From 0655d5cbf24a29da4aff7e272e82bfa258b2ceed Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 1 Feb 2009 21:14:22 -0500
Subject: new function to export signatures from core to sphere keyrings.  this
 is so that the sphere does not have to read the core pubring to get the
 certifier ltsigs, and we can therefore keep tighter permissions on the core
 keyring files.  updated some comments/documentation as well.

---
 src/share/ma/add_certifier    | 58 ++++++++++++++++++++++++++++---------------
 src/share/ma/remove_certifier |  8 +++---
 src/share/ma/setup            |  6 ++---
 3 files changed, 44 insertions(+), 28 deletions(-)

(limited to 'src/share/ma')

diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier
index 0c3c647..60a4f9d 100644
--- a/src/share/ma/add_certifier
+++ b/src/share/ma/add_certifier
@@ -3,6 +3,20 @@
 
 # Monkeysphere authentication add-certifier subcommand
 #
+# This function adds a certifier whose signatures will be used to
+# calculate validity of keys used to connect to user accounts on the
+# server.  The specified certifier key is first retrieved from the Web
+# of Trust with the monkeysphere-user-controlled gpg_sphere keyring.
+# Once then new key is retrieved, it is imported into the core
+# keyring.  The gpg_core then ltsigns the key with the desired trust
+# level, and then the key is exported back to the gpg_sphere keyring.
+# The gpg_sphere has ultimate owner trust of the core key, so the core
+# ltsigs on the new certifier key can then be used by gpg_sphere
+# calculate validity for keys inserted in the authorized_keys file.
+#
+# This is all to keep the monkeysphere user that connects to the
+# keyservers from accessing the core secret key.
+#
 # The monkeysphere scripts are written by:
 # Jameson Rollins <jrollins@finestructure.net>
 # Jamie McClelland <jm@mayfirst.org>
@@ -11,9 +25,6 @@
 # They are Copyright 2008-2009, and are all released under the GPL,
 # version 3 or later.
 
-# retrieve key from web of trust, import it into the host keyring, and
-# ltsign the key in the host keyring so that it may certify other keys
-
 add_certifier() {
 
 local domain
@@ -59,7 +70,7 @@ if [ -z "$keyID" ] ; then
     failure "You must specify the key ID of a key to add, or specify a file to read the key from."
 fi
 if [ -f "$keyID" ] ; then
-    echo "Reading key from file '$keyID':"
+    log info "Reading key from file '$keyID':"
     importinfo=$(gpg_sphere "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'"
     # FIXME: if this is tried when the key database is not
     # up-to-date, i got these errors (using set -x):
@@ -96,8 +107,7 @@ if [ -z "$fingerprint" ] ; then
     failure "Key '$keyID' not found."
 fi
 
-echo
-echo "key found:"
+log info -e "\nkey found:"
 gpg_sphere "--fingerprint 0x${fingerprint}!"
 
 echo "Are you sure you want to add the above key as a"
@@ -106,18 +116,24 @@ if [ "${OK/y/Y}" != 'Y' ] ; then
     failure "Identity certifier not added."
 fi
 
-# export the key to the host keyring
+# export the key to the core keyring so that the core can sign the
+# new certifier key
 gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import
 
-if [ "$trust" = marginal ]; then
-    trustval=1
-elif [ "$trust" = full ]; then
-    trustval=2
-else
-    failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
-fi
-
-# ltsign command
+case "$trust" in
+    'marginal')
+	trustval=1
+	;;
+    'full')
+	trustval=2
+	;;
+    *)
+	failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
+	;;
+esac
+
+# this is the gpg "script" that gpg --edit-key will execute for the
+# core to sign certifier.
 # NOTE: *all* user IDs will be ltsigned
 ltsignCommand=$(cat <<EOF
 ltsign
@@ -130,15 +146,17 @@ save
 EOF
     )
 
-# ltsign the key
+# core ltsigns the newly imported certifier key
 if echo "$ltsignCommand" | \
     gpg_core --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
 
-    # update the trustdb for the authentication keyring
+    # transfer the new sigs back to the sphere keyring
+    gpg_core_sphere_sig_transfer
+
+    # update the sphere trustdb
     gpg_sphere "--check-trustdb"
 
-    echo
-    echo "Identity certifier added."
+    log info -e "\nIdentity certifier added."
 else
     failure "Problem adding identify certifier."
 fi
diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier
index 560281d..1164162 100644
--- a/src/share/ma/remove_certifier
+++ b/src/share/ma/remove_certifier
@@ -32,16 +32,16 @@ else
     failure
 fi
 
-# delete the requested key
+# delete the requested key from the sphere keyring
+# FIXME: should this be a revokation instead of a removal?
 if gpg_sphere "--delete-key --batch --yes 0x${keyID}!" ; then
-    # delete key from host keyring as well
+    # delete key from core keyring as well
     gpg_core --delete-key --batch --yes "0x${keyID}!"
 
     # update the trustdb for the authentication keyring
     gpg_sphere "--check-trustdb"
 
-    echo
-    echo "Identity certifier removed."
+    log info -e "\nIdentity certifier removed."
 else
     failure "Problem removing identity certifier."
 fi
diff --git a/src/share/ma/setup b/src/share/ma/setup
index 672a960..229166b 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -34,12 +34,10 @@ EOF
 # Edits will be overwritten.
 no-greeting
 primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
-keyring ${GNUPGHOME_CORE}/pubring.gpg
-
 list-options show-uid-validity
 EOF
 
-    # fingerprint of core key.  this should be empty on unconfigured systems.
+    # get fingerprint of core key.  this should be empty on unconfigured systems.
     local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 
     if [ -z "$CORE_FPR" ] ; then
@@ -57,7 +55,7 @@ EOF
 	# date.
 	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
-	gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key
+	# get fingerprint of core key.  should definitely not be empty at this point
 	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 	if [ -z "$CORE_FPR" ] ; then
 	    failure "Failed to create Monkeysphere authentication trust core!"
-- 
cgit v1.2.3


From 44a499dd669cc20e77e35c2f7ffcbc2a8f08ec29 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 1 Feb 2009 22:48:36 -0500
Subject: Fix a bug in setup where gpg was called instead of gpg_core.  This
 could have caused serious data loss for the running user.  Should note to be
 carefull with this in the future. Also fix ownership on sphere gnupghome.

---
 src/share/ma/setup | 12 ++++++++++--
 tests/basic        |  1 -
 2 files changed, 10 insertions(+), 3 deletions(-)

(limited to 'src/share/ma')

diff --git a/src/share/ma/setup b/src/share/ma/setup
index 229166b..263e5ca 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -15,8 +15,11 @@ setup() {
     # make all needed directories
     mkdir -p "${MADATADIR}"
     mkdir -p "${MATMPDIR}"
-    mkdir -p "${GNUPGHOME_SPHERE}"
     mkdir -p "${GNUPGHOME_CORE}"
+    chmod 700 "${GNUPGHOME_CORE}"
+    mkdir -p "${GNUPGHOME_SPHERE}"
+    chmod 700 "${GNUPGHOME_SPHERE}"
+    mkdir -p "${MADATADIR}"/authorized_keys
 
     # deliberately replace the config files via truncation
     # FIXME: should we be dumping to tmp files and then moving atomically?
@@ -37,6 +40,11 @@ primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
 list-options show-uid-validity
 EOF
 
+    # make sure the monkeysphere user owns everything in th sphere
+    # gnupghome
+    chown -R "$MONKEYPSHER_USER" "${GNUPGHOME_SPHERE}"
+    chgrp -R "$MONKEYPSHER_USER" "${GNUPGHOME_SPHERE}"
+
     # get fingerprint of core key.  this should be empty on unconfigured systems.
     local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 
@@ -53,7 +61,7 @@ EOF
 	# FIXME: pem2openpgp currently sets the A flag and a short
 	# expiration date.  We should set the C flag and no expiration
 	# date.
-	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
+	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
 	# get fingerprint of core key.  should definitely not be empty at this point
 	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
diff --git a/tests/basic b/tests/basic
index 99a881b..4d2266e 100755
--- a/tests/basic
+++ b/tests/basic
@@ -220,7 +220,6 @@ echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
 # set up monkeysphere authentication
 echo "##################################################"
 echo "### setup monkeysphere authentication..."
-mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
 cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
 cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
 AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
-- 
cgit v1.2.3


From c1900d82be5fe3607bac4248033fe92b56dca597 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 1 Feb 2009 23:05:31 -0500
Subject: add some log debug output to ma-setup

---
 src/share/ma/setup | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'src/share/ma')

diff --git a/src/share/ma/setup b/src/share/ma/setup
index 263e5ca..90f748e 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -49,34 +49,39 @@ EOF
     local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 
     if [ -z "$CORE_FPR" ] ; then
-	log info "Setting up Monkeysphere authentication trust core"
+	log info "Setting up Monkeysphere authentication trust core..."
 
 	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
     
 	local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
 
 	# generate the key with ssh-keygen...
+	log debug "generating ssh key..."
 	ssh-keygen -q -b 1024 -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
 	# and then translate to openpgp encoding and import
 	# FIXME: pem2openpgp currently sets the A flag and a short
 	# expiration date.  We should set the C flag and no expiration
 	# date.
+	log debug "converting ssh key to pgp key and importing into core..."
 	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
 	# get fingerprint of core key.  should definitely not be empty at this point
+	log debug "get core key fingerprint..."
 	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 	if [ -z "$CORE_FPR" ] ; then
 	    failure "Failed to create Monkeysphere authentication trust core!"
 	fi
 	
     else 
-	log verbose "This system has already set up the Monkeysphere authentication trust core"
+	log verbose "This system has already set up the Monkeysphere authentication trust core."
     fi
 
 
     # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
+    log debug "set ultimate owner trust on core key in gpg_sphere..."
     printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
     local ORIG_TRUST
+    log debug "check gpg_sphere owner trust set properly..."
     if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
 	if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
 	    failure "Monkeysphere authentication trust sphere should explicitly trust the core.  It does not have proper ownertrust settings."
@@ -88,7 +93,8 @@ EOF
     # ensure that we're using the extended trust model (1), and that
     # our preferences are reasonable (i.e. 3 marginal OR 1 fully
     # trusted certifications are sufficient to grant full validity.
+    log debug "check trust level of core key..."
     if [ "1:3:1" != $(gpg_sphere --with-colons --fixed-list-mode --list-keys | head -n1 | grep ^tru: cut -f3,6,7 -d:) ] ; then
-	failure "monkeysphere-preference does not have the expected trust model settings"
+	failure "monkeysphere-authentication does not have the expected trust model settings."
     fi
 }
-- 
cgit v1.2.3


From 10c741dac082844fbf9a2fbbfc4322f718c2abea Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Mon, 2 Feb 2009 11:34:26 -0500
Subject: add ability to specify key length of core secret key, so the test
 scripts can specify something smaller than the default.

---
 src/monkeysphere-authentication | 2 ++
 src/share/ma/setup              | 6 +++---
 tests/basic                     | 1 +
 3 files changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/share/ma')

diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index 2316183..4485bd4 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -138,6 +138,7 @@ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
 GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"}
 GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
+CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
 
 # export variables needed in su invocation
 export DATE
@@ -150,6 +151,7 @@ export REQUIRED_USER_KEY_CAPABILITY
 export GNUPGHOME_CORE
 export GNUPGHOME_SPHERE
 export GNUPGHOME
+export CORE_KEYLENGTH
 
 # get subcommand
 COMMAND="$1"
diff --git a/src/share/ma/setup b/src/share/ma/setup
index 90f748e..422cfd3 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -56,13 +56,13 @@ EOF
 	local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
 
 	# generate the key with ssh-keygen...
-	log debug "generating ssh key..."
-	ssh-keygen -q -b 1024 -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
+	log debug "generating ssh key ($CORE_KEYLENGTH bits)..."
+	ssh-keygen -q -b "$CORE_KEYLENGTH" -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
 	# and then translate to openpgp encoding and import
 	# FIXME: pem2openpgp currently sets the A flag and a short
 	# expiration date.  We should set the C flag and no expiration
 	# date.
-	log debug "converting ssh key to pgp key and importing into core..."
+	log debug "converting ssh key to openpgp key and importing into core..."
 	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
 	# get fingerprint of core key.  should definitely not be empty at this point
diff --git a/tests/basic b/tests/basic
index 4d2266e..5e233aa 100755
--- a/tests/basic
+++ b/tests/basic
@@ -132,6 +132,7 @@ export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src/share
 export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami)
 export MONKEYSPHERE_CHECK_KEYSERVER=false
 export MONKEYSPHERE_LOG_LEVEL=DEBUG
+export MONKEYSPHERE_CORE_KEYLENGTH=1024
 
 export SSHD_CONFIG="$TEMPDIR"/sshd_config
 export SOCKET="$TEMPDIR"/ssh-socket
-- 
cgit v1.2.3