summaryrefslogtreecommitdiff
path: root/doc/MonkeySpec
blob: 3b565db1aec47a2ce2ba5c603bae6be7b980224b (plain) 
    

  1. THE MONKEYSPHERE
    2. 

  2. ================
    3. 

  3. 

  4. AGENDA
    5. 

  5. ======
    6. 

  6. [x] clowning
    7. 

  7. [ ] work
    8. 

  8. [x] jrollins will talk and gesture - in progress
    9. 

  9. 

  10. MONKEYNAMES
    11. 

  11. ===========
    12. 

  12. 

  13. rhesus, marmoset, howler, langur, tamarin, barbary
    14. 

  14. 

  15. COMPONENTS
    16. 

  16. ==========
    17. 

  17. 

  18. (names in "" are code names until we think of better ones.)
    19. 

  19. 

  20. common components
    21. 

  21. -----------------
    22. 

  22. * "rhesus": update known_hosts/authorized_keys files:
    23. 

  23.   - be responsible for removing keys from the file as key revocation
    24. 

  24.     happens
    25. 

  25.   - be responsible for updating a key in the file where there is a key
    26. 

  26.     replacement
    27. 

  27.   - must result in a file that is parsable by the existing ssh client
    28. 

  28.     without errors
    29. 

  29.   - manual management must be allowed without stomping on it
    30. 

  30.   - provide a simple, intelligible, clear policy for key acceptance
    31. 

  31. 

  32. * "langur": policy-editor for viewing/editing policies
    33. 

  33. 

  34. * gpg2ssh: utility to convert gpg keys to ssh
    35. 

  35.   known_hosts/authorized_keys lines
    36. 

  36. 

  37. * ssh2gpg: create openpgp keypair from ssh keypair
    38. 

  38. 

  39. server-side components
    40. 

  40. ----------------------
    41. 

  41. * "howler": server gpg maintainer
    42. 

  42.   - generates gpg keys for the server
    43. 

  43.   - publishes server gpg keys
    44. 

  44.   - used to specify userids to trust for user authentication
    45. 

  45. 

  46. * "tamarin": script to trigger rhesus during attempt to initiate
    47. 

  47.   connection from client
    48. 

  48. 

  49. client-side components
    50. 

  50. ----------------------
    51. 

  51. * "marmoset": script to trigger rhesus during attempt to initiate
    52. 

  52.   connection to server
    53. 

  53.   - runs on connection to a certain host
    54. 

  54.   - triggers update to known_hosts file then makes connection
    55. 

  55.   - proxy-command | pre-hook script | wrapper script
    56. 

  56.   - (ssh_config "LocalCommand" is only run *after* connection)
    57. 

  57. 

  58. USE CASE
    59. 

  59. ========
    60. 

  60. 

  61. Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
    62. 

  62. Backstory: http://www.conceptlabs.co.uk/alicebob.html
    63. 

  63. 

  64. Bob wants to sign on to the computer "mangabey" via monkeysphere
    65. 

  65. framework.  He doesn't yet have access to the machine, but he knows
    66. 

  66. Alice, who is the admin of magabey.  Alice and Bob, being the
    67. 

  67. contientious netizens that they are, have already published their
    68. 

  68. personal gpg keys to the web of trust, and being good friends, have
    69. 

  69. both signed each other's keys and marked each others keys with "full"
    70. 

  70. trust.
    71. 

  71. 

  72. Alice uses howler to publish a gpg key for magabey with the special
    73. 

  73. "ssh://magabey" URI userid.  Alice signs magabey's gpg key and
    74. 

  74. publishes her signature.  Alice then creates a user "bob" on magabey,
    75. 

  75. and puts Bob's userid in the auth_user_ids file for user bob on
    76. 

  76. magabey.  tamarin triggers on magabey, which triggers rhesus, which
    77. 

  77. takes all userids in bob's auth_user_ids file, look on a keyserver to
    78. 

  78. find the public keys for each user, converts the gpg public keys into
    79. 

  79. ssh public keys if the key validity is acceptable, and finally insert
    80. 

  80. those keys into an authorized_keys file for bob.
    81. 

  81. 

  82. Bob now adds the "ssh://magabey" userid to the auth_host_ids file in
    83. 

  83. his account on his localhost.  Bob now goes to connect to bob@magabey.
    84. 

  84. Bob's ssh client, which is monkeysphere enabled, triggers marmoset,
    85. 

  85. which triggers rhesus on Bob's computer, which takes all server
    86. 

  86. userids in his auth_host_ids file, looks on a keyserver to find the
    87. 

  87. public key for each server (based on the server's URI), converts the
    88. 

  88. gpg public keys into ssh public keys if the key validity is
    89. 

  89. acceptable, and finally insert those keys into Bob's known_hosts file.
    90. 

  90. 

  91. On Bob's side, since mangabey's key had "full" validity (since it was
    92. 

  92. signed by Alice whom he fully trusts), Bob's ssh client deems magabey
    93. 

  93. "known" and no further host key checking is required.
    94. 

  94. 

  95. On magabey's side, since Bob's key has "full" validity (since it had
    96. 

  96. also been signed by Alice whom magabey fully trusts (since Alice told
    97. 

  97. him to)), Bob is authenticated to log into bob@magabey.
    98. 

  98. 

  99. NOTES
    100. 

  100. =====
    101. 

  101. 

  102. * Daniel and Elliot lie. <check>
    103. 

  103. * We will use a distributed VCS, each developer will create their own
    104. 

  104.   git repository and publish it publicly for others to pull from, mail
    105. 

  105.   out 
    106. 

  106. * public project page doesn't perhaps make sense yet
    107. 

  107. * approximate goal - using the web of trust to authenticate ppl for
    108. 

  108.   SSH 
    109. 

  109. * outline of various components of monkeysphere
    110. 

  110. * M: what does it mean to be in the monkeysphere?  not necessarily a
    111. 

  111.   great coder.
    112. 

  112. * J: interested in seeing project happen, not in actually doing it.
    113. 

  113.   anybody can contribute as much as they want. 
    114. 

  114. * J: if we put the structure in place to work on monkeysphere then we
    115. 

  115.   don't have to do anything 
    116. 

  116. * D: we are not creating 
    117. 

  117. * understand gpg's keyring better, understanding tools better,
    118. 

  118.   building scripts 
    119. 

  119. * Some debian packages allow automated configuration of config files.
    120. 

  120. 

  121. * GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
    122. 

  122. * SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without
    123. 

  123.   modifying either openpgp and openssh 
    124. 

  124. * DESIGN GOALS - authentication, use the existing generic OpenSSH
    125. 

  125.   client, the admin can make it default, although end-user should be
    126. 

  126.   decide to use monkeysphere or not 
    127. 

  127. * DESIGN GOAL - use of monkeysphere should not radically change
    128. 

  128.   connecting-to-server experience 
    129. 

  129. * GOAL - pick a monkey-related name for each component 
    130. 

  130. 

  131. Host identity piece of monkeysphere could be used without buying into
    132. 

  132. the authorization component.
    133. 

  133. 

  134. Monkeysphere is authentication layer that allows the sysadmin to
    135. 

  135. perform authorization on user identities instead of on keys, it
    136. 

  136. additionally allows the sysadmin also to authenticate the server to
    137. 

  137. the end-user.
    138. 

  138. 

  139. git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere
    140.
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-12 19:18:23 +0000