authenticate and encrypt ssh connections.
It is free software, developed by:
- Jameson Graef Rollins <jrollins@finestructure.net>
+ Jameson Rollins <jrollins@finestructure.net>
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Jamie McClelland <jamie@mayfirst.org>
Micah Anderson <micah@riseup.net>
# Makefile for monkeysphere
-# (c) 2008-2009 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# © 2008-2010 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Licensed under GPL v3 or later
-MONKEYSPHERE_VERSION = `head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+MONKEYSPHERE_VERSION = `head -n1 changelog | sed 's/.*(\([^-]*\)).*/\1/'`
# these defaults are for debian. porters should probably adjust them
# before calling make install
rm -rf monkeysphere-$(MONKEYSPHERE_VERSION)
mkdir -p monkeysphere-$(MONKEYSPHERE_VERSION)/doc
ln -s ../../website/getting-started-user.mdwn ../../website/getting-started-admin.mdwn ../../doc/TODO ../../doc/MonkeySpec monkeysphere-$(MONKEYSPHERE_VERSION)/doc
- ln -s ../COPYING ../etc ../Makefile ../man ../src ../tests monkeysphere-$(MONKEYSPHERE_VERSION)
+ ln -s ../changelog ../COPYING ../etc ../Makefile ../man ../src ../tests monkeysphere-$(MONKEYSPHERE_VERSION)
echo Monkeysphere $(MONKEYSPHERE_VERSION) > monkeysphere-$(MONKEYSPHERE_VERSION)/VERSION
echo -n "git revision " >> monkeysphere-$(MONKEYSPHERE_VERSION)/VERSION
git rev-parse HEAD >> monkeysphere-$(MONKEYSPHERE_VERSION)/VERSION
install -m 0644 src/share/mh/* $(DESTDIR)$(PREFIX)/share/monkeysphere/mh
install -m 0644 src/share/ma/* $(DESTDIR)$(PREFIX)/share/monkeysphere/ma
install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ install changelog $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
install -m 0644 etc/monkeysphere.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere.conf$(ETCSUFFIX)
install -m 0644 etc/monkeysphere-host.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-host.conf$(ETCSUFFIX)
install -m 0644 etc/monkeysphere-authentication.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-authentication.conf$(ETCSUFFIX)
releasenote:
./utils/build-releasenote
-test:
- MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/keytrans
+test: test-keytrans test-basic
+
+test-basic:
MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/basic
+test-keytrans:
+ MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/keytrans
+
.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test
+++ /dev/null
-packaging/debian/changelog
\ No newline at end of file
--- /dev/null
+monkeysphere (0.28.1) unstable; urgency=low
+
+ * Fix man page typo about monkeysphere authorized_keys location
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Thu, 04 Feb 2010 11:57:45 -0500
+
+monkeysphere (0.28) unstable; urgency=low
+
+ * Major rework of monkeysphere-host to handle multiple host keys. We
+ also no longer assume ssh service keys. monkeysphere-host is now a
+ general-purpose host service OpenPGP key management UI.
+ * Rename keys-from-userid command to more accurate keys-for-userid
+ * separate upstream and debian changelogs
+
+ -- Jameson Rollins <jrollins@finestructure.net> Tue, 19 Jan 2010 13:50:31 -0500
+
+monkeysphere (0.27) unstable; urgency=low
+
+ * fixed monkeysphere gen-subkey subcommand that was erroneously creating
+ DSA subkeys due to unannounced change in gpg edit-key UI. Now tests
+ for gpg version (closes MS #1536)
+ * add new monkeysphere keys-from-userid subcommand to output all
+ acceptable keys for a given user ID literal
+
+ -- Jameson Rollins <jrollins@finestructure.net> Mon, 11 Jan 2010 20:54:21 -0500
+
+monkeysphere (0.26) unstable; urgency=low
+
+ * add 'refresh-keys' subcommand to monkeysphere-authentication
+ * improve marginal UI (closes MS #1141)
+ * add MONKEYSPHERE_STRICT_MODES configuration to avoid
+ permission-checking (closes MS #649)
+ * test scripts use STRICT_MODES to avoid failure when built under /tmp
+ * do permissions checks with a perl script instead of non-portable
+ readlink GNUisms
+ * bail on permissions check if we hit the home directory (helpful on Mac
+ OS and other systems with loose /home or /Users (closes MS #675)
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 01 Aug 2009 17:11:05 -0400
+
+monkeysphere (0.25) unstable; urgency=low
+
+ * New upstream release:
+ * update/fix the marginal ui output
+ * use msmktempdir everywhere (avoid unwrapped calls to mktemp for
+ portability)
+ * clean out some redundant "cat"s
+ * fix monkeysphere update-known_hosts for sshd running on non-standard
+ ports
+ * add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key
+ * pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1
+ (changes dependency to libdigest-sha-perl)
+ * some portability improvements
+ * properly handle translation of keys with fingerprints with leading
+ all-zero bytes.
+ * resolve symlinks when checking paths (thanks Silvio Rhatto)
+ (closes MS #917)
+ * explicitly set and use MONKEYSPHERE_GROUP from system "groups"
+ * monkeysphere-host now uses keytrans to add and revoke hostname
+ (closes MS #422)
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Thu, 16 Jul 2009 22:09:19 -0400
+
+monkeysphere (0.24) unstable; urgency=low
+
+ * fixed how version information is stored/retrieved
+ * now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
+ * no longer needs base64 in PATH
+ * added "test" make target
+ * improved transitions/0.23 script so it no longer fails in common
+ circumstances (Closes: #517779)
+ * RSA only: no longer handles DSA keys
+ * added ability to specify subkeys to add to ssh agent with new
+ MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Tue, 03 Mar 2009 19:38:33 -0500
+
+monkeysphere (0.23) unstable; urgency=low
+
+ "The Golden Bezoar Release"
+
+ * rearchitect UI:
+ - replace monkeysphere-server with monkeysphere-{authentication,host}
+ - fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
+ * new ability to import existing ssh host key into monkeysphere. So now
+ m-a import-key replaces m-s gen-key.
+ * provide pem2openpgp for translating unencrypted PEM-encoded raw key
+ material into OpenPGP keys (introduces new perl dependencies)
+ * get rid of getopts dependency
+ * added version output option
+ * better checks for the existence of a host private key for
+ monkeysphere-host subcommands that need it.
+ * better checks on validity of existing authentication subkeys when
+ doing monkeysphere gen_subkey.
+ * add transition infrastructure for major changes between releases (see
+ transitions/README.txt)
+ * implement and document two new monkeysphere-host subcommands:
+ revoke-key and add-revoker
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2009 17:51:06 -0500
+
+monkeysphere (0.22) unstable; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * added info log output when a new key is added to known_hosts file.
+ * added some useful output to the ssh-proxycommand for "marginal" cases
+ where keys are found for host but do not have full validity.
+ * force ssh-keygen to read from stdin to get ssh key fingerprint.
+
+ [ Daniel Kahn Gillmor ]
+ * automatically output two copies of the host's public key: one standard
+ ssh public key file, and the other a minimal OpenPGP key with just the
+ latest valid self-sig.
+ * debian/control: corrected alternate dependency from procfile to
+ procmail (which provides /usr/bin/lockfile)
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Fri, 28 Nov 2008 14:23:31 -0500
+
+monkeysphere (0.21) unstable; urgency=low
+
+ * move debian packaging to packaging subdirectory.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 16:14:27 -0500
+
+monkeysphere (0.20) unstable; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * ensure that tempdirs are properly created, bail out otherwise instead
+ of stumbling ahead.
+ * minor fussing with the test script to make it cleaner.
+
+ [ Jameson Graef Rollins ]
+ * clean up Makefile to generate more elegant source tarballs.
+ * make myself the maintainer.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 13:12:57 -0500
+
+monkeysphere (0.19) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * simulating an X11 session in the test script.
+ * updated packaging so that symlinks to config files are correct.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 02:47:49 -0400
+
+monkeysphere (0.18) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix bugs in authorized_{user_ids,keys} file permission checking.
+ * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
+ files.
+ * chown authorized_keys files to `whoami`, for compatibility with test
+ suite.
+ * major improvements to test suite, added more tests.
+
+ [ Daniel Kahn Gillmor ]
+ * update make install to ensure placement of
+ /etc/monkeysphere/gnupg-{host,authentication}.conf
+ * choose either --quick-random or --debug-quick-random depending on
+ which gpg supports for the test suite.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 00:41:38 -0400
+
+monkeysphere (0.17) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix some bugs in, and cleanup, authorized_keys file creation in
+ monkeysphere-server update-users.
+ * Move to using the empty string for not adding a user-controlled
+ authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Oct 2008 02:04:22 -0400
+
+monkeysphere (0.16) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better
+ portability.
+ * fixed busted lockfile arrangement, where empty file was being locked
+ * portability fixes in the way we use date, mktemp, hostname, su
+ * stop using /usr/bin/stat, since the syntax appears to be totally
+ unportable
+ * require GNU getopt, and test for getopt failures (look for getopt in
+ /usr/local/bin first, since that's where FreeBSD's GNU-compatible
+ getopt lives.
+ * monkeysphere-server diagnostics now counts problems and suggests a
+ re-run after they have been resolved.
+ * completed basic test suite: this can be run from the git sources or
+ the tarball with: cd tests && ./basic
+
+ [ Jameson Graef Rollins ]
+ * Genericize fs location variables.
+ * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
+ install.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 26 Oct 2008 03:06:18 -0400
+
+monkeysphere (0.15) experimental; urgency=low
+
+ * porting work and packaging simplification: clarifying makefiles,
+ pruning dependencies, etc.
+ * added tests to monkeysphere-server diagnostics
+ * moved monkeysphere(5) to section 7 of the manual
+ * now shipping TODO in /usr/share/doc/monkeysphere
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
+
+monkeysphere (0.14) experimental; urgency=low
+
+ * changing debian packaging back to format 1.0 so we get automatic
+ tarballs, and easier inclusion in other build networks.
+ * no other source changes.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 13:03:35 -0400
+
+monkeysphere (0.13) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * tweaks in /usr/bin/monkeysphere to handle odd secret keyrings.
+ * updated makefile to reflect the package building technique we've been
+ using for a month now.
+
+ [ Jameson Graef Rollins ]
+ * move location of user config directory to ~/.monkeysphere.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Sep 2008 17:26:10 -0400
+
+monkeysphere (0.12) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Improved output handling. New LOG_LEVEL variable.
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: switched Homepage: and Vcs-Git: to canonicalized
+ upstream hostnames.
+ * updated documentation for new release.
+ * changed my associated e-mail address for this package.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Sep 2008 18:54:29 -0400
+
+monkeysphere (0.11) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * fix bug in trustdb update on add/revoke-hostname.
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: added Build-Depends: git-core for the new packaging
+ format
+ * new subcommand: monkeysphere subkey-to-ssh-agent (relies on a patched
+ GnuTLS to deal with GPG's gnu-dummy S2K extension, but fails cleanly
+ if not found).
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Wed, 20 Aug 2008 11:24:35 -0400
+
+monkeysphere (0.10) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * brown paper bag release: invert test on calculated validity of keys.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 16:22:34 -0400
+
+monkeysphere (0.9) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * implemented "monkeysphere-server extend-key" to adjust expiration
+ date of host key.
+ * removed "monkeysphere-server fingerprint". Use "monkeysphere-server
+ show-key" instead.
+
+ [ Jameson Graef Rollins ]
+ * fixed bug in user id processing that prevented bad primary keys from
+ being properly removed.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 15:42:12 -0400
+
+monkeysphere (0.8) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: switched Vcs-Git to use "centralized" git repo instead
+ of my own.
+ * More monkeysphere-server diagnostics
+ * monkeysphere --gen-subkey now guesses what KeyID you meant.
+ * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey
+ works sensibly under X11
+
+ [ Jameson Graef Rollins ]
+ * fix another bug when known_hosts files are missing.
+ * sort processed keys so that "good" keys are processed after "bad"
+ keys. This will prevent malicious bad keys from causing good keys to
+ be removed from key files.
+ * enabled host key publication.
+ * added checking of gpg.conf for keyserver
+ * new functions to add/revoke host key user IDs
+ * improved list-certifiers function (now non-privileged)
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 12:43:37 -0400
+
+monkeysphere (0.7) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * Added monkeysphere-server diagnostics subcommand.
+ * rebuilding package using Format: 3.0 (git)
+
+ [ Jameson Graef Rollins ]
+ * fix how check for file modification is done.
+ * rework out user id processing is done to provide more verbose log
+ output.
+ * fix bug in monkeysphpere update-authorized_keys subcommand where
+ disallowed keys failed to be remove from authorized_keys file.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 04 Aug 2008 10:47:41 -0400
+
+monkeysphere (0.6) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix bug in return on error of ssh-proxycommand.
+
+ [ Daniel Kahn Gillmor ]
+ * try socat if netcat is not available in proxycommand.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 29 Jul 2008 10:27:20 -0400
+
+monkeysphere (0.5) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * updated READMEs to match current state of code
+
+ [ Jameson Graef Rollins ]
+ * Tweak how empty authorized_user_ids and known_hosts files are handled.
+ * Do not fail when authorized_user_ids or known_hosts file is not found.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 28 Jul 2008 10:50:02 -0400
+
+monkeysphere (0.4) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * New version.
+ * Fixed return code error in openpgp2ssh
+
+ [ Jameson Graef Rollins ]
+ * Privilege separation: use monkeysphere user to handle maintenance of
+ the gnupg authentication keychain for server.
+ * Improved certifier key management.
+ * Fixed variable scoping and config file precedence.
+ * Add options for key generation and add-certifier functions.
+ * Fix return codes for known_host and authorized_keys updating
+ functions.
+ * Add write permission check on authorized_keys, known_hosts, and
+ authorized_user_ids files.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 22 Jul 2008 21:50:17 -0400
+
+monkeysphere (0.3) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * new version.
+
+ [ Jameson Graef Rollins ]
+ * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
+ the more appropriate /var/lib/monkeysphere.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 24 Jun 2008 00:55:29 -0400
+
+monkeysphere (0.2) experimental; urgency=low
+
+ * added lockfile-progs dependency
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:34:05 -0400
+
+monkeysphere (0.2) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * openpgp2ssh now supports specifying keys by full fingerprint.
+
+ [ Jameson Graef Rollins ]
+ * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+ %h/.config/monkeysphere/authorized_user_ids, instead of
+ /etc/monkeysphere/authorized_user_ids.
+ * Remove {update,remove}-userids functions, since we decided they
+ weren't useful enough to be worth maintaining.
+ * Better handling of unknown users in server update-users
+ * Add file locking when modifying known_hosts or authorized_keys
+ * Better failure/prompting for gen-subkey
+ * Add ability to set any owner trust level for keys in server keychain.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 17:03:19 -0400
+
+monkeysphere (0.1) experimental; urgency=low
+
+ * First release of debian package for monkeysphere.
+ * This is experimental -- please report bugs!
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 00:34:53 -0400
+
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2010-01-12 - dkg
+ * aptitude update && aptitude full-upgrade (including monkeysphere
+ 0.27-1)
+
2009-10-26 - dkg
* upgrade nginx in response to DSA-1920-1
.SH DESCRIPTION
\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
-for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
-added to the authorized_keys and known_hosts files used by OpenSSH for
-connection authentication.
+for OpenSSH and TLS key-based authentication. OpenPGP keys are
+tracked via GnuPG, and added to the authorized_keys and known_hosts
+files used by OpenSSH for connection authentication. Monkeysphere can
+also be used by a validation agent to validate TLS connections
+(e.g. https).
\fBmonkeysphere\fP is the Monkeysphere client utility.
Output the ssh fingerprint of a key in your gpg keyring. `f' may be
used in place of `fingerprint'.
.TP
+.B keys\-for\-userid USERID
+Output to stdout all acceptable keys for a given user ID literal.
+`u' may be used in place of `keys\-for\-userid'.
+.TP
.B version
Show the monkeysphere version number. `v' may be used in place of
`version'.
.Sh SYNOPSIS
.Nm pem2openpgp "$USERID" < mykey.pem | gpg \-\-import
.Pp
-.Nm PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authentication,certify pem2openpgp "$USERID" <mykey.pem
+.Nm PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authenticate,certify pem2openpgp "$USERID" <mykey.pem
.Sh DESCRIPTION
.Nm
is a low-level utility for transforming raw, PEM-encoded RSA secret
.SH DESCRIPTION
-\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust
-for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
-to the authorized_keys and known_hosts files used by ssh for
-connection authentication.
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
+for OpenSSH and TLS key-based authentication. OpenPGP keys are
+tracked via GnuPG, and added to the authorized_keys and known_hosts
+files used by OpenSSH for connection authentication. Monkeysphere can
+also be used by a validation agent to validate TLS connections
+(e.g. https).
.SH IDENTITY CERTIFIERS
.SH KEY ACCEPTABILITY
-During known_host and authorized_keys updates, the monkeysphere
-commands work from a set of user IDs to determine acceptable keys for
-ssh authentication. OpenPGP keys are considered acceptable if the
-following criteria are met:
+The monkeysphere commands work from a set of user IDs to determine
+acceptable keys for ssh and TLS authentication. OpenPGP keys are
+considered acceptable if the following criteria are met:
.TP
.B capability
The key must have the `authentication' (`a') usage flag set.
.SH HOST IDENTIFICATION
-The OpenPGP keys for hosts have associated user IDs that use the ssh
-URI specification for the host, i.e. `ssh://host.full.domain[:port]'.
+The OpenPGP keys for hosts have associated `service names` (OpenPGP
+user IDs) that are based on URI specifications for the service. Some
+examples:
+.TP
+.B ssh:
+ssh://host.example.com[:port]
+.TP
+.B https:
+https://host.example.com[:port]
.SH AUTHOR
-.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands"
+.TH MONKEYSPHERE-AUTHENTICATION "8" "January 2010" "monkeysphere" "System Commands"
.SH NAME
.SH DESCRIPTION
\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust
-(WoT) for OpenSSH authentication. OpenPGP keys are tracked via GnuPG,
-and added to the authorized_keys and known_hosts files used by OpenSSH
-for connection authentication.
+(WoT) for key-based authentication. OpenPGP keys are tracked via
+GnuPG, and added to the authorized_keys files used by OpenSSH for
+connection authentication.
\fBmonkeysphere\-authentication\fP is a Monkeysphere server admin
utility for configuring and managing SSH user authentication through
the sshd_config to point to the monkeysphere\-generated
authorized_keys files:
-AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u
+AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
It is recommended to add "monkeysphere\-authentication update\-users"
to a system crontab, so that user keys are kept up-to-date, and key
-.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands"
+.TH MONKEYSPHERE-HOST "8" "January 2010" "monkeysphere" "System Commands"
.SH NAME
-monkeysphere\-host - Monkeysphere host admin tool.
+monkeysphere\-host - Monkeysphere host key administration tool.
.SH SYNOPSIS
.SH DESCRIPTION
\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
-for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
-added to the authorized_keys and known_hosts files used by OpenSSH for
-connection authentication.
+for SSH and TLS key-based authentication.
-\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility for
-managing the host's OpenPGP host key.
+\fBmonkeysphere\-host\fP stores and manages OpenPGP certificates for
+various services offered by the host.
+
+Most subcommands take a KEYID argument, which identifies (by OpenPGP
+key ID (e.g. 0xDEADBEEF) or full OpenPGP fingerprint) which
+certificate is to be operated upon. If only one certificate is
+currently managed by \fBmonkeysphere\-host\fP, the KEYID argument may
+be omitted, and \fBmonkeysphere\-host\fP will operate on it.
.SH SUBCOMMANDS
\fBmonkeysphere\-host\fP takes various subcommands:
.TP
-.B import\-key FILE NAME[:PORT]
-Import a pem-encoded ssh secret host key from file FILE. If FILE is
-`\-', then the key will be imported from stdin. Only RSA keys are
-supported at the moment. NAME[:PORT] is used to specify the
-fully-qualified hostname (and port) used in the user ID of the new
-OpenPGP key. If PORT is not specified, then no port is added to the
-user ID, which means port 22 is assumed. `i' may be used in place of
+.B import\-key FILE SCHEME://HOSTNAME[:PORT]
+Import a PEM-encoded host secret key from file FILE. If FILE is `\-',
+then the key will be imported from stdin. Only RSA keys are supported
+at the moment. SCHEME://HOSTNAME[:PORT] is used to specify the scheme
+(e.g. ssh or https), fully-qualified hostname (and port) used in the
+user ID of the new OpenPGP key (e.g. ssh://example.net or
+https://www.example.net). If PORT is not specified, then no port is
+added to the user ID, which means the default port for that service
+(e.g. 22 for ssh) is assumed. `i' may be used in place of
`import\-key'.
.TP
-.B show\-key
-Output information about host's OpenPGP and SSH keys. `s' may be used
-in place of `show\-key'.
-.TP
-.B set\-expire [EXPIRE]
-Extend the validity of the OpenPGP key for the host until EXPIRE from
-the present. If EXPIRE is not specified, then the user will be
-prompted for the extension term. Expiration is specified as with
-GnuPG (measured from today's date):
+.B show\-keys [KEYID ...]
+Output information about the OpenPGP certificate(s) for services
+offered by the host, including their KEYIDs. If no KEYID is specified
+(or if the special string `--all' is used), output information about
+all certificates managed by \fBmonkeysphere\-host\fP. `s' may be used
+in place of `show\-keys'.
+.TP
+.B set\-expire EXPIRE [KEYID]
+Extend the validity of the OpenPGP certificate specified until EXPIRE
+from the present. Expiration is specified as with GnuPG (measured
+from today's date):
.nf
0 = key does not expire
<n> = key expires in n days
.fi
`e' may be used in place of `set\-expire'.
.TP
-.B add\-hostname HOSTNAME
-Add a hostname user ID to the server host key. `n+' may be used in
-place of `add\-hostname'.
-.TP
-.B revoke\-hostname HOSTNAME
-Revoke a hostname user ID from the server host key. `n\-' may be used
-in place of `revoke\-hostname'.
-.TP
-.B add\-revoker KEYID|FILE
-Add a revoker to the host's OpenPGP key. The key ID will be loaded
-from the keyserver. A file may be loaded instead of pulling the key
-from the keyserver by specifying the path to the file as the argument,
-or by specifying `\-' to load from stdin. `r+' may be be used in place
-of `add-revoker'.
-.TP
-.B revoke\-key
-Generate (with the option to publish) a revocation certificate for the
-host's OpenPGP key. If such a certificate is published, your host key
-will be permanently revoked. This subcommand will ask you a series of
-questions, and then generate a key revocation certificate, sending it
-to stdout. If you explicitly tell it to publish the revocation
-certificate immediately, it will send it to the public keyservers.
-USE WITH CAUTION!
-.TP
-.B publish\-key
-Publish the host's OpenPGP key to the public keyservers. `p' may be
-used in place of `publish-key'. Note that there is no way to remove a
-key from the public keyservers once it is published!
+.B add\-servicename SCHEME://HOSTNAME[:PORT] [KEYID]
+Add a service-specific user ID to the specified certificate. For
+example, the operator of `https://example.net' may wish to add an
+additional servicename of `https://www.example.net' to the certificate
+corresponding to the secret key used by the TLS-enabled web server.
+`add-name' or `n+' may be used in place of `add\-servicename'.
+.TP
+.B revoke\-servicename SCHEME://HOSTNAME[:PORT] [KEYID]
+Revoke a service-specific user ID from the specified certificate.
+`revoke-name' or `n\-' may be used in place of `revoke\-servicename'.
+.TP
+.B add\-revoker REVOKER_KEYID|FILE [KEYID]
+Add a revoker to the specified OpenPGP certificate. The revoker can
+be specified by their own REVOKER_KEYID (in which case it will be
+loaded from an OpenPGP keyserver), or by specifying a path to a file
+containing the revoker's OpenPGP certificate, or by specifying `\-' to
+load from stdin. `r+' may be be used in place of `add-revoker'.
+.TP
+.B revoke\-key [KEYID]
+Generate (with the option to publish) a revocation certificate for
+given OpenPGP certificate. If such a certificate is published, the
+given key will be permanently revoked, and will no longer be accepted
+by monkeysphere-enabled clients. This subcommand will ask you a
+series of questions, and then generate a key revocation certificate,
+sending it to stdout. You might want to store these certificates
+safely offline, to publish in case of compromise). If you explicitly
+tell it to publish the revocation certificate immediately, it will
+send it to the public keyservers. PUBLISH THESE CERTIFICATES ONLY IF
+YOU ARE SURE THE CORRESPONDING KEY WILL NEVER BE RE-USED!
+.TP
+.B publish\-keys [KEYID ...]
+Publish the specified OpenPGP certificates to the public keyservers.
+If the special string `--all' is specified, all of the host's OpenPGP
+certificates will be published. `p' may be used in place of
+`publish-keys'. NOTE: that there is no way to remove a key from the
+public keyservers once it is published!
.TP
.B version
Show the monkeysphere version number. `v' may be used in place of
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
-
-
-Other commands:
.TP
.B diagnostics
Review the state of the monkeysphere server host key and report on
configuration points to the right place, etc. `d' may be used in
place of `diagnostics'.
-.SH SETUP HOST AUTHENTICATION
+.SH SETUP SSH SERVER CERTIFICATES
-To enable host verification via the monkeysphere, an OpenPGP key must
-be made out of the host's ssh key, and the key must be published to
-the Web of Trust. This is not done by default. The first step is to
-import the host's ssh key into a monkeysphere-style OpenPGP key. This
-is done with the import\-key command. When importing a key, you must
-specify the path to the host's ssh RSA key to import, and a hostname
-to use as the key's user ID:
+To enable users to verify your SSH host's key via the monkeysphere, an
+OpenPGP certificate must be made out of the host's RSA ssh key, and
+the certificate must be published to the Web of Trust. Certificate
+publication is not done by default. The first step is to import the
+host's ssh key into a monkeysphere-style OpenPGP certificate. This is
+done with the import\-key command. For example:
-# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org
+# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key ssh://host.example.org
-On most systems, the ssh host RSA key is stored at
+On most systems, sshd's RSA secret key is stored at
/etc/ssh/ssh_host_rsa_key.
-Once the host key has been imported, it must be published to the Web
-of Trust so that users can retrieve the key when sshing to the host.
-The host key is published to the keyserver with the publish\-key
-command:
-
-$ monkeysphere\-host publish\-key
-
-In order for users logging into the system to be able to identify the
-host via the monkeysphere, at least one person (e.g. a server admin)
-will need to sign the host's key. This is done using standard OpenPGP
-keysigning techniques, usually: pull the key from the keyserver,
-verify and sign the key, and then re-publish the signature. Please
-see http://web.monkeysphere.info/signing-host-keys/ for more
-information. Once an admin's signature is published, users logging
-into the host can use it to validate the host's key without having to
-manually check the host key's fingerprint.
+See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES for
+how to make sure your users can verify the ssh service offered by your
+host once the key is imported into \fBmonkeysphere\-host\fP.
+
+.SH SETUP WEB SERVER CERTIFICATES
+
+You can set up your HTTPS-capable web server so that your users can
+verify it via the monkeysphere, without changing your server's
+software at all. You just need access to a (PEM-encoded) version of
+the server's RSA secret key (most secret keys are already stored
+PEM-encoded). The first step is to import the web server's key into a
+monkeysphere-style OpenPGP certificate. This is done with the
+import\-key command. For example:
+
+# monkeysphere\-host import-key /etc/ssl/private/host.example.net-key.pem https://host.example.net
+
+If you don't know where the web server's key is stored on your
+machine, consult the configuration files for your web server.
+Debian-based systems using the `ssl-cert' packages often have a
+default self-signed certificate stored in
+`/etc/ssl/private/ssl-cert-snakeoil.key' ; if you're using that key,
+your users are getting browser warnings about it. You can keep using
+the same key, but help them use the OpenPGP WoT to verify that it does
+belong to your web server by using something like:
+
+# monkeysphere\-host import-key /etc/ssl/private/ssl-cert-snakeoil.key https://$(hostname --fqdn)
+
+If you offer multiple HTTPS websites using the same secret key, you
+should add the additional website names with the `add-servicename'
+subcommand.
+
+See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES (the
+next section) for how to make sure your users can verify the https
+service offered by your host once the key is imported and any extra
+site names have been added. Note that you can add or remove
+additional servicenames at any time, but you'll need to certify any
+new ones separately.
+
+.SH PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES
+
+Once the host key has been imported, the corresponding certificate
+must be published to the Web of Trust so that users can retrieve the
+cert when connecting to the host. The host certificates are published
+to the keyserver with the publish\-key command:
+
+$ monkeysphere\-host publish\-key --all
+
+In order for users accessing the system to be able to identify the
+host's service via the monkeysphere, at least one person (e.g. a
+server admin) will need to sign the host's certificate. This is done
+using standard OpenPGP keysigning techniques. Usually: pull the
+host's OpenPGP certificate from the keyserver, verify and sign it, and
+then re-publish your signature. More than one person can certify any
+certificate. Please see
+http://web.monkeysphere.info/signing-host-keys/ for more information
+and details. Once an admin's signature is published, users accessing
+the host can use the certificate to validate the host's key without
+having to manually check the host key's fingerprint (in the case of
+ssh) or without seeing a nasty "security warning" in their browsers
+(in the case of https).
+
+.SH SECURITY CONSIDERATIONS
+
+Note that \fBmonkeysphere\-host\fP currently caches a copy of all
+imported secret keys (stored in OpenPGP form for future manipulation)
+in /var/lib/monkeysphere/host/secring.gpg. Cleartext backups of this
+file could expose secret key material if not handled sensitively.
.SH ENVIRONMENT
/etc/monkeysphere/monkeysphere\-host.conf
System monkeysphere\-host config file.
.TP
-/var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg
-A world-readable copy of the host's public key in OpenPGP format,
-including all relevant self-signatures.
+/var/lib/monkeysphere/host_keys.pub.pgp
+
+A world-readable copy of the host's OpenPGP certificates in ASCII
+armored format. This includes the certificates (including the public
+keys, servicename-based User IDs, and most recent relevant
+self-signatures) corresponding to every key used by
+Monkeysphere-enabled services on the host.
+.TP
+/var/lib/monkeysphere/host/
+A locked directory (readable only by the superuser) containing copies
+of all imported secret keys (this is the host's GNUPGHOME directory).
.SH AUTHOR
.SH SEE ALSO
.BR monkeysphere (1),
-.BR monkeysphere\-authentication (8),
.BR monkeysphere (7),
.BR gpg (1),
+.BR monkeysphere\-authentication (8),
.BR ssh (1),
.BR sshd (8)
-monkeysphere (0.27-1~pre1) UNRELEASED; urgency=low
+monkeysphere (0.28.1-1~pre1) UNRELEASED; urgency=low
- * New upstream release:
- - fixed monkeysphere gen-subkey subcommand that was erroneously
- creating DSA subkeys due to unannounced change in gpg edit-key UI.
+ [ Jameson Graef Rollins ]
+ * New upstream release
+
+ [ Daniel Kahn Gillmor ]
+ * bumped Standards-Version to 3.8.4 (no changes needed)
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Thu, 04 Feb 2010 12:00:58 -0500
+
+monkeysphere (0.28-1) unstable; urgency=low
+
+ * New upstream release
+ * Separate upstream and debian changelogs
+
+ -- Jameson Rollins <jrollins@finestructure.net> Tue, 19 Jan 2010 13:56:17 -0500
+
+monkeysphere (0.27-1) unstable; urgency=low
+
+ * New upstream release
* updated debian/copyright to match the latest revision of DEP5.
* updated standards version to 3.8.3 (no changes needed)
- * updated Depends to require >=1.4.10 due to gpg UI change.
* add cpio to Build-Depends (used in test suite) (Closes: #562444)
- -- Jameson Graef Rollins <jrollins@finestructure.net> Thu, 24 Dec 2009 12:28:21 -0500
+ -- Jameson Rollins <jrollins@finestructure.net> Mon, 11 Jan 2010 20:54:21 -0500
monkeysphere (0.26-1) unstable; urgency=low
- * New upstream release:
- - add 'refresh-keys' subcommand to monkeysphere-authentication
- - improve marginal UI (closes MS #1141)
- - add MONKEYSPHERE_STRICT_MODES configuration to avoid
- permission-checking (closes MS #649)
- - test scripts use STRICT_MODES to avoid failure when built under /tmp
- (Closes: #527765)
- - do permissions checks with a perl script instead of non-portable
- readlink GNUisms
- - bail on permissions check if we hit the home directory (helpful on
- Mac OS and other systems with loose /home or /Users (closes MS #675)
+ * New upstream release (Closes: #527765)
-- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 01 Aug 2009 17:11:05 -0400
monkeysphere (0.25-1) unstable; urgency=low
- * New upstream release:
- - update/fix the marginal ui output
- - use msmktempdir everywhere (avoid unwrapped calls to mktemp for
- portability)
- - clean out some redundant "cat"s
- - fix monkeysphere update-known_hosts for sshd running on non-standard
- ports
- - add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key
- - pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1
- (changes dependency to libdigest-sha-perl)
- - some portability improvements
- - properly handle translation of keys with fingerprints with leading
- all-zero bytes.
- - resolve symlinks when checking paths (thanks Silvio Rhatto)
- (closes MS #917)
- - explicitly set and use MONKEYSPHERE_GROUP from system "groups"
- (closes: #534008)
- - monkeysphere-host now uses keytrans to add and revoke hostname
- (closes MS #422)
+ * New upstream release (closes: #534008)
* update Standard-Version to 3.8.2 (no changes needed)
-- Jameson Graef Rollins <jrollins@finestructure.net> Thu, 16 Jul 2009 22:09:19 -0400
monkeysphere (0.24-1) unstable; urgency=low
- * New upstream release:
- - fixed how version information is stored/retrieved
- - now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
- - no longer needs base64 in PATH
- - added "test" make target
- - improved transitions/0.23 script so it no longer fails in common
- circumstances (Closes: #517779)
- - RSA only: no longer handles DSA keys
- - added ability to specify subkeys to add to ssh agent with
- new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
+ * New upstream release (Closes: #517779)
* update/cleanup maintainer scripts
* remove GnuTLS dependency
* remove versioned coreutils | base64 dependency
monkeysphere (0.23.1-1) unstable; urgency=low
- * New Upstrem "Brown Paper Bag" Release:
- - adjusts internal version numbers
+ * New upstrem release ("brown paper bag" to adjust internal version numbers)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2009 18:09:47 -0500
monkeysphere (0.23-1) unstable; urgency=low
- "The Golden Bezoar Release"
-
- * New upstream release.
- * rearchitect UI:
- - replace monkeysphere-server with monkeysphere-{authentication,host}
- - fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
-
- * new ability to import existing ssh host key into monkeysphere. So now
- m-a import-key replaces m-s gen-key.
- * provide pem2openpgp for translating unencrypted PEM-encoded raw key
- material into OpenPGP keys (introduces new perl dependencies)
- * get rid of getopts dependency
- * added version output option
- * better checks for the existence of a host private key for
- monkeysphere-host subcommands that need it.
- * better checks on validity of existing authentication subkeys when
- doing monkeysphere gen_subkey.
- * add transition infrastructure for major changes between releases (see
- transitions/README.txt)
- * implement and document two new monkeysphere-host subcommands:
- revoke-key and add-revoker
+ * New upstream release: "The Golden Bezoar Release"
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2009 17:51:06 -0500
monkeysphere (0.22-1) unstable; urgency=low
- * New upstream release:
- [ Jameson Graef Rollins ]
-
- - added info log output when a new key is added to known_hosts file.
- - added some useful output to the ssh-proxycommand for "marginal"
- cases where keys are found for host but do not have full validity.
- - force ssh-keygen to read from stdin to get ssh key fingerprint.
-
- [ Daniel Kahn Gillmor ]
-
- - automatically output two copies of the host's public key: one
- standard ssh public key file, and the other a minimal OpenPGP key with
- just the latest valid self-sig.
- - debian/control: corrected alternate dependency from procfile to
+ * New upstream release
+ * debian/control: corrected alternate dependency from procfile to
procmail (which provides /usr/bin/lockfile)
-- Jameson Graef Rollins <jrollins@finestructure.net> Fri, 28 Nov 2008 14:23:31 -0500
monkeysphere (0.21-1) unstable; urgency=low
- * New upstream release:
- - move debian packaging to packaging subdirectory.
+ * New upstream initial release to Debian (Closes: #505806)
* Add debian prerm script, and add debhelper lines to other install
scripts.
- * Initial release to Debian (Closes: #505806)
-- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 16:14:27 -0500
-
-monkeysphere (0.20-1) unstable; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * ensure that tempdirs are properly created, bail out otherwise instead
- of stumbling ahead.
- * minor fussing with the test script to make it cleaner.
-
- [ Jameson Graef Rollins ]
- * clean up Makefile to generate more elegant source tarballs.
- * make myself the maintainer.
-
- -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 13:12:57 -0500
-
-monkeysphere (0.19-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * simulating an X11 session in the test script.
- * updated packaging so that symlinks to config files are correct.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 02:47:49 -0400
-
-monkeysphere (0.18-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix bugs in authorized_{user_ids,keys} file permission checking.
- * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
- files.
- * chown authorized_keys files to `whoami`, for compatibility with test
- suite.
- * major improvements to test suite, added more tests.
-
- [ Daniel Kahn Gillmor ]
- * update make install to ensure placement of
- /etc/monkeysphere/gnupg-{host,authentication}.conf
- * choose either --quick-random or --debug-quick-random depending on
- which gpg supports for the test suite.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 00:41:38 -0400
-
-monkeysphere (0.17-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix some bugs in, and cleanup, authorized_keys file creation in
- monkeysphere-server update-users.
- * Move to using the empty string for not adding a user-controlled
- authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Oct 2008 02:04:22 -0400
-
-monkeysphere (0.16-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better
- portability.
- * fixed busted lockfile arrangement, where empty file was being locked
- * portability fixes in the way we use date, mktemp, hostname, su
- * stop using /usr/bin/stat, since the syntax appears to be totally
- unportable
- * require GNU getopt, and test for getopt failures (look for getopt in
- /usr/local/bin first, since that's where FreeBSD's GNU-compatible
- getopt lives.
- * monkeysphere-server diagnostics now counts problems and suggests a
- re-run after they have been resolved.
- * completed basic test suite: this can be run from the git sources or
- the tarball with: cd tests && ./basic
-
- [ Jameson Graef Rollins ]
- * Genericize fs location variables.
- * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
- install.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 26 Oct 2008 03:06:18 -0400
-
-monkeysphere (0.15-1) experimental; urgency=low
-
- * porting work and packaging simplification: clarifying makefiles,
- pruning dependencies, etc.
- * added tests to monkeysphere-server diagnostics
- * moved monkeysphere(5) to section 7 of the manual
- * now shipping TODO in /usr/share/doc/monkeysphere
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
-
-monkeysphere (0.14-1) experimental; urgency=low
-
- * changing debian packaging back to format 1.0 so we get automatic
- tarballs, and easier inclusion in other build networks.
- * no other source changes.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 13:03:35 -0400
-
-monkeysphere (0.13-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * tweaks in /usr/bin/monkeysphere to handle odd secret keyrings.
- * updated makefile to reflect the package building technique we've been
- using for a month now.
-
- [ Jameson Graef Rollins ]
- * move location of user config directory to ~/.monkeysphere.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Sep 2008 17:26:10 -0400
-
-monkeysphere (0.12-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Improved output handling. New LOG_LEVEL variable.
-
- [ Daniel Kahn Gillmor ]
- * debian/control: switched Homepage: and Vcs-Git: to canonicalized
- upstream hostnames.
- * updated documentation for new release.
- * changed my associated e-mail address for this package.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Sep 2008 18:54:29 -0400
-
-monkeysphere (0.11-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * fix bug in trustdb update on add/revoke-hostname.
-
- [ Daniel Kahn Gillmor ]
- * debian/control: added Build-Depends: git-core for the new packaging
- format
- * new subcommand: monkeysphere subkey-to-ssh-agent (relies on a patched
- GnuTLS to deal with GPG's gnu-dummy S2K extension, but fails cleanly
- if not found).
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Wed, 20 Aug 2008 11:24:35 -0400
-
-monkeysphere (0.10-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * brown paper bag release: invert test on calculated validity of keys.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 16:22:34 -0400
-
-monkeysphere (0.9-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * implemented "monkeysphere-server extend-key" to adjust expiration
- date of host key.
- * removed "monkeysphere-server fingerprint". Use "monkeysphere-server
- show-key" instead.
-
- [ Jameson Graef Rollins ]
- * fixed bug in user id processing that prevented bad primary keys from
- being properly removed.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 15:42:12 -0400
-
-monkeysphere (0.8-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * debian/control: switched Vcs-Git to use "centralized" git repo instead
- of my own.
- * More monkeysphere-server diagnostics
- * monkeysphere --gen-subkey now guesses what KeyID you meant.
- * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey
- works sensibly under X11
-
- [ Jameson Graef Rollins ]
- * fix another bug when known_hosts files are missing.
- * sort processed keys so that "good" keys are processed after "bad"
- keys. This will prevent malicious bad keys from causing good keys to
- be removed from key files.
- * enabled host key publication.
- * added checking of gpg.conf for keyserver
- * new functions to add/revoke host key user IDs
- * improved list-certifiers function (now non-privileged)
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 12:43:37 -0400
-
-monkeysphere (0.7-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * Added monkeysphere-server diagnostics subcommand.
- * rebuilding package using Format: 3.0 (git)
-
- [ Jameson Graef Rollins ]
- * fix how check for file modification is done.
- * rework out user id processing is done to provide more verbose log
- output.
- * fix bug in monkeysphpere update-authorized_keys subcommand where
- disallowed keys failed to be remove from authorized_keys file.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 04 Aug 2008 10:47:41 -0400
-
-monkeysphere (0.6-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix bug in return on error of ssh-proxycommand.
-
- [ Daniel Kahn Gillmor ]
- * try socat if netcat is not available in proxycommand.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 29 Jul 2008 10:27:20 -0400
-
-monkeysphere (0.5-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * updated READMEs to match current state of code
-
- [ Jameson Graef Rollins ]
- * Tweak how empty authorized_user_ids and known_hosts files are handled.
- * Do not fail when authorized_user_ids or known_hosts file is not found.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 28 Jul 2008 10:50:02 -0400
-
-monkeysphere (0.4-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * New version.
- * Fixed return code error in openpgp2ssh
-
- [ Jameson Graef Rollins ]
- * Privilege separation: use monkeysphere user to handle maintenance of
- the gnupg authentication keychain for server.
- * Improved certifier key management.
- * Fixed variable scoping and config file precedence.
- * Add options for key generation and add-certifier functions.
- * Fix return codes for known_host and authorized_keys updating
- functions.
- * Add write permission check on authorized_keys, known_hosts, and
- authorized_user_ids files.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 22 Jul 2008 21:50:17 -0400
-
-monkeysphere (0.3-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * new version.
-
- [ Jameson Graef Rollins ]
- * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
- the more appropriate /var/lib/monkeysphere.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 24 Jun 2008 00:55:29 -0400
-
-monkeysphere (0.2-2) experimental; urgency=low
-
- * added lockfile-progs dependency
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:34:05 -0400
-
-monkeysphere (0.2-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * openpgp2ssh now supports specifying keys by full fingerprint.
-
- [ Jameson Graef Rollins ]
- * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
- %h/.config/monkeysphere/authorized_user_ids, instead of
- /etc/monkeysphere/authorized_user_ids.
- * Remove {update,remove}-userids functions, since we decided they
- weren't useful enough to be worth maintaining.
- * Better handling of unknown users in server update-users
- * Add file locking when modifying known_hosts or authorized_keys
- * Better failure/prompting for gen-subkey
- * Add ability to set any owner trust level for keys in server keychain.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 17:03:19 -0400
-
-monkeysphere (0.1-1) experimental; urgency=low
-
- * First release of debian package for monkeysphere.
- * This is experimental -- please report bugs!
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 00:34:53 -0400
-
Source: monkeysphere
Section: net
Priority: extra
-Maintainer: Jameson Graef Rollins <jrollins@finestructure.net>
-Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Build-Depends: debhelper (>= 7.0), cpio, socat, openssh-server, gnupg (>=1.4.10), libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail
-Standards-Version: 3.8.3
+Maintainer: Jameson Rollins <jrollins@finestructure.net>
+Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Build-Depends: debhelper (>= 7.0), cpio, socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail, openssl
+Standards-Version: 3.8.4
Homepage: http://web.monkeysphere.info/
Vcs-Git: git://git.monkeysphere.info/monkeysphere
Dm-Upload-Allowed: yes
Package: monkeysphere
Architecture: all
-Depends: openssh-client, gnupg (>=1.4.10), libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail, adduser, ${misc:Depends}
+Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail, adduser, ${misc:Depends}
Recommends: netcat | socat, ssh-askpass, cron
Enhances: openssh-client, openssh-server
-Description: use the OpenPGP web of trust to verify ssh connections
+Description: leverage the OpenPGP web of trust for SSH and TLS authentication
SSH key-based authentication is tried-and-true, but it lacks a true
Public Key Infrastructure for key certification, revocation and
expiration. Monkeysphere is a framework that uses the OpenPGP web of
trust for these PKI functions. It can be used in both directions:
for users to get validated host keys, and for hosts to authenticate
- users.
+ users. Current monkeysphere SSH tools are designed to integrate
+ with the OpenSSH implementation of the Secure Shell protocol.
+ .
+ Monkeysphere can also be used by a validation agent to validate TLS
+ connections (e.g. https).
# postinst script for monkeysphere
# Author: Jameson Rollins <jrollins@finestructure.net>
-# Copyright 2008-2009
+# Copyright 2008-2010
set -e
fi
# try all available transitions:
- for trans in 0.23 ; do
+ for trans in 0.23 0.28 ; do
/usr/share/monkeysphere/transitions/$trans || { \
RET=$?
echo "Failed running transition script /usr/share/monkeysphere/transitions/$trans" >&2
subcommands:
update-known_hosts (k) [HOST]... update known_hosts file
update-authorized_keys (a) update authorized_keys file
- gen-subkey (g) [KEYID] generate an authentication subkey
- --length (-l) BITS key length in bits (2048)
ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand
--no-connect do not make TCP connection to host
subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
sshfpr (f) KEYID output ssh fingerprint of gpg key
+
+ keys-for-userid (u) USERID output valid keys for user id literal
+ gen-subkey (g) [KEYID] generate an authentication subkey
+ --length (-l) BITS key length in bits (2048)
+
version (v) show version number
help (h,?) this help
# if authentication key is valid, prompt to continue
if [ "$validity" = 'u' ] ; then
echo "A valid authentication key already exists for primary key '$keyID'." 1>&2
- if [ "$PROMPT" = "true" ] ; then
+ if [ "$PROMPT" != "false" ] ; then
printf "Are you sure you would like to generate another one? (y/N) " >&2
read OK; OK=${OK:N}
if [ "${OK/y/Y}" != 'Y' ] ; then
export LOG_LEVEL
export LOG_PREFIX
+if [ "$#" -eq 0 ] ; then
+ usage
+ failure "Please supply a subcommand."
+fi
+
# get subcommand
COMMAND="$1"
-[ "$COMMAND" ] || $PGRM help
shift
case $COMMAND in
process_authorized_user_ids "$AUTHORIZED_USER_IDS"
;;
- 'import-subkey'|'i')
+ 'import-subkey'|'import'|'i')
source "${MSHAREDIR}/import_subkey"
import_subkey "$@"
;;
gpg_ssh_fingerprint "$@"
;;
- 'version'|'v')
+ 'keys-for-userid'|'u')
+ keys_for_userid "$@"
+ ;;
+
+ 'keys-from-userid')
+ echo "Warning: 'keys-from-userid' is deprecated. Please use 'keys-for-userid' instead." >&2
+ keys_for_userid "$@"
+ ;;
+
+ 'version'|'--version'|'v')
version
;;
- '--help'|'help'|'-h'|'h'|'?')
+ 'help'|'--help'|'-h'|'h'|'?')
usage
;;
*)
failure "Unknown command: '$COMMAND'
-Type '$PGRM help' for usage."
+Try '$PGRM help' for usage."
;;
esac
# export variables needed in su invocation
export DATE
-export MODE
export LOG_LEVEL
export KEYSERVER
export MONKEYSPHERE_USER
export CORE_KEYLENGTH
export LOG_PREFIX
+if [ "$#" -eq 0 ] ; then
+ usage
+ failure "Please supply a subcommand."
+fi
+
# get subcommand
COMMAND="$1"
-[ "$COMMAND" ] || $PGRM help
shift
case $COMMAND in
setup
;;
- 'update-users'|'update-user'|'u')
+ 'update-users'|'update-user'|'update'|'u')
source "${MASHAREDIR}/setup"
setup
source "${MASHAREDIR}/update_users"
update_users "$@"
;;
- 'refresh-keys'|'r')
+ 'refresh-keys'|'refresh'|'r')
source "${MASHAREDIR}/setup"
setup
gpg_sphere "--keyserver $KEYSERVER --refresh-keys"
gpg_sphere "$@"
;;
- 'version'|'v')
+ 'version'|'--version'|'v')
version
;;
*)
failure "Unknown command: '$COMMAND'
-Type '$PGRM help' for usage."
+Try '$PGRM help' for usage."
;;
esac
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
#
-# They are Copyright 2008-2009, and are all released under the GPL,
+# They are Copyright 2008-2010, and are all released under the GPL,
# version 3 or later.
########################################################################
MHDATADIR="${SYSDATADIR}/host"
# host pub key files
-HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.pgp"
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
Monkeysphere host admin tool.
subcommands:
- import-key (i) FILE NAME[:PORT] import existing ssh key to gpg
- show-key (s) output all host key information
- publish-key (p) publish host key to keyserver
- set-expire (e) [EXPIRE] set host key expiration
- add-hostname (n+) NAME[:PORT] add hostname user ID to host key
- revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
- add-revoker (r+) KEYID|FILE add a revoker to the host key
- revoke-key generate and/or publish revocation
- certificate for host key
-
- version (v) show version number
- help (h,?) this help
+ import-key (i) FILE SERVICENAME import PEM-encoded key from file
+ show-keys (s) [KEYID ...] output host key information
+ publish-keys (p) [KEYID ...] publish key(s) to keyserver
+ set-expire (e) EXPIRE [KEYID] set key expiration
+ add-servicename (n+) SERVICENAME [KEYID]
+ add a service name to key
+ revoke-servicename (n-) SERVICENAME [KEYID]
+ revoke a service name from key
+ add-revoker (r+) REVOKER_KEYID|FILE [KEYID]
+ add a revoker to key
+ revoke-key [KEYID] generate and/or publish revocation
+ certificate for key
+
+ version (v) show version number
+ help (h,?) this help
See ${PGRM}(8) for more info.
EOF
GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
}
-# command to list the info about the host key, in colon format, to
-# stdout
-gpg_host_list() {
- gpg_host --list-keys --with-colons --fixed-list-mode \
- --with-fingerprint --with-fingerprint \
- "0x${HOST_FINGERPRINT}!"
-
+# list the info about the a key, in colon format, to stdout
+gpg_host_list_keys() {
+ if [ "$1" ] ; then
+ gpg_host --list-keys --with-colons --fixed-list-mode \
+ --with-fingerprint --with-fingerprint \
+ "$1"
+ else
+ gpg_host --list-keys --with-colons --fixed-list-mode \
+ --with-fingerprint --with-fingerprint
+ fi
}
-# command for edit key scripts, takes scripts on stdin
+# edit key scripts, takes scripts on stdin, and keyID as first input
gpg_host_edit() {
- gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@"
+ gpg_host --command-fd 0 --edit-key "$@"
}
-# export the host public key to the monkeysphere gpg pub key file
-update_gpg_pub_file() {
+# export the monkeysphere OpenPGP pub key file
+update_pgp_pub_file() {
log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
gpg_host --export --armor --export-options export-minimal \
- "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
+ $(gpg_host --list-secret-keys --with-colons --fingerprint | grep ^fpr | cut -f10 -d:) \
+ > "$HOST_KEY_FILE"
}
-# load the host fingerprint into the fingerprint variable, using the
-# export gpg pub key file
-# FIXME: this seems much less than ideal, with all this temp keyring
-# stuff. is there a way we can do this without having to create temp
-# files? what if we stored the fingerprint in MHDATADIR/fingerprint?
-load_fingerprint() {
- if [ -f "$HOST_KEY_FILE" ] ; then
- HOST_FINGERPRINT=$( \
- (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \
- && gpg --quiet --import \
- && gpg --quiet --list-keys --with-colons --with-fingerprint \
- && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
- | grep '^fpr:' | cut -d: -f10 )
- else
- failure "host key gpg pub file not found."
+# check that the service name is well formed. we assume that the
+# service name refers to a host; DNS labels for host names are limited
+# to a very small range of characters (see RFC 1912, section 2.1).
+
+# FIXME: i'm failing to check here for label components that are
+# all-number (e.g. ssh://666.666), which are technically not allowed
+# (though some exist on the 'net, apparently)
+
+# FIXME: this will probably misbehave if raw IP addresses are provided,
+# either IPv4 or IPv6 using the bracket notation.
+
+# FIXME: this doesn't address the use of hashed User IDs.
+
+check_service_name() {
+ local name="$1"
+ local errs=""
+ local scheme
+ local port
+ local assigned_ports
+
+ [ -n "$name" ] || \
+ failure "You must supply a service name to check"
+
+ printf '%s' "$name" | perl -n -e '($str = $_) =~ s/\s//g ; exit !(lc($str) eq $_);' || \
+ failure "Not a valid service name: '$name'
+
+Service names should be canonicalized to all lower-case,
+with no whitespace"
+
+ [[ "$name" =~ ^[a-z0-9./:-]+$ ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names should contain only lower-case ASCII letters
+numbers, dots (.), hyphens (-), slashes (/), and a colon (:).
+If you are using non-ASCII characters (e.g. IDN), you should
+use the canonicalized ASCII (NAMEPREP -> Punycode) representation
+(see RFC 3490)."
+
+ [[ "$name" =~ \. ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names should use fully-qualified domain names (FQDN), but the
+domain name you chose appears to only have the local part. For
+example: don't use 'ssh://foo' ; use 'ssh://foo.example.com' instead."
+
+ [[ "$name" =~ ^[a-z]([a-z0-9-]*[a-z0-9])?://[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.|((\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+))(:[1-9][0-9]{0,4})?$ ]] || \
+ failure "Not a valid service name: '$name'
+
+Service names look like <scheme>://full.example.com[:<portnumber>],
+where <scheme> is something like ssh or https, and <portnumber> is
+a decimal number (supplied only if the service is on a non-standard
+port)."
+
+ scheme=$(cut -f1 -d: <<<"$name")
+ port=$(cut -f3 -d: <<<"$name")
+
+ # check that the scheme name is found in the system services
+ # database
+ available_=$(get_port_for_service "$scheme") || \
+ log error "Error looking up service scheme named '%s'" "$scheme"
+
+ # FIXME: if the service isn't found, or does not have a port, what
+ # should we do? at the moment, we're just warning.
+
+ if [ -n "$port" ]; then
+ # check that the port number is a legitimate port number (> 0, < 65536)
+ [ "$port" -gt 0 ] && [ "$port" -lt 65536 ] || \
+ failure "The given port number should be greater than 0 and
+less than 65536. '$port' is not OK"
+
+ # if the port number is given, and the scheme is in the services
+ # database, check that the port number does *not* match the
+ # default port.
+ if (printf '%s' "$assigned_ports" | grep -q -F -x "$port" ) ; then
+ failure $(printf "The scheme %s uses port number %d by default.
+You should leave off the port number if it is the default" "$scheme" "$port")
+ fi
fi
-}
-
-# load the host fingerprint into the fingerprint variable, using the
-# gpg host secret key
-load_fingerprint_secret() {
- HOST_FINGERPRINT=$( \
- gpg_host --list-secret-key --with-colons --with-fingerprint \
- | grep '^fpr:' | cut -d: -f10 )
-}
-# fail if host key present
-check_host_key() {
- [ ! -s "$HOST_KEY_FILE" ] \
- || failure "An OpenPGP host key already exists."
}
# fail if host key not present
-check_host_no_key() {
+check_no_keys() {
[ -s "$HOST_KEY_FILE" ] \
|| failure "You don't appear to have a Monkeysphere host key on this server.
-Please run 'monkeysphere-host import-key...' first."
+Please run 'monkeysphere-host import-key' import a key."
+}
+
+# key input to functions, outputs full fingerprint of specified key if
+# found
+check_key_input() {
+ local keyID="$1"
+ # array of fingerprints
+ local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
+
+ case ${#fprs[@]} in
+ 0)
+ failure "You don't appear to have any Monkeysphere host keys.
+Please run 'monkeysphere-host import-key' to import a key."
+ ;;
+ 1)
+ :
+ ;;
+ *)
+ if [ -z "$keyID" ] ; then
+ failure "Your host keyring contains multiple keys.
+Please specify one to act on (see 'monkeysphere-host show-keys')."
+ fi
+ ;;
+ esac
+ printf '%s\n' "${fprs[@]}" | grep "${keyID}$" \
+ || failure "Host key '$keyID' not found."
}
# return 0 if user ID was found.
# return 1 if user ID not found.
-find_host_userid() {
- local userID="$1"
+check_key_userid() {
+ local keyID="$1"
+ local userID="$2"
local tmpuidMatch
# match to only "unknown" user IDs (host has no need for ultimate trust)
tmpuidMatch="uid:-:$(echo $userID | gpg_escape)"
# See whether the requsted user ID is present
- gpg_host_list | cut -f1,2,10 -d: | \
+ gpg_host_list_keys "$keyID" | cut -f1,2,10 -d: | \
grep -q -x -F "$tmpuidMatch" 2>/dev/null
}
-# show info about the host key
+prompt_userid_exists() {
+ local userID="$1"
+ local gpgOut
+ local fingerprint
+
+ if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then
+ fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10)
+ if [ "$PROMPT" != "false" ] ; then
+ printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2
+ read OK; OK=${OK:=N}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "Service name not added."
+ fi
+ else
+ log info "Key '%s' is already using the service name '%s'." "$fingerprint" "$userID" >&2
+ fi
+ fi
+}
+
+# run command looped over keys
+multi_key() {
+ local cmd="$1"
+ shift
+ local keys=$@
+ local i=0
+ local key
+
+ check_no_keys
+
+ local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE"))
+
+ if [[ -z "$1" || "$1" == '--all' ]] ; then
+ keys="${fprs[@]}"
+ fi
+
+ for key in $keys ; do
+ if (( i++ > 0 )) ; then
+ echo "##############################"
+ fi
+ "$cmd" "$key"
+ done
+}
+
+# show info about the a key
show_key() {
+ local id="$1"
local GNUPGHOME
- local TMPSSH
+ local fingerprint
+ local tmpssh
local revokers
# tmp gpghome dir
# import the host key into the tmp dir
gpg --quiet --import <"$HOST_KEY_FILE"
- # create the ssh key
- TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
- gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH"
-
# get the gpg fingerprint
- HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
- | grep '^fpr:' | cut -d: -f10 )
+ if gpg --quiet --list-keys \
+ --with-colons --with-fingerprint "$id" \
+ | grep '^fpr:' | cut -d: -f10 > "$GNUPGHOME"/fingerprint ; then
+ fingerprint=$(cat "$GNUPGHOME"/fingerprint)
+ else
+ failure "ID '$id' not found."
+ fi
+
+ # create the ssh key
+ tmpssh="$GNUPGHOME"/ssh_host_key_rsa_pub
+ gpg --export "$fingerprint" 2>/dev/null \
+ | openpgp2ssh 2>/dev/null >"$tmpssh"
# list the host key info
# FIXME: make no-show-keyring work so we don't have to do the grep'ing
# FIXME: can we show uid validity somehow?
- gpg --list-keys --fingerprint \
- --list-options show-unusable-uids 2>/dev/null \
+ gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \
| grep -v "^${GNUPGHOME}/pubring.gpg$" \
| egrep -v '^-+$'
# list revokers, if there are any
- revokers=$(gpg --list-keys --with-colons --fixed-list-mode \
+ revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \
| awk -F: '/^rvk:/{ print $10 }' )
if [ "$revokers" ] ; then
echo "The following keys are allowed to revoke this host key:"
fi
# list the pgp fingerprint
- echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
+ echo "OpenPGP fingerprint: $fingerprint"
# list the ssh fingerprint
echo -n "ssh fingerprint: "
- ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
+ ssh-keygen -l -f "$tmpssh" | awk '{ print $1, $2, $4 }'
# remove the tmp file
trap - EXIT
export HOST_FINGERPRINT
export LOG_PREFIX
+if [ "$#" -eq 0 ] ; then
+ usage
+ failure "Please supply a subcommand."
+fi
+
# get subcommand
COMMAND="$1"
-[ "$COMMAND" ] || $PGRM help
shift
case $COMMAND in
- 'import-key'|'i')
- check_host_key
+ 'import-key'|'import'|'i')
source "${MHSHAREDIR}/import_key"
import_key "$@"
;;
- 'show-key'|'show'|'s')
- check_host_no_key
- show_key
+ 'show-keys'|'show-key'|'show'|'s')
+ multi_key show_key "$@"
;;
- 'set-expire'|'extend-key'|'e')
- check_host_no_key
- load_fingerprint
+ 'set-expire'|'extend-key'|'extend'|'e')
source "${MHSHAREDIR}/set_expire"
set_expire "$@"
;;
- 'add-hostname'|'add-name'|'n+')
- check_host_no_key
- load_fingerprint
- source "${MHSHAREDIR}/add_hostname"
- add_hostname "$@"
+ 'add-servicename'|'add-hostname'|'add-name'|'n+')
+ source "${MHSHAREDIR}/add_name"
+ add_name "$@"
;;
- 'revoke-hostname'|'revoke-name'|'n-')
- check_host_no_key
- load_fingerprint
- source "${MHSHAREDIR}/revoke_hostname"
- revoke_hostname "$@"
+ 'revoke-servicename'|'revoke-hostname'|'revoke-name'|'n-')
+ source "${MHSHAREDIR}/revoke_name"
+ revoke_name "$@"
;;
'add-revoker'|'r+')
- check_host_no_key
- load_fingerprint
source "${MHSHAREDIR}/add_revoker"
add_revoker "$@"
;;
'revoke-key')
- check_host_no_key
- load_fingerprint
source "${MHSHAREDIR}/revoke_key"
revoke_key "$@"
;;
- 'publish-key'|'publish'|'p')
- check_host_no_key
- load_fingerprint
+ 'publish-keys'|'publish-key'|'publish'|'p')
source "${MHSHAREDIR}/publish_key"
- publish_key
+ multi_key publish_key "$@"
;;
'diagnostics'|'d')
diagnostics
;;
- 'update-gpg-pub-file')
- load_fingerprint_secret
- update_gpg_pub_file
+ 'update-pgp-pub-file')
+ update_pgp_pub_file
;;
- 'version'|'v')
+ 'version'|'--version'|'v')
version
;;
*)
failure "Unknown command: '$COMMAND'
-Type '$PGRM help' for usage."
+Try '$PGRM help' for usage."
;;
esac
keyExpire="$1"
- if [ -z "$keyExpire" -a "$PROMPT" = 'true' ]; then
+ if [ -z "$keyExpire" -a "$PROMPT" != 'false' ]; then
cat >&2 <<EOF
Please specify how long the key should be valid.
0 = key does not expire
fi
}
+# take one argument, a service name. in response, print a series of
+# lines, each with a unique numeric port number that might be
+# associated with that service name. (e.g. in: "https", out: "443")
+# if nothing is found, print nothing, and return 0.
+#
+# return 1 if there was an error in the search somehow
+get_port_for_service() {
+
+ [[ "$1" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]] || \
+ failure $(printf "This is not a valid service name: '%s'" "$1")
+ if type getent &>/dev/null ; then
+ # for linux and FreeBSD systems (getent returns 2 if not found, 0 on success, 1 or 3 on various failures)
+ (getent services "$service" || if [ "$?" -eq 2 ] ; then true ; else false; fi) | awk '{ print $2 }' | cut -f1 -d/ | sort -u
+ elif [ -r /etc/services ] ; then
+ # fall back to /etc/services for systems that don't have getent (MacOS?)
+ # FIXME: doesn't handle aliases like "null" (or "http"?), which don't show up at the beginning of the line.
+ awk $(printf '/^%s[[:space:]]/{ print $2 }' "$1") /etc/services | cut -f1 -d/ | sort -u
+ else
+ return 1
+ fi
+}
+
# return the path to the home directory of a user
get_homedir() {
local uname=${1:-`whoami`}
### GPG UTILITIES
+# script to determine if gpg version is equal to or greater than specified version
+is_gpg_version_greater_equal() {
+ local gpgVersion=$(gpg --version | head -1 | awk '{ print $3 }')
+ local latest=$(printf '%s\n%s\n' "$1" "$gpgVersion" \
+ | tr '.' ' ' | sort -g -k1 -k2 -k3 \
+ | tail -1 | tr ' ' '.')
+ [[ "$gpgVersion" == "$latest" ]]
+}
+
# retrieve all keys with given user id from keyserver
# FIXME: need to figure out how to retrieve all matching keys
# (not just first N (5 in this case))
# userid and key policy checking
# the following checks policy on the returned keys
# - checks that full key has appropriate valididy (u|f)
-# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
+# - checks key has specified capability (REQUIRED_KEY_CAPABILITY)
# - checks that requested user ID has appropriate validity
# (see /usr/share/doc/gnupg/DETAILS.gz)
# output is one line for every found key, in the following format:
#
# all log output must go to stderr, as stdout is used to pass the
# flag:sshKey to the calling function.
-#
-# expects global variable: "MODE"
process_user_id() {
local returnCode=0
local userID
userID="$1"
# set the required key capability based on the mode
- if [ "$MODE" = 'known_hosts' ] ; then
- requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
- elif [ "$MODE" = 'authorized_keys' ] ; then
- requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"
- fi
+ requiredCapability=${REQUIRED_KEY_CAPABILITY:="a"}
requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
# fetch the user ID if necessary/requested
# being processed in the key files over "bad" keys (key flag '1')
}
+# output all valid keys for specified user ID literal
+keys_for_userid() {
+ local userID
+ local noKey=
+ local nKeys
+ local nKeysOK
+ local ok
+ local sshKey
+ local tmpfile
+
+ userID="$1"
+
+ log verbose "processing: $userID"
+
+ nKeys=0
+ nKeysOK=0
+
+ IFS=$'\n'
+ for line in $(process_user_id "${userID}") ; do
+ # note that key was found
+ nKeys=$((nKeys+1))
+
+ ok=$(echo "$line" | cut -d: -f1)
+ sshKey=$(echo "$line" | cut -d: -f2)
+
+ if [ -z "$sshKey" ] ; then
+ continue
+ fi
+
+ # if key OK, output key to stdout
+ if [ "$ok" -eq '0' ] ; then
+ # note that key was found ok
+ nKeysOK=$((nKeysOK+1))
+
+ printf '%s\n' "$sshKey"
+ fi
+ done
+
+ # if at least one key was found...
+ if [ "$nKeys" -gt 0 ] ; then
+ # if ok keys were found, return 0
+ if [ "$nKeysOK" -gt 0 ] ; then
+ return 0
+ # else return 2
+ else
+ return 2
+ fi
+ # if no keys were found, return 1
+ else
+ return 1
+ fi
+}
+
# process a single host in the known_host file
process_host_known_hosts() {
local host
local tmpfile
# set the key processing mode
- export MODE='known_hosts'
+ export REQUIRED_KEY_CAPABILITY="$REQUIRED_HOST_KEY_CAPABILITY"
host="$1"
userID="ssh://${host}"
local sshKey
# set the key processing mode
- export MODE='authorized_keys'
+ export REQUIRED_KEY_CAPABILITY="$REQUIRED_USER_KEY_CAPABILITY"
userID="$1"
# fingerprints, one per line:
list_primary_fingerprints() {
local fake=$(msmktempdir)
- GNUPGHOME="$fake" gpg --no-tty --quiet --import
+ trap "rm -rf $fake" EXIT
+ GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null
GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \
awk -F: '/^fpr:/{ print $10 }'
+ trap - EXIT
+ rm -rf "$fake"
+}
+
+# takes an OpenPGP key or set of keys on stdin, a fingerprint or other
+# key identifier as $1, and outputs the gpg-formatted information for
+# the requested keys from the material on stdin
+get_cert_info() {
+ local fake=$(msmktempdir)
+ trap "rm -rf $fake" EXIT
+ GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null
+ GNUPGHOME="$fake" gpg --with-colons --fingerprint --fixed-list-mode --list-keys "$1"
+ trap - EXIT
rm -rf "$fake"
}
my $foundfprstr = Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex();
# left-pad with 0's to bring up to full 40-char (160-bit) fingerprint:
$foundfprstr = sprintf("%040s", $foundfprstr);
+ my $matched = 0;
# is this a match?
if ((!defined($data->{target}->{fpr})) ||
}
$data->{key} = { 'rsa' => $pubkey,
'timestamp' => $key_timestamp };
+ $matched = 1;
}
if ($tag != $packet_types->{seckey} &&
}
return;
}
- if (!defined($data->{key})) {
+ if (!$matched) {
# we don't think the public part of this key matches
if ($readbytes < $packetlen) {
read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n";
return $data->{key}->{rsa};
}
+sub findkeyfprs {
+ my $data = shift;
+ my $instr = shift;
+ my $tag = shift;
+ my $packetlen = shift;
+
+ findkey($data, $instr, $tag, $packetlen);
+ if (defined($data->{key})) {
+ if (defined($data->{key}->{rsa}) && defined($data->{key}->{timestamp})) {
+ $data->{keys}->{fingerprint($data->{key}->{rsa}, $data->{key}->{timestamp})} = $data->{key};
+ } else {
+ die "should have found some key here";
+ }
+ undef($data->{key});
+ }
+};
+
+sub getallprimarykeys {
+ my $instr = shift;
+
+ my $subs = { $packet_types->{pubkey} => \&findkeyfprs,
+ $packet_types->{seckey} => \&findkeyfprs,
+ };
+ my $data = {target => { } };
+
+ packetwalk($instr, $subs, $data);
+
+ if (defined $data->{keys}) {
+ return $data->{keys};
+ } else {
+ return {};
+ }
+}
+
sub adduserid {
my $instr = shift;
my $fpr = shift;
});
print $newuid;
+ } elsif (/^listfprs$/) {
+ my $instream;
+ open($instream,'-');
+ binmode($instream, ":bytes");
+ my $keys = getallprimarykeys($instream);
+ printf("%s\n", join("\n", map { uc(unpack('H*', $_)) } keys(%{$keys})));
} else {
die "Unrecognized subcommand. keytrans subcommands are not a stable interface!\n";
}
local keyID
local editCommands
local fifoDir
+ local keyType
# get options
while true ; do
# check that an authentication subkey does not already exist
check_gpg_authentication_subkey "$keyID"
+ # determine which keyType to use from gpg version
+ keyType=7
+ case $(gpg --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in
+ 1)
+ if is_gpg_version_greater_equal 1.4.10 ; then
+ keyType=8
+ fi
+ ;;
+ 2)
+ if is_gpg_version_greater_equal 2.0.13 ; then
+ keyType=8
+ fi
+ ;;
+ *)
+ keyType=8
+ ;;
+ esac
+
# generate the list of commands that will be passed to edit-key
editCommands="addkey
-8
+$keyType
S
E
A
log info "key found:"
gpg_sphere "--fingerprint 0x${fingerprint}!"
- if [ "$PROMPT" = "true" ] ; then
+ if [ "$PROMPT" != "false" ] ; then
printf "Are you sure you want to add the above key as a certifier\nof users on this system? (Y/n) " >&2
read OK; OK=${OK:-Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
# FIXME: should we be doing a fancier list_certifier output here?
gpg_core --list-key --fingerprint "0x${keyID}!" || failure
-if [ "$PROMPT" = "true" ] ; then
+if [ "$PROMPT" != "false" ] ; then
printf "Really remove the above listed identity certifier? (Y/n) " >&2
read OK; OK=${OK:-Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
unames=$(list_users)
fi
-# set mode
-MODE="authorized_keys"
-
# set gnupg home
GNUPGHOME="$GNUPGHOME_SPHERE"
+++ /dev/null
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere host add-hostname subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-# add hostname user ID to server key
-
-add_hostname() {
-
-local userID
-local fingerprint
-local tmpuidMatch
-local line
-local adduidCommand
-
-if [ -z "$1" ] ; then
- failure "You must specify a hostname to add."
-fi
-
-userID="ssh://${1}"
-
-# test that the desired user ID does not already exist
-find_host_userid "$userID" && \
- failure "Host userID '$userID' already exists."
-
-if [ "$PROMPT" = "true" ] ; then
- printf "The following user ID will be added to the host key:\n %s\nAre you sure you would like to add this user ID? (Y/n) " "$userID" >&2
- read OK; OK=${OK:=Y}
- if [ "${OK/y/Y}" != 'Y' ] ; then
- failure "User ID not added."
- fi
-else
- log debug "adding user ID without prompting."
-fi
-
-# execute edit-key script
-if PEM2OPENPGP_USAGE_FLAGS=authenticate \
- <"$GNUPGHOME_HOST/secring.gpg" \
- "$SYSSHAREDIR/keytrans" adduserid \
- "$HOST_FINGERPRINT" "$userID" | gpg_host --import ; then
- gpg_host --check-trustdb
-
- update_gpg_pub_file
-
- show_key
-
- echo
- echo "NOTE: User ID added to key, but key not published."
- echo "Run '$PGRM publish-key' to publish the new user ID."
-else
- failure "Problem adding user ID."
-fi
-
-}
--- /dev/null
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host add-hostname subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2010, and are all released under the GPL,
+# version 3 or later.
+
+# add servicename user ID to server key
+
+add_name() {
+
+local serviceName
+local keyID
+local fingerprint
+local tmpuidMatch
+local line
+local adduidCommand
+
+if [ -z "$1" ] ; then
+ failure "You must specify a service name to add."
+fi
+serviceName="$1"
+shift
+
+keyID=$(check_key_input "$@")
+
+# test that the desired user ID does not already exist
+check_key_userid "$keyID" "$serviceName" && \
+ failure "Service name '$serviceName' already exists on key '$keyID'."
+
+# test that a key with that user ID does not already exist
+prompt_userid_exists "$serviceName"
+
+check_service_name "$serviceName"
+
+if [ "$PROMPT" != "false" ] ; then
+ printf "The following service name will be added to key '$keyID':\n %s\nAre you sure you would like to add this service name? (Y/n) " "$serviceName" >&2
+ read OK; OK=${OK:=Y}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "Service name not added."
+ fi
+else
+ log debug "adding service name without prompting."
+fi
+
+# execute edit-key script
+if PEM2OPENPGP_USAGE_FLAGS=authenticate \
+ <"$GNUPGHOME_HOST/secring.gpg" \
+ "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \
+ | gpg_host --import ; then
+
+ gpg_host --check-trustdb
+
+ update_pgp_pub_file
+
+ show_key "$keyID"
+
+ echo
+ echo "NOTE: Service name added to key, but key not published."
+ echo "Run '$PGRM publish-key' to publish the new service name."
+else
+ failure "Problem adding service name."
+fi
+
+}
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008, and are all released under the GPL, version 3
-# or later.
+# They are Copyright 2008-2010, and are all released under the GPL,
+# version 3 or later.
# add a revoker to the host key
add_revoker() {
+local revokerKeyID
local keyID
local tmpDir
local fingerprint
local addrevokerCommand
-keyID="$1"
-
# check that key ID or file is specified
-if [ -z "$keyID" ] ; then
+if [ -z "$1" ] ; then
failure "You must specify the key ID of a revoker key, or specify a file to read the key from."
fi
+revokerKeyID="$1"
+shift
+
+keyID=$(check_key_input "$@")
# make a temporary directory for storing keys during import, and set
# the trap to delete it on exit
trap "rm -rf $tmpDir" EXIT
# if file is specified
-if [ -f "$keyID" -o "$keyID" = '-' ] ; then
+if [ -f "$revokerKeyID" -o "$revokerKeyID" = '-' ] ; then
# load the key from stdin
- if [ "$keyID" = '-' ] ; then
+ if [ "$revokerKeyID" = '-' ] ; then
# make a temporary file to hold the key from stdin
- keyID="$tmpDir"/importkey
- log verbose "reading key from stdin..."
- cat > "$keyID"
+ revokerKeyID="$tmpDir"/importkey
+ log verbose "reading revoker key from stdin..."
+ cat > "$revokerKeyID"
# load the key from the file
- elif [ -f "$keyID" ] ; then
- log verbose "reading key from file '$keyID'..."
+ elif [ -f "$revokerKeyID" ] ; then
+ log verbose "reading revoker key from file '$revokerKeyID'..."
fi
# check the key is ok as monkeysphere user before loading
log debug "checking keys in file..."
fingerprint=$(su_monkeysphere_user \
- ". ${SYSSHAREDIR}/common; list_primary_fingerprints" < "$keyID")
+ ". ${SYSSHAREDIR}/common; list_primary_fingerprints" < "$revokerKeyID")
if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
failure "There was not exactly one gpg key in the file."
fi
# load the key
- gpg_host --import <"$keyID" \
- || failure "could not read key from '$keyID'"
+ gpg_host --import <"$revokerKeyID" \
+ || failure "could not read revoker key from '$revokerKeyID'"
-# else, get the key from the keyserver
+# else, get the revoker key from the keyserver
else
# fix permissions and ownership on temporary directory which will
# be used by monkeysphere user for storing the downloaded key
chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_GROUP" "$tmpDir"
# download the key from the keyserver as the monkeysphere user
- log verbose "searching keyserver $KEYSERVER for keyID $keyID..."
- su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --keyserver $KEYSERVER --recv-key 0x${keyID}!" \
- || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
+ log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..."
+ su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --keyserver $KEYSERVER --recv-key 0x${revokerKeyID}!" \
+ || failure "Could not receive a key with this ID from keyserver '$KEYSERVER'."
# get the full fingerprint of new revoker key
log debug "getting fingerprint of revoker key..."
- fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --list-key --with-colons --with-fingerprint 0x${keyID}!" \
+ fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --list-key --with-colons --with-fingerprint ${revokerKeyID}" \
| grep '^fpr:' | cut -d: -f10)
# test that there is only a single fingerprint
failure
fi
- log info "key found:"
+ log info "revoker key found:"
su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --fingerprint 0x${fingerprint}!"
if [ "$PROMPT" = "true" ] ; then
- printf "Are you sure you want to add the above key as a revoker\nof the host key? (Y/n) " >&2
+ printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2
read OK; OK=${OK:-Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "revoker not added."
fi
# export the new key to the host keyring
- log debug "loading key into host keyring..."
+ log debug "loading revoker key into host keyring..."
su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --export 0x${fingerprint}!" \
| gpg_host --import
fi
# core ltsigns the newly imported revoker key
log debug "executing add revoker script..."
-if echo "$addrevokerCommand" | gpg_host_edit ; then
+if echo "$addrevokerCommand" | gpg_host_edit "0x${keyID}!" ; then
- update_gpg_pub_file
+ update_pgp_pub_file
log info "Revoker added."
else
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008-2009, and are all released under the GPL,
+# They are Copyright 2008-2010, and are all released under the GPL,
# version 3 or later.
-# check on the status and validity of the key and public certificates
+# check on the status and validity of the host's public certificates (and keys?)
-diagnostics() {
-
-local seckey
-local keysfound
-local curdate
-local warnwindow
-local warndate
-local create
-local expire
-local uid
-local fingerprint
-local badhostkeys
-local problemsfound=0
-
-if ! [ -d "$SYSDATADIR" ] ; then
- echo "! no $SYSDATADIR directory found. Please create it."
- exit
-fi
-
-if ! [ -f "$HOST_KEY_FILE" ] ; then
- echo "No host key gpg pub file found!"
- echo " - Recommendation: run 'monkeysphere-host import-key'"
- exit
-fi
+# global vars for communicating between functions:
-# load the host key fingerprint
-load_fingerprint
-
-seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
-keysfound=$(echo "$seckey" | grep -c ^sec:)
-curdate=$(date +%s)
+MHD_CURDATE=$(date +%s)
# warn when anything is 2 months away from expiration
-warnwindow='2 months'
-warndate=$(advance_date $warnwindow +%s)
-
-if ! id monkeysphere >/dev/null ; then
- echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
- problemsfound=$(($problemsfound+1))
-fi
+MHD_WARNWINDOW='2 months'
+MHD_WARNDATE=$(advance_date $MHD_WARNWINDOW +%s)
+MHD_PROBLEMSFOUND=0
+
+
+diagnose_key() {
+ local fpr="$1"
+ local certinfo
+ local create
+ local expire
+ local uid
+ local keysfound
+ local uiderrs
+ local errcount
+
+ printf "Checking OpenPGP Certificate for key 0x%s\n" "$fpr"
+
+ certinfo=$(get_cert_info "0x$fpr" <"$HOST_KEY_FILE")
+ keysfound=$(grep -c ^pub: <<<"$certinfo")
+
+ if [ "$keysfound" -lt 1 ] ; then
+ printf "! Could not find key with fingerprint 0x%s\n" "$fpr"
+ # FIXME: recommend a way to resolve this!
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1))
+ fi
-echo "Checking host GPG key..."
-if (( "$keysfound" < 1 )); then
- echo "! No host key found. The monkeysphere-host data directory is corrupt?!?!"
- echo " - Recommendation: purge the MHDATADIR ($MHDATADIR) and rerun 'monkeysphere-host import-key'"
- problemsfound=$(($problemsfound+1))
-elif (( "$keysfound" > 1 )); then
- echo "! More than one host key found?"
- # FIXME: recommend a way to resolve this
- problemsfound=$(($problemsfound+1))
-else
- create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
- expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
- fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
+ create=$(echo "$certinfo" | grep ^pub: | cut -f6 -d:)
+ expire=$(echo "$certinfo" | grep ^pub: | cut -f7 -d:)
# check for key expiration:
if [ "$expire" ]; then
- if (( "$expire" < "$curdate" )); then
- echo "! Host key is expired."
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
- problemsfound=$(($problemsfound+1))
- elif (( "$expire" < "$warndate" )); then
- echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
- problemsfound=$(($problemsfound+1))
+ if (( "$expire" < "$MHD_CURDATE" )); then
+ printf "! Host key 0x%s is expired.\n" "$fpr"
+ printf " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire 0x%s'\n" "$fpr"
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1))
+ elif (( "$expire" < "$MHD_WARNDATE" )); then
+ printf "! Host key 0x%s expires in less than %s: %s\n" "$fpr" "$MHD_WARNWINDOW" $(advance_date $(( $expire - $MHD_CURDATE )) seconds +%F)
+ printf " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire %s'\n" "$fpr"
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1))
fi
fi
# and weirdnesses:
- if [ "$create" ] && (( "$create" > "$curdate" )); then
- echo "! Host key was created in the future(?!). Is your clock correct?"
- echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
- problemsfound=$(($problemsfound+1))
+ if [ "$create" ] && (( "$create" > "$MHD_CURDATE" )); then
+ printf "! Host key 0x%s was created in the future(?!): %s. Is your clock correct?\n" "$fpr" $(date -d "1970-01-01 + $create seconds" +%F)
+ printf " - Recommendation: Check your clock (is it really %s?); use NTP?\n" $(date +%F_%T)
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1))
fi
# check for UserID expiration:
- echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
- while IFS=: read create expire uid ; do
- # FIXME: should we be doing any checking on the form
- # of the User ID? Should we be unmangling it somehow?
-
- if [ "$create" ] && (( "$create" > "$curdate" )); then
- echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
- echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
- problemsfound=$(($problemsfound+1))
- fi
- if [ "$expire" ] ; then
- if (( "$expire" < "$curdate" )); then
- echo "! User ID '$uid' is expired."
+ uiderrs=$(printf '%s\n' "$certinfo" | grep ^uid: | cut -d: -f6,7,10 | \
+ while IFS=: read -r create expire uid ; do
+ uid=$(gpg_unescape <<<"$uid")
+
+ check_service_name "$uid"
+ if [ "$create" ] && (( "$create" > "$MHD_CURDATE" )); then
+ printf "! The latest self-sig on User ID '%s' was created in the future(?!): %s.\n - Is your clock correct?\n" "$uid" $(date -d "1970-01-01 + $create seconds" +%F)
+ printf " - Recommendation: Check your clock (is it really %s ?); use NTP?\n" $(date +%F_%T)
+ fi
+ if [ "$expire" ] ; then
+ if (( "$expire" < "$MHD_CURDATE" )); then
+ printf "! User ID '%s' is expired.\n" "$uid"
# FIXME: recommend a way to resolve this
- problemsfound=$(($problemsfound+1))
- elif (( "$expire" < "$warndate" )); then
- echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ elif (( "$expire" < "$MHD_WARNDATE" )); then
+ printf "! User ID '%s' expires in less than %s: %s\n" "%s" "$MHD_WARNWINDOW" $(advance_date $(( $expire - $MHD_CURDATE )) seconds +%F)
# FIXME: recommend a way to resolve this
- problemsfound=$(($problemsfound+1))
+ fi
fi
- fi
- done
+ done)
+ errcount=$(grep -c '^!' <<<"$uiderrs") || \
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+ $errcount ))
+ printf '%s\n' "$uiderrs"
+
+
# FIXME: verify that the host key is properly published to the
# keyservers (do this with the non-privileged user)
# FIXME: propose adding a revoker to the host key if none exist (do we
# have a way to do that after key generation?)
-# FIXME: test (with ssh-keyscan?) that the running ssh
-# daemon is actually offering the monkeysphere host key.
+# FIXME: test (with ssh-keyscan?) that any running ssh daemon is
+# actually offering the monkeysphere host key, if such a key is
+# loaded.
+
+# FIXME: scan /proc/net/tcp and /proc/net/tcp6 to see what
+# known-crypto ports (ssh, https, imaps?, ldaps?, etc) are in use
+# locally. Propose bringing them into the monkeysphere.
+
+# FIXME: ensure that the key is of a reasonable size
+
+# FIXME: ensure that the cert has the right key usage flags
+
+# FIXME: ensure that the key doesn't match any known blacklist
+}
+
+diagnostics() {
+
+MHD_PROBLEMSFOUND=0
+
+
+if ! [ -d "$SYSDATADIR" ] ; then
+ echo "! no $SYSDATADIR directory found. Please create it."
+ exit
+fi
+if ! [ -f "$HOST_KEY_FILE" ] ; then
+ echo "No host OpenPGP certificates file found!"
+ echo " - Recommendation: run 'monkeysphere-host import-key' with a service key"
+ exit
fi
+if ! id monkeysphere >/dev/null ; then
+ echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
+ MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1))
+fi
+
+echo "Checking host OpenPGP certificates..."
+multi_key diagnose_key
+
# FIXME: look at the ownership/privileges of the various keyrings,
# directories housing them, etc (what should those values be? can
# we make them as minimal as possible?)
# report on any cruft from old monkeysphere version
report_cruft
-if [ "$problemsfound" -gt 0 ]; then
- echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
+if [ "$MHD_PROBLEMSFOUND" -gt 0 ]; then
+ echo "When the above $MHD_PROBLEMSFOUND issue"$(if [ "$MHD_PROBLEMSFOUND" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
echo " monkeysphere-host diagnostics"
else
echo "Everything seems to be in order!"
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008-2009 and are all released under the GPL,
+# They are Copyright 2008-2010 and are all released under the GPL,
# version 3 or later.
import_key() {
-local sshKeyFile
-local hostName
-local domain
-local userID
-
-sshKeyFile="$1"
-hostName="$2"
+local keyFile="$1"
+local serviceName="$2"
# check that key file specified
-if [ -z "$sshKeyFile" ] ; then
- failure "Must specify ssh key file to import, or specify '-' for stdin."
+if [ -z "$keyFile" ] ; then
+ failure "Must specify PEM-encoded key file to import, or specify '-' for stdin."
fi
# fail if hostname not specified
-if [ -z "$hostName" ] ; then
- failure "You must specify a fully-qualified domain name for use in the host certificate user ID."
+if [ -z "$serviceName" ] ; then
+ failure "You must specify a service name for use in the OpenPGP certificate user ID."
fi
-userID="ssh://${hostName}"
+# test that a key with that user ID does not already exist
+prompt_userid_exists "$serviceName"
+
+# check that the service name is well formatted
+check_service_name "$serviceName"
# create host home
mkdir -p "${MHDATADIR}"
mkdir -p "${GNUPGHOME_HOST}"
chmod 700 "${GNUPGHOME_HOST}"
-# import ssh key to a private key
-if [ "$sshKeyFile" = '-' ] ; then
- log verbose "importing ssh key from stdin..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+# import pem-encoded key to an OpenPGP private key
+if [ "$keyFile" = '-' ] ; then
+ log verbose "importing key from stdin..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
| gpg_host --import
else
- log verbose "importing ssh key from file '$sshKeyFile'..."
- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
- <"$sshKeyFile" \
+ log verbose "importing key from file '$keyFile'..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+ <"$keyFile" \
| gpg_host --import
fi
-# load the new host fpr into the fpr variable. this is so we can
-# create the gpg pub key file. we have to do this from the secret key
-# ring since we obviously don't have the gpg pub key file yet, since
-# that's what we're trying to produce (see below).
-load_fingerprint_secret
-
-# export to gpg public key to file
-update_gpg_pub_file
+# export to OpenPGP public key to file
+update_pgp_pub_file
log info "host key imported:"
# show info about new key
-show_key
+show_key "$serviceName"
}
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008-2009, and are all released under the GPL, version 3
-# or later.
+# They are Copyright 2008-2010, and are all released under the GPL,
+# version 3 or later.
-# publish server key to keyserver
+# publish keys to keyserver
publish_key() {
+local keyID="$1"
local GNUPGHOME
-if [ "$PROMPT" = "true" ] ; then
- printf "Really publish host key to $KEYSERVER? (Y/n) " >&2
+if [ "$PROMPT" != "false" ] ; then
+ printf "Really publish key '$keyID' to $KEYSERVER? (Y/n) " >&2
read OK; OK=${OK:=Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "key not published."
fi
else
- log debug "publishing key without prompting."
+ log debug "publishing key '$keyID' without prompting."
fi
# create a temporary gnupg directory from which to publish the key
# trap to remove tmp dir if break
trap "rm -rf $GNUPGHOME" EXIT
-# import the host key into the tmp dir
+# import the key into the tmp dir
su_monkeysphere_user \
"gpg --quiet --import" <"$HOST_KEY_FILE"
-# publish host key
+# publish key
su_monkeysphere_user \
- "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'"
+ "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'"
# remove the tmp file
trap - EXIT
+++ /dev/null
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere host revoke-hostname subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-# revoke hostname user ID from host key
-
-revoke_hostname() {
-
-local userID
-local fingerprint
-local tmpuidMatch
-local line
-local message
-local revuidCommand
-
-if [ -z "$1" ] ; then
- failure "You must specify a hostname to revoke."
-fi
-
-userID="ssh://${1}"
-
-# make sure the user ID to revoke
-find_host_userid "$userID" || \
- failure "No non-revoked user ID found matching '$userID'."
-
-if [ "$PROMPT" = "true" ] ; then
- printf "The following host key user ID will be revoked:\n %s\nAre you sure you would like to revoke this user ID? (Y/n) " "$userID" >&2
- read OK; OK=${OK:=Y}
- if [ "${OK/y/Y}" != 'Y' ] ; then
- failure "User ID not revoked."
- fi
-else
- log debug "revoking user ID without prompting."
-fi
-
-# actually revoke:
-
-# the gpg secring might not contain the host key we are trying to
-# revoke (let alone any selfsig over that host key), but the plain
-# --export won't contain the secret key. "keytrans revokeuserid"
-# needs access to both pieces, so we feed it both of them.
-
-if (cat "$GNUPGHOME_HOST/secring.gpg" && gpg_host --export "$HOST_FINGERPRINT") | \
- "$SYSSHAREDIR/keytrans" revokeuserid \
- "$HOST_FINGERPRINT" "$userID" | gpg_host --import ; then
- gpg_host --check-trustdb
-
- update_gpg_pub_file
-
- show_key
-
- echo
- echo "NOTE: User ID revoked, but revocation not published."
- echo "Run '$PGRM publish-key' to publish the revocation."
-else
- failure "Problem revoking user ID."
-fi
-
-}
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008-2009, and are all released under the GPL,
+# They are Copyright 2008-2010, and are all released under the GPL,
# version 3 or later.
# revoke host key
revoke_key() {
-# Coming in here, we expect $HOST_FINGERPRINT to be set, and we
-# believe that there is in fact a key.
+ local keyID
+ local publish
+
+ keyID=$(check_key_input "$@")
if [ "$PROMPT" = "false" ] ; then
publish=N
else
cat <<EOF >&2
-This will generate a revocation certificate for your host key
-(fingerprint: $HOST_FINGERPRINT) and
-dump the certificate to standard output.
+This will generate a revocation certificate for key $keyID
+and dump the certificate to standard output.
It can also directly publish the new revocation certificate
to the public keyservers via $KEYSERVER if you want it to.
y
"
- revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${HOST_FINGERPRINT}!" <<<"$revoke_commands" ) \
+ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${keyID}!" <<<"$revoke_commands" ) \
|| failure "Failed to generate revocation certificate!"
-
else
# note: we're not using the gpg_host function because we actually
# want to use gpg's UI in this case, so we want to omit --no-tty
- revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!") \
+ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \
|| failure "Failed to generate revocation certificate!"
fi
--- /dev/null
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host revoke-hostname subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2010, and are all released under the GPL,
+# version 3 or later.
+
+# revoke service name user ID from host key
+
+revoke_name() {
+
+local serviceName
+local keyID
+local fingerprint
+local tmpuidMatch
+local line
+local message
+local revuidCommand
+
+if [ -z "$1" ] ; then
+ failure "You must specify a service name to revoke."
+fi
+serviceName="$1"
+shift
+
+keyID=$(check_key_input "$@")
+
+# make sure the user ID to revoke exists
+check_key_userid "$keyID" "$serviceName" || \
+ failure "No non-revoked service name found matching '$serviceName'."
+
+if [ "$PROMPT" != "false" ] ; then
+ printf "The following service name on key '$keyID' will be revoked:\n %s\nAre you sure you would like to revoke this service name? (Y/n) " "$serviceName" >&2
+ read OK; OK=${OK:=Y}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "User ID not revoked."
+ fi
+else
+ log debug "revoking service name without prompting."
+fi
+
+# actually revoke:
+
+# the gpg secring might not contain the host key we are trying to
+# revoke (let alone any selfsig over that host key), but the plain
+# --export won't contain the secret key. "keytrans revokeuserid"
+# needs access to both pieces, so we feed it both of them.
+
+if (cat "$GNUPGHOME_HOST/secring.gpg" && gpg_host --export "$keyID") \
+ | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \
+ | gpg_host --import ; then
+
+ gpg_host --check-trustdb
+
+ update_pgp_pub_file
+
+ show_key "$keyID"
+
+ echo
+ echo "NOTE: Service name revoked, but revocation not published."
+ echo "Run '$PGRM publish-key' to publish the revocation."
+else
+ failure "Problem revoking service name."
+fi
+
+}
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
-# They are Copyright 2008-2009, and are all released under the GPL,
+# They are Copyright 2008-2010, and are all released under the GPL,
# version 3 or later.
set_expire() {
-local extendTo
+local extendBy
+local keyID
+
+if [ -z "$1" ] ; then
+ cat <<EOF >&2
+Must specify expiration. The possibilities are:
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+EOF
+ failure
+fi
+extendBy="$1"
+shift
-# get the new expiration date
-extendTo=$(get_gpg_expiration "$1")
+keyID=$(check_key_input "$@")
-if [ "$PROMPT" = "true" ] ; then
- printf "Are you sure you want to change the expiration on the host key to '%s'? (Y/n) " "$extendTo" >&2
+if [ "$PROMPT" != "false" ] ; then
+ printf "Are you sure you want to change the expiration on key '$keyID' by '%s'? (Y/n) " "$extendBy" >&2
read OK; OK=${OK:-Y}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "expiration not set."
log debug "extending without prompting."
fi
-log info "setting host key expiration to ${extendTo}."
+log info "setting key expiration to ${extendBy}."
-log debug "executing host expire script..."
-gpg_host_edit expire <<EOF
-$extendTo
+log debug "executing key expire script..."
+gpg_host_edit "0x${keyID}!" expire <<EOF
+$extendBy
save
EOF
-update_gpg_pub_file
+update_pgp_pub_file
log info <<EOF
-NOTE: Host key expiration date adjusted, but not yet published.
+NOTE: Key expiration date adjusted, but not yet published.
Run '$PGRM publish-key' to publish the new expiration date.
EOF
--- /dev/null
+#!/bin/bash
+
+# This is a post-install script for monkeysphere, to transition an old
+# (<0.28) setup to the new (>=0.28) setup.
+
+# You should be able to run this script after any version >= 0.23 is
+# installed. This script should be well-behaved, even if it is run
+# repeatedly.
+
+# Written by
+# Jameson Rollins <jrollins@finestructure.net>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# Copyright 2010, released under the GPL, version 3 or later
+
+# any unexpected errors should cause this script to bail:
+set -e
+
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+
+OLD_HOST_KEY_FILE="$SYSDATADIR"/ssh_host_rsa_key.pub.gpg
+if [ -f "$OLD_HOST_KEY_FILE" ] ; then
+ monkeysphere-host update-pgp-pub-file
+ rm -f "$OLD_HOST_KEY_FILE"
+fi
# Jameson Rollins <jrollins@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
#
-# Copyright: 2008-2009
+# Copyright: © 2008-2010
# License: GPL v3 or later
# these tests should all be able to run as a non-privileged user.
# make a client connection to the socket
echo "##### starting ssh client..."
ssh-agent bash -c \
- "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config ${target_hostname:-testhost} true" \
+ "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config ${target_hostname:-testhost.example} true" \
|| RETURN="$?"
# kill the sshd process if it's still running
export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src/share
export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami)
+HOST_KEY_FILE="$MONKEYSPHERE_SYSCONFIGDIR"/host_keys.pub.pgp
+
export MONKEYSPHERE_CHECK_KEYSERVER=false
# example.org does not respond to the HKP port, so this should cause
# any keyserver connection attempts that do happen (they shouldn't!)
echo "##################################################"
echo "### import host key..."
ssh-keygen -b 1024 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
-monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key testhost
+monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
echo
echo "##################################################"
echo "### getting host key fingerprint..."
-HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ )
-echo "$HOSTKEYID"
+SSHHOSTKEYID=$( monkeysphere-host show-keys | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ )
+echo "$SSHHOSTKEYID"
# change host key expiration
echo
echo
echo "##################################################"
echo "### certifying server host key..."
-< "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import
-echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
+< "$HOST_KEY_FILE" gpgadmin --import
+echo y | gpgadmin --command-fd 0 --sign-key "$SSHHOSTKEYID"
# FIXME: add revoker?
monkeysphere-authentication setup
get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
-# add admin as identity certifier for testhost
+# add admin as identity certifier for testhost.example
echo
echo "##################################################"
echo "### adding admin as certifier..."
echo
echo "##################################################"
echo "### export server key to testuser..."
-gpgadmin --armor --export "$HOSTKEYID" | gpg --import
+gpgadmin --armor --export "$SSHHOSTKEYID" | gpg --import
# teach the "server" about the testuser's key
echo
######################################################################
### TESTS
+## see whether keys-for-userid works from the client's perspective:
+echo
+echo "##################################################"
+echo "### testing monkeysphere keys-for-userid ..."
+diff -q <( monkeysphere keys-for-userid ssh://testhost.example ) <( cut -f1,2 -d' ' < "$TEMPDIR"/ssh_host_rsa_key.pub )
+
# connect to test sshd, using monkeysphere ssh-proxycommand to verify
# the identity before connection. This should work in both directions!
echo
echo
echo "##################################################"
-echo "### ssh connection test directly to 'testhost2' without new name..."
-target_hostname=testhost2 ssh_test 255
+echo "### ssh connection test directly to 'testhost2.example' without new name..."
+target_hostname=testhost2.example ssh_test 255
echo
echo "##################################################"
-echo "### add hostname, certify by admin, import by user..."
-monkeysphere-host add-hostname testhost2
-< "$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg gpgadmin --import
-printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
+echo "### add servicename, certify by admin, import by user..."
+monkeysphere-host add-servicename ssh://testhost2.example
+<"$HOST_KEY_FILE" gpgadmin --import
+printf "y\ny\n" | gpgadmin --command-fd 0 --sign-key "$SSHHOSTKEYID"
echo
echo "##################################################"
-echo "### ssh connection test with hostname 'testhost2' added..."
-gpgadmin --export "$HOSTKEYID" | gpg --import
+echo "### ssh connection test with hostname 'testhost2.example' added..."
+gpgadmin --export "$SSHHOSTKEYID" | gpg --import
gpg --check-trustdb
ssh_test
echo
echo "##################################################"
-echo "### ssh connection test directly to 'testhost2' ..."
-gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg
+echo "### ssh connection test directly to 'testhost2.example' ..."
+gpg --import <"$HOST_KEY_FILE"
gpg --check-trustdb
-target_hostname=testhost2 ssh_test
+target_hostname=testhost2.example ssh_test
echo
echo "##################################################"
-echo "### ssh connection test for failure with 'testhost2' revoked..."
-monkeysphere-host revoke-hostname testhost2
-gpg --import <"$MONKEYSPHERE_SYSCONFIGDIR"/ssh_host_rsa_key.pub.gpg
+echo "### ssh connection test for failure with 'testhost2.example' revoked..."
+monkeysphere-host revoke-servicename ssh://testhost2.example
+gpg --import <"$HOST_KEY_FILE"
gpg --check-trustdb
-target_hostname=testhost2 ssh_test 255
+target_hostname=testhost2.example ssh_test 255
# FIXME: addtest: remove admin as id-certifier and check ssh failure
# FIXME: addtest: how do we test that set-expire makes sense after new
-# hostnames have been added?
-
-# FIXME: addtest: revoke the host key and check ssh failure
+# servicenames have been added?
# test to make sure things are OK after the previous tests:
echo
echo
echo "##################################################"
-echo "### revoking host key..."
+echo "### Testing TLS setup..."
+
+openssl req -config "$TESTDIR"/openssl.cnf -x509 -newkey rsa:1024 -subj '/DC=example/DC=testhost/CN=testhost.example/' -days 3 -keyout "$TEMPDIR"/tls_key.pem -nodes >"$TEMPDIR"/tls_cert.pem
+monkeysphere-host import-key "$TEMPDIR"/tls_key.pem https://testhost.example
+
+# FIXME: how can we test this via an https client?
+# We don't currently provide one.
+
+# FIXME: should we test other monkeysphere-host operations somehow now
+# that we have more than one key in the host keyring?
+
+echo
+echo "##################################################"
+echo "### revoking ssh host key..."
# generate the revocation certificate and feed it directly to the test
# user's keyring (we're not publishing to the keyservers)
-monkeysphere-host revoke-key | gpg --import
+monkeysphere-host revoke-key "$SSHHOSTKEYID" | gpg --import
echo
echo "##################################################"
echo "### ssh connection test for failure..."
<(hd "$TEMPDIR"/secret.key) \
<(hd "$TEMPDIR"/converted.secret.key)
-
-KEYID=$(gpg --fingerprint --with-colons --list-keys | grep ^fpr | cut -f10 -d: | cut -b25-40)
+KEYFPR=$(gpg --fingerprint --with-colons --list-keys | grep ^fpr | cut -f10 -d:)
+KEYID=$(printf "%s" "$KEYFPR" | cut -b25-40)
echo "conversions look good!"
diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons --fixed-list-mode | grep -v ^tru)
+echo "##################################################"
+echo "### test working with two primary keys ... "
+
+ssh-keygen -t rsa -b 1024 -N '' -f "$TEMPDIR"/newkey
+
+PEM2OPENPGP_USAGE_FLAGS=authenticate,certify \
+PEM2OPENPGP_TIMESTAMP="$(( $timestamp + 1 ))" pem2openpgp fubar \
+ < "$TEMPDIR"/newkey > "$TEMPDIR"/newkey.gpg
+
+NEWKEYFPR=$(< "$TEMPDIR"/newkey.gpg keytrans listfprs)
+NEWKEYID=$( printf "%s" "$NEWKEYFPR" | cut -b25-40)
+
+< "$TEMPDIR"/newkey.gpg gpg --import
+
+< "$TEMPDIR"/secring.gpg \
+PEM2OPENPGP_TIMESTAMP="$timestamp" \
+ keytrans adduserid "$KEYID" "baz" | gpg --import
+
+cat >"$TEMPDIR"/expectedout <<EOF
+pub:u:1024:1:$KEYID:$timestamp:::u:::scSC:
+uid:u::::$timestamp::E90EC72E68C6C2A0751DADC70F54F60D27B88C3D::monkeymonkey:
+sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x:
+uid:r::::::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest:
+sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x:
+rev:!::1:$KEYID:$revtime::::monkeymonkey:30x:
+uid:u::::$timestamp::EDDC32D783E7F4C7B6982D9AE5DC4A61000648BA::baz:
+sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x:
+pub:-:1024:1:$NEWKEYID:$(($timestamp + 1)):::-:::caCA:
+uid:-::::$(($timestamp + 1))::A0D708F51CC257DEFC01AEDE1E0A5F329DFD8F16::fubar:
+sig:!::1:$NEWKEYID:$(($timestamp + 1))::::fubar:13x:
+EOF
+
+echo "test: diff expected gpg list output"
+diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons --fixed-list-mode | grep -v ^tru)
+
+sort >"$TEMPDIR"/expectedout <<EOF
+$KEYFPR
+$NEWKEYFPR
+EOF
+
+echo "test: diff expected keytrans listfpr output"
+diff -u "$TEMPDIR"/expectedout <( < "$TEMPDIR"/secring.gpg keytrans listfprs | sort )
+
## FIXME: addtest: not testing subkeys at the moment.
--- /dev/null
+# OpenSSL configuration for the purposes of the monkeysphere test suite:
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ req ]
+attributes = req_attributes
+x509_extensions = monkeysphere_self_signed
+distinguished_name = req_dn
+attributes = req_attrs
+
+[ monkeysphere_self_signed ]
+
+# Just generate an X.509 cert that is for specific use as a TLS server
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+nsCertType = server
+
+[ req_dn ]
+commonName = Common Name
+commonName_max = 64
+
+[ req_attrs ]
#!/bin/bash
-VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^)]*\)).*/\1/'`
+# script to build a release announcement for the Monkeysphere
+# if you're running this, you probably also want to read through
+# the checklist in utils/preparing-release.
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Copyright: © 2008-2010
+# License: GPL, v3 or later
+
+VERSION=`head -n1 changelog | sed 's/.*(\([^)]*\)).*/\1/'`
{
sed "s/__VERSION__/$VERSION/g" < utils/releasenote.header
- head -n$(( $(grep -n '^ --' packaging/debian/changelog | head -n1 | cut -f1 -d:) - 2 )) packaging/debian/changelog | tail -n+3
+ head -n$(( $(grep -n '^ --' changelog | head -n1 | cut -f1 -d:) - 2 )) changelog | tail -n+3
sed "s/__VERSION__/$VERSION/g" < utils/releasenote.footer
} > "website/news/release-$VERSION.mdwn"
### Notes about preparing a release for the monkeysphere ###
- * make sure that packaging/debian/changelog has a reasonable version
- number.
+ * make sure that changelog and packaging/debian/changelog both have
+ reasonable version numbers.
* have the monkeysphere archive signing key handy!
This command will build an upstream tarball, attach the debian packaging
directory, and build a sample deb.
+If you want to help extend the scope of the Monkeysphere, take a look
+at our
+[list of environments that could make use of the project](/expansion).
+
### Individual developer repositories ###
You might also be interested in the repositories of individual
git clone git://lair.fifthhorseman.net/~dkg/monkeysphere
-[Jameson Graef Rollins](http://cmrg.fifthhorseman.net/wiki/jrollins):
+[Jameson Rollins](http://cmrg.fifthhorseman.net/wiki/jrollins):
git clone git://lair.fifthhorseman.net/~jrollins/monkeysphere
is available](/community) via [git](http://git.or.cz/).
The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.26.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.28.orig.tar.gz)
is also available, and has these checksums:
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-checksums for the monkeysphere 0.26 release:
+checksums for the monkeysphere 0.28 release:
MD5:
-f0e5fe66a9affd951e601ea5d6188972 monkeysphere_0.26.orig.tar.gz
+b66f671ec48725a0eb55de7de4d7ce6d monkeysphere_0.28.orig.tar.gz
SHA1:
-de0125e43c8c7d7d98f45f9395576ff06e150307 monkeysphere_0.26.orig.tar.gz
+ead634e0ea0a795e8a96812b7397d318a4be54b0 monkeysphere_0.28.orig.tar.gz
SHA256:
-e743a0642f0da5d6ecea6cb3c8ff6c05ac56a094c351a7fdca2a4a707fe05c00 monkeysphere_0.26.orig.tar.gz
+b463577d36d6e8f5eb698d8e3c75d27bcfb3f928628c128f5d342e8a83bef6f2 monkeysphere_0.28.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQIVAwUBSnSzIRjmZ/HrivMUAQqQdw//SZ5OrjB+FFe/+sRyRBv3YcjSO7Iif8uo
-ZG8LPbba9v0qUT/pOvMTXij2Wm3dFwgphrNCJgYriHx/0MdvPuHpz+TXRIVFRD7Q
-CNHrG9kuf6BFClqyQwqD1/5FMehu8hEWm0DdyEhB5pUcHzo9ExpjFGGImpI/XvZz
-/HWL7hCoZvJ8iBKyZ0dNSbDZA8WcWkYVKbc42sYYpqHM4kVjfQq37vUDBgq78d4d
-rTDiEF1+4kuwZtKKxJq8woN9+/5atpknFcnICSOobeX1PAOkj96yEAczr39pQNam
-3z2YjdQM0tJsGjguYIiYxwUAs38a/p+rX7+PvS5xY85RCLSsgOplnhSLXluXp5fO
-7Ok2FFmimxYcNfsKFaJQiOa3OaRW6u15+sxb7KNC+raNVwyw8fsaDe7eKGx/xQI5
-fnvjFHJDM3HwzBSRNcBZNacsMAfq0jaN4BAalv9nzpcynsG+vkNI6mus9eopC9/n
-9UwhMRpObndSjNoR/Erbh99jv0mvTeqdG9h9Kjbr38TT5qLWSYRftK7FHglZMmzN
-or3lgUs3bTc6bJlWE9YvGlwEduaaEY0us7fW4nPDQhT+OCHCrjCBk1ppA4SzAnE1
-qTUt5Fa7vjLPaefT58qKRXlglUhsbtVabVoeCFKBFvAebm/XS3kPh2P9Qfk6azQ7
-iJM65kCCil0=
-=tyHC
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQIVAwUBS1YAyBjmZ/HrivMUAQqbBBAAqhnDfDZukFUDEN6Y164o/AXMtBO20KUg
+GyrgjgJElQJC2oz9OooNJ60iPSOz/G+Wu5lSMnRqdKU8x50F7ogYE1Gnd+8J3c2G
+1ciDQbLrR7pE2jua7xyfA+SQgg3bSgSN/7Jl61+OosQpcI/WnJvOQWKA6TI+iRGC
+B4g87ZRSRUAVZoFDRY0lBINP70+riGrYm8b2tgp7FbpgVBtUFL8gsmxnPZ7cGYF2
+yTwg9ZCAlDQ6LIZ7DAwb2lUAtAHtlLfAhulr3qLW2SNc95vcJ7Ss7CjgIuCL8qTe
+2zX2fysG7Hgbi0G0GNjv+yomOFlRGWC1Gf3pv0Clmy7cVgIgcP61nE3djFSYa9vk
+k7cKtppNEzoleEjz+dMIOezcXCdLO2g+sQfpaYU5acRp95ouCaXYINS8DYDkaKwj
+Wjra6BSCbClzZYblOJIlCmK4JJPE4EB8NShL/VXSwV8uvtNniGNpGHeHqaKvbT+Y
+RYlCzL+/Ruyv1dQbtiBtErB8yP+psheoQYk6lU7nNy+MTH+R/xXrbHxptSDRQwru
+O1hbfONnEK6JfdVQI4zEBuBz8NVuZPPQqqy1mxLSWMxWKz4GtNbTXOR1tRFVqlxk
+eCTYdhhyIz7gu8EUwvTLZoqKOB6kQWS1ygycFRi/g+DOOXuSpazF5XmutF6HpJx1
+1nK2WBl5loE=
+=164p
-----END PGP SIGNATURE-----
</pre>
--- /dev/null
+[[meta title="Expanding the Monkeysphere"]]
+
+# Expanding the Monkeysphere #
+
+The Monkeysphere currently has implementations that support two
+popular protocols in use on the internet today:
+
+ * SSH: Monkeysphere supports the OpenSSH implementation of the Secure
+ Shell protocol, for authenticating both hosts and users.
+
+ * HTTPS: Monkeysphere supports secure web traffic by allowing users
+ of Mozilla-based browsers (such as
+ [Firefox](http://www.mozilla.com/en-US/firefox) or
+ [Iceweasel](http://wiki.debian.org/Iceweasel)) to authenticate web
+ sites that are not authenticated by the browser's built-in X.509
+ verification. This should work with any HTTPS-capable web server.
+
+But there are many protocols and implementations on the 'net that
+could use the Monkeysphere for key-based authentication but currently
+do not. Here are some examples of places we think it could be useful.
+If you can help with these (or suggest others), please pitch in!
+
+ * HTTPS client authentication: web servers should be able to
+ authenticate clients that use asymmetric crypto. That is, the
+ client holds an RSA secret key, offers a (potentially self-signed)
+ X.509 Cert to the server as part of the TLS handshake, and the
+ server verifies the key material and commonName or subjectAltName
+ in the cert via the OpenPGP web of trust.
+
+ * Other TLS connections: for example, SMTP services using STARTTLS
+ (server-to-server and client-to-server), IMAP or POP daemons (using
+ STARTTLS or a direct TLS wrapper), LDAP servers (or LDAPS), XMPP
+ connections (client-to-server and server-to-server)
+
+ * IRC connections: this could be at the TLS layer, or maybe via some
+ exchange with the NickServ?
+
+ * [OTR](http://www.cypherpunks.ca/otr) client-to-client handshakes.
+
+ * Integration with
+ [OpenPGP Certificates for TLS (RFC 5081)](http://tools.ietf.org/html/rfc5081)
+ -- TLS clients or servers who receive an OpenPGP certificate from
+ their peer should be able to ask some part of the Monkeysphere
+ toolchain if the particular certificate is valid for the
+ connection.
+
+ * [PKINIT](http://tools.ietf.org/html/rfc4556) for
+ [Kerberos](http://web.mit.edu/Kerberos/)
+
Monkeysphere Server Administrator README
========================================
- Note: This documentation is for Monkeysphere version 0.23 or later.
- If you are running a version prior to 0.23, we recommend that you upgrade.
+ Note: This documentation is for Monkeysphere version 0.28 or later.
+ If you are running a version prior to 0.28, we recommend that you upgrade.
As the administrator of an SSH server, you can take advantage of the
Monkeysphere in two ways:
you have the ssh server installed, and that you have generated a host
RSA key. Once that has been done, import the key:
- # monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key server.example.net
+ # monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://server.example.net
This will generate an OpenPGP certificate for the server. The primary
user ID for this certificate will be the ssh service URI for the host,
-(eg. `ssh://server.example.net`). Remember that the name you provide
+(e.g. `ssh://server.example.net`). Remember that the name you provide
here should probably be a fully qualified domain name for the host in
order for your users to find it.
Authors:
Dan Scott,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
-Jameson Graef Rollins <jrollins@finestructure.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Jamie McClelland <jm@mayfirst.org>
License: This stylesheet is licensed under the GNU GPL, version 3 or
--- /dev/null
+[[meta title="Monkeysphere 0.27-1 released!"]]
+
+Monkeysphere 0.27-1 has been released.
+
+Notes from the changelog:
+
+<pre>
+ * New upstream release:
+ - fixed monkeysphere gen-subkey subcommand that was erroneously
+ creating DSA subkeys due to unannounced change in gpg edit-key UI.
+ Now tests for gpg version (closes MS #1536)
+ - add new monkeysphere keys-from-userid subcommand to output all
+ acceptable keys for a given user ID literal
+ * updated debian/copyright to match the latest revision of DEP5.
+ * updated standards version to 3.8.3 (no changes needed)
+ * add cpio to Build-Depends (used in test suite) (Closes: #562444)
+</pre>
+
+[[Download]] it now!
--- /dev/null
+[[meta title="Monkeysphere 0.28 released!"]]
+
+Monkeysphere 0.28 has been released.
+
+Notes from the changelog:
+
+<pre>
+ * Major rework of monkeysphere-host to handle multiple host keys. We
+ also no longer assume ssh service keys. monkeysphere-host is now a
+ general-purpose host service OpenPGP key management UI.
+ * Rename keys-from-userid command to more accurate keys-for-userid
+ * separate upstream and debian changelogs
+</pre>
+
+[[Download]] it now!
projects / monkeysphere.git / commitdiff