X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=doc%2FMonkeySpec;h=66f44b05b8b08361392663b3e1e17cd5dbca6d27;hb=9fb7f481e3d09d3b3658cb78bd75c4910fff8c0a;hp=7a19df0d163d90233416f87d2d7a42b60102a287;hpb=186edf2e6dff7c966263d3638c56b41cc5d82fc2;p=monkeysphere.git diff --git a/doc/MonkeySpec b/doc/MonkeySpec index 7a19df0..66f44b0 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec 
@@ -1,105 +1,81 @@ THE MONKEYSPHERE ================ -AGENDA -====== -[x] clowning -[ ] work -[x] jrollins will talk and gesture - in progress +Monkeysphere is authentication layer that allows the sysadmin to +perform authorization on OpenPGP user identities instead of on keys. +It also allows end users to authenticate/identify the ssh server they +are connecting to by checking the sysadmin's certification. -COMPONENTS -========== -* client-side componants -** "Marmoset": update known_hosts file with public key of server(s): -*** be responsible for removing keys from the file as key revocation happens -*** be responsible for updating a key in the file where there is a key replacement -*** must result in a file that is parsable by the existing ssh client without errors -*** manual management must be allowed without stomping on it -*** provide a simple, intelligible, clear policy for key acceptance -*** questions: should this query keyserver & update known host files? (we already - have awesome tool that queries keyservers and updates a web of trust (gpg) -** "Howler": simple script that could be placed as a trigger function (in your .ssh/config) -*** runs on connection to a certain host -*** triggers update to known_hosts file then makes connection -*** proxy-command | pre-hook script | wrapper script -** "Langur": policy-editor for viewing/editing policies +* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH +* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without + modifying the openpgp spec, gpg or openssh +* DESIGN GOALS - authentication, use the existing generic OpenSSH + client, the admin can make it default, although end-user should be + decide to use monkeysphere or not +* DESIGN GOAL - use of monkeysphere should not radically change + connecting-to-server experience -* server-side componants -** "Rhesus" updates a per-user authorized_keys file, instead of updating a - known_hosts file from a public key by matching a specified 
user-id (for given - user: update authkeys file with public keys derived from authorized_uids - file) -*** Needs to operate with the same principles that Marmoset client-side does -** "Tamarin" triggers Rhesus during an attempt to initiate a connection or a scheduler (or both) -** "Barbary" - policy editor / viewer +Host identity piece of monkeysphere could be used without buying into +the user authentication component. -* common componants -** Create a ssh keypair from a openpgp keypair -from ssh_config(5): - LocalCommand - Specifies a command to execute on the local machine after suc‐ - cessfully connecting to the server. The command string extends - to the end of the line, and is executed with /bin/sh. This - directive is ignored unless PermitLocalCommand has been enabled. +USE CASE +======== +Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob +Backstory: http://www.conceptlabs.co.uk/alicebob.html -NOTES -===== -* Daniel and Elliot lie. -* We will use a distributed VCS, each developer will create their own git repository and publish it publically for others to pull from, mail out -* public project page doesn't perhaps make sense yet -* approximate goal - using the web of trust to authenticate ppl for SSH -* outline of various components of monkeysphere -* M: what does it mean to be in the monkeysphere? not necessarily a great coder. -* J: interested in seeing project happen, not in actually doing it. anybody can contribute as much as they want. -* J: if we put the structure in place to work on monkeysphere then we don't have to do anything -* D: we are not creating -* understand gpg's keyring better, understanding tools better, building scripts -* Some debian packages allow automated configuration of config files. +Bob wants to sign on to the computer "mangabey.example.org" via +monkeysphere framework. He doesn't yet have access to the machine, +but he knows Alice, who is the admin of mangabey. 
Alice and Bob, +being the conscientious netizens that they are, have already published +their personal gpg keys to the web of trust, and being good friends, +have both signed each other's keys and marked each others keys with +"full" ownertrust. +When Alice set up mangabey initially, she published an OpenPGP key for +the machine with the special userid of "ssh://mangabey.example.org". +She also signed mangabey's OpenPGP key and published this +certification to commonly-used keyservers. Alice also configured +mangabey to treat her own key with full ownertrust, so that it knows +how to identify connecting users. -* GENERAL GOAL - use openpgp web-of-trust to authenticate ppl for SSH -* SPECIFIC GOAL - allow openssh to tie into pgp web-of-trust without modifying either openpgp and openssh -* DESIGN GOALS - authentication, use the existing generic OpenSSH client, the admin can make it default, although end-user should be decide to use monkeysphere or not -* DESIGN GOAL - use of monkeysphere should not radically change connecting-to-server experience -* GOAL - pick a monkey-related name for each component +Now, Alice creates a user account "bob" on mangabey, and puts Bob's +userid ("Bob ") in the authorized_user_ids file for +user bob on mangabey. The monkeysphere automatically (via cron or +inotify hook) takes each userid in bob's authorized_user_ids file, and +looks on a keyserver to find all public keys associated with that user +ID, with the goal of populating the authorized_keys file for +bob@mangabey. -Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob -Backstory: http://www.conceptlabs.co.uk/alicebob.html +In particular: for each key found, the server evaluates the calculated +validity of the specified user ID based on the ownertrust rules it has +configured ("trust alice's certifications fully", in this example). 
+For each key for which the user ID in question is fully-valid, it +extracts all DSA- or RSA-based primary or secondary keys marked with +the authentication usage flag, and converts these OpenPGP public keys +into ssh public keys. These keys are automatically placed into the +authorized_keys file for bob. -* Use Case: Bob wants to sign on to the computer "mangabey" via monkeysphere - framework. He doesn't have access to the machine, but he knows Alice, who is - the admin of magabey. Alice creates a user bob and puts bob's userid in the - auth_user_ids file for bob. Tamarin triggers which causes Rhesus to take all - the things in the auth_userids file, takes those users, look son a keyserver - finds the public keys for the users, converts the gpg public keys into ssh - public keys and inserts those into a user_authorized_keys file. Bob goes to - connect, bob's ssh client which is monkeysphere enbaled, howler is triggered - which triggers marmoset which looks out into the web of trust and find an - OpenPGP key that has a userid that matches the URI of magabey. Marmoset checks - to see if this key for mangabey has been signed by any keys that you trust - (based on your policy). Has this key been signed by somebody that you trust? - If yes, connect, if no: abort or fail-through or whatever. Alice has signed - this uid, so Marmoset says "OK, this server has been verified" it then - converts the gpg public key into a ssh public key and then adds this gpg key - to the known_host file. ssh says, "you" are about to connect to magabey and - you know this is magabey because alice says so and you trust alice". The gpg - private key of bob has to be converted (somehow, via agent or something) into - a ssh private_key. SSH connection happens. +Bob now attempts to connect, by firing up a terminal and invoking: +"ssh bob@mangabey.example.org". 
Bob's monkeysphere-enabled ssh client +notices that mangabey.example.org isn't already available in bob's +known_hosts file, and fetches the host key for mangabey from the +public keyservers, with the goal of populating Bob's local known_hosts +file. -Host identity piece of monkeysphere could be used without buying into the -authorization component. +In particular: the monkeysphere queries its configured keyservers to +find all public keys with User ID ssh://mangabey.example.org. For +each public key found, it checks the relevant User ID's validity, +converts any authentication-capable OpenPGP public keys into ssh +public keys if the User ID validity is acceptable, and finally insert +those keys into Bob's known_hosts file. -Monkeysphere is authentication layer that allows the sysadmin to perform -authorization on user identities instead of on keys, it additionally allows the -sysadmin also to authenticate the server to the end-user. +On Bob's side, since mangabey's key had "full" validity (it was signed +by Alice, whom he fully trusts), Bob's ssh client deems mangabey +"known" and no further host key checking is required. -git clone http://git.mlcastle.net/monkeysphere.git/ monkeysphere +On mangabey's side, since Bob's key has "full" validity (it had been +signed by Alice, mangabey's trusted administrator), Bob is +authenticated and therefore authorized to log into his account. -Fix gpgkey2ssh so that the entire key fingerprint will work, accept full fingerprint, or accept a pipe and do the conversion -Write manpage for gpgkey2ssh -gpg private key (start with passwordless) to PEM encoded private key: perl libraries, libopencdk / gnutls, gpgme -setup remote git repo -think through / plan merging of known_hosts (& auth_keys?) -think about policies and their representation \ No newline at end of file
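Review bot: the rewritten host-identity paragraphs ("Bob's monkeysphere-enabled ssh client notices that mangabey.example.org isn't already available in bob's known_hosts file" and the following "In particular: the monkeysphere queries its configured keyservers ...") only describe the first-contact case and silently drop two requirements the deleted Marmoset section listed: removing a host key from known_hosts when its OpenPGP key is revoked (and replacing it on key replacement), and not stomping on entries the user added by hand. Please state what happens on a later connection when the host key is already cached but has since been revoked or its certification has changed. The server side has the same gap: "looks on a keyserver to find all public keys associated with that user ID, with the goal of populating the authorized_keys file" only ever adds keys, and the old TODO "think through / plan merging of known_hosts (& auth_keys?)" was deleted rather than resolved. Also, "converts any authentication-capable OpenPGP public keys into ssh public keys if the User ID validity is acceptable" should name the threshold; the later "since mangabey's key had "full" validity" implies full validity is required, so say so explicitly and say whether marginal validity is rejected, since that is the security boundary on both sides. Minor: "Monkeysphere is authentication layer" needs "an", and "finally insert those keys" should read "inserts".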