summaryrefslogtreecommitdiff
path: root/doc/MonkeySpec
blob: 45d6cf694ab64b5771cb29f8f6bd114875f66efc (plain) 
    

  1. THE MONKEYSPHERE
    2. 

  2. ================
    3. 

  3. 

  4. AGENDA
    5. 

  5. ======
    6. 

  6. [x] clowning
    7. 

  7. [ ] work
    8. 

  8. [x] jrollins will talk and gesture - in progress
    9. 

  9. 

  10. MONKEYNAMES
    11. 

  11. ===========
    12. 

  12. 

  13. rhesus, marmoset, howler, langur, tamarin, barbary
    14. 

  14. 

  15. COMPONENTS
    16. 

  16. ==========
    17. 

  17. 

  18. (names in "" are code names until we think of better ones.)
    19. 

  19. 

  20. common components
    21. 

  21. -----------------
    22. 

  22. * "rhesus": update known_hosts/authorized_keys files:
    23. 

  23.   - be responsible for removing keys from the file as key revocation
    24. 

  24.     happens
    25. 

  25.   - be responsible for updating a key in the file where there is a key
    26. 

  26.     replacement
    27. 

  27.   - must result in a file that is parsable by the existing ssh client
    28. 

  28.     without errors
    29. 

  29.   - manual management must be allowed without stomping on it
    30. 

  30.   - provide a simple, intelligible, clear policy for key acceptance
    31. 

  31. 

  32. * "langur": policy-editor for viewing/editing policies
    33. 

  33. 

  34. * gpg2ssh: utility to convert gpg keys to ssh
    35. 

  35.   known_hosts/authorized_keys lines
    36. 

  36. 

  37. * ssh2gpg: create openpgp keypair from ssh keypair
    38. 

  38. 

  39. server-side components
    40. 

  40. ----------------------
    41. 

  41. * "howler": service gpg key generator/publisher
    42. 

  42. 

  43. * "tamarin": script to trigger rhesus during attempt to initiate
    44. 

  44.   connection from client
    45. 

  45. 

  46. client-side components
    47. 

  47. ----------------------
    48. 

  48. * "marmoset": script to trigger rhesus during attempt to initiate
    49. 

  49.   connection to server
    50. 

  50.   - runs on connection to a certain host
    51. 

  51.   - triggers update to known_hosts file then makes connection
    52. 

  52.   - proxy-command | pre-hook script | wrapper script
    53. 

  53.   - (ssh_config "LocalCommand" is only run *after* connection)
    54. 

  54. 

  55. USE CASE
    56. 

  56. ========
    57. 

  57. 

  58. Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
    59. 

  59. Backstory: http://www.conceptlabs.co.uk/alicebob.html
    60. 

  60. 

  61. Bob wants to sign on to the computer "mangabey" via monkeysphere
    62. 

  62. framework.  He doesn't yet have access to the machine, but he knows
    63. 

  63. Alice, who is the admin of magabey.  Alice and Bob, being the
    64. 

  64. contientious netizens that they are, have already published their
    65. 

  65. personal gpg keys to the web of trust, and being good friends, have
    66. 

  66. both signed each other's keys and marked each others keys with "full"
    67. 

  67. trust.
    68. 

  68. 

  69. Alice uses howler to publish a gpg key for magabey with the special
    70. 

  70. "ssh://magabey" URI userid.  Alice signs magabey's gpg key and
    71. 

  71. publishes her signature.  Alice then creates a user "bob" on magabey,
    72. 

  72. and puts Bob's userid in the auth_user_ids file for user bob on
    73. 

  73. magabey.  tamarin triggers on magabey, which triggers rhesus, which
    74. 

  74. takes all userids in bob's auth_user_ids file, look on a keyserver to
    75. 

  75. find the public keys for each user, converts the gpg public keys into
    76. 

  76. ssh public keys if the key validity is acceptable, and finally insert
    77. 

  77. those keys into an authorized_keys file for bob.
    78. 

  78. 

  79. Bob now adds the "ssh://magabey" userid to the auth_host_ids file in
    80. 

  80. his account on his localhost.  Bob now goes to connect to bob@magabey.
    81. 

  81. Bob's ssh client, which is monkeysphere enabled, triggers marmoset,
    82. 

  82. which triggers rhesus on Bob's computer, which takes all server
    83. 

  83. userids in his auth_host_ids file, looks on a keyserver to find the
    84. 

  84. public key for each server (based on the server's URI), converts the
    85. 

  85. gpg public keys into ssh public keys if the key validity is
    86. 

  86. acceptable, and finally insert those keys into Bob's known_hosts file.
    87. 

  87. 

  88. On Bob's side, since mangabey's key had "full" validity (since it was
    89. 

  89. signed by Alice whom he fully trusts), Bob's ssh client deems magabey
    90. 

  90. "known" and no further host key checking is required.
    91. 

  91. 

  92. On magabey's side, since Bob's key has "full" validity (since it had
    93. 

  93. also been signed by Alice whom magabey fully trusts (since Alice told
    94. 

  94. him to)), Bob is authenticated to log into bob@magabey.
    95. 

  95. 

  96. NOTES
    97. 

  97. =====
    98. 

  98. 

  99. * Daniel and Elliot lie. <check>
    100. 

  100. * We will use a distributed VCS, each developer will create their own
    101. 

  101.   git repository and publish it publicly for others to pull from, mail
    102. 

  102.   out 
    103. 

  103. * public project page doesn't perhaps make sense yet
    104. 

  104. * approximate goal - using the web of trust to authenticate ppl for
    105. 

  105.   SSH 
    106. 

  106. * outline of various components of monkeysphere
    107. 

  107. * M: what does it mean to be in the monkeysphere?  not necessarily a
    108. 

  108.   great coder.
    109. 

  109. * J: interested in seeing project happen, not in actually doing it.
    110. 

  110.   anybody can contribute as much as they want. 
    111. 

  111. * J: if we put the structure in place to work on monkeysphere then we
    112. 

  112.   don't have to do anything 
    113. 

  113. * D: we are not creating 
    114. 

  114. * understand gpg's keyring better, understanding tools better,
    115. 

  115.   building scripts 
    116. 

  116. * Some debian packages allow automated configuration of config files.
    117. 

  117. 

  118. * GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
    119. 

  119. * SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without
    120. 

  120.   modifying either openpgp and openssh 
    121. 

  121. * DESIGN GOALS - authentication, use the existing generic OpenSSH
    122. 

  122.   client, the admin can make it default, although end-user should be
    123. 

  123.   decide to use monkeysphere or not 
    124. 

  124. * DESIGN GOAL - use of monkeysphere should not radically change
    125. 

  125.   connecting-to-server experience 
    126. 

  126. * GOAL - pick a monkey-related name for each component 
    127. 

  127. 

  128. Host identity piece of monkeysphere could be used without buying into
    129. 

  129. the authorization component.
    130. 

  130. 

  131. Monkeysphere is authentication layer that allows the sysadmin to
    132. 

  132. perform authorization on user identities instead of on keys, it
    133. 

  133. additionally allows the sysadmin also to authenticate the server to
    134. 

  134. the end-user.
    135. 

  135. 

  136. git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere
    137.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 09:41:30 +0000