Merge commit 'jrollins/master'
author Matt Goins <mjgoins@openflows.com>
Mon, 27 Oct 2008 02:41:12 +0000 (22:41 -0400)
committer Matt Goins <mjgoins@openflows.com>
Mon, 27 Oct 2008 02:41:12 +0000 (22:41 -0400)
doc/george/changelog
packaging/freebsd/Makefile
packaging/freebsd/TODO [deleted file]
packaging/freebsd/distinfo
packaging/freebsd/pkg-install
repo/conf/distributions
src/monkeysphere
website/getting-started-user.mdwn
website/news/gnutls-2.6-enables-monkeysphere.mdwn [new file with mode: 0644]
website/news/modified-gnutls-2.4.x-available.mdwn

index cd9aa90bb5ed819b0ffeb78c1ca831b65f41f7b4..74daf17a7cd137275d9ff0877be4a09711b954f8 100644 (file)
@@ -7,6 +7,11 @@
 *  changes to this system (first command at top, last at bottom)             *
 ******************************************************************************
 
+2008-10-25 - dkg
+       * aptitude update && aptitude full-upgrade
+       * brought monkeysphere up to 0.16-1
+       * repointed keyserver usage to pool.sks-keyservers.net
+       
 2008-09-04 - dkg
        * added two mime-type declarations in /etc/mathopd.conf so .debs
          and .tar.gz files come out reasonably; restarted mathopd for the
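Review bot: the 2008-10-25 entry says keyserver usage was "repointed to pool.sks-keyservers.net" but not which configuration file was edited; since this changelog exists to record changes to the system, name the path that now carries the keyserver setting so the next admin can find (and audit) it. Also drop the whitespace-only line after the entry; the rest of the file separates entries with a plain empty line.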
index cc3d93fc08b5d4c309539e8d626fd47fda6bde26..78ad0d3a3a6f22e5bef4accd600eb83071562fcb 100644 (file)
@@ -6,15 +6,12 @@
 #
 
 PORTNAME=      monkeysphere
-PORTVERSION=   0.16~pre
+PORTVERSION=   0.16
 CATEGORIES=    security
 MASTER_SITES=  http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
 # hack for debian orig tarballs
 DISTFILES=      ${PORTNAME}_${DISTVERSION}.orig.tar.gz
 
-# comment this out to test the port
-IGNORE=                        this port is not finished yet
-
 MAINTAINER=    dkg@fifthhorseman.net
 COMMENT=       use the OpenPGP web of trust to verify ssh connections
 
@@ -43,5 +40,11 @@ post-install:
        @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \
                ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \
        fi
+.if !defined(PACKAGE_BUILDING)
+       @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+.endif
+
+post-deinstall:
+       @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
 
 .include <bsd.port.mk>
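Review bot: post-install only runs `${PKGINSTALL}` inside `.if !defined(PACKAGE_BUILDING)`, but the new post-deinstall target runs `${PKGDEINSTALL}` unconditionally; either guard both the same way or add a comment explaining why POST-DEINSTALL may run on a package build host. Also `${PKGDEINSTALL}` refers to a pkg-deinstall script that is not among the files touched by this commit, and the deleted TODO says removing the monkeysphere user there still had to be written; confirm the script exists and handles the POST-DEINSTALL argument before relying on it.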
diff --git a/packaging/freebsd/TODO b/packaging/freebsd/TODO
deleted file mode 100644 (file)
index f482457..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-This port is not ready yet. 
-
-We also need to create the monkeysphere user in the pkg-install and
-remove it in pkg-deinstall. To do this, this page has useful tips:
-
-http://www.freebsd.org/doc/en/books/porters-handbook/dads-uid-and-gids.html
-
-and we'll have to copy scripts from existing ports that are suggested
-above, see:
-
-http://www.freebsd.org/cgi/cvsweb.cgi/ports/japanese/Wnn6/pkg-install
-http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/cvsup-mirror/pkg-install
-
-or just look around the ports tree for pkg-install files, they are
-usually for adding users.
-
-Finally the pkg-plist needs to be checked. The package hasn't been
-installed at all once yet, it only patches and builds.
-
-The port is therefore marked as IGNORE, which makes it unusable, comment
-out the IGNORE line in the Makefile to test.
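Review bot: the TODO is deleted, but two of its items are not visibly resolved by this commit: it says the pkg-plist "needs to be checked" because the package had never been installed, and that the monkeysphere user must be removed in pkg-deinstall, which is not in the change set. Either keep those two items or state in the commit message that a full install/deinstall cycle was run and pkg-deinstall now removes the user.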
index 3495f1a6d948ffa234db221d197e86cc83dc070c..16e88de4fb5044524ccbbd677203f9e13ab96c9c 100644 (file)
@@ -1,3 +1,3 @@
-MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 6e9489117794fa6afab8935b75cc5ccf
-SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = fceab7cc77d9755e6484895ede56701b298ce3649bfcd10288a12803a565b7e5
-SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59721
+MD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49
+SHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7
+SIZE (monkeysphere_0.16.orig.tar.gz) = 66062
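Review bot: these MD5/SHA256/SIZE values are the only integrity check on monkeysphere_0.16.orig.tar.gz because the Makefile fetches it over plain http; record how they were derived, ideally by comparing the tarball against the checksums in the .dsc signed with the archive key rather than just running `make makesum` on whatever was downloaded. Keeping MD5 alongside SHA256 is fine for the ports framework of this era, but SHA256 is the value that matters for verification.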
index 940b7963eee074937e91fc6734e09bc35f457ddc..5e520cdfd20ad8a19f5b8f7c8e0dd1df39b0fb80 100755 (executable)
@@ -24,7 +24,7 @@ POST-INSTALL)
         GID=${UID}
         SHELL=/usr/local/bin/bash
 
-        if pw group show "${GROUP}" 2>/dev/null; then
+        if pw group show "${GROUP}" >/dev/null 2>&1; then
                 echo "You already have a group \"${GROUP}\", so I will use it."
         else
                 if pw groupadd ${GROUP} -g ${GID}; then
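Review bot: the `>/dev/null 2>&1` change is right (the old form let `pw group show` print the group line to stdout), but `"${GROUP}"` is quoted on that line while `pw groupadd ${GROUP} -g ${GID}` three lines later is not; quote both. Note also that GID is copied from UID, so if that numeric GID is already taken by another group the groupadd will fail; make sure the else branch below this hunk reports that case rather than silently continuing.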
@@ -35,7 +35,8 @@ POST-INSTALL)
                 fi
         fi
 
-        if oldshell=`pw user show "${USER}" 2>/dev/null`; then
+       if pw user show "${USER}" >/dev/null 2>&1; then
+            oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
            if [ x"$oldshell" != x"$SHELL" ]; then
                echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
                echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
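Review bot: the new `if pw user show "${USER}" >/dev/null 2>&1; then` line is indented with a tab while the lines around it use spaces; match the file. The fix itself is correct (the old test compared the whole `pw user show` line against $SHELL, which could never match, and `cut -f10 -d:` does select the shell field of pw's passwd(5)-style output), but `pw user show` is now run twice; capture it once, for example `if userline=$(pw user show "${USER}" 2>/dev/null); then oldshell=${userline##*:}`.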
index 5ed1ab757fd33c70150ae9abf6984194eaf9d6c4..c97310e4afddc56a566a1599eb6077b492a82e16 100644 (file)
@@ -1,10 +1,10 @@
-Origin: The MonkeySphere Project
-Label: MonkeySphere/Debian
+Origin: The Monkeysphere Project
+Label: Monkeysphere/Debian
 Suite: experimental
 Codename: experimental
 Architectures: i386 powerpc amd64 arm source
-Components: monkeysphere gnutls
-Description: Packages implementing the monkeysphere for debian
+Components: monkeysphere
+Description: Packages implementing the Monkeysphere for debian
 SignWith: 2E8DD26C53F1197DDF403E6118E667F1EB8AF314
 DscIndices: Sources Release . .gz
 DebIndices: Packages Release . .gz
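Review bot: dropping `gnutls` from Components does not remove the packages already in the pool under that component; reprepro will not clean them up on its own, so remove them (for example with `reprepro -C gnutls remove` / `removefilter`) in the same change. Users who still have the old `deb http://archive.monkeysphere.info/debian experimental gnutls` line from the previous getting-started page will now get fetch errors for the missing Packages index, which is one more reason the documentation update in this commit matters. The Origin/Label capitalization change will also change the Release file; harmless, but apt clients will see it.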
index 1db4f20ce48fba8670aeb4507d4bed4b9ca0f853..dd689b5bfd45ca4b5dc6abbe97fe59b6096b7ac5 100755 (executable)
@@ -172,7 +172,7 @@ function subkey_to_ssh_agent() {
 
     if ! test_gnu_dummy_s2k_extension ; then
        failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys.
-You may want to consider patching or upgrading.
+You may want to consider patching or upgrading to GnuTLS 2.6 or later.
 
 For more details, see:
  http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html"
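Review bot: while this failure message is being edited, fix the grammar of the unchanged line above the changed one: "capable of using with gpg's exported subkeys" should read "capable of using gpg's exported subkeys". The link still points at the August 2008 gnutls-devel thread; now that the text names GnuTLS 2.6 as the fix, pointing at the 2.6 release announcement (as the new news page in this commit does) would be more useful to the user seeing the error.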
index 947c2da164526f79d53b7f36846c11ca0ef6d841..e0a2dabcfbd4566948a9808215e9bad5970836b9 100644 (file)
@@ -87,23 +87,94 @@ Using your OpenPGP authentication key for SSH
 Once you have created an OpenPGP authentication subkey, you will need
 to feed it to your ssh agent.
 
-Currently (2008-08-23), gnutls does not support this operation. In order
-to take this step, you will need to upgrade to a patched version of
-gnutls. You can easily upgrade a Debian system by adding the following
-to `/etc/apt/sources.list.d/monkeysphere.list`:
-
-       deb http://archive.monkeysphere.info/debian experimental gnutls
-       deb-src http://archive.monkeysphere.info/debian experimental gnutls
-
-Next, run `aptitude update; aptitude install libgnutls26`.
-
-With the patched gnutls installed, you can feed your authentication
-subkey to your ssh agent by running:
+The GnuTLS library supports this operation as of version 2.6, but
+earlier versions do not.  With a recent version of GnuTLS installed,
+you can feed your authentication subkey to your ssh agent by running:
 
        $ monkeysphere subkey-to-ssh-agent
 
+If you can't (or don't want to) upgrade to GnuTLS 2.6 or later, there
+are patches for GnuTLS 2.4 available in [the Monkeysphere git
+repo](/community).
+
 FIXME: using the key with a single ssh connection?
 
+Establish trust
+---------------
+
+Now that you have the above setup, you will need to establish an
+acceptable trust path to the admin(s) of a monkeysphere-enabled server
+that you will be connecting to. You need to do this because the admin
+is certifying the host, and you need a mechanism to validate that
+certification. The only way to do that is by indicating who you trust
+to certify hosts. This is a two step process: first you must sign the
+key, and then you have to indicate a trust level.
+
+The process of signing another key is outside the scope of this
+document, however the [gnupg
+README](http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/README?root=GnuPG&view=markup)
+details the signing process and you can find good [documentation
+](http://www.debian.org/events/keysigning) online detailing this
+process.
+
+If you have signed your admins' key, you need to denote some kind of
+trust to that key. To do this you should edit the key and use the
+'trust' command. For the Monkeysphere to trust the assertions that are
+made about a host, you need full calculated validity to the host
+certifiers. This can be done either by giving full trust to one
+host-certifying key, or by giving marginal trust to three different
+host-certifiers. In the following we demonstrate how to add full trust
+validity to a host-certifying key:
+        
+       
+       $ gpg --edit-key 'Jane Admin'
+       gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+       This is free software: you are free to change and redistribute it.
+       There is NO WARRANTY, to the extent permitted by law.
+       
+       
+       pub  4096R/ABCD123A  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                            trust: unknown       validity: full
+       sub  2048R/01DECAF7  created: 2007-06-02  expires: 2012-05-31  usage: E   
+       [  full  ] (1). Jane Admin <jane_admin@example.net>
+       
+       Command> trust
+       pub  4096R/ABCD123A  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                            trust: unknown       validity: full
+       sub  2048R/01DECAF7  created: 2007-06-02  expires: 2012-05-31  usage: E   
+       [  full  ] (1). Jane Admin <jane_admin@example.net>
+       
+       Please decide how far you trust this user to correctly verify other users' keys
+       (by looking at passports, checking fingerprints from different sources, etc.)
+       
+         1 = I don't know or won't say
+         2 = I do NOT trust
+         3 = I trust marginally
+         4 = I trust fully
+         5 = I trust ultimately
+         m = back to the main menu
+       
+       Your decision? 4
+       
+       pub  4096R/ABCD123A  created: 2007-06-02  expires: 2012-05-31  usage: SC  
+                            trust: full          validity: full
+       sub  2048R/01DECAF7  created: 2007-06-02  expires: 2012-05-31  usage: E   
+       [  full  ] (1). Jane Admin <jane_admin@example.net>
+       Please note that the shown key validity is not necessarily correct
+       unless you restart the program.
+       
+       Command> save
+       Key not changed so no update needed.
+       $ 
+
+Note: Due to a limitation with gnupg, it is not currently possible to
+limit the domain scope properly, which means that if you fully trust
+an admin, you'll trust all their certifications.
+
+Because the Monkeysphre relies on GPG's definition of the OpenPGP web
+of trust, it is important to understand [how GPG calculates User ID
+validity for a key](/trust-models).
+
 
 Miscellaneous
 -------------
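Review bot: typo in the last new paragraph: "Monkeysphre" should be "Monkeysphere". The two lines immediately before the `gpg --edit-key` transcript are whitespace-only with trailing spaces; a single empty line is what the markdown needs there. The transcript is consistent with gpg 1.4 (ownertrust lives in trustdb, so "Key not changed so no update needed." on save is expected), but one sentence saying that the trust setting is local to your keyring and is never exported with the key would pre-empt the obvious question. Finally, "FIXME: using the key with a single ssh connection?" is still shipped to users on this page.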
diff --git a/website/news/gnutls-2.6-enables-monkeysphere.mdwn b/website/news/gnutls-2.6-enables-monkeysphere.mdwn
new file mode 100644 (file)
index 0000000..b7894c5
--- /dev/null
@@ -0,0 +1,19 @@
+[[meta title="GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys"]]
+
+We [announced earlier](/news/modified-gnutls-2.4.x-available) that the
+Monkeysphere project was providing patched versions of GnuTLS to
+support one piece of Monkeysphere functionality.  Fortunately, those
+patches are no longer needed, because as of [version
+2.6](http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3135),
+GnuTLS contains the necessary functionality natively.
+
+Therefore, our project will no longer provide patched copies of
+GnuTLS, though we will continue to keep the patch alive in in [our git
+repository](/community) until GnuTLS 2.6 has been more widely adopted.
+
+If you were pulling patched versions of GnuTLS 2.4 from the
+Monkeysphere archive, you may prefer to pull GnuTLS 2.6 from [debian's
+experimental archive](http://wiki.debian.org/DebianExperimental) (at
+least until it GnuTLS 2.6 drops into unstable, which should happen
+shortly after the release of
+[lenny](http://wiki.debian.org/DebianLenny).
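Review bot: three small text errors in the new file: "keep the patch alive in in" has a doubled "in"; "until it GnuTLS 2.6 drops into unstable" has a stray "it"; and the sentence ending in "[lenny](http://wiki.debian.org/DebianLenny)" is missing the closing parenthesis for the parenthetical that opens at "(at least".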
index 44e08d06a873f60c03f5aa8d24636cb45c744b30..36cfbfc51c949dbbef14777c02644262e40baa94 100644 (file)
@@ -1,5 +1,15 @@
 [[meta title="Modified GnuTLS 2.4.x available"]]
 
+-----
+
+**2008-10-25 UPDATE:** [GnuTLS 2.6 has been released, and it contains the
+functionality we needed](/news/gnutls-2.6-enables-monkeysphere).
+Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with
+passphrase-protected authentication subkeys.  The information on this
+page is now of historical interest only.
+
+-----
+
 The MonkeySphere project is now making available a patched version of
 [GnuTLS](http://gnutls.org/) version 2.4.x, which enhances the utility
 of the `monkeysphere` package by enabling it to read authentication
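Review bot: the UPDATE banner says this page is now historical only, but the paragraph right below still reads "is now making available a patched version"; rewording it to past tense would match the banner and the removal of the `gnutls` component from repo/conf/distributions in this same commit, so readers do not add an apt source that no longer serves that component.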