-MONKEYSPHERE_VERSION=`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+MONKEYSPHERE_VERSION = `head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+
+# these defaults are for debian. porters should probably adjust them
+# before calling make install
+ETCPREFIX ?=
+PREFIX ?= /usr
all: keytrans
# clean up old monkeysphere packages lying around as well.
rm -f monkeysphere_*
-.PHONY: all clean tarball debian-package
+# this target is to be called from the tarball, not from the git
+# working dir!
+install: all
+ mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere
+ mkdir -p $(DESTDIR)$(PREFIX)/share/man/man1 $(DESTDIR)$(PREFIX)/share/man/man7 $(DESTDIR)$(PREFIX)/share/man/man8
+ mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
+ install src/monkeysphere src/monkeysphere-ssh-proxycommand src/keytrans/openpgp2ssh $(DESTDIR)/$(PREFIX)/bin
+ install src/monkeysphere-server $(DESTDIR)/$(PREFIX)/sbin
+ install -m 0644 src/common $(DESTDIR)/$(PREFIX)/share/monkeysphere
+ install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ install man/man1/* $(DESTDIR)$(PREFIX)/share/man/man1
+ install man/man7/* $(DESTDIR)$(PREFIX)/share/man/man7
+ install man/man8/* $(DESTDIR)$(PREFIX)/share/man/man8
+ install -m 0644 etc/* $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
+
+.PHONY: all clean tarball debian-package install
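Review bot: In the new install target, the doc/* and man/man1, man/man7 and man/man8 lines call install without -m, so documentation and manual pages are written with install's default mode 0755; pass -m 0644 there, as is already done for src/common and etc/*. The three lines that populate bin, sbin and share/monkeysphere also write $(DESTDIR)/$(PREFIX) while the mkdir lines and the remaining install lines write $(DESTDIR)$(PREFIX); use one form so the directories created and the directories populated are spelled the same way.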
monkeysphere (0.15~pre-1) UNRELEASED; urgency=low
- * porting work: clarifying makefiles, pruning dependencies, etc.
+ * porting work and packaging simplification: clarifying makefiles,
+ pruning dependencies, etc.
* added tests to monkeysphere-server diagnostics
+ * moved monkeysphere(5) to section 7 of the manual
+ * now shipping TODO in /usr/share/doc/monkeysphere
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
+++ /dev/null
-doc/getting-started-user.mdwn
-doc/getting-started-admin.mdwn
-doc/MonkeySpec
+++ /dev/null
-src/keytrans/openpgp2ssh usr/bin
-src/monkeysphere usr/bin
-src/monkeysphere-server usr/sbin
-src/monkeysphere-ssh-proxycommand usr/bin
-src/common usr/share/monkeysphere
-etc/monkeysphere.conf etc/monkeysphere
-etc/monkeysphere-server.conf etc/monkeysphere
+++ /dev/null
-man/man1/monkeysphere.1
-man/man1/openpgp2ssh.1
-man/man1/monkeysphere-ssh-proxycommand.1
-man/man5/monkeysphere.5
-man/man8/monkeysphere-server.8
do we export it so it's available when a second-party revocation is
needed?
-Ensure that authorized_user_ids are under as tight control as ssh
- expects from authorized_keys: we don't want monkeysphere to be a
- weak link in the filesystem.
-
-Consider the default permissions for
- /var/lib/monkeysphere/authorized_keys/* (and indeed the whole
- directory path leading up to that)
-
-Make sure alternate ports are handled for known_hosts.
-
-Script to import private key into ssh agent.
-
Provide a friendly interactive UI for marginal or failing client-side
hostkey verifications. Handle the common cases smoothly, and
provide good debugging info for the unusual cases.
-Make sure onak properly escapes user IDs with colons in them.
-
-Indicate on web site how to report trouble or concerns, and how to
- join the project.
-
-Clean up the style for the web site (pages, icons, etc).
-
Create ssh2openpgp or convert to full-fledged keytrans.
Resolve the bugs listed in openpgp2ssh(1):BUGS.
-Document alternate trustdb models.
-
Understand and document the output of gpg --check-trustdb:
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 20 trust: 0-, 0q, 0n, 0m, 0f, 2u
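Review bot: The removed TODO entries on keeping authorized_user_ids "under as tight control as ssh expects from authorized_keys" and on the default permissions of /var/lib/monkeysphere/authorized_keys/* and the path leading to it are security items, and no other part of this diff changes file modes or adds an ownership check. If they were resolved earlier or moved to the bug tracker, say where in the commit message; otherwise keep them in the TODO so they are not lost with the packaging cleanup.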
make sure they're well-connected to george's web of trust, and
then add their User ID to
~monkey/.monkeysphere/authorized_user_ids
+ * more mime types for mathopd: image/png image/x-icon
2008-09-03 - micah
* migrated /home/*/.config/monkeysphere/authorized_user_ids to new
.SH SEE ALSO
.BR monkeysphere (1),
+.BR monkeysphere (7),
.BR ssh (1),
.BR ssh_config (5),
.BR netcat (1),
Update the known_hosts file. For each specified host, gpg will be
queried for a key associated with the host URI (see HOST
IDENTIFICATION in
-.BR monkeysphere(5)),
+.BR monkeysphere(7)),
optionally querying a keyserver.
If an acceptable key is found for the host (see KEY ACCEPTABILITY in
-.BR monkeysphere(5)),
+.BR monkeysphere(7)),
the key is added to the user's known_hosts file. If a key is found
but is unacceptable for the host, any matching keys are removed from
the user's known_hosts file. If no gpg key is found for the host,
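Review bot: Both changed lines in this paragraph keep the form ".BR monkeysphere(7))," with no space before the section number, so the whole token, trailing punctuation included, is set in bold, while the next hunk uses ".BR monkeysphere (7)),". Since these lines are being rewritten anyway, add the space so the cross-references to HOST IDENTIFICATION and KEY ACCEPTABILITY render the same way everywhere.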
each user ID in the user's authorized_user_ids file, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-.BR monkeysphere (5)),
+.BR monkeysphere (7)),
the key is added to the user's authorized_keys file.
If a key is found but is unacceptable for the user ID, any matching
keys are removed from the user's authorized_keys file. If no gpg key
.BR monkeysphere-ssh-proxycommand (1),
.BR monkeysphere-server (8),
-.BR monkeysphere (5),
+.BR monkeysphere (7),
.BR ssh (1),
.BR ssh-add (1),
.BR gpg (1)
.Pp
.Nm
is part of the
-.Xr monkeysphere 5
+.Xr monkeysphere 7
framework for providing a PKI for SSH.
.Sh CAVEATS
The keys produced by this process are stripped of all identifying
ignore later ones.
.Sh SEE ALSO
.Xr monkeysphere 1 ,
-.Xr monkeysphere 5 ,
+.Xr monkeysphere 7 ,
.Xr ssh 1 ,
.Xr monkeysphere-server 8
+++ /dev/null
-.TH MONKEYSPHERE "5" "June 2008" "monkeysphere" "System Frameworks"
-
-.SH NAME
-
-monkeysphere \- ssh authentication framework using OpenPGP Web of
-Trust
-
-.SH DESCRIPTION
-
-\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
-for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
-to the authorized_keys and known_hosts files used by ssh for
-connection authentication.
-
-.SH IDENTITY CERTIFIERS
-
-FIXME: describe identity certifier concept
-
-.SH KEY ACCEPTABILITY
-
-During known_host and authorized_keys updates, the monkeysphere
-commands work from a set of user IDs to determine acceptable keys for
-ssh authentication. OpenPGP keys are considered acceptable if the
-following criteria are met:
-.TP
-.B capability
-The key must have the "authentication" ("a") usage flag set.
-.TP
-.B validity
-The key itself must be valid, i.e. it must be well-formed, not
-expired, and not revoked.
-.TP
-.B certification
-The relevant user ID must be signed by a trusted identity certifier.
-
-.SH HOST IDENTIFICATION
-
-The OpenPGP keys for hosts have associated user IDs that use the ssh
-URI specification for the host, i.e. "ssh://host.full.domain[:port]".
-
-.SH AUTHOR
-
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
-
-.SH SEE ALSO
-
-.BR monkeysphere (1),
-.BR monkeysphere-server (8),
-.BR monkeysphere-ssh-proxycommand (1),
-.BR gpg (1),
-.BR ssh (1),
-.BR http://tools.ietf.org/html/rfc4880,
-.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
--- /dev/null
+.TH MONKEYSPHERE "7" "June 2008" "monkeysphere" "System Frameworks"
+
+.SH NAME
+
+monkeysphere \- ssh authentication framework using OpenPGP Web of
+Trust
+
+.SH DESCRIPTION
+
+\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
+for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
+to the authorized_keys and known_hosts files used by ssh for
+connection authentication.
+
+.SH IDENTITY CERTIFIERS
+
+FIXME: describe identity certifier concept
+
+.SH KEY ACCEPTABILITY
+
+During known_host and authorized_keys updates, the monkeysphere
+commands work from a set of user IDs to determine acceptable keys for
+ssh authentication. OpenPGP keys are considered acceptable if the
+following criteria are met:
+.TP
+.B capability
+The key must have the "authentication" ("a") usage flag set.
+.TP
+.B validity
+The key itself must be valid, i.e. it must be well-formed, not
+expired, and not revoked.
+.TP
+.B certification
+The relevant user ID must be signed by a trusted identity certifier.
+
+.SH HOST IDENTIFICATION
+
+The OpenPGP keys for hosts have associated user IDs that use the ssh
+URI specification for the host, i.e. "ssh://host.full.domain[:port]".
+
+.SH AUTHOR
+
+Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
+Gillmor <dkg@fifthhorseman.net>
+
+.SH SEE ALSO
+
+.BR monkeysphere (1),
+.BR monkeysphere-server (8),
+.BR monkeysphere-ssh-proxycommand (1),
+.BR gpg (1),
+.BR ssh (1),
+.BR http://tools.ietf.org/html/rfc4880,
+.BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
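Review bot: The new section 7 page is the old section 5 page with only the .TH line changed, so IDENTITY CERTIFIERS still ships as "FIXME: describe identity certifier concept" while the certification criterion under KEY ACCEPTABILITY rests on "a trusted identity certifier". The other pages in this change send readers here for KEY ACCEPTABILITY, so either define the term in this page or keep the FIXME out of the installed text and track it elsewhere. Recording the move as a rename rather than a delete plus add would also reduce this part of the diff to the one changed line.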
authorized_user_ids file are processed. For each user ID, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-monkeysphere(5)), the key is added to the account's
+monkeysphere(7)), the key is added to the account's
monkeysphere-controlled authorized_keys file. If the
RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
file (usually ~USER/.ssh/authorized_keys) is appended to the
.SH SEE ALSO
.BR monkeysphere (1),
-.BR monkeysphere (5),
+.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1)
/* variables for the output conversion: */
int pipestatus;
int pipefd, child_pid;
- char* const b64args[] = {"base64", "--wrap=0", NULL};
+ char* const b64args[] = {"sh", "-c", "base64 | tr -c -d '[A-Za-z0-9=+/]'", NULL};
init_datum(&m);
init_datum(&e);
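Review bot: The new b64args runs a pipeline under sh -c, so the child's exit status is now that of tr, the last command in the pipeline, and a missing or failing base64 exits 0 with empty or truncated output; make sure the caller does not treat a zero status as proof that the key was encoded, for example by checking that output was produced. The tr set '[A-Za-z0-9=+/]' also contains a literal [ and ], which tr treats as ordinary characters to keep; 'A-Za-z0-9=+/' is the set the base64 alphabet needs.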
export SHARE
. "${SHARE}/common" || exit 1
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
VARLIB="/var/lib/monkeysphere"
export VARLIB
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
echo "! No monkeysphere user found! Please create a monkeysphere system user."
fi
+ if ! [ -d "$VARLIB" ] ; then
+ echo "! no $VARLIB directory found. Please create it."
+ fi
+
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! No host key found."
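Review bot: The added check only tests that $VARLIB exists as a directory and says nothing about its owner or whether it is group or world writable, which is what matters for a path that holds the monkeysphere-controlled authorized_keys files; consider reporting owner and mode in the same diagnostic. The Makefile install target added in this change does not create /var/lib/monkeysphere, so anyone installing from the tarball will hit this message, and it would help if the text said how the directory should be created. The message also starts "! no" where its neighbours start "! No".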
## Other ##
* [Similar Projects](/similar) (other attempts at a PKI for SSH)
+ * [Mirroring the website](/mirrors)
border: 1px solid #aaa;
padding: 3px 3px 3px 3px;
margin-left: 2em;
+ overflow: auto;
}
table.sitenav {
table.sitenav a {
font-weight: bold;
margin-right: 1em;
+ font-variant: small-caps;
}
table.sitenav span.selflink {
font-weight: bold;
text-decoration: underline;
margin-right: 1em;
+ font-variant: small-caps;
}
div.header {
-[[meta title="Mirroring the web site"]]
+[[meta title="Mirroring the Monkeysphere web site"]]
-In keeping with the philosophy of distributed development, our web site is
+# Mirroring the Monkeysphere web site #
+
+In keeping with the distributed philosophy of distributed development, our web site is
stored in our git repositories and converted into html by
[ikiwiki](http://ikiwiki.info/).
We're mirrored on several servers. Rather than using ikiwiki's [pinger/pingee
approach to distribution](http://ikiwiki.info/tips/distributed_wikis/), we've
-opted for a method that uses ssh.
+opted for a simpler rsync of the ikiwiki-produced html files.
## Initial steps to take on the mirror server ##
-Add etch-backports to your /etc/apt/sources.list:
-
- deb http://www.backports.org/debian etch-backports main contrib non-free
-
-Add the following lines to your /etc/apt/preferences file:
-
- Package: ikiwiki
- Pin: release a=etch-backports
- Pin-Priority: 999
-
- # needed by ikiwiki
- Package: libcgi-formbuilder-perl
- Pin: release a=etch-backports
- Pin-Priority: 999
-
- Package: git-core
- Pin: release a=etch-backports
- Pin-Priority: 999
-
-Install git-core and ikiwiki
+Create a new user.
- aptitude update; aptitutde install git-core ikiwiki
-
-Create a new user. Change the new users shell to git-shell:
-
- adduser -s /usr/bin/git-shell <username>
-
-Add webmaster@george's public key to this user's ~/.ssh/authorized_keys file
-
-Add web site configuration that the user has write access to. If you are using Apache, include the following rewrite:
+Add web site configuration that the user has write access to. If you are
+using Apache, include the following rewrite:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(YOURHOSTNAME|web)\.monkeysphere\.info$ [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://web.monkeysphere.info/$1 [L,R]
-Upload and edit ikiwiki.setup.sample from the docs directory
-
-As the new user, create a git repo
-
- mkdir monkeysphere.git; cd monkeysphere.git; git init --bare;
+Add `webmaster@george`'s public key to this user's
+`~/.ssh/authorized_keys` file, restricting that user to rsync (modify
+path to web directory as needed):
+ command="/usr/bin/rsync --server -vlogDtprz --delete . web/",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0SCD6tAh7g1yyuelIm5zyh5OFX89NNbpNzyp+BxXNxMc/C1BS9SN5KlNDT30WdDbw3X0St0dBBC69TZWYbSUn4+/6BNmYpLH2orhedBv4w2jBLmtVEfnMWa3a11CnIagMEkEz7rBIWpl76WOqzoueQbAAa/7GziVmv+2qdjcDFxHluO+VL/+gEw8BqZc587oiDYkIw3oBnOLaxUWDtaMFKiL8sgdBmPxzc8PgHxL5ezVDJExw5krR4FK7hG7KpBOlSwKQPFy2pPhHSb1ZuFJmp2kr2wfJ0RO7By5s/GbrkJbnGoiJ5W0fUC9YoI82U3svC5saowvoSo19yToJW4QUw== webmaster@george
-## Initial Admin steps to take to enable the configuration ##
+## Admin steps to take to enable the configuration ##
Add a new dns record for SERVERNAME.monkeysphere.info.
-Test the ssh connection by logging in as webmaster@george.riseup.net
-
-Add the new server as a remote on webmaster@george.riseup.net:monkeysphere.git
-
- cd ~/monkeysphere.git
- git add remote SERVERNAME USER@SERVERNAME.monkeysphere.info:/path/to/repo
-
-Modify ~/monkeysphere.git/config, so the new repo stanza looks like this:
-
- [remote "SERVERNAME"]
- url = USER@SERVERNAME.monkeysphere.info:monkeysphere.git
- push = +refs/heads/master
- skipDefaultUpdate = true
-
-Test:
-
- git push SERVERNAME
-
-
-## Final steps to take on mirror server ##
-
-At this point, you should have a populated git repo in your
-monkeyshere.git directory.
-
-Change the mode of monkeysphere.git/hooks/post-receive to 755
-
- chmod 755 monkesphere.git/hooks/post-receive
-
-Edit the file so that it executes the post-receive hook ikiwiki generates (as
-you specified in the ikiwiki.setup file)
+If the mirror server is not participating in the monkeysphere, add the
+server to webmaster's known host file.
-Next, clone the repository:
+Add the new server to `webmaster@george:~/mirrors` in the format:
- clone monkeysphere.git monkeysphere
+ username@server:directory
-And lastly, run ikiwiki manually to generate the post-receive hook:
+Test by manually running the git post-receive hook as
+`webmaster@george`:
- ikiwiki --setup ikiwiki.setup
+ ~/monkeysphere.git/hooks/post-receive
+Add a new `A` record into the `web.monkeysphere.info` round robin.
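Review bot: The authorized_keys entry for webmaster@george pins a forced rsync command and sets no-pty, no-agent-forwarding and no-port-forwarding but leaves X11 forwarding enabled; add no-X11-forwarding, and consider a from= restriction since the key is only used from one host. With the git-shell step removed from "Create a new user", this line is now the only restriction on the account, and --delete in the forced command means the key holder can empty web/, so the text should tell the mirror admin to keep nothing else under that path. The new known-hosts step should say to verify the mirror's host key fingerprint out of band before adding it, and the intro now reads "the distributed philosophy of distributed development", which repeats itself.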
<a class="logo" href="/"><img class="logo" src="/logo.png" alt="monkeysphere" width="343" height="85" /></a>
</td><td>
-[[WHY?|why]]
-[[DOWNLOAD|download]]
-[[DOCUMENTATION|doc]]
-[[NEWS|news]]
-[[COMMUNITY|community]]
-[[BUGS|bugs]]
+[[Why?|why]]
+[[Download|download]]
+[[Documentation|doc]]
+[[News|news]]
+[[Community|community]]
+[[Bugs|bugs]]
</td></tr></tbody></table>
so it's important to understand how GPG calculates User ID validity
for a key.
-The basic question asked is: For a given User ID on a specific key,
-given some set of valid certifications (signatures), and some explicit
-statements about whose certifications you think are trustworthy
-(ownertrust), should we consider this User ID to be legitimately
-attached to this key (a "valid" User ID)?
+The basic question that a trust model tries to answer is: For a given
+User ID on a specific key, given some set of valid certifications
+(signatures), and some explicit statements about whose certifications
+you think are trustworthy (ownertrust), should we consider this User
+ID to be legitimately attached to this key (a "valid" User ID)?
It's worth noting that there are two integral parts in this
calculation: