[ ] work
[x] jrollins will talk and gesture - in progress
+MONKEYNAMES
+===========
+
+rhesus, marmoset, howler, langur, tamarin, barbary
+
COMPONENTS
==========
-* client-side componants
-** "Marmoset": update known_hosts file with public key of server(s):
-*** be responsible for removing keys from the file as key revocation happens
-*** be responsible for updating a key in the file where there is a key replacement
-*** must result in a file that is parsable by the existing ssh client without errors
-*** manual management must be allowed without stomping on it
-*** provide a simple, intelligible, clear policy for key acceptance
-*** questions: should this query keyserver & update known host files? (we already
- have awesome tool that queries keyservers and updates a web of trust (gpg)
-** "Howler": simple script that could be placed as a trigger function (in your .ssh/config)
-*** runs on connection to a certain host
-*** triggers update to known_hosts file then makes connection
-*** proxy-command | pre-hook script | wrapper script
-** "Langur": policy-editor for viewing/editing policies
-
-* server-side componants
-** "Rhesus" updates a per-user authorized_keys file, instead of updating a
- known_hosts file from a public key by matching a specified user-id (for given
- user: update authkeys file with public keys derived from authorized_uids
- file)
-*** Needs to operate with the same principles that Marmoset client-side does
-** "Tamarin" triggers Rhesus during an attempt to initiate a connection or a scheduler (or both)
-** "Barbary" - policy editor / viewer
-
-* common componants
-** Create a ssh keypair from a openpgp keypair
-
-from ssh_config(5):
- LocalCommand
- Specifies a command to execute on the local machine after suc‐
- cessfully connecting to the server. The command string extends
- to the end of the line, and is executed with /bin/sh. This
- directive is ignored unless PermitLocalCommand has been enabled.
+(names in "" are code names until we think of better ones.)
+
+common components
+-----------------
+* "rhesus": update known_hosts/authorized_keys files:
+ - be responsible for removing keys from the file as key revocation
+ happens
+ - be responsible for updating a key in the file where there is a key
+ replacement
+ - must result in a file that is parsable by the existing ssh client
+ without errors
+ - manual management must be allowed without stomping on it
+ - provide a simple, intelligible, clear policy for key acceptance
+
+* "langur": policy-editor for viewing/editing policies
+
+* gpg2ssh: utility to convert gpg keys to ssh
+ known_hosts/authorized_keys lines
+
+* ssh2gpg: create openpgp keypair from ssh keypair
+
+server-side components
+----------------------
+* "howler": server gpg maintainer
+ - generate gpg keys for the server
+ - publish server gpg keys
+ - give owner trust to keys for user authentication
+
+* "tamarin": concept - how to trigger or schedule rhesus at admin defined
+ points (e.g. via cron or during ssh connections).
+
+client-side components
+----------------------
+* "marmoset": concept - how to trigger rhesus during attempt to initiate
+ connection to server
+ - runs on connection to a certain host
+ - triggers update to known_hosts file then makes connection
+ - proxy-command | pre-hook script | wrapper script
+ - (ssh_config "LocalCommand" is only run *after* connection)
+
+USE CASE
+========
+
+Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
+Backstory: http://www.conceptlabs.co.uk/alicebob.html
+
+Bob wants to sign on to the computer "mangabey.example.org" via
+monkeysphere framework. He doesn't yet have access to the machine,
+but he knows Alice, who is the admin of mangabey. Alice and Bob,
+being the conscientious netizens that they are, have already published
+their personal gpg keys to the web of trust, and being good friends,
+have both signed each other's keys and marked each others keys with
+"full" ownertrust.
+
+When Alice set up mangabey initially, she used howler to publish a gpg
+key for the machine with the special userid of
+"ssh://mangabey.example.org". She also signed mangabey's gpg key and
+published this certification to commonly-used keyservers. Alice also
+configured mangabey to treat her own key with full ownertrust (could
+this be done as part of the howler invocation?)
+
+Now, Alice creates a user account "bob" on mangabey, and puts Bob's
+userid ("Bob <bob@example.org>") in the authorized_user_ids file for
+user bob on mangabey. tamarin triggers on mangabey either by a
+cronjob or an inotify hook, and invokes rhesus for the "bob" account.
+rhesus automatically takes each userid in bob's authorized_user_ids
+file, and looks on a keyserver to find all public keys associated with
+that user ID, with the goal of populating the authorized_keys file for
+bob@mangabey.
+
+In particular: for each key found, the server evaluates the calculated
+validity of the specified user ID based on the ownertrust rules it has
+configured ("trust alice's certifications fully", in this example).
+For each key for which the user ID in question is fully-valid, it
+extracts all DSA- or RSA-based primary or secondary keys marked with
+usage flags for encrypted communications and authentication, and
+converts these gpg public keys into ssh public keys. Finally, rhesus
+inserts these calculated public keys into the authorized_keys file for
+bob.
+
+Bob now attempts to connect, by firing up a terminal and invoking:
+"ssh bob@mangabey.example.org". Bob's monkeysphere-enabled ssh client
+notices that mangabey.example.org isn't already available in bob's
+known_hosts file, and triggers rhesus (on Bob's computer) to fetch the
+key for mangabey, with the goal of populating Bob's local known_hosts
+file.
+
+In particular: rhesus queries its configured keyservers to find all
+public keys with User ID ssh://mangabey.example.org. For each public
+key found, rhesus checks the relevant User ID's validity, converts any
+"encrypted comms, authentication" gpg public keys into ssh public keys
+if the User ID validity is acceptable, and finally insert those keys
+into Bob's known_hosts file.
+
+On Bob's side, since mangabey's key had "full" validity (it was signed
+by Alice whom he fully trusts), Bob's ssh client deems mangabey
+"known" and no further host key checking is required.
+
+On mangabey's side, since Bob's key has "full" validity (it had been
+signed by Alice, mangabey's trusted administrator), Bob is
+authenticated and therefore authorized to log into his account.
NOTES
=====
+
* Daniel and Elliot lie. <check>
-* We will use a distributed VCS, each developer will create their own git repository and publish it publically for others to pull from, mail out
+* We will use a distributed VCS, each developer will create their own
+ git repository and publish it publicly for others to pull from, mail
+ out
* public project page doesn't perhaps make sense yet
-* approximate goal - using the web of trust to authenticate ppl for SSH
+* approximate goal - using the web of trust to authenticate ppl for
+ SSH
* outline of various components of monkeysphere
-* M: what does it mean to be in the monkeysphere? not necessarily a great coder.
-* J: interested in seeing project happen, not in actually doing it. anybody can contribute as much as they want.
-* J: if we put the structure in place to work on monkeysphere then we don't have to do anything
+* M: what does it mean to be in the monkeysphere? not necessarily a
+ great coder.
+* J: interested in seeing project happen, not in actually doing it.
+ anybody can contribute as much as they want.
+* J: if we put the structure in place to work on monkeysphere then we
+ don't have to do anything
* D: we are not creating
-* understand gpg's keyring better, understanding tools better, building scripts
+* understand gpg's keyring better, understanding tools better,
+ building scripts
* Some debian packages allow automated configuration of config files.
-
* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
-* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without modifying either openpgp and openssh
-* DESIGN GOALS - authentication, use the existing generic OpenSSH client, the admin can make it default, although end-user should be decide to use monkeysphere or not
-* DESIGN GOAL - use of monkeysphere should not radically change connecting-to-server experience
+* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without
+ modifying either openpgp and openssh
+* DESIGN GOALS - authentication, use the existing generic OpenSSH
+ client, the admin can make it default, although end-user should be
+ decide to use monkeysphere or not
+* DESIGN GOAL - use of monkeysphere should not radically change
+ connecting-to-server experience
* GOAL - pick a monkey-related name for each component
-Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
-Backstory: http://www.conceptlabs.co.uk/alicebob.html
+Host identity piece of monkeysphere could be used without buying into
+the authorization component.
+
+Monkeysphere is authentication layer that allows the sysadmin to
+perform authorization on user identities instead of on keys, it
+additionally allows the sysadmin also to authenticate the server to
+the end-user.
-* Use Case: Bob wants to sign on to the computer "mangabey" via monkeysphere
- framework. He doesn't have access to the machine, but he knows Alice, who is
- the admin of magabey. Alice creates a user bob and puts bob's userid in the
- auth_user_ids file for bob. Tamarin triggers which causes Rhesus to take all
- the things in the auth_userids file, takes those users, look son a keyserver
- finds the public keys for the users, converts the gpg public keys into ssh
- public keys and inserts those into a user_authorized_keys file. Bob goes to
- connect, bob's ssh client which is monkeysphere enbaled, howler is triggered
- which triggers marmoset which looks out into the web of trust and find an
- OpenPGP key that has a userid that matches the URI of magabey. Marmoset checks
- to see if this key for mangabey has been signed by any keys that you trust
- (based on your policy). Has this key been signed by somebody that you trust?
- If yes, connect, if no: abort or fail-through or whatever. Alice has signed
- this uid, so Marmoset says "OK, this server has been verified" it then
- converts the gpg public key into a ssh public key and then adds this gpg key
- to the known_host file. ssh says, "you" are about to connect to magabey and
- you know this is magabey because alice says so and you trust alice". The gpg
- private key of bob has to be converted (somehow, via agent or something) into
- a ssh private_key. SSH connection happens.
-
-Host identity piece of monkeysphere could be used without buying into the
-authorization component.
-
-Monkeysphere is authentication layer that allows the sysadmin to perform
-authorization on user identities instead of on keys, it additionally allows the
-sysadmin also to authenticate the server to the end-user.
-
-git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere
-
-Fix gpgkey2ssh so that the entire key fingerprint will work, accept full fingerprint, or accept a pipe and do the conversion
-Write manpage for gpgkey2ssh
-gpg private key (start with passwordless) to PEM encoded private key: perl libraries, libopencdk / gnutls, gpgme
-setup remote git repo
-think through / plan merging of known_hosts (& auth_keys?)
-think about policies and their representation
\ No newline at end of file
+see doc/git-init for more detail on how to pull from the distributed
+repositories.
projects / monkeysphere.git / blobdiff