+monkeysphere (0.8-1) UNRELEASED; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: switched Vcs-Git to use "centralized" git repo instead
+ of my own.
+ * More monkeysphere-server diagnostics
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 07 Aug 2008 13:31:14 -0400
+
monkeysphere (0.7-1) experimental; urgency=low
[ Daniel Kahn Gillmor ]
Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0)
Standards-Version: 3.8.0.1
Homepage: http://monkeysphere.info/
-Vcs-Git: http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git
+Vcs-Git: git://monkeysphere.info/monkeysphere
Dm-Upload-Allowed: yes
Format: 3.0 (git)
always removed from known_hosts file. Ask user to lsign the host
key?
-Handle multiple hostnames (multiple user IDs?) when generating host
- keys with gen-key.
-
Work out the details (and describe a full use case) for assigning a
REVOKER during monkeysphere-server gen_key -- how is this set? How
do we export it so it's available when a second-party revocation is
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2008-08-07 - dkg
+ * aptitude update && aptitude dist-upgrade
+ * removed debian's experimental from the sources.list
+ * removed experimental stanza from /etc/apt/preferences (now the
+ monkeysphere packages should upgrade automatically)
+ * upgraded to monkeysphere 0.7-1
+ * installed runit
+ * set up a public git daemon service to serve git repos from
+ george, using runit. (root-served repos are served from
+ /srv/git, but ~USER/public_git is supported as well, if anyone
+ wants to use that for publication).
+
2008-08-03 - dkg
* aptitude update && aptitude dist-upgrade
* installed iproute
# (see /usr/share/doc/gnupg/DETAILS.gz)
# output is one line for every found key, in the following format:
#
-# flag fingerprint
+# flag:fingerprint
#
# "flag" is an acceptability flag, 0 = ok, 1 = bad
# "fingerprint" is the fingerprint of the key
fi
;;
'uid') # user ids
+ if [ "$lastKey" != pub ] ; then
+ log " - got a user ID after a sub key! user IDs should only follow primary keys!"
+ continue
+ fi
+ # don't bother with a uid if there is no valid or reasonable primary key.
+ if [ "$keyOK" != true ] ; then
+ continue
+ fi
# if an acceptable user ID was already found, skip
if [ "$uidOK" ] ; then
continue
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
log " * acceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated."
+ log " ! primary key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
log " - unacceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated."
+ log " ! primary key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
lastKey=sub
lastKeyOK=
fingerprint=
+
+ # don't bother with sub keys if the primary key is not valid
+ if [ "$keyOK" != true ] ; then
+ continue
+ fi
+ # don't bother with sub keys if no user ID is acceptable:
+ if [ "$uidOK" != true ] ; then
+ continue
+ fi
+
# if sub key validity is not ok, skip
if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
continue
continue
fi
- # output a line for the primary key
+ # output a line for the sub key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
log " * acceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated."
+ log " ! sub key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
log " - unacceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated."
+ log " ! sub key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
---
-I'm not sure I really want to include this hack with the debs. It's really not useful for any kind of regular use. I would rather focus on getting openpgp2ssh to support passprotected keys.
+I'm not sure I really want to include this hack with the debs. It's
+really not useful for any kind of regular use. I would rather focus
+on getting openpgp2ssh to support passprotected keys.
-As another possibility, I was planning on modifying the script so that it could export to a passprotected file. I think this would be a lot more useful. Let me get that working, then let's revist the issue of including it in the packaging.
+As another possibility, I was planning on modifying the script so that
+it could export to a passprotected file. I think this would be a lot
+more useful. Let me get that working, then let's revist the issue of
+including it in the packaging.
--- Big Jimmy.
+-- Big Jimmy
---
-> Ok - sounds good to me. I'm thinking in terms of getting other people to try
-> out the Monkeysphere - maybe the README should just say: we're only half
-> done. You can verify the identity of servers, but we haven't completed the
-> part about verifying you to a server. Then it could say: if you're really
-> interested, you can run this hacky script but we make no guarantees.
+Ok - sounds good to me. I'm thinking in terms of getting other people to try
+out the Monkeysphere - maybe the README should just say: we're only half
+done. You can verify the identity of servers, but we haven't completed the
+part about verifying you to a server. Then it could say: if you're really
+interested, you can run this hacky script but we make no guarantees.
+
-- Sir Jam Jam
--- /dev/null
+[[meta title="Support multiple host names for monkeysphere-enabled servers"]]
+
+Some monkeysphere-enabled hosts answer to multiple host names, but the
+current `monkeysphere-server` only generates a single User ID
+corresponding to a single hostname.
+
+We should make it easier for machines with multiple names to create
+multiple User IDs at `gen-key` time.
+
+We should also make it easy to add new hostnames (and remove outdated
+ones).
+
+For example: `george.riseup.net` is now also known as
+`monkeysphere.info`. It'd be nice to have a convenient way to add
+that hostname to the key without mucking around with gpg directly.
-- Big Jimmy.
-> Maybe we should use George? As you point out - it doesn't actually
-> have to do any user authentication. It seems like a waste to have a
-> virtual machine that does nothing but deny people's ssh connections.
-> And - george is already setup and ready to go.
-> -- Sir Jam Jam
+---
+
+Maybe we should use George? As you point out - it doesn't actually
+have to do any user authentication. It seems like a waste to have a
+virtual machine that does nothing but deny people's ssh connections.
+And - george is already setup and ready to go.
+-- Sir Jam Jam
+
+---
I like the idea of using George for this. There's nothing wrong with
denying people's ssh connections. Also, we could make public user
You can verify george's ssh host key with the monkeysphere
before you connect to the host. Here's how...
+
+--dkg
You can add this repo to your system by putting the following lines in
/etc/apt/sources.list.d/monkeysphere.list:
- deb http://george.riseup.net/debian experimental monkeysphere
- deb-src http://george.riseup.net/debian experimental monkeysphere
+ deb http://monkeysphere.info/debian experimental monkeysphere
+ deb-src http://monkeysphere.info/debian experimental monkeysphere
The repository is currently signed by [Daniel Kahn Gillmor's OpenPGP key](http://fifthhorseman.net/dkg.gpg "dkg's key"), key id D21739E9
(fingerprint: `0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9`).
clone](http://www.kernel.org/pub/software/scm/git/docs/git-clone.html)
any of the developer repositories, including:
+The git repo from this web site:
+
+ git clone git://monkeysphere.info/monkeysphere monkeysphere
+
[Jameson Graef Rollins](http://cmrg.fifthhorseman.net/wiki/jrollins):
git clone http://lair.fifthhorseman.net/~jrollins/git/monkeysphere.git monkeysphere