THE MONKEYSPHERE
================
-AGENDA
-======
-[x] clowning
-[ ] work
-[x] jrollins will talk and gesture - in progress
-
-MONKEYNAMES
-===========
-
-rhesus, marmoset, howler, langur, tamarin, barbary
-
-COMPONENTS
-==========
-
-(names in "" are code names until we think of better ones.)
-
-common components
------------------
-* "rhesus": update known_hosts/authorized_keys files:
- - be responsible for removing keys from the file as key revocation
- happens
- - be responsible for updating a key in the file where there is a key
- replacement
- - must result in a file that is parsable by the existing ssh client
- without errors
- - manual management must be allowed without stomping on it
- - provide a simple, intelligible, clear policy for key acceptance
-
-* "langur": policy-editor for viewing/editing policies
-
-* gpg2ssh: utility to convert gpg keys to ssh
- known_hosts/authorized_keys lines
-
-* ssh2gpg: create openpgp keypair from ssh keypair
+Monkeysphere is authentication layer that allows the sysadmin to
+perform authorization on OpenPGP user identities instead of on keys.
+It also allows end users to authenticate/identify the ssh server they
+are connecting to by checking the sysadmin's certification.
-server-side components
-----------------------
-* "howler": server gpg maintainer
- - generates gpg keys for the server
- - publishes server gpg keys
- - used to specify userids to trust for user authentication
+* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
+* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without
+ modifying the openpgp spec, gpg or openssh
+* DESIGN GOALS - authentication, use the existing generic OpenSSH
+ client, the admin can make it default, although end-user should be
+ decide to use monkeysphere or not
+* DESIGN GOAL - use of monkeysphere should not radically change
+ connecting-to-server experience
-* "tamarin": script to trigger rhesus during attempt to initiate
- connection from client
+Host identity piece of monkeysphere could be used without buying into
+the user authentication component.
-client-side components
-----------------------
-* "marmoset": script to trigger rhesus during attempt to initiate
- connection to server
- - runs on connection to a certain host
- - triggers update to known_hosts file then makes connection
- - proxy-command | pre-hook script | wrapper script
- - (ssh_config "LocalCommand" is only run *after* connection)
USE CASE
========
Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
Backstory: http://www.conceptlabs.co.uk/alicebob.html
-Bob wants to sign on to the computer "mangabey" via monkeysphere
-framework. He doesn't yet have access to the machine, but he knows
-Alice, who is the admin of magabey. Alice and Bob, being the
-contientious netizens that they are, have already published their
-personal gpg keys to the web of trust, and being good friends, have
-both signed each other's keys and marked each others keys with "full"
-trust.
-
-Alice uses howler to publish a gpg key for magabey with the special
-"ssh://magabey" URI userid. Alice signs magabey's gpg key and
-publishes her signature. Alice then creates a user "bob" on magabey,
-and puts Bob's userid in the auth_user_ids file for user bob on
-magabey. tamarin triggers on magabey, which triggers rhesus, which
-takes all userids in bob's auth_user_ids file, look on a keyserver to
-find the public keys for each user, converts the gpg public keys into
-ssh public keys if the key validity is acceptable, and finally insert
-those keys into an authorized_keys file for bob.
-
-Bob now adds the "ssh://magabey" userid to the auth_host_ids file in
-his account on his localhost. Bob now goes to connect to bob@magabey.
-Bob's ssh client, which is monkeysphere enabled, triggers marmoset,
-which triggers rhesus on Bob's computer, which takes all server
-userids in his auth_host_ids file, looks on a keyserver to find the
-public key for each server (based on the server's URI), converts the
-gpg public keys into ssh public keys if the key validity is
-acceptable, and finally insert those keys into Bob's known_hosts file.
-
-On Bob's side, since mangabey's key had "full" validity (since it was
-signed by Alice whom he fully trusts), Bob's ssh client deems magabey
+Bob wants to sign on to the computer "mangabey.example.org" via
+monkeysphere framework. He doesn't yet have access to the machine,
+but he knows Alice, who is the admin of mangabey. Alice and Bob,
+being the conscientious netizens that they are, have already published
+their personal gpg keys to the web of trust, and being good friends,
+have both signed each other's keys and marked each others keys with
+"full" ownertrust.
+
+When Alice set up mangabey initially, she published an OpenPGP key for
+the machine with the special userid of "ssh://mangabey.example.org".
+She also signed mangabey's OpenPGP key and published this
+certification to commonly-used keyservers. Alice also configured
+mangabey to treat her own key with full ownertrust, so that it knows
+how to identify connecting users.
+
+Now, Alice creates a user account "bob" on mangabey, and puts Bob's
+userid ("Bob <bob@example.org>") in the authorized_user_ids file for
+user bob on mangabey. The monkeysphere automatically (via cron or
+inotify hook) takes each userid in bob's authorized_user_ids file, and
+looks on a keyserver to find all public keys associated with that user
+ID, with the goal of populating the authorized_keys file for
+bob@mangabey.
+
+In particular: for each key found, the server evaluates the calculated
+validity of the specified user ID based on the ownertrust rules it has
+configured ("trust alice's certifications fully", in this example).
+For each key for which the user ID in question is fully-valid, it
+extracts all DSA- or RSA-based primary or secondary keys marked with
+the authentication usage flag, and converts these OpenPGP public keys
+into ssh public keys. These keys are automatically placed into the
+authorized_keys file for bob.
+
+Bob now attempts to connect, by firing up a terminal and invoking:
+"ssh bob@mangabey.example.org". Bob's monkeysphere-enabled ssh client
+notices that mangabey.example.org isn't already available in bob's
+known_hosts file, and fetches the host key for mangabey from the
+public keyservers, with the goal of populating Bob's local known_hosts
+file.
+
+In particular: the monkeysphere queries its configured keyservers to
+find all public keys with User ID ssh://mangabey.example.org. For
+each public key found, it checks the relevant User ID's validity,
+converts any authentication-capable OpenPGP public keys into ssh
+public keys if the User ID validity is acceptable, and finally insert
+those keys into Bob's known_hosts file.
+
+On Bob's side, since mangabey's key had "full" validity (it was signed
+by Alice, whom he fully trusts), Bob's ssh client deems mangabey
"known" and no further host key checking is required.
-On magabey's side, since Bob's key has "full" validity (since it had
-also been signed by Alice whom magabey fully trusts (since Alice told
-him to)), Bob is authenticated to log into bob@magabey.
-
-NOTES
-=====
-
-* Daniel and Elliot lie. <check>
-* We will use a distributed VCS, each developer will create their own
- git repository and publish it publicly for others to pull from, mail
- out
-* public project page doesn't perhaps make sense yet
-* approximate goal - using the web of trust to authenticate ppl for
- SSH
-* outline of various components of monkeysphere
-* M: what does it mean to be in the monkeysphere? not necessarily a
- great coder.
-* J: interested in seeing project happen, not in actually doing it.
- anybody can contribute as much as they want.
-* J: if we put the structure in place to work on monkeysphere then we
- don't have to do anything
-* D: we are not creating
-* understand gpg's keyring better, understanding tools better,
- building scripts
-* Some debian packages allow automated configuration of config files.
-
-* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH
-* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without
- modifying either openpgp and openssh
-* DESIGN GOALS - authentication, use the existing generic OpenSSH
- client, the admin can make it default, although end-user should be
- decide to use monkeysphere or not
-* DESIGN GOAL - use of monkeysphere should not radically change
- connecting-to-server experience
-* GOAL - pick a monkey-related name for each component
-
-Host identity piece of monkeysphere could be used without buying into
-the authorization component.
-
-Monkeysphere is authentication layer that allows the sysadmin to
-perform authorization on user identities instead of on keys, it
-additionally allows the sysadmin also to authenticate the server to
-the end-user.
+On mangabey's side, since Bob's key has "full" validity (it had been
+signed by Alice, mangabey's trusted administrator), Bob is
+authenticated and therefore authorized to log into his account.
-git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere
projects / monkeysphere.git / blobdiff