X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=doc%2FMonkeySpec;h=66f44b05b8b08361392663b3e1e17cd5dbca6d27;hb=71d180394c3357d2a99e9f1fc6a2fa7514552da9;hp=3b565db1aec47a2ce2ba5c603bae6be7b980224b;hpb=4eba4e7e66fc7febb1e7255a649f6b6ad240d653;p=monkeysphere.git diff --git a/doc/MonkeySpec b/doc/MonkeySpec index 3b565db..66f44b0 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec @@ -1,59 +1,23 @@ THE MONKEYSPHERE ================ -AGENDA -====== -[x] clowning -[ ] work -[x] jrollins will talk and gesture - in progress - -MONKEYNAMES -=========== - -rhesus, marmoset, howler, langur, tamarin, barbary - -COMPONENTS -========== - -(names in "" are code names until we think of better ones.) - -common components ------------------ -* "rhesus": update known_hosts/authorized_keys files: - - be responsible for removing keys from the file as key revocation - happens - - be responsible for updating a key in the file where there is a key - replacement - - must result in a file that is parsable by the existing ssh client - without errors - - manual management must be allowed without stomping on it - - provide a simple, intelligible, clear policy for key acceptance - -* "langur": policy-editor for viewing/editing policies - -* gpg2ssh: utility to convert gpg keys to ssh - known_hosts/authorized_keys lines - -* ssh2gpg: create openpgp keypair from ssh keypair +Monkeysphere is authentication layer that allows the sysadmin to +perform authorization on OpenPGP user identities instead of on keys. +It also allows end users to authenticate/identify the ssh server they +are connecting to by checking the sysadmin's certification. -server-side components ----------------------- -* "howler": server gpg maintainer - - generates gpg keys for the server - - publishes server gpg keys - - used to specify userids to trust for user authentication +* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH +* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without + modifying the openpgp spec, gpg or openssh +* DESIGN GOALS - authentication, use the existing generic OpenSSH + client, the admin can make it default, although end-user should be + decide to use monkeysphere or not +* DESIGN GOAL - use of monkeysphere should not radically change + connecting-to-server experience -* "tamarin": script to trigger rhesus during attempt to initiate - connection from client +Host identity piece of monkeysphere could be used without buying into +the user authentication component. -client-side components ----------------------- -* "marmoset": script to trigger rhesus during attempt to initiate - connection to server - - runs on connection to a certain host - - triggers update to known_hosts file then makes connection - - proxy-command | pre-hook script | wrapper script - - (ssh_config "LocalCommand" is only run *after* connection) USE CASE ======== @@ -61,79 +25,57 @@ USE CASE Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob Backstory: http://www.conceptlabs.co.uk/alicebob.html -Bob wants to sign on to the computer "mangabey" via monkeysphere -framework. He doesn't yet have access to the machine, but he knows -Alice, who is the admin of magabey. Alice and Bob, being the -contientious netizens that they are, have already published their -personal gpg keys to the web of trust, and being good friends, have -both signed each other's keys and marked each others keys with "full" -trust. - -Alice uses howler to publish a gpg key for magabey with the special -"ssh://magabey" URI userid. Alice signs magabey's gpg key and -publishes her signature. Alice then creates a user "bob" on magabey, -and puts Bob's userid in the auth_user_ids file for user bob on -magabey. tamarin triggers on magabey, which triggers rhesus, which -takes all userids in bob's auth_user_ids file, look on a keyserver to -find the public keys for each user, converts the gpg public keys into -ssh public keys if the key validity is acceptable, and finally insert -those keys into an authorized_keys file for bob. - -Bob now adds the "ssh://magabey" userid to the auth_host_ids file in -his account on his localhost. Bob now goes to connect to bob@magabey. -Bob's ssh client, which is monkeysphere enabled, triggers marmoset, -which triggers rhesus on Bob's computer, which takes all server -userids in his auth_host_ids file, looks on a keyserver to find the -public key for each server (based on the server's URI), converts the -gpg public keys into ssh public keys if the key validity is -acceptable, and finally insert those keys into Bob's known_hosts file. - -On Bob's side, since mangabey's key had "full" validity (since it was -signed by Alice whom he fully trusts), Bob's ssh client deems magabey +Bob wants to sign on to the computer "mangabey.example.org" via +monkeysphere framework. He doesn't yet have access to the machine, +but he knows Alice, who is the admin of mangabey. Alice and Bob, +being the conscientious netizens that they are, have already published +their personal gpg keys to the web of trust, and being good friends, +have both signed each other's keys and marked each others keys with +"full" ownertrust. + +When Alice set up mangabey initially, she published an OpenPGP key for +the machine with the special userid of "ssh://mangabey.example.org". +She also signed mangabey's OpenPGP key and published this +certification to commonly-used keyservers. Alice also configured +mangabey to treat her own key with full ownertrust, so that it knows +how to identify connecting users. + +Now, Alice creates a user account "bob" on mangabey, and puts Bob's +userid ("Bob ") in the authorized_user_ids file for +user bob on mangabey. The monkeysphere automatically (via cron or +inotify hook) takes each userid in bob's authorized_user_ids file, and +looks on a keyserver to find all public keys associated with that user +ID, with the goal of populating the authorized_keys file for +bob@mangabey. + +In particular: for each key found, the server evaluates the calculated +validity of the specified user ID based on the ownertrust rules it has +configured ("trust alice's certifications fully", in this example). +For each key for which the user ID in question is fully-valid, it +extracts all DSA- or RSA-based primary or secondary keys marked with +the authentication usage flag, and converts these OpenPGP public keys +into ssh public keys. These keys are automatically placed into the +authorized_keys file for bob. + +Bob now attempts to connect, by firing up a terminal and invoking: +"ssh bob@mangabey.example.org". Bob's monkeysphere-enabled ssh client +notices that mangabey.example.org isn't already available in bob's +known_hosts file, and fetches the host key for mangabey from the +public keyservers, with the goal of populating Bob's local known_hosts +file. + +In particular: the monkeysphere queries its configured keyservers to +find all public keys with User ID ssh://mangabey.example.org. For +each public key found, it checks the relevant User ID's validity, +converts any authentication-capable OpenPGP public keys into ssh +public keys if the User ID validity is acceptable, and finally insert +those keys into Bob's known_hosts file. + +On Bob's side, since mangabey's key had "full" validity (it was signed +by Alice, whom he fully trusts), Bob's ssh client deems mangabey "known" and no further host key checking is required. -On magabey's side, since Bob's key has "full" validity (since it had -also been signed by Alice whom magabey fully trusts (since Alice told -him to)), Bob is authenticated to log into bob@magabey. - -NOTES -===== - -* Daniel and Elliot lie. -* We will use a distributed VCS, each developer will create their own - git repository and publish it publicly for others to pull from, mail - out -* public project page doesn't perhaps make sense yet -* approximate goal - using the web of trust to authenticate ppl for - SSH -* outline of various components of monkeysphere -* M: what does it mean to be in the monkeysphere? not necessarily a - great coder. -* J: interested in seeing project happen, not in actually doing it. - anybody can contribute as much as they want. -* J: if we put the structure in place to work on monkeysphere then we - don't have to do anything -* D: we are not creating -* understand gpg's keyring better, understanding tools better, - building scripts -* Some debian packages allow automated configuration of config files. - -* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH -* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without - modifying either openpgp and openssh -* DESIGN GOALS - authentication, use the existing generic OpenSSH - client, the admin can make it default, although end-user should be - decide to use monkeysphere or not -* DESIGN GOAL - use of monkeysphere should not radically change - connecting-to-server experience -* GOAL - pick a monkey-related name for each component - -Host identity piece of monkeysphere could be used without buying into -the authorization component. - -Monkeysphere is authentication layer that allows the sysadmin to -perform authorization on user identities instead of on keys, it -additionally allows the sysadmin also to authenticate the server to -the end-user. +On mangabey's side, since Bob's key has "full" validity (it had been +signed by Alice, mangabey's trusted administrator), Bob is +authenticated and therefore authorized to log into his account. -git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere