's userid in the +auth_user_ids file for user bob on magabey. tamarin triggers on +mangabey, which invokes rhesus. rhesus takes all userids in bob's +auth_user_ids file, looks on a keyserver to find the public keys for +each user, converts the gpg public keys into ssh public keys if the +key validity is acceptable, and finally inserts those keys into an +authorized_keys file for bob. + +Bob now adds the "ssh://mangabey.example.org" userid to the +auth_host_ids file in his account on his localhost. Bob now goes to +connect to bob@mangabey.example.org. Bob's monkeysphere-enabled ssh +client triggers marmoset, which invokes rhesus on Bob's computer. +rhesus takes all server userids in his auth_host_ids file, looks on a +keyserver to find the public key for each server (based on the +server's URI), converts the gpg public keys into ssh public keys if +the key validity is acceptable, and finally insert those keys into +Bob's known_hosts file. On Bob's side, since mangabey's key had "full" validity (since it was -signed by Alice whom he fully trusts), Bob's ssh client deems magabey +signed by Alice whom he fully trusts), Bob's ssh client deems mangabey "known" and no further host key checking is required. -On magabey's side, since Bob's key has "full" validity (since it had -also been signed by Alice whom magabey fully trusts (since Alice told -him to)), Bob is authenticated to log into bob@magabey. +On mangabey's side, since Bob's key has "full" validity (since it had +also been signed by Alice, mangabey's trusted administrator), Bob is +authenticated and authorized to log into bob@mangabey. NOTES ===== 
@@ -136,4 +138,5 @@ perform authorization on user identities instead of on keys, it additionally allows the sysadmin also to authenticate the server to the end-user. -git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere +see doc/git-init for more detail on how to pull from the distributed +repositories. -- cgit v1.2.3 From a7275bfcb21bccff64ccc544676406cb6318a021 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 15:12:07 -0400 Subject: added TODO documentation with additional projects. --- doc/TODO | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 doc/TODO (limited to 'doc') diff --git a/doc/TODO b/doc/TODO new file mode 100644 index 0000000..6125fea --- /dev/null +++ b/doc/TODO 
@@ -0,0 +1,39 @@ +Next-Steps Monkeysphere Projects: +--------------------------------- + +Provide a friendly interactive UI for marginal or failing client-side + hostkey verifications. Handle the common cases smoothly, and + provide good debugging info for the unusual cases. + +Make sure onak properly escapes user IDs with colons in them. + +Build a decent, presentable web site for documentation, evangelism, + etc. Include a mention of how to report trouble or concerns. + +Create ssh2openpgp or convert to full-fledged keytrans. + +Resolve the bugs listed in openpgp2ssh(1):BUGS. + +Understand and document alternate trustdb models. + +Understand and document the output of gpg --check-trustdb: + gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u + gpg: depth: 1 valid: 20 signed: 67 trust: 15-, 0q, 1n, 3m, 1f, 0u + gpg: next trustdb check due at 2008-10-09 + +Understand and document the numeric values between sig! and the keyid + in "gpg --check-sigs $KEYID" . Compare with the details found from + "gpg --with-colons --check-sigs $KEYID". This has to do with trust + signatures. + +Fix gpg's documentation to clarify the difference between validity and + ownertrust. Include better documentation for trust signatures. + +Make it easier to do domain-relative ssh host trust signatures with + gnupg. (e.g. "i trust Jamie McClelland (keyID 76CC057D) to properly + identify ssh servers in the mayfirst.org domain") See: + http://tools.ietf.org/html/rfc4880#section-5.2.3.21 and grep for + "tsign" in gpg(1). + +Fix the order of questions when user does a tsign in gpg or gpg2. -- cgit v1.2.3 From 79e9e7214bcbd4ecf4d555a1be413532b216c2e7 Mon Sep 17 00:00:00 2001 
From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 14:33:19 -0400 Subject: Update man pages and TODO. --- debian/dirs | 1 + debian/monkeysphere.dirs | 1 + doc/TODO | 12 +++++++ man/man1/monkeysphere-ssh-proxycommand.1 | 13 ++++--- man/man1/monkeysphere.1 | 60 +++++++++++--------------------- man/man8/monkeysphere-server.8 | 11 +++--- 6 files changed, 48 insertions(+), 50 deletions(-) (limited to 'doc') diff --git a/debian/dirs b/debian/dirs index bdf0fe0..b458649 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,4 +1,5 @@ var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys usr/bin usr/sbin usr/share diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index 4604eee..bc8abcf 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,4 +1,5 @@ usr/share/monkeysphere var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys etc/monkeysphere etc/monkeysphere/authorized_user_ids diff --git a/doc/TODO b/doc/TODO index 6125fea..905d198 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,6 +1,18 @@ Next-Steps Monkeysphere Projects: --------------------------------- +Handle unknown hosts in such a way that they're not always removed + from known_hosts file. Ask user to lsign the host key? + +Handle multiple multiple hostnames (multiple user IDs?) when + generating host keys with gen-key. + +Make sure alternate ports are handled for known_hosts. + +Add environment variables sections to man pages. + +Script to import private key into ssh agent. + Provide a friendly interactive UI for marginal or failing client-side hostkey verifications. Handle the common cases smoothly, and provide good debugging info for the unusual cases. diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 8392ae8..5fabb91 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 
@@ -19,13 +19,12 @@ or by adding the following line to your ~/.ssh/config script: .B ProxyCommand monkeysphere-ssh-proxycommand %h %p The script is very simple, and can easily be incorporated into other -ProxyCommand scripts. All it does is first runs - -.B monkeysphere update-known-hosts HOST - -and then - -.B exec nc HOST PORT +ProxyCommand scripts. It first tests to see if the host is in the +known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to +true and "update-known_hosts" is run for the host to check for a host +key for that host. If the host is found in the known_hosts file, +CHECK_KEYSERVER is set to false and "update-known_hosts" is run to +update from the local keychain. Run the following command for more info: diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 95f1e59..8d89071 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 
@@ -24,25 +24,23 @@ for authentication and encryption of ssh connection. .B update-known_hosts [HOST]... Update the known_hosts file. For each specified host, gpg will be queried for a key associated with the host URI (see HOST URIs), -querying a keyserver if none is found in the user's keychain. search -for a gpg key for the host in the Web of Trust. If a key is found, it -will be added to the host_keys cache (see KEY CACHES) and any ssh keys -for the host will be removed from the user's known_hosts file. If the -found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg -key will be added to the known_hosts file. If no gpg key is found for -the host, then nothing is done. If no hosts are specified, all hosts -listed in the known_hosts file will be processed. `k' may be used in -place of `update-known_hosts'. +querying a keyserver if specified. If a key is found, it will be +converted to an ssh key, and any matching ssh keys will be removed +from the user's known_hosts file. If the found key is acceptable (see +KEY ACCEPTABILITY), then the key will be updated and re-added to the +known_hosts file. If no gpg key is found for the host, then nothing +is done. If no hosts are specified, all hosts listed in the +known_hosts file will be processed. `k' may be used in place of +`update-known_hosts'. .TP .B update-userids [USERID]... Add/update a user ID to the authorized_user_ids file. The user IDs specified should be exact matches to OpenPGP user IDs. For each specified user ID, gpg will be queried for a key associated with that -user ID, querying a keyserver if none is found in the user's keychain. -If a key is found, it will be added to the user_keys cache (see KEY -CACHES) and the user ID will be added to the user's -authorized_user_ids file (if it wasn't already present). `u' may be -used in place of `update-userids'. +user ID, querying a keyserver if specified. 
If a key is found, the +user ID will be added to the user's authorized_user_ids file (if it +wasn't already present). `u' may be used in place of +`update-userids'. .TP .B remove-userids [USERID]... Remove a user ID from the authorized_user_ids file. The user IDs @@ -50,11 +48,15 @@ specified should be exact matches to OpenPGP user IDs. `r' may be used in place of `remove-userids'. .TP .B update-authorized_keys -Update the monkeysphere authorized_keys file. The monkeysphere -authorized_keys file will be regenerated from the valid keys in the -user_key cache, and the user's independently controlled -authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be -used in place of `update-authorized_keys'. +Update the monkeysphere authorized_keys file. For each user ID in the +user's authorized_user_ids file, gpg will be queried for keys +associated with that user ID, querying a keyserver if specified. If a +key is found, it will be converted to an ssh key, and any matching ssh +keys will be removed from the user's authorized_keys file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the key will be +updated and re-added to the authorized_keys file. If no gpg key is +found for the user ID, then nothing is done. `a' may be used in place +of `update-authorized_keys'. .TP .B gen-subkey KEYID Generate an `a` capable subkey. For the primary key with the 
@@ -83,21 +85,6 @@ the "authentication" ("a") capability flag. .B validity The key must be "fully" valid, and must not be expired or revoked. -.SH KEY CACHES - -Monkeysphere keeps track of keys in key cache directories. The files -in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where -USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is -the key ID of the primary key. If the user/key ID combo exists in the -Web of Trust but is not acceptable, then the file is empty. If the -primary key has at least one acceptable sub key, then an ssh-style -key, converted from the OpenPGP key, of all acceptable subkeys will be -stored in the cache file, one per line. known_hosts style key lines -will be stored in the host_keys cache files, and authorized_keys style -key lines will be stored in the user_keys cache files. OpenPGP keys -are converted to ssh-style keys with the openpgp2ssh utility (see `man -openpgp2ssh'). - .SH FILES .TP @@ -114,11 +101,6 @@ addition to the authorized_keys file. ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. .TP -~/.config/monkeysphere/user_keys -User keys cache directory. -.TP -~/.config/monkeysphere/host_keys -Host keys cache directory. .SH AUTHOR diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index eafd6a8..5ca248a 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 
@@ -24,8 +24,11 @@ be used for authentication and encryption of ssh connection. .B update-users [USER]... Update the admin-controlled authorized_keys files for user. For each user specified, update the user's authorized_keys file in -/var/cache/monkeysphere/USER. See `man monkeysphere' for more info. -`k' may be used in place of `update-known_hosts'. +/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' +for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is +set, then a user-controlled authorized_keys file (usually +~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k' +may be used in place of `update-known_hosts'. .TP .B gen-key Generate a gpg key for the host. `g' may be used in place of @@ -66,8 +69,8 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/cache/monkeysphere/USER -User keys cache directories. +/var/cache/monkeysphere/authorized_keys/USER +User authorized_keys file. .SH AUTHOR -- cgit v1.2.3 From a9a56853a27e1dbce3c48af327b0adff0e4c38e0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Jun 2008 23:33:18 -0400 Subject: add george system changelog --- doc/george/changelog | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 doc/george/changelog (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog new file mode 100644 index 0000000..2442061 --- /dev/null +++ b/doc/george/changelog 
@@ -0,0 +1,19 @@ +****************************************************************************** +* * +* george system log * +* * +****************************************************************************** +* Please add new entries in reverse chronological order whenever you make * +* changes to this system * +****************************************************************************** + + +2008-06-18 - micah + * debootstrap'd debian etch install + * installed /etc/apt/sources.list with local proxy sources for etch, + testing, unstable, backports and volatile + * configured /etc/apt/preferences and apt.conf.d/local-conf to + pin etch, but make testing, sid and backports available + * added backports.org apt-key + * installed openssh-server and openssh-client packages + * added dkg, jrollins, mjgoins ssh public_keys to /root/.ssh/authorized_keys -- cgit v1.2.3 From 8a977a8371f2ea54e3888494e1b474befeba318b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Jun 2008 23:36:22 -0400 Subject: add todo items that we discussed as being important to address at some point --- doc/TODO | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc') diff --git a/doc/TODO b/doc/TODO index 905d198..bf51ae0 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,6 +1,13 @@ Next-Steps Monkeysphere Projects: --------------------------------- +Detail advantages of monkeysphere: detail the race conditions in ssh, + and how the monkeysphere can help you reduce these threat vectors: + threat model reduction diagrams + +Determine how openssh handles multiple processes writing to + known_hosts file (atomic appends?) + Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? -- cgit v1.2.3 From dcba8ebebf480a051f2b872f89ccbe68ad642f61 Mon Sep 17 00:00:00 2001 
From: Jameson Graef Rollins Date: Wed, 18 Jun 2008 23:48:37 -0400 Subject: Update to new agreed default host key usage flag (only "a" required for users and hosts). Update TODO file. Some other small changes. --- doc/TODO | 31 +++++++++++++++++++++++++++---- etc/monkeysphere.conf | 6 +++++- src/common | 8 ++++---- src/monkeysphere | 2 +- 4 files changed, 37 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/doc/TODO b/doc/TODO index 905d198..0402b46 100644 --- a/doc/TODO +++ b/doc/TODO @@ -4,13 +4,11 @@ Next-Steps Monkeysphere Projects: Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? -Handle multiple multiple hostnames (multiple user IDs?) when - generating host keys with gen-key. +Handle multiple hostnames (multiple user IDs?) when generating host + keys with gen-key. Make sure alternate ports are handled for known_hosts. -Add environment variables sections to man pages. - Script to import private key into ssh agent. Provide a friendly interactive UI for marginal or failing client-side 
@@ -49,3 +47,28 @@ Make it easier to do domain-relative ssh host trust signatures with
 "tsign" in gpg(1).
 Fix the order of questions when user does a tsign in gpg or gpg2.
+
+File bug against ssh-keygen about how "-R" option removes comments
+ from known_hosts file.
+
+File bug against ssh-keygen to see if we can get it to write to hash a
+ known_hosts file to/from stdout/stdin.
+
+Note all threat model reductions (with diagrams).
+
+Add environment variables sections to man pages.
+
+Environment variable scoping.
+
+Move environment variable precedence before conf file.
+
+Handle lockfiles when modifying known_hosts or authorized_keys.
+
+When using ssh-proxycommand, if only host keys found are expired or
+ revoked, then output loud warning with prompt, or fail hard.
+
+Update monkeysphere-ssh-proxycommand man page with new keyserver
+ checking policy info.
+
+Update monkeysphere-ssh-proxycommand man page with info about
+ no-connect option.
diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf
index 17c1a14..f2ba4a7 100644
--- a/etc/monkeysphere.conf
+++ b/etc/monkeysphere.conf
@@ -15,7 +15,7 @@
 # s = sign
 # c = certify
 # a = authentication
-#REQUIRED_HOST_KEY_CAPABILITY="e a"
+#REQUIRED_HOST_KEY_CAPABILITY="a"
 #REQUIRED_USER_KEY_CAPABILITY="a"
 # ssh known_hosts file
@@ -27,3 +27,7 @@
 # ssh authorized_keys file
 #AUTHORIZED_KEYS=~/.ssh/known_hosts
+
+# This overrides other environment variables
+# NOTE: there is leakage
+#CHECK_KEYRING=true
diff --git a/src/common b/src/common
index ac43f0a..9b06b1d 100644
--- a/src/common
+++ b/src/common
@@ -73,7 +73,7 @@ unescape() {
 }
 # remove all lines with specified string from specified file
-remove_file_line() {
+remove_line() {
 local file
 local string
@@ -395,7 +395,7 @@ remove_userid() {
 # remove user ID from file
 log -n " removing user ID '$userID'... "
- remove_file_line "$AUTHORIZED_USER_IDS" "^${userID}$"
+ remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
 loge "done."
 }
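Review bot: The new comment `# NOTE: there is leakage` above `#CHECK_KEYRING=true` in etc/monkeysphere.conf names neither what leaks nor where it ends up, so an admin reading the file cannot judge whether enabling the option is safe; replace it with a sentence that states the concrete effect, along the lines of `# NOTE: setting this here also reaches <name the variable, file or command affected — TODO>`. The companion line `# This overrides other environment variables` sits oddly beside the TODO entry `Move environment variable precedence before conf file.` added in the same commit, so say explicitly whether the conf value wins over the environment for this one setting. CHECK_KEYRING does not appear among the defaults in the src/monkeysphere hunk of this commit (that hunk sets CHECK_KEYSERVER), so it may be unimplemented or misspelled and is worth confirming before it is documented. Separately, the context line `#AUTHORIZED_KEYS=~/.ssh/known_hosts` under `# ssh authorized_keys file` shows the wrong file as the example default; `#AUTHORIZED_KEYS=~/.ssh/authorized_keys` would match the `AUTHORIZED_KEYS` default in src/monkeysphere.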
@@ -416,7 +416,7 @@ process_host_known_hosts() {
 while read -r ok keyid ; do
 sshKey=$(gpg2ssh "$keyid")
 # remove the old host key line
- remove_file_line "$KNOWN_HOSTS" "$sshKey"
+ remove_line "$KNOWN_HOSTS" "$sshKey"
 # if key OK, add new host line
 if [ "$ok" -eq '0' ] ; then
 # hash if specified
@@ -449,7 +449,7 @@ process_uid_authorized_keys() {
 while read -r ok keyid ; do
 sshKey=$(gpg2ssh "$keyid")
 # remove the old host key line
- remove_file_line "$AUTHORIZED_KEYS" "$sshKey"
+ remove_line "$AUTHORIZED_KEYS" "$sshKey"
 # if key OK, add new host line
 if [ "$ok" -eq '0' ] ; then
 ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
diff --git a/src/monkeysphere b/src/monkeysphere
index 6853f58..a6cecfd 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -115,7 +115,7 @@ AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
 GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
-REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"}
+REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}
 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
 AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
-- cgit v1.2.3
From 6ee67a218916f6f9c30dfe9787109017c11e8185 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins
Date: Wed, 18 Jun 2008 23:53:09 -0400
Subject: Update TODO after merge.
---
 doc/TODO | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
 (limited to 'doc')
diff --git a/doc/TODO b/doc/TODO
index c17ef61..3538fbf 100644
--- a/doc/TODO
+++ b/doc/TODO
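Review bot: The new default `REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}` in src/monkeysphere relaxes what a host key must carry (the encryption flag is no longer required), yet nothing beside the assignment records that this is the agreed policy, so a later reader may "restore" `"e a"` as a fix; add `# policy: host and user keys need only the authentication ("a") capability` above the two REQUIRED_*_KEY_CAPABILITY lines. The commented default in the etc/monkeysphere.conf hunk of the same commit was changed in step, which keeps the two in agreement. On the context line just above, `CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}` uses `:=` while every other default in this block, including the line being added, uses `:-`; the result is the same inside an assignment, but aligning it to `:-` would keep the block uniform. The run of default assignments this hunk belongs to continues outside the hunk.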
@@ -3,10 +3,10 @@ Next-Steps Monkeysphere Projects: Detail advantages of monkeysphere: detail the race conditions in ssh, and how the monkeysphere can help you reduce these threat vectors: - threat model reduction diagrams + threat model reduction diagrams. Determine how openssh handles multiple processes writing to - known_hosts file (atomic appends?) + known_hosts/authorized_keys files (lockfile, atomic appends?) Handle unknown hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? @@ -61,16 +61,12 @@ File bug against ssh-keygen about how "-R" option removes comments File bug against ssh-keygen to see if we can get it to write to hash a known_hosts file to/from stdout/stdin. -Note all threat model reductions (with diagrams). - Add environment variables sections to man pages. Environment variable scoping. Move environment variable precedence before conf file. -Handle lockfiles when modifying known_hosts or authorized_keys. - When using ssh-proxycommand, if only host keys found are expired or revoked, then output loud warning with prompt, or fail hard. -- cgit v1.2.3 From fadd814ce4351c3869e49d91b31aa5b2efc68a01 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Jun 2008 23:58:01 -0400 Subject: update george changelog --- doc/george/changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 2442061..5d35355 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,9 @@ * changes to this system * ****************************************************************************** +2008-06-18 - jrollins + * installed less, emacs; + * aptitude update && aptitude dist-upgrade 2008-06-18 - micah * debootstrap'd debian etch install -- cgit v1.2.3 From e158221fd47d035fa3a7a8cd715327714d40d32a Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 00:17:38 -0400 Subject: added policy docs about george.riseup.net --- doc/george/policy | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 doc/george/policy (limited to 'doc') diff --git a/doc/george/policy b/doc/george/policy new file mode 100644 index 0000000..6da08e9 --- /dev/null +++ b/doc/george/policy @@ -0,0 +1,32 @@ +Policy for maintaining george.riseup.net +---------------------------------------- + +Riseup graciously provided the MonkeySphere project with a vserver for +testing and public documentation. This is known as george.riseup.net, +for those who are curious about the MonkeySphere. + +george will be maintained as a debian lenny machine, with minimal +packages from experimental as needed for installing and running what +we build elsewhere. + +george will host 3 public-facing services: an ssh daemon on port 22, +an http service on port 80, and an OpenPGP keyserver (the HKP +protocol) on port 11371. + +Administration of george is a shared responsibility across the core +members of the MonkeySphere development team. Administrators will log +changes in their git repositories, in doc/george/changelog (a peer of +this policy file). + +monkeysphere packages installed on george will use unique, tagged +version numbers so we know what we're running. + +We will try to keep the installation as minimal as possible while +still allowing for comfortable day-to-day administration. + + +Outstanding questions: + +Who should have superuser access? + +Who should get regular user accounts? -- cgit v1.2.3 From 70ee9836c30c3264660010156944d3b76e9300b2 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 01:12:30 -0400 Subject: more notes on work on george. --- doc/george/changelog | 16 ++++++++++++++++ doc/george/policy | 1 + 2 files changed, 17 insertions(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 5d35355..8eebe4b 100644 
--- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,22 @@ * changes to this system * ****************************************************************************** +2008-06-19 - dkg + * removed etch sources, switched "testing" to "lenny", added + lenny/updates, removed all contrib and non-free. + + * removed testing pin in /etc/apt/preferences + * ran the upgrade + + * reset emacs22 to emacs22-nox (avoiding dependencies) + + * removed sysklog and klogd because of errors restarting klogd. + Installed syslog-ng in their stead, which still gives errors + related to /proc/kmsg unreadability, but the install completes :/ + + * added experimental, juggled pinning: + experimental: 1, unstable: 2 + 2008-06-18 - jrollins * installed less, emacs; * aptitude update && aptitude dist-upgrade diff --git a/doc/george/policy b/doc/george/policy index 6da08e9..a17a310 100644 --- a/doc/george/policy +++ b/doc/george/policy @@ -24,6 +24,7 @@ version numbers so we know what we're running. We will try to keep the installation as minimal as possible while still allowing for comfortable day-to-day administration. +We will use aptitude for package management where possible. Outstanding questions: -- cgit v1.2.3 From d8dd7e109a119ed66e7a32777f0de34ce69c0928 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 03:04:58 -0400 Subject: added description of steps needed to get host key published for george.riseup.net. --- doc/george/host-key-publication | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 doc/george/host-key-publication (limited to 'doc') diff --git a/doc/george/host-key-publication b/doc/george/host-key-publication new file mode 100644 index 0000000..03e2510 --- /dev/null +++ b/doc/george/host-key-publication 
@@ -0,0 +1,28 @@ +2008-06-19 02:34:57-0400 +------------------------ + +Adding george's host key to the monkeysphere was more complicated than +it needed to be. + +As the server admin, i did (accepting the defaults where possible): + + monkeysphere-server gen-key + KEYID=$(GNUPGHOME=/etc/monkeysphere/gnupg gpg --with-colons --list-key =ssh://$(hostname --fqdn) | grep ^pub: | cut -f5 -d:) + (umask 077 && GNUPGHOME=/etc/monkeysphere/gnupg gpg --export-secret-key $KEYID | openpgp2ssh $KEYID >/etc/monkeysphere/ssh_host_rsa_key) + # modify /etc/ssh/sshd_config to remove old host keys lines, and + # add new line: HostKey /etc/monkeysphere/ssh_host_rsa_key + /etc/init.d/ssh restart + + KEYSERVER=george.riseup.net monkeysphere-server publish-key + # (needed to publish by hand here because of reasonable sanity checks) + monkeysphere-server show-fingerprint + + # then from a remote host: + gpg --keyserver george.riseup.net --search =ssh://george.riseup.net + gpg --fingerprint --sign-key =ssh://george.riseup.net + KEYID=$(gpg --with-colons --list-key =ssh://george.riseup.net | grep ^pub: | cut -f5 -d:) + gpg --keyserver george.riseup.net --send "$KEYID" + gpg --keyserver george.riseup.net --send "$MYGPGID" + + +How could this have been streamlined? -- cgit v1.2.3 From 1066e96e927e812159274af4b6ca78c6a46881ee Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 03:05:40 -0400 Subject: updated doc/README to match the location of authorized_user_ids that is created by the package. --- doc/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/README b/doc/README index 427f214..7880530 100644 --- a/doc/README +++ b/doc/README 
@@ -34,7 +34,7 @@ users. For each user account on the server, the userids of people authorized to log into that account would be placed in: -/etc/monkeysphere/authorized_user_file/USER +/etc/monkeysphere/authorized_user_ids/USER However, in order for users to become authenticated, the server must determine that the user keys have "full" validity. This means that -- cgit v1.2.3 From a5066c3a37a84bf47e1e1d6ff8ad755ad5fa9414 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 03:17:01 -0400 Subject: added more documentation about george, and more TODO notes. --- doc/TODO | 25 +++++++++++++++++++++++-- doc/george/changelog | 14 ++++++++++++-- doc/george/user-id-configuration | 21 +++++++++++++++++++++ 3 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 doc/george/user-id-configuration (limited to 'doc') diff --git a/doc/TODO b/doc/TODO index 3538fbf..e2fce0e 100644 --- a/doc/TODO +++ b/doc/TODO 
@@ -8,12 +8,33 @@ Detail advantages of monkeysphere: detail the race conditions in ssh, Determine how openssh handles multiple processes writing to known_hosts/authorized_keys files (lockfile, atomic appends?) -Handle unknown hosts in such a way that they're not always removed - from known_hosts file. Ask user to lsign the host key? +Handle unverified monkeysphere hosts in such a way that they're not + always removed from known_hosts file. Ask user to lsign the host + key? Handle multiple hostnames (multiple user IDs?) when generating host keys with gen-key. +Work out the details (and describe a full use case) for assigning a + REVOKER during monkeysphere-server gen_key -- how is this set? How + do we export it so it's available when a second-party revocation is + needed? + +Actually enable server hostkey publication. + +Streamline host key generation, publication, verification. See + doc/george/host-key-publication for what dkg went through on + 2008-06-19 + +Streamline authorized_user_ids setup (including question of where + authorized_user_ids files should go). See + doc/george/user-id-configuration for what dkg went through on + 2008-06-19 + +Ensure that authorized_user_ids are under as tight control as ssh + expects from authorized_keys: we don't want monkeysphere to be a + weak link in the filesystem. + Make sure alternate ports are handled for known_hosts. Script to import private key into ssh agent. diff --git a/doc/george/changelog b/doc/george/changelog index 8eebe4b..afea2d0 100644 --- a/doc/george/changelog +++ b/doc/george/changelog 
@@ -20,8 +20,18 @@ Installed syslog-ng in their stead, which still gives errors related to /proc/kmsg unreadability, but the install completes :/ - * added experimental, juggled pinning: - experimental: 1, unstable: 2 + * added experimental + * juggled pinning: experimental: 1, unstable: 2 + * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf + + * installed monkeysphere v0.1-1, changed host key, published + them via the local keyserver (see host-key-publication) + + * added local unprivileged user accounts for everyone listed in + /usr/share/doc/monkeysphere/copyright + + * configured authorized_user_ids for every user account based on + my best guess at their OpenPGP User ID. 2008-06-18 - jrollins * installed less, emacs; diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration new file mode 100644 index 0000000..d95279d --- /dev/null +++ b/doc/george/user-id-configuration 
@@ -0,0 +1,21 @@ +2008-06-19 03:00:58-0400 +------------------------ + +setting up authorized_user_id configuration on george was also more +cumbersome than it needs to be. Here's what i (dkg) did: + + GNUPGHOME=/etc/monkeysphere/gnupg gpg --keyserver subkeys.pgp.net --search dkg@fifthhorseman.net + GNUPGHOME=/etc/monkeysphere/gnupg gpg --fingerprint dkg@fifthhorseman.net + +set up the authorized_user_ids (why are these in /etc/ and not in +people's home directories?) + +echo 'Daniel Kahn Gillmor ' > /etc/monkeysphere/authorized_user_ids/dkg +echo 'Jameson Rollins ' > /etc/monkeysphere/authorized_user_ids/jrollins +echo 'Micah Anderson ' > /etc/monkeysphere/authorized_user_ids/micah +echo 'Matthew Goins ' > /etc/monkeysphere/authorized_user_ids/mjgoins +echo 'Ross Glover ' > /etc/monkeysphere/authorized_user_ids/ross +echo 'Jamie McClelland ' > /etc/monkeysphere/authorized_user_ids/jamie +echo 'mike castleman ' > /etc/monkeysphere/authorized_user_ids/mlcastle +echo 'Elliot Winard ' > /etc/monkeysphere/authorized_user_ids/enw +echo 'Greg Lyle ' > /etc/monkeysphere/authorized_user_ids/greg -- cgit v1.2.3 From d96875037bca527fe2bc88f7cc1a3842e3080f04 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 03:34:46 -0400 Subject: fixed think-o: running a commend with no arguments should have no arguments. --- doc/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/README b/doc/README index 7880530..cda1194 100644 --- a/doc/README +++ b/doc/README @@ -53,4 +53,4 @@ system would then run the following: To update the monkeysphere authorized_keys file for all users on the the system, run the same command with no arguments: -# monkeysphere-server update-users bob +# monkeysphere-server update-users -- cgit v1.2.3 From 86e9e0e3fd03db1770857990882d955954a5265b Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 04:00:42 -0400 Subject: re-worked documentation and raised issues in TODO about end user authentication. --- doc/TODO | 26 +++++++++++++++++++ doc/george/user-id-configuration | 56 +++++++++++++++++++++++++++++----------- 2 files changed, 67 insertions(+), 15 deletions(-) (limited to 'doc') diff --git a/doc/TODO b/doc/TODO index e2fce0e..5cd9be9 100644 --- a/doc/TODO +++ b/doc/TODO @@ -35,6 +35,32 @@ Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. +What happens when there are no entries in the authorized_user_ids file + for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp + seems like it gets created and then left there. + +What happens when a user account has no corresponding + /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed + in /var/cache/monkeysphere/authorized_keys/$USER? It looks + currently untouched, which could mean bad things for such a user. + +Consider the default permissions for + /var/cache/monkeysphere/authorized_keys/* (and indeed the whole + directory path leading up to that) + +What should happen when an admin does + "monkeysphere-server update-users not_an_existent_user"? + currently, it adds + /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which + seems rather wrong. + +is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to + avoid collisions? Why not use a real mktemp file? + +As an administrator, how do i reverse the effect of a + "monkeysphere-server trust-keys" that i later decide i should not + have run? + Make sure alternate ports are handled for known_hosts. Script to import private key into ssh agent. diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration index d95279d..d42bfbd 100644 --- a/doc/george/user-id-configuration +++ b/doc/george/user-id-configuration 
@@ -4,18 +4,44 @@ setting up authorized_user_id configuration on george was also more cumbersome than it needs to be. Here's what i (dkg) did: - GNUPGHOME=/etc/monkeysphere/gnupg gpg --keyserver subkeys.pgp.net --search dkg@fifthhorseman.net - GNUPGHOME=/etc/monkeysphere/gnupg gpg --fingerprint dkg@fifthhorseman.net - -set up the authorized_user_ids (why are these in /etc/ and not in -people's home directories?) - -echo 'Daniel Kahn Gillmor ' > /etc/monkeysphere/authorized_user_ids/dkg -echo 'Jameson Rollins ' > /etc/monkeysphere/authorized_user_ids/jrollins -echo 'Micah Anderson ' > /etc/monkeysphere/authorized_user_ids/micah -echo 'Matthew Goins ' > /etc/monkeysphere/authorized_user_ids/mjgoins -echo 'Ross Glover ' > /etc/monkeysphere/authorized_user_ids/ross -echo 'Jamie McClelland ' > /etc/monkeysphere/authorized_user_ids/jamie -echo 'mike castleman ' > /etc/monkeysphere/authorized_user_ids/mlcastle -echo 'Elliot Winard ' > /etc/monkeysphere/authorized_user_ids/enw -echo 'Greg Lyle ' > /etc/monkeysphere/authorized_user_ids/greg +monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 + +monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor ' +monkeysphere-server update-user-userids jrollins 'Jameson Rollins ' +monkeysphere-server update-user-userids micah 'Micah Anderson ' +monkeysphere-server update-user-userids mjgoins 'Matthew Goins ' +monkeysphere-server update-user-userids ross 'Ross Glover ' +monkeysphere-server update-user-userids jamie 'Jamie McClelland ' +monkeysphere-server update-user-userids mlcastle 'mike castleman ' +monkeysphere-server update-user-userids enw 'Elliot Winard ' +monkeysphere-server update-user-userids greg 'Greg Lyle ' + + +then i added a scheduled: + + monkeysphere-server update-users + +to run hourly via /etc/crontab + +and made sure that root's keys were working with a temporary symlink +(see TODO about that business) + +and then modified /etc/ssh/sshd_config with: + + AuthorizedKeysFile 
/var/cache/monkeysphere/authorized_keys/%u + + +Some outstanding questions: + + * why are the authorized_user_ids stored in /etc/ and not in people's + home directories? + + * why are authorized_user_ids managed with a special sub-command of + monkeysphere-server, instead of just being hand-managed files, the + way that authorized_keys are in stock openssh? + + * Should we ship a scheduled monkeysphere-server update-users cron + job automatically? + + * why was i not prompted to confirm the trust-keys line, which seems + like the most delicate/sensitive line of all of them? -- cgit v1.2.3 From 0e7b7f17fd635486371798a513067ba747dd47dc Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 04:10:55 -0400 Subject: documented cronjob, and referred to user-id-configuration. --- doc/george/changelog | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index afea2d0..381fa0f 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -31,7 +31,11 @@ /usr/share/doc/monkeysphere/copyright * configured authorized_user_ids for every user account based on - my best guess at their OpenPGP User ID. + my best guess at their OpenPGP User ID (see + user-id-configuration). + + * set up a cronjob (in /etc/crontab) to run "monkeysphere-server + update-users" at 26 minutes past the hour. 2008-06-18 - jrollins * installed less, emacs; -- cgit v1.2.3 From 2e817838052450ec7a8942f24c5190e51bbd31d0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 12:02:33 -0400 Subject: documenting addition of apt repo on george. --- doc/george/changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 381fa0f..55d46bc 100644 --- a/doc/george/changelog +++ b/doc/george/changelog 
@@ -7,6 +7,13 @@ * changes to this system * ****************************************************************************** +2008-06-19 - dkg + * installed rsync (for maintaining a public apt repo) + + * configured mathopd to listen on port 80, serving /srv/www as / + and /srv/apt as /debian. We've got nothing in /srv/www at the + moment, though. + 2008-06-19 - dkg * removed etch sources, switched "testing" to "lenny", added lenny/updates, removed all contrib and non-free. -- cgit v1.2.3 From f95798d4fd83cb227b69c136b16b592d997303c6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 12:20:08 -0400 Subject: documenting george debugging steps. --- doc/george/changelog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 55d46bc..6dc3a29 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -13,6 +13,11 @@ * configured mathopd to listen on port 80, serving /srv/www as / and /srv/apt as /debian. We've got nothing in /srv/www at the moment, though. + + * installed lsof and psmisc as sysadmin utilities. sorry for the + bloat! + + * installed strace to try to figure out why onak is segfaulting. 2008-06-19 - dkg * removed etch sources, switched "testing" to "lenny", added -- cgit v1.2.3 From 7019354a75ca19ffd2e10f2e2b3dc89b480156bd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 18:09:41 -0400 Subject: Better handling of unknown users in server update-users. Updated TODO file. --- debian/changelog | 3 ++- doc/TODO | 21 +++------------------ doc/george/user-id-configuration | 7 ------- src/common | 13 ++++++++++--- src/monkeysphere-server | 10 ++++++++-- 5 files changed, 23 insertions(+), 31 deletions(-) (limited to 'doc') diff --git a/debian/changelog b/debian/changelog index 726f262..bd12e1a 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -9,8 +9,9 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low /etc/monkeysphere/authorized_user_ids. * Remove {update,remove}-userids functions, since we decided they weren't useful enough to be worth maintaining. + * Better handling of unknown users in server update-users - -- Jameson Graef Rollins Thu, 19 Jun 2008 16:56:32 -0400 + -- Jameson Graef Rollins Thu, 19 Jun 2008 18:08:57 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/doc/TODO b/doc/TODO index 5cd9be9..a82f031 100644 --- a/doc/TODO +++ b/doc/TODO 
@@ -26,37 +26,22 @@ Streamline host key generation, publication, verification. See doc/george/host-key-publication for what dkg went through on 2008-06-19 -Streamline authorized_user_ids setup (including question of where - authorized_user_ids files should go). See - doc/george/user-id-configuration for what dkg went through on - 2008-06-19 - Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. -What happens when there are no entries in the authorized_user_ids file - for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp - seems like it gets created and then left there. - What happens when a user account has no corresponding /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed in /var/cache/monkeysphere/authorized_keys/$USER? It looks currently untouched, which could mean bad things for such a user. + - if authorized_user_ids is empty, then the user's authorized_keys + file will be also, unless the user-controlled authorized_keys file + is added. I believe this is expected, correct behavior. Consider the default permissions for /var/cache/monkeysphere/authorized_keys/* (and indeed the whole directory path leading up to that) -What should happen when an admin does - "monkeysphere-server update-users not_an_existent_user"? - currently, it adds - /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which - seems rather wrong. - -is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to - avoid collisions? Why not use a real mktemp file? - As an administrator, how do i reverse the effect of a "monkeysphere-server trust-keys" that i later decide i should not have run? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration index d42bfbd..9a7f4d2 100644 --- a/doc/george/user-id-configuration +++ b/doc/george/user-id-configuration 
@@ -33,13 +33,6 @@ and then modified /etc/ssh/sshd_config with: Some outstanding questions: - * why are the authorized_user_ids stored in /etc/ and not in people's - home directories? - - * why are authorized_user_ids managed with a special sub-command of - monkeysphere-server, instead of just being hand-managed files, the - way that authorized_keys are in stock openssh? - * Should we ship a scheduled monkeysphere-server update-users cron job automatically? diff --git a/src/common b/src/common index 00ee7b0..e98f1bc 100644 --- a/src/common +++ b/src/common @@ -18,10 +18,17 @@ ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE +ERR=0 +export ERR ######################################################################## ### UTILITY FUNCTIONS +error() { + log "$1" + ERR=${2:-'1'} +} + failure() { echo "$1" >&2 exit ${2:-'1'} @@ -29,12 +36,12 @@ failure() { # write output to stderr log() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 + echo -n "ms: " >&2 + echo "$@" >&2 } loge() { - echo "$@" 1>&2 + echo "$@" >&2 } # cut out all comments(#) and blank lines from standard input diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 154c146..a9a9aed 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -162,6 +162,12 @@ case $COMMAND in for uname in $unames ; do MODE="authorized_keys" + # check all specified users exist + if ! getent passwd | cut -d: -f1 | grep -q "^${uname}$" ; then + error "----- unknown user '$uname' -----" + continue + fi + # set authorized_user_ids variable, # translate ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") @@ -201,8 +207,6 @@ case $COMMAND in log "authorized_keys file updated." done - - log "----- done. -----" ;; 'gen-key'|'g') @@ -237,3 +241,5 @@ case $COMMAND in Type '$PGRM help' for usage." ;; esac + +exit "$ERR" -- cgit v1.2.3 From c6a958a369c58ec78f380fc739d75ff465b61c6a Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Fri, 20 Jun 2008 14:00:42 -0400 Subject: touched /etc/environment on george. --- doc/george/changelog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 6dc3a29..9992aae 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,10 @@ * changes to this system * ****************************************************************************** +2008-06-20 - dkg + * touched /etc/environment to get rid of some spurious auth.log + entries. + 2008-06-19 - dkg * installed rsync (for maintaining a public apt repo) -- cgit v1.2.3 From 9efdaab59edb2ff4454082f6a36c9dc0d90b8885 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 20 Jun 2008 14:04:28 -0400 Subject: bumped up ssh logging on george. --- doc/george/changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'doc') diff --git a/doc/george/changelog b/doc/george/changelog index 9992aae..c157cec 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -10,6 +10,7 @@ 2008-06-20 - dkg * touched /etc/environment to get rid of some spurious auth.log entries. + * turned up sshd's LogLevel from INFO to DEBUG 2008-06-19 - dkg * installed rsync (for maintaining a public apt repo) -- cgit v1.2.3