+monkeysphere (0.7-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * Added monkeysphere-server diagnostics subcommand.
+ * rebuilding package using Format: 3.0 (git)
+
+ [ Jameson Graef Rollins ]
+ * fix how check for file modification is done.
+ * rework out user id processing is done to provide more verbose log
+ output.
+ * fix bug in monkeysphpere update-authorized_keys subcommand where
+ disallowed keys failed to be remove from authorized_keys file.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 04 Aug 2008 10:47:41 -0400
+
monkeysphere (0.6-1) experimental; urgency=low
[ Jameson Graef Rollins ]
Homepage: http://monkeysphere.info/
Vcs-Git: http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git
Dm-Upload-Allowed: yes
+Format: 3.0 (git)
Package: monkeysphere
Architecture: any
* *
******************************************************************************
* Please add new entries in reverse chronological order whenever you make *
-* changes to this system *
+* changes to this system (first command at top, last at bottom) *
******************************************************************************
+
+2008-08-03 - dkg
+ * aptitude update && aptitude dist-upgrade
+ * installed iproute
+ * added my User ID to ~webmaster/.config/monkeysphere/authorized_user_ids
+
+2008-08-02 - jrollins
+ * aptitude update && aptitude dist-upgrade
+ * restarted cron, nullmailer, sshd
+ * aptitude install git-core ikiwiki
+ * adduser webmaster
+ * su - webmaster
+ * created a bare repo at ~webmaster/monkeysphere.git. I then
+ pushed into this repo from my working directory on servo to verify
+ that it was accepting.
+ * cloned above repo at ~webmaster/monkeysphere
+ * created ~webmaster/ikiwiki.setup
+ * ikiwiki --setup ikiwiki.setup
+ * linked post-receive to new post-commit hook in monkeysphere.git
+ * changed default keyserver to be pgp.mit.edu (subkeys.pgp.net
+ blows)
+ * updated /etc/skel with ssh and monkeysphere stuff
+ * made authorzied_user_ids file for webmaster and ran
+ "monkeysphere-server u webmaster".
+
2008-06-23 - dkg
* added monkeysphere apt repository to /etc/apt/sources.list
* added dkg's key to apt's list of trusted keys.
/etc/default/ssh in order to make this error go away:
"error writing /proc/self/oom_adj: Operation not permitted"
(c.f. Debian #487325)
-
+
2008-06-20 - dkg
* touched /etc/environment to get rid of some spurious auth.log
entries.
in place of `update-known_hosts'.
.TP
.B update-authorized_keys
-Update the authorized_keys file. For each user ID in the user's
-authorized_user_ids file, gpg will be queried for keys associated with
-that user ID, optionally querying a keyserver. If an acceptable key
-is found (see KEY ACCEPTABILITY in monkeysphere(5)), the key is added
-to the user's authorized_keys file. If a key is found but is
-unacceptable for the user ID, any matching keys are removed from the
-user's authorized_keys file. If no gpg key is found for the user ID,
-nothing is done. This subcommand will exit with a status of 0 if at
-least one acceptable key was found for a user ID, 1 if no matching
-keys were found at all, and 2 if matching keys were found but none
-were acceptable. `a' may be used in place of
+Update the authorized_keys file for the user executing the command
+(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all
+monkeysphere keys are cleared from the authorized_keys file. Then, or
+each user ID in the user's authorized_user_ids file, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
+monkeysphere(5)), the key is added to the user's authorized_keys file.
+If a key is found but is unacceptable for the user ID, any matching
+keys are removed from the user's authorized_keys file. If no gpg key
+is found for the user ID, nothing is done. This subcommand will exit
+with a status of 0 if at least one acceptable key was found for a user
+ID, 1 if no matching keys were found at all, and 2 if matching keys
+were found but none were acceptable. `a' may be used in place of
`update-authorized_keys'.
.TP
.B gen-subkey KEYID
Publish the host's OpenPGP key to the keyserver. `p' may be used in
place of `publish-key'.
.TP
+.B diagnostics
+Review the state of the server with respect to the MonkeySphere in
+general and report on suggested changes. Among other checks, this
+includes making sure there is a valid host key, that the key is
+published, that the sshd configuration points to the right place, and
+that there are at least some valid identity certifiers. `d' may be
+used in place of `diagnostics'.
+.TP
.B add-identity-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
Using the `-n' or `--domain' option allows you to indicate that you
return 1
fi
+ if [ ! -e "$file" ] ; then
+ return 1
+ fi
+
# if the string is in the file...
if grep -q -F "$string" "$file" 2> /dev/null ; then
# remove the line with the string, and return 0
fi
}
+# remove all lines with MonkeySphere strings in file
+remove_monkeysphere_lines() {
+ local file
+
+ file="$1"
+
+ if [ -z "$file" ] ; then
+ return 1
+ fi
+
+ if [ ! -e "$file" ] ; then
+ return 1
+ fi
+
+ egrep -v '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' \
+ "$file" | sponge "$file"
+}
+
# translate ssh-style path variables %h and %u
translate_ssh_variables() {
local uname
# if the gpg query return code is not 0, return 1
if [ "$?" -ne 0 ] ; then
- log " - key not found."
+ log " no primary keys found."
return 1
fi
# loop over all lines in the gpg output and process.
- # need to do it this way (as opposed to "while read...") so that
- # variables set in loop will be visible outside of loop
echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
while IFS=: read -r type validity keyid uidfpr usage ; do
# process based on record type
# output a line for the primary key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
- log " * acceptable key found."
- echo "0:${fingerprint}"
+ log " * acceptable primary key."
+ if [ -z "$sshKey" ] ; then
+ log " ! primary key could not be translated."
+ else
+ echo "0:${sshKey}"
+ fi
else
- echo "1:${fingerprint}"
+ log " - unacceptable primary key."
+ if [ -z "$sshKey" ] ; then
+ log " ! primary key could not be translated."
+ else
+ echo "1:${sshKey}"
+ fi
fi
;;
'sub') # sub keys
'fpr') # key fingerprint
fingerprint="$uidfpr"
+ sshKey=$(gpg2ssh "$fingerprint")
+
# if the last key was the pub key, skip
if [ "$lastKey" = pub ] ; then
continue
fi
-
- # output a line for the last subkey
+
+ # output a line for the primary key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
- log " * acceptable key found."
- echo "0:${fingerprint}"
+ log " * acceptable sub key."
+ if [ -z "$sshKey" ] ; then
+ log " ! sub key could not be translated."
+ else
+ echo "0:${sshKey}"
+ fi
else
- echo "1:${fingerprint}"
+ log " - unacceptable sub key."
+ if [ -z "$sshKey" ] ; then
+ log " ! sub key could not be translated."
+ else
+ echo "1:${sshKey}"
+ fi
fi
;;
esac
local nKeys
local nKeysOK
local ok
- local keyid
+ local sshKey
local tmpfile
host="$1"
- log "processing host: $host"
+ log "processing: $host"
userID="ssh://${host}"
nKeys=0
nKeysOK=0
+ IFS=$'\n'
for line in $(process_user_id "ssh://${host}") ; do
# note that key was found
nKeys=$((nKeys+1))
ok=$(echo "$line" | cut -d: -f1)
- keyid=$(echo "$line" | cut -d: -f2)
+ sshKey=$(echo "$line" | cut -d: -f2)
- sshKey=$(gpg2ssh "$keyid")
if [ -z "$sshKey" ] ; then
- log " ! key could not be translated."
continue
fi
local nHosts
local nHostsOK
local nHostsBAD
+ local fileCheck
local host
# the number of hosts specified on command line
# create a lockfile on known_hosts
lockfile-create "$KNOWN_HOSTS"
+ # note pre update file checksum
+ fileCheck="$(cat "$KNOWN_HOSTS" | md5sum)"
+
for host ; do
# process the host
process_host_known_hosts "$host"
lockfile-remove "$KNOWN_HOSTS"
# note if the known_hosts file was updated
- if [ "$nHostsOK" -gt 0 -o "$nHostsBAD" -gt 0 ] ; then
+ if [ "$(cat "$KNOWN_HOSTS" | md5sum)" != "$fileCheck" ] ; then
log "known_hosts file updated."
fi
local nKeys
local nKeysOK
local ok
- local keyid
+ local sshKey
userID="$1"
- log "processing user ID: $userID"
+ log "processing: $userID"
nKeys=0
nKeysOK=0
+ IFS=$'\n'
for line in $(process_user_id "$userID") ; do
# note that key was found
nKeys=$((nKeys+1))
ok=$(echo "$line" | cut -d: -f1)
- keyid=$(echo "$line" | cut -d: -f2)
+ sshKey=$(echo "$line" | cut -d: -f2)
- sshKey=$(gpg2ssh "$keyid")
if [ -z "$sshKey" ] ; then
- log " ! key could not be translated."
continue
fi
local nIDs
local nIDsOK
local nIDsBAD
+ local fileCheck
# the number of ids specified on command line
nIDs="$#"
# create a lockfile on authorized_keys
lockfile-create "$AUTHORIZED_KEYS"
+ # note pre update file checksum
+ fileCheck="$(cat "$AUTHORIZED_KEYS" | md5sum)"
+
+ # remove any monkeysphere lines from authorized_keys file
+ remove_monkeysphere_lines "$AUTHORIZED_KEYS"
+
for userID ; do
# process the user ID, change return code if key not found for
# user ID
lockfile-remove "$AUTHORIZED_KEYS"
# note if the authorized_keys file was updated
- if [ "$nIDsOK" -gt 0 -o "$nIDsBAD" -gt 0 ] ; then
+ if [ "$(cat "$AUTHORIZED_KEYS" | md5sum)" != "$fileCheck" ] ; then
log "authorized_keys file updated."
fi
log "processing authorized_user_ids file..."
- if ! meat "$authorizedUserIDs" ; then
+ if ! meat "$authorizedUserIDs" > /dev/null ; then
log "no user IDs to process."
return
fi
update_authorized_keys "${userIDs[@]}"
}
-
-# EXPERIMENTAL (unused) process userids found in authorized_keys file
-# go through line-by-line, extract monkeysphere userids from comment
-# fields, and process each userid
-# NOT WORKING
-process_authorized_keys() {
- local authorizedKeys
- local userID
- local returnCode
-
- # default return code is 0, and is set to 1 if a key for a user
- # is not found
- returnCode=0
-
- authorizedKeys="$1"
-
- # take all the monkeysphere userids from the authorized_keys file
- # comment field (third field) that starts with "MonkeySphere uid:"
- # FIXME: needs to handle authorized_keys options (field 0)
- meat "$authorizedKeys" | \
- while read -r options keytype key comment ; do
- # if the comment field is empty, assume the third field was
- # the comment
- if [ -z "$comment" ] ; then
- comment="$key"
- fi
-
- if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}' ; then
- continue
- fi
- userID=$(echo "$comment" | awk "{ print $2 }")
- if [ -z "$userID" ] ; then
- continue
- fi
-
- # process the userid
- log "processing userid: '$userID'"
- process_user_id "$userID" > /dev/null || returnCode=1
- done
-
- return "$returnCode"
-}
MonkeySphere server admin tool.
subcommands:
- update-users (u) [USER]... update user authorized_keys files
-
- gen-key (g) [HOSTNAME] generate gpg key for the server
- -l|--length BITS key length in bits (2048)
- -e|--expire EXPIRE date to expire
- -r|--revoker FINGERPRINT add a revoker
- show-fingerprint (f) show server's host key fingerprint
- publish-key (p) publish server's host key to keyserver
-
- add-identity-certifier (a) KEYID import and tsign a certification key
- -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN ()
- -t|--trust TRUST trust level of certifier (full)
- -d|--depth DEPTH trust depth for certifier (1)
- remove-identity-certifier (r) KEYID remove a certification key
- list-identity-certifiers (l) list certification keys
-
- gpg-authentication-cmd CMD gnupg-authentication command
-
- help (h,?) this help
-
+ update-users (u) [USER]... update user authorized_keys files
+
+ gen-key (g) [HOSTNAME] generate gpg key for the server
+ -l|--length BITS key length in bits (2048)
+ -e|--expire EXPIRE date to expire
+ -r|--revoker FINGERPRINT add a revoker
+ show-fingerprint (f) show server's host key fingerprint
+ publish-key (p) publish server's host key to keyserver
+ diagnostics (d) report on the server's monkeysphere status
+
+ add-identity-certifier (a) KEYID import and tsign a certification key
+ -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN
+ -t|--trust TRUST trust level of certifier (full)
+ -d|--depth DEPTH trust depth for certifier (1)
+ remove-identity-certifier (r) KEYID remove a certification key
+ list-identity-certifiers (l) list certification keys
+
+ gpg-authentication-cmd CMD gnupg-authentication command
+
+ help (h,?) this help
EOF
}
exit 255
}
+diagnostics() {
+# * check on the status and validity of the key and public certificates
+ local seckey
+ local keysfound
+ local curdate
+ local warnwindow
+ local warndate
+ local create
+ local expire
+ local uid
+ local fingerprint
+
+ seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
+ keysfound=$(echo "$seckey" | grep -c ^sec:)
+ curdate=$(date +%s)
+ # warn when anything is 2 months away from expiration
+ warnwindow='2 months'
+ warndate=$(date +%s -d "$warnwindow")
+
+ echo "Checking host GPG key..."
+ if (( "$keysfound" < 1 )); then
+ echo "! No host key found."
+ echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ elif (( "$keysfound" > 1 )); then
+ echo "! More than one host key found?"
+ # FIXME: recommend a way to resolve this
+ else
+ create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
+ expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
+ fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
+ # check for key expiration:
+ if [ "$expire" ]; then
+ if (( "$expire" < "$curdate" )); then
+ echo "! Host key is expired."
+ # FIXME: recommend a way to resolve this other than re-keying?
+ elif (( "$expire" < "$warndate" )); then
+ echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
+ # FIXME: recommend a way to resolve this?
+ fi
+ fi
+
+ # and weirdnesses:
+ if [ "$create" ] && (( "$create" > "$curdate" )); then
+ echo "! Host key was created in the future(?!). Is your clock correct?"
+ echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ fi
+
+ # check for UserID expiration:
+ echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
+ while IFS=: read create expire uid ; do
+ # FIXME: should we be doing any checking on the form
+ # of the User ID? Should we be unmangling it somehow?
+
+ if [ "$create" ] && (( "$create" > "$curdate" )); then
+ echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
+ echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ fi
+ if [ "$expire" ] ; then
+ if (( "$expire" < "$curdate" )); then
+ echo "! User ID '$uid' is expired."
+ # FIXME: recommend a way to resolve this
+ elif (( "$expire" < "$warndate" )); then
+ echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
+ # FIXME: recommend a way to resolve this
+ fi
+ fi
+ done
+
+# FIXME: verify that the host key is properly published to the
+# keyservers (do this with the non-privileged user)
+
+# FIXME: check that there are valid, non-expired certifying signatures
+# attached to the host key after fetching from the public keyserver
+# (do this with the non-privileged user as well)
+
+# FIXME: propose adding a revoker to the host key if none exist (do we
+# have a way to do that after key generation?)
+
+ # Ensure that the ssh_host_rsa_key file is present and non-empty:
+ echo "Checking host SSH key..."
+ if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
+ echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+ else
+ if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
+ echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+ fi
+
+ # propose changes needed for sshd_config (if any)
+ if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
+ echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
+ echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+ fi
+ fi
+ fi
+
+# FIXME: look at the ownership/privileges of the various keyrings,
+# directories housing them, etc (what should those values be? can
+# we make them as minimal as possible?)
+
+# FIXME: look to see that the ownertrust rules are set properly on the
+# authentication keyring
+
+# FIXME: make sure that at least one identity certifier exists
+
+}
+
# retrieve key from web of trust, import it into the host keyring, and
# ltsign the key in the host keyring so that it may certify other keys
add_certifier() {
publish_server_key
;;
+ 'diagnostics'|'d')
+ diagnostics
+ ;;
+
'add-identity-certifier'|'add-certifier'|'a')
add_certifier "$1"
;;
--- /dev/null
+When executing `monkeysphere-server add-identity-certifier` across a
+link without a pseudo-terminal, it behaves oddly (prompts are created
+that are only halfway-readable, gpg gives error messages about lacking
+access to a `/dev/tty`, etc.
+
+You can try this directly if you have remote ssh access to the
+superuser on a monkeysphere-enabled host, assuming that `$GPGID` is
+set to the full fingerprint of a key you want to add as a trusted
+identity certifier:
+
+ ssh root@example.org monkeysphere-server add-identity-certifier $GPGID
+
+Compare this behavior with:
+
+ ssh -t root@example.org monkeysphere-server add-identity-certifier $GPGID
--- /dev/null
+Consider the following snippet in `~/.ssh/config`:
+
+ Host foo
+ HostKeyAlias bar
+
+for a host which is *not* participating in the monkeysphere.
+
+For such a host, when using `monkeysphere-ssh-proxy-command`, the
+public keyservers will be queried on each attempted ssh connection
+(even after a successful connection).
+
+This appears to be because:
+
+* `ssh` itself will write a line to `~/.ssh/known_hosts`, but it will
+ be labeled with `bar` because of the `HostKeyAlias`.
+
+* `monkeysphere` won't be able to find any mention of it in the
+ keyring (it's not in the monkeysphere)
+
+* `monkeysphere-ssh-proxycommand` won't be able to find it in the
+ `known_hosts` file because it looks for `foo`, which is never
+ matched.
+
+excessive keyserver querying is bad behavior, because it causes delays
+for the users, and puts excessive load on the public keyserver
+infrastructure.
+
+How can we resolve this?
--- /dev/null
+In `~/.ssh/config`, i have:
+
+ HashKnownHosts No
+
+But when `monkeysphere-ssh-proxycommand` adds new hosts to
+`~/.ssh/known_hosts`, they appear to be added in a hashed form,
+instead of in the clear.
+
+fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported
+from sid)
+++ /dev/null
-# Monkeysphere Development #
-
-The Monkeysphere is attempting to use a completely distributed
-development model. Please feel free to clone any of our developer git
-repositories, and send patches, modifications, or merge requests to
-any of the upstream developers.
-
-## Contacts ##
-
-Please feel free to contact any of the Monkeysphere developers with
-any questions, comments, bug reports, requests, etc:
-
-Jameson Graef Rollins <jrollins@phys.columbia.edu>
-##Downloading and Installing##
+## Downloading and Installing ##
If you are running a Debian system, you can install Monkeysphere
by following these directions:
(fingerprint: `0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9`).
To cryptographically verify the packages, you'll want to [add `dkg`'s key to your apt configuration](http://cmrg.fifthhorseman.net/wiki/apt/importing-keys "Instructions for adding dkg's key to apt")
-##git repositories##
+## git repositories ##
-Development is done in an extremely distributed manner using
-[git](http://git.or.cz/). Once you've
-[installed git](http://www.spheredev.org/wiki/Git_for_the_lazy), you can
-clone the repository by doing
+The Monkeysphere is attempting to use a completely distributed
+development model with [git](http://git.or.cz/). Once you've
+[installed git](http://www.spheredev.org/wiki/Git_for_the_lazy), you
+can [git
+clone](http://www.kernel.org/pub/software/scm/git/docs/git-clone.html)
+any of the developer repositories, including:
- git clone http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git/ monkeysphere
+[Jameson Graef Rollins](mailto:jrollins@phys.columbia.edu):
-Other developers have their own repositories, which you can substitute
-for dkg's if you like.
+ git clone http://lair.fifthhorseman.net/~jrollins/git/monkeysphere.git monkeysphere
+
+[Daniel Kahn Gillmor](http://cmrg.fifthhorseman.net/wiki/dkg):
+
+ git clone http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git monkeysphere
+
+## Contact ##
+
+Please feel free to contact any of the Monkeysphere developers with
+any questions, comments, bug reports, requests, etc.
and other features of OpenPGP to other areas of the Internet to help
us securely identify each other while we work online.
-Specifically, the Monkeysphere is a framework to leverage the OpenPGP
+Specifically, monkeysphere is a framework to leverage the OpenPGP
web of trust for OpenSSH authentication. In other words, it allows
you to use your OpenPGP keys when using secure shell to both identify
yourself and the servers you administer or connect to. OpenPGP keys
are tracked via GnuPG, and managed in the `known_hosts` and
`authorized_keys` files used by OpenSSH for connection authentication.
-[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] |
-[[development|dev]]
+[[bugs]] | [[download]] | [[news]] | [[documentation|doc]]
## Conceptual overview ##
--- /dev/null
+# MonkeySphere 0.7-1 released! #
+
+MonkeySphere 0.7-1 has been released. This release contains bugfixes,
+a new `monkeysphere-server diagnostics` subcommand, and marks a
+transition to the new [Git-based debian packaging
+format](http://wiki.debian.org/GitSrc). [[download]] it now!
projects / monkeysphere.git / commitdiff