summaryrefslogtreecommitdiff
path: root/doc/MonkeySpec
blob: 7a19df0d163d90233416f87d2d7a42b60102a287 (plain) 
    

  1. THE MONKEYSPHERE
    2. 

  2. ================
    3. 

  3. 

  4. AGENDA
    5. 

  5. ======
    6. 

  6. [x] clowning
    7. 

  7. [ ] work
    8. 

  8. [x] jrollins will talk and gesture - in progress
    9. 

  9. 

  10. COMPONENTS
    11. 

  11. ==========
    12. 

  12. * client-side componants
    13. 

  13. ** "Marmoset": update known_hosts file with public key of server(s):
    14. 

  14. *** be responsible for removing keys from the file as key revocation happens 
    15. 

  15. *** be responsible for updating a key in the file where there is a key replacement 
    16. 

  16. *** must result in a file that is parsable by the existing ssh client without errors
    17. 

  17. *** manual management must be allowed without stomping on it
    18. 

  18. *** provide a simple, intelligible, clear policy for key acceptance
    19. 

  19. *** questions: should this query keyserver & update known host files? (we already 
    20. 

  20.     have awesome tool that queries keyservers and updates a web of trust (gpg) 
    21. 

  21. ** "Howler": simple script that could be placed as a trigger function (in your .ssh/config)
    22. 

  22. *** runs on connection to a certain host
    23. 

  23. *** triggers update to known_hosts file then makes connection
    24. 

  24. *** proxy-command | pre-hook script | wrapper script
    25. 

  25. ** "Langur": policy-editor for viewing/editing policies
    26. 

  26. 

  27. * server-side componants
    28. 

  28. ** "Rhesus" updates a per-user authorized_keys file, instead of updating a
    29. 

  29.    known_hosts file from a public key by matching a specified user-id (for given
    30. 

  30.    user: update authkeys file with public keys derived from authorized_uids
    31. 

  31.    file)
    32. 

  32. *** Needs to operate with the same principles that Marmoset client-side does 
    33. 

  33. ** "Tamarin" triggers Rhesus during an attempt to initiate a connection or a scheduler (or both)
    34. 

  34. ** "Barbary" - policy editor / viewer
    35. 

  35. 

  36. * common componants
    37. 

  37. ** Create a ssh keypair from a openpgp keypair
    38. 

  38. 

  39. from ssh_config(5):
    40. 

  40.      LocalCommand
    41. 

  41.              Specifies a command to execute on the local machine after suc‐
    42. 

  42.              cessfully connecting to the server.  The command string extends
    43. 

  43.              to the end of the line, and is executed with /bin/sh.  This
    44. 

  44.              directive is ignored unless PermitLocalCommand has been enabled.
    45. 

  45. 

  46. 

  47. NOTES
    48. 

  48. =====
    49. 

  49. * Daniel and Elliot lie. <check>
    50. 

  50. * We will use a distributed VCS, each developer will create their own git repository and publish it publically for others to pull from, mail out
    51. 

  51. * public project page doesn't perhaps make sense yet
    52. 

  52. * approximate goal - using the web of trust to authenticate ppl for SSH
    53. 

  53. * outline of various components of monkeysphere
    54. 

  54. * M: what does it mean to be in the monkeysphere?  not necessarily a great coder.
    55. 

  55. * J: interested in seeing project happen, not in actually doing it.  anybody can contribute as much as they want.
    56. 

  56. * J: if we put the structure in place to work on monkeysphere then we don't have to do anything
    57. 

  57. * D: we are not creating 
    58. 

  58. * understand gpg's keyring better, understanding tools better, building scripts
    59. 

  59. * Some debian packages allow automated configuration of config files.
    60. 

  60. 

  61. 

  62. * GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
    63. 

  63. * SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without modifying either openpgp and openssh
    64. 

  64. * DESIGN GOALS - authentication, use the existing generic OpenSSH client, the admin can make it default, although end-user should be decide to use monkeysphere or not
    65. 

  65. * DESIGN GOAL - use of monkeysphere should not radically change connecting-to-server experience
    66. 

  66. * GOAL - pick a monkey-related name for each component 
    67. 

  67. 

  68. Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
    69. 

  69. Backstory: http://www.conceptlabs.co.uk/alicebob.html
    70. 

  70. 

  71. * Use Case: Bob wants to sign on to the computer "mangabey" via monkeysphere
    72. 

  72.   framework. He doesn't have access to the machine, but he knows Alice, who is
    73. 

  73.   the admin of magabey. Alice creates a user bob and puts bob's userid in the
    74. 

  74.   auth_user_ids file for bob. Tamarin triggers which causes Rhesus to take all
    75. 

  75.   the things in the auth_userids file, takes those users, look son a keyserver
    76. 

  76.   finds the public keys for the users, converts the gpg public keys into ssh
    77. 

  77.   public keys and inserts those into a user_authorized_keys file. Bob goes to
    78. 

  78.   connect, bob's ssh client which is monkeysphere enbaled, howler is triggered
    79. 

  79.   which triggers marmoset which looks out into the web of trust and find an
    80. 

  80.   OpenPGP key that has a userid that matches the URI of magabey. Marmoset checks
    81. 

  81.   to see if this key for mangabey has been signed by any keys that you trust
    82. 

  82.   (based on your policy). Has this key been signed by somebody that you trust?
    83. 

  83.   If yes, connect, if no: abort or fail-through or whatever. Alice has signed 
    84. 

  84.   this uid, so Marmoset says "OK, this server has been verified" it then
    85. 

  85.   converts the gpg public key into a ssh public key and then adds this gpg key
    86. 

  86.   to the known_host file. ssh says, "you" are about to connect to magabey and
    87. 

  87.   you know this is magabey because alice says so and you trust alice". The gpg
    88. 

  88.   private key of bob has to be converted (somehow, via agent or something) into
    89. 

  89.   a ssh private_key. SSH connection happens.
    90. 

  90. 

  91. Host identity piece of monkeysphere could be used without buying into the 
    92. 

  92. authorization component.
    93. 

  93. 

  94. Monkeysphere is authentication layer that allows the sysadmin to perform 
    95. 

  95. authorization on user identities instead of on keys, it additionally allows the 
    96. 

  96. sysadmin also to authenticate the server to the end-user.
    97. 

  97. 

  98. git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere
    99. 

  99. 

  100. Fix gpgkey2ssh so that the entire key fingerprint will work, accept full fingerprint, or accept a pipe and do the conversion
    101. 

  101. Write manpage for gpgkey2ssh
    102. 

  102. gpg private key (start with passwordless) to PEM encoded private key: perl libraries, libopencdk / gnutls, gpgme 
    103. 

  103. setup remote git repo
    104. 

  104. think through / plan merging of known_hosts (& auth_keys?)
    105. 

  105. think about policies and their representation
    106.
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-12 19:10:12 +0000