+++ /dev/null
-******************************************************************************
-* *
-* zimmerman system log *
-* *
-******************************************************************************
-* Please add new entries in reverse chronological order whenever you make *
-* changes to this system (first command at top, last at bottom) *
-******************************************************************************
-
-2008-11-15 - micah
- * aptitude update && aptitude full-upgrade
- * aptitude install sks
- * cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
- http://nynex.net/keydump/ -e robots=off
- * install monkeysphere 0.21-2 package
-
-2008-11-15 - jamie
- * aptitude install esmtp-run mailx
- * edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org
--- /dev/null
+******************************************************************************
+* *
+* zimmermann system log *
+* *
+******************************************************************************
+* Please add new entries in reverse chronological order whenever you make *
+* changes to this system (first command at top, last at bottom) *
+******************************************************************************
+
+2008-11-29 - dkg
+ * zimmermann now uses an X.509 certificate signed by the MF/PL CA
+ for its HTTPS connection.
+
+2008-11-19 - dkg
+ * added 10 SKS peers as a result of feedback from sks-devel.
+ * set localtime to America/New_York via dpkg-reconfigure tzdata
+ * aptitude update && aptitude full-upgrade
+ * set up /var/lib/sks/www/index.html based on
+ doc/zimmermann/index.html from this repo.
+ * made nginx proxy plain ol' HTTP on port 80 also so that SKS does
+ not need to try to listen on a privileged port.
+ * turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf
+
+2008-11-19 - mlc
+ * aptitude install nginx
+ * get rid of /etc/nginx/sites-enabled/default
+ * create /etc/nginx/sites-available/https-proxy and make a symlink
+ to it in the sites-enabled directory
+ * invoke-rc.d nginx start
+
+2008-11-17 - micah
+ * verified the SHA256 values for the key material
+ * /usr/lib/sks/sks_build.sh (chose option #2: normalbuild)
+ * chown -R debian-sks:debian-sks /var/lib/sks
+ * edit /etc/default/sks to enable the initscript
+ * /etc/init.d/sks start
+ * rm -rf /var/lib/sks/dump
+
+2008-11-15 - micah
+ * aptitude update && aptitude full-upgrade
+ * aptitude install sks
+ * cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
+ http://nynex.net/keydump/ -e robots=off
+ * install monkeysphere 0.21-2 package
+ * apt-get install bzip2 ; bunzip2 /var/lib/sks/dump/*.bz2
+
+2008-11-15 - jamie
+ * aptitude install esmtp-run mailx
+ * edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org
--- /dev/null
+server {
+ listen 443;
+ server_name zimmermann.mayfirst.org;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_ciphers HIGH:MEDIUM:!ADH;
+
+ access_log off;
+
+ location / {
+ proxy_pass http://localhost:11371/;
+ }
+}
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+ <head>
+ <title>SKS Search Page</title>
+ <meta http-equiv="content-type" content="text/html; charset="utf-8">
+ <meta name="author" content="Yaron M. Minsky/Jack Cummings/Daniel Kahn Gillmor">
+ </head>
+ <body text="#000000" bgcolor="#ffffff" link="#000099" vlink="#990099" alink="#000099">
+ <h1><a href="http://www.nongnu.org/sks/">SKS OpenPGP Keyserver</a> <br> @zimmermann.mayfirst.org</h1>
+ <p> SKS is a OpenPGP keyserver whose goal is to provide easy to deploy, decentralized, and highly reliable synchronization. That means that a key submitted to one SKS server will quickly be distributed to all key servers, and even wildly out-of-date servers, or servers that experience spotty connectivity, can fully synchronize with rest of the system. </p>
+ <p>You can find out more about SKS, along with links to graphs of the network status <a href="http://www.nongnu.org/sks/">here</a>.</p>
+ <table cellpadding="2" cellspacing="2" border="1" width="600" bgcolor="#ddddff">
+ <tr>
+ <td valign="top">
+ <h3>Extract a key</h3>
+ <p>You can extract a key by typing in some words that appear in the userid
+ of the key you're looking for, or by typing in the keyid in hex format ("0x...")</p>
+ <p>
+ <form action="/pks/lookup" method="get">
+ Search String: <input name="search" size="40"> <br>
+ Show PGP "fingerprints" for keys
+ <input type="checkbox" name="fingerprint"> <br>
+ Show SKS full-key hashes
+ <input type="checkbox" name="hash"> <br>
+ Search for keys: <br>
+ <input type="radio" name="op" value="index" CHECKED> get index of matching keys <br>
+ <input type="radio" name="op" value="vindex"> get verbose index of matching keys <br>
+ <input type="radio" name="op" value="get"> retrieve ascii-armored keys <br>
+ <input type="radio" name="op" value="hget"> retrieve keys by full-key hash
+ <br>
+ <input type="reset" value="Reset">
+ <input type="submit">
+ </form>
+ <br>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top">
+ <h3>Submit a key</h3>
+ You can submit a key by simply pasting in the ASCII-armored version
+ of your key and clicking on submit.
+ <form action="/pks/add" method="post">
+ <textarea name="keytext" rows="20" cols="66"></textarea> <br>
+ <input type="reset" value="Reset">
+ <input type="submit" value="Submit this key to the keyserver!">
+ </form>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <h3>
+ Access
+ </h3>
+ To use this server directly via HKP add this to your .PGP keyserver list:<br>
+
+<pre>x-hkp://zimmermann.mayfirst.org
+http://zimmermann.mayfirst.org:11371</pre>
+
+ You can also select a random server by adding this to your keyserver list:<br>
+
+<pre>x-hkp://pool.sks-keyservers.net
+http://pool.sks-keyservers.net:11371</pre>
+
+ </td>
+ </tr>
+ </tbody>
+ </table>
+
+<hr>
+ [<a href="/pks/lookup?op=stats">Server Status</a>] If you have any questions
+ about or problems with this server, please <a href="https://support.mayfirst.org/newticket?summary=zimmermann.mayfirst.org%20trouble">open a ticket</a>.
+ </body>
+</html>
-monkeysphere (0.22~pre-1) UNRELEASED; urgency=low
+monkeysphere (0.23~pre-1) UNRELEASED; urgency=low
* New upstream release:
- [ Jameson Rollins ]
+ - added better checks for the existence of a host private key for
+ functions that require it to be there.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sun, 30 Nov 2008 17:14:50 -0500
+
+monkeysphere (0.22-1) unstable; urgency=low
+
+ * New upstream release:
+ [ Jameson Graef Rollins ]
- added info log output when a new key is added to known_hosts file.
- added some useful output to the ssh-proxycommand for "marginal"
cases where keys are found for host but do not have full validity.
+ - force ssh-keygen to read from stdin to get ssh key fingerprint.
[ Daniel Kahn Gillmor ]
- automatically output two copies of the host's public key: one
standard ssh public key file, and the other a minimal OpenPGP key with
just the latest valid self-sig.
+ - debian/control: corrected alternate dependency from procfile to
+ procmail (which provides /usr/bin/lockfile)
- -- Jameson Graef Rollins <jrollins@finestructure.net> Sun, 16 Nov 2008 03:22:08 -0500
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Fri, 28 Nov 2008 14:23:31 -0500
monkeysphere (0.21-2) unstable; urgency=low
Package: monkeysphere
Architecture: any
-Depends: openssh-client, gnupg, coreutils (>= 6) | base64, lockfile-progs | procfile, adduser, ${shlibs:Depends}
+Depends: openssh-client, gnupg, coreutils (>= 6) | base64, lockfile-progs | procmail, adduser, ${shlibs:Depends}
Recommends: netcat | socat, ssh-askpass
Enhances: openssh-client, openssh-server
Description: use the OpenPGP web of trust to verify ssh connections
#
PORTNAME= monkeysphere
-PORTVERSION= 0.19
+PORTVERSION= 0.22~pre
CATEGORIES= security
MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
# hack for debian orig tarballs
-MD5 (monkeysphere_0.19.orig.tar.gz) = 64c643dd0ab642bbc8814aec1718000e
-SHA256 (monkeysphere_0.19.orig.tar.gz) = 321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522
-SIZE (monkeysphere_0.19.orig.tar.gz) = 68335
+MD5 (monkeysphere_0.22~pre.orig.tar.gz) = fd19f09ed9a720f673d74c9cb58e9d6d
+SHA256 (monkeysphere_0.22~pre.orig.tar.gz) = 337c7fdb93b697fba5a9e35cdff2b5faf0e4914fd8beab7994b456d58d19abb6
+SIZE (monkeysphere_0.22~pre.orig.tar.gz) = 69345
--- /dev/null
+http://www.rpm-based.org/how-to-create-rpm-package
--- /dev/null
+Name: monkeysphere
+Summary: use the OpenPGP web of trust to verify ssh connections
+Version: 0.22~pre
+Release: 1
+License: GPLv3
+Group: net
+URL: http://web.monkeysphere.info/
+
+Source: http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_%{version}.orig.tar.gz
+
+%description
+SSH key-based authentication is tried-and-true, but it lacks a true
+Public Key Infrastructure for key certification, revocation and
+expiration. Monkeysphere is a framework that uses the OpenPGP web of
+trust for these PKI functions. It can be used in both directions: for
+users to get validated host keys, and for hosts to authenticate users.
+
+Monkeysphere is free software released under the GNU General Public
+License (GPL).
+
+%prep
+%setup -q
+
+%build
+%{__make}
+
+%install
+%{__rm} -rf %{buildroot}
+Prefix=%{buildroot}/usr
+%makeinstall
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-, root, root, 0755)
+
+%changelog
+* Sat Nov 22 2008 -
+- Initial release.
local shortunits
# try things the GNU way first
- if date -d "$number $longunits" "$format" >&/dev/null ; then
+ if date -d "$number $longunits" "$format" >/dev/null 2>&1; then
date -d "$number $longunits" "$format"
else
# otherwise, convert to (a limited version of) BSD date syntax:
;;
'uid') # user ids
if [ "$lastKey" != pub ] ; then
- log verbose " - got a user ID after a sub key?! user IDs should only follow primary keys!"
+ log verbose " ! got a user ID after a sub key?! user IDs should only follow primary keys!"
continue
fi
# if an acceptable user ID was already found, skip
if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then
# mark user ID acceptable
uidOK=true
+ else
+ log debug " - unacceptable user ID validity ($validity)."
fi
else
continue
# if sub key validity is not ok, skip
if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
+ log debug " - unacceptable sub key validity ($validity)."
continue
fi
# if sub key capability is not ok, skip
if ! check_capability "$usage" $requiredCapability ; then
+ log debug " - unacceptable sub key capability ($usage)."
continue
fi
log verbose "done."
}
-function subkey_to_ssh_agent() {
+subkey_to_ssh_agent() {
# try to add all authentication subkeys to the agent:
local sshaddresponse
su_monkeysphere_user "gpg $@"
}
+# function to check for host secret keys
+# fails if host sec key exists, exits true otherwise
+check_host_keyring() {
+ if ! gpg_host --list-secret-keys --fingerprint \
+ --with-colons --fixed-list-mode 2>/dev/null | grep -q '^sec:' ; then
+
+ failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
+ fi
+}
+
# output just key fingerprint
fingerprint_server_key() {
gpg_host --list-secret-keys --fingerprint \
fingerprint=$(fingerprint_server_key)
gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint"
- # dumping to a file named ' ' so that the ssh-keygen output
- # doesn't claim any potentially bogus hostname(s):
- tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
- gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
+ # do some crazy "Here Strings" redirection to get the key to
+ # ssh-keygen, since it doesn't read from stdin cleanly
echo -n "ssh fingerprint: "
- ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }'
- rm -rf "$tmpkey"
+ ssh-keygen -l -f /dev/stdin \
+ <<<$(gpg_authentication "--export $fingerprint" | \
+ openpgp2ssh "$fingerprint" 2>/dev/null) | \
+ awk '{ print $1, $2, $4 }'
echo -n "OpenPGP fingerprint: "
echo "$fingerprint"
}
userID="ssh://${hostName}"
# check for presense of key with user ID
+ # FIXME: is this the proper test to be doing here?
if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then
failure "Key for '$userID' already exists"
fi
log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
- gpg_authentication --export-options export-minimal --export "0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+ gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
}
local fpr=$(fingerprint_server_key)
local extendTo="$1"
- if [ -z "$fpr" ] ; then
- failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first."
- fi
-
# get the new expiration date
extendTo=$(get_gpg_expiration "$extendTo")
echo " - Recommendation: remove the above HostKey lines from $sshd_config"
problemsfound=$(($problemsfound+1))
fi
+
+ # FIXME: test (with ssh-keyscan?) that the running ssh
+ # daemon is actually offering the monkeysphere host key.
+
fi
fi
# export the key to the host keyring
gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import
- if [ "$trust" == marginal ]; then
+ if [ "$trust" = marginal ]; then
trustval=1
- elif [ "$trust" == full ]; then
+ elif [ "$trust" = full ]; then
trustval=2
else
failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
case $COMMAND in
'update-users'|'update-user'|'u')
+ check_host_keyring
update_users "$@"
;;
;;
'extend-key'|'e')
+ check_host_keyring
extend_key "$@"
;;
'add-hostname'|'add-name'|'n+')
+ check_host_keyring
add_hostname "$@"
;;
'revoke-hostname'|'revoke-name'|'n-')
+ check_host_keyring
revoke_hostname "$@"
;;
'show-key'|'show'|'s')
+ check_host_keyring
show_server_key
;;
'publish-key'|'publish'|'p')
+ check_host_keyring
publish_server_key
;;
;;
'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
+ check_host_keyring
add_certifier "$@"
;;
'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
+ check_host_keyring
remove_certifier "$@"
;;
'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
+ check_host_keyring
list_certifiers "$@"
;;
local uidfpr
local usage
local sshKeyGPG
+ local tmpkey
local sshFingerprint
+ local gpgSigOut
- log "OpenPGP keys with*out* full validity found for this host:"
- log
+ userID="ssh://${HOSTP}"
+
+ log "-------------------- Monkeysphere warning -------------------"
+ log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity."
# retrieve the actual ssh key
sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+ # FIXME: should we do any checks for failed keyscans, eg. host not
+ # found?
- userID="ssh://${HOSTP}"
-
- # output gpg info for (exact) userid and store
+ # get the gpg info for userid
gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
--with-fingerprint --with-fingerprint \
="$userID" 2>/dev/null)
- # loop over all lines in the gpg output and process.
+ # find all 'pub' and 'sub' lines in the gpg output, which each
+ # represent a retrieved key for the user ID
echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
while IFS=: read -r type validity keyid uidfpr usage ; do
case $type in
# if one of keys found matches the one offered by the
# host, then output info
if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+ log "An OpenPGP key matching the ssh key offered by the host was found:"
+ log
- # get the fingerprint of the ssh key
- tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
- echo "$sshKeyGPG" > "$tmpkey"
- sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }')
- rm -rf "$tmpkey"
+ # do some crazy "Here Strings" redirection to get the key to
+ # ssh-keygen, since it doesn't read from stdin cleanly
+ sshFingerprint=$(ssh-keygen -l -f /dev/stdin \
+ <<<$(echo "$sshKeyGPG") | \
+ awk '{ print $2 }')
- # output gpg info
- gpg --check-sigs \
+ # get the sigs for the matching key
+ gpgSigOut=$(gpg --check-sigs \
--list-options show-uid-validity \
- "$keyid" >&2
+ "$keyid")
+
+ # output the sigs, but only those on the user ID
+ # we are looking for
+ echo "$gpgSigOut" | awk '
+{
+if (match($0,"^pub")) { print; }
+if (match($0,"^uid")) { ok=0; }
+if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
+if (ok) { if (match($0,"^sig")) { print; } }
+}
+' >&2
+ log
+
+ # output the other user IDs for reference
+ if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+ log "Other user IDs on this key:"
+ echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2
+ log
+ fi
# output ssh fingerprint
log "RSA key fingerprint is ${sshFingerprint}."
- log "Falling through to standard ssh host checking."
- log
+
+ # this whole process is in a "while read"
+ # subshell. the only way to get information out
+ # of the subshell is to change the return code.
+ # therefore we return 1 here to indicate that a
+ # matching gpg key was found for the ssh key
+ # offered by the host
+ return 1
fi
;;
esac
done
+
+ # if no key match was made (and the "while read" subshell returned
+ # 1) output how many keys were found
+ if (($? != 1)) ; then
+ log "None of the found keys matched the key offered by the host."
+ log "Run the following command for more info about the found keys:"
+ log "gpg --check-sigs --list-options show-uid-validity =${userID}"
+ # FIXME: should we do anything extra here if the retrieved
+ # host key is actually in the known_hosts file and the ssh
+ # connection will succeed? Should the user be warned?
+ # prompted?
+ fi
+
+ log "-------------------- ssh continues below --------------------"
}
########################################################################
;;
esac
+# FIXME: what about the case where monkeysphere successfully finds a
+# valid key for the host and adds it to the known_hosts file, but a
+# different non-monkeysphere key for the host already exists in the
+# known_hosts, and it is this non-ms key that is offered by the host?
+# monkeysphere will succeed, and the ssh connection will succeed, and
+# the user will be left with the impression that they are dealing with
+# a OpenPGP/PKI host key when in fact they are not. should we use
+# ssh-keyscan to compare the keys first?
+
# exec a netcat passthrough to host for the ssh connection
if [ -z "$NO_CONNECT" ] ; then
if (which nc 2>/dev/null >/dev/null); then
{
sed "s/__VERSION__/$VERSION/g" < utils/releasenote.header
- head -n$(( $(grep -n '^ --' debian/changelog | head -n1 | cut -f1 -d:) - 2 )) debian/changelog | tail -n+3
+ head -n$(( $(grep -n '^ --' packaging/debian/changelog | head -n1 | cut -f1 -d:) - 2 )) packaging/debian/changelog | tail -n+3
sed "s/__VERSION__/$VERSION/g" < utils/releasenote.footer
} > "website/news/release-$VERSION.mdwn"
--- /dev/null
+It would be nice to make all of the Monkeysphere scripts POSIX
+compliant, for portability and light-weightedness. Better POSIX
+compliance would probably at least be better for compatibility with
+o{ther,lder} versions of bash. Unfortunately there are quite a few
+bashism at the moment, so this may not be trivial. For instance:
+
+ servo:~/cmrg/monkeysphere/git 0$ checkbashisms -f src/monkeysphere-server 2>&1 | wc -l
+ 50
+ servo:~/cmrg/monkeysphere/git 0$
Are there other ways we can deal with this problem?
--dkg
+
+Here is an example when using monkeysphere-server
+add-identity-certifier on a host with a newly-installed monkeysphere
+installaton. Note that running the same command a second time works
+as expected:
+
+ 0 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+ gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+ gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+ gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+ gpg: failed to rebuild keyring cache: file open error
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: next trustdb check due at 2009-03-30
+ gpg: Total number processed: 1
+ gpg: imported: 1 (RSA: 1)
+ Could not receive a key with this ID from the 'pool.sks-keyservers.net' keyserver.
+ 255 pip:~# monkeysphere-server c+ 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
+ gpg: requesting key D21739E9 from hkp server pool.sks-keyservers.net
+ gpg: key D21739E9: "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" not changed
+ gpg: Total number processed: 1
+ gpg: unchanged: 1
+
+ key found:
+ pub 4096R/D21739E9 2007-06-02 [expires: 2012-05-31]
+ Key fingerprint = 0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9
+ uid [ unknown] Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ uid [ unknown] Daniel Kahn Gillmor <dkg@openflows.com>
+ uid [ unknown] Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+ uid [ unknown] Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+ uid [ unknown] [jpeg image of size 3515]
+ sub 2048R/4BFA08E4 2008-06-19 [expires: 2009-06-19]
+ sub 4096R/21484CFF 2007-06-02 [expires: 2012-05-31]
+
+ Are you sure you want to add the above key as a
+ certifier of users on this system? (y/N) y
+ gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
+ gpg: Total number processed: 1
+ gpg: imported: 1 (RSA: 1)
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: next trustdb check due at 2009-03-30
+ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+
+ pub 4096R/D21739E9 created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: unknown
+ [ unknown] (1). Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ [ unknown] (2) Daniel Kahn Gillmor <dkg@openflows.com>
+ [ unknown] (3) Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+ [ unknown] (4) Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+ [ unknown] (5) [jpeg image of size 3515]
+
+
+ pub 4096R/D21739E9 created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: unknown
+ Primary key fingerprint: 0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9
+
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ Daniel Kahn Gillmor <dkg@openflows.com>
+ Daniel Kahn Gillmor <dkg@astro.columbia.edu>
+ Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>
+ [jpeg image of size 3515]
+
+ This key is due to expire on 2012-05-31.
+ Please decide how far you trust this user to correctly verify other users' keys
+ (by looking at passports, checking fingerprints from different sources, etc.)
+
+ 1 = I trust marginally
+ 2 = I trust fully
+
+
+ Please enter the depth of this trust signature.
+ A depth greater than 1 allows the key you are signing to make
+ trust signatures on your behalf.
+
+
+ Please enter a domain to restrict this signature, or enter for none.
+
+
+ Are you sure that you want to sign this key with your
+ key "ssh://pip.fifthhorseman.net" (9B83C17D)
+
+ The signature will be marked as non-exportable.
+
+
+ gpg: can't create `/var/lib/monkeysphere/gnupg-host/pubring.gpg.tmp': Permission denied
+ gpg: failed to rebuild keyring cache: file open error
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
+ gpg: next trustdb check due at 2009-03-30
+
+ Identity certifier added.
+ 0 pip:~#
--- /dev/null
+Since Monkeysphere is using bash, it would be nice to use the shell
+build in getopts function, instead of the external getopt program.
+This would reduce an external dependency, which would definitely be
+better for portability.
+++ /dev/null
-I would like to know, at INFO (default) log level, when the
-monkeyspehere makes a "real" modification to my known_hosts file; that
-is, when it adds or deletes a key.
-
-Apparently this is hard because monkeysphere is currently configured to
-delete all keys and then add good keys, so a key added for the first
-time seems to the monkeysphere very similar to a key re-added ten
-seconds after last login.
-
-Still, from a UI perspective, I want to know what monkeysphere is doing.
-
-------
-
-It looks like jrollins committed a change for reporting at INFO level
-when a host key gets added by the monkeysphere:
-2459fa3ea277d7b9289945748619eab1e3441e5c
-
-When i connect to a host whose key is not already present in my
-known_hosts file, i get the following to stderr:
-
- ms: * new key for squeak.fifthhorseman.net added to known_hosts file.
-
-This doesn't fully close this bug, because we aren't notifying on key
-deletion, afaict.
--- /dev/null
+I would like to know, at INFO (default) log level, when the
+monkeyspehere makes a "real" modification to my known\_hosts file; that
+is, when it adds or deletes a key.
+
+Apparently this is hard because monkeysphere is currently configured to
+delete all keys and then add good keys, so a key added for the first
+time seems to the monkeysphere very similar to a key re-added ten
+seconds after last login.
+
+Still, from a UI perspective, I want to know what monkeysphere is doing.
+
+------
+
+It looks like jrollins committed a change for reporting at INFO level
+when a host key gets added by the monkeysphere:
+2459fa3ea277d7b9289945748619eab1e3441e5c
+
+When i connect to a host whose key is not already present in my
+known_hosts file, i get the following to stderr:
+
+ ms: * new key for squeak.fifthhorseman.net added to known_hosts file.
+
+This doesn't fully close this bug, because we aren't notifying on key
+deletion, afaict.
+
+------
+
+So current log level DEBUG will output a message if the known host
+file has been modified. If the issue is that you want to know at the
+default log level everytime the known\_hots file is modified, then we
+should just move this message to INFO instead of debug, and then maybe
+remove the message that I added above. I was under the impression
+that the issue was more about notification that a *new* key was added
+to the known\_hosts file, and therefore the new INFO message above
+fixed that problem. Should we do this instead?
+
+In general, more verbose log levels *do* tell the user what the
+monkeysphere is doing. Moving to DEBUG log level will tell you pretty
+much everything that happens. I do *not* think that this should be
+the default log level, though.
+
+------
+
+I wouldn't want to see an extremely verbose default log level. But i
+do think that saying something like "key blah blah blah was stripped
+from your known\_hosts file because it was expired" (for example)
+would be useful. I think this case would occur infrequently enough
+that it is worth reporting in the UI at the regular log level.
+
+ --dkg
* Getting started as a [user](/getting-started-user)
* Getting started as a [server admin](/getting-started-admin)
+## Going further ##
+
+ * [Signing host keys](/signing-host-keys)
+
## Under the hood ##
* [Developing the monkeysphere](/community)
## References ##
- * [Initial specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
+ * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
* [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880)
* [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252)
* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
is available](/community) via [git](http://git.or.cz/).
The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.21.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.22.orig.tar.gz)
is also available, and has these checksums:
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-checksums for the monkeysphere 0.21 release:
+checksums for the monkeysphere 0.22 release:
MD5:
-15fe181983565aca0fbe4c41f9f6752e monkeysphere_0.21.orig.tar.gz
+2bb00c86323409b98aff53f94d9ce0a6 monkeysphere_0.22.orig.tar.gz
SHA1:
-27e915a45cdbe50a139ed4f4b13746b17c165b0f monkeysphere_0.21.orig.tar.gz
+312882ad192b8e7303e3e0ac9db20ac8ddc529b3 monkeysphere_0.22.orig.tar.gz
SHA256:
-1535c3f722f5f5c1646a4981efef4a262ac7b23bf4b980c9aee11af2600eedc2 monkeysphere_0.21.orig.tar.gz
+2566facda807a67a4d2d6de3833cccfa0b78b454909e8d25f47a235a9e621b24 monkeysphere_0.22.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-iQIVAwUBSR8+7BjmZ/HrivMUAQLeKg/+JT4LCXBR/06p/w2KBd1MKqch5Qf2ryIo
-mxCTWtZRgVQSeOFUJ5SXX+Tfs7VZfkV5HuahUH3NmGC6EMhYyB2olwBOOoIAqEKw
-1zVyn49bowCee+gTc3QHyT0Eqgt2ARtzl3/VrHkiw2MaJN3IZXseovyL8ksnEu+u
-s8fq26imtBrrucIxp4ZtHUw/h/YrJohHcJ8QQN5/UWFLug4C4aRFmnzL+oCySxAa
-0au/zFxxRZE5pMhLUvRwwCwPFx2CGBz6y9lAOiDPhhUqh+Bf7JKWJzk35Dj5Tm+2
-lCIzYtfpBkuF9ehCrm8WYF5aFg+gto8Bc6IJci9J6h2npBYIG0IbWOknMZz3+Ti2
-c3EltlJjK0LKEHujDYjf9tkNAxbBdtlYuw8x925ILeK7n8xX0Jr1TDzPyAIYaogv
-IVqsgnvQ489K8k06173kyrPaetyvOlU3bN1zcPdqTyCD6+eBbeCeKXO4324C8iMF
-rQPW4HScOdIidqFuzHyIT7PoY4DwWMgeAVymRSEufifvRcdCvQdlC4MaxxVf5I8A
-ATkD3CrY+5NZeERAGbmlu7Uz+sUk5tLUH0Q2qvjZUIQRctfr4BMheuBubsLR9yP3
-FZ4Q4kl34eU/WU7NtTmIFy7gDhLSIoeQINfYZlNEXQ7Y/RZUOEwoPI/spAXgw6De
-Xpsw0wPZtcM=
-=JDaA
+iQIVAwUBSTCiPRjmZ/HrivMUAQLg/BAAsdLsCQYSmvYLrYy1HiARtZOckqSOFv5e
+lnoOYEXKCXVjKqYUn4gjOkP2kQlnEOazfXrT/pO4u0AKUbf3C8bPDpIeao8uuPXI
+GG6HOWtsY93a2g8DM9fOzadIwhhBc9U7VwizBwFsxMw6xFTIKfoqqQonfEYFFLb6
+zyJVcfhmmGjgoJ9qA3AlYAf/i3Y/fcXh+YMI5J3Gez3BTVcep41UlcQUyd33pHF6
+aHdSWCzrotFual3fbf0meQewbBCW3JRBsbmCHQltbO/kNrtyfXb3Rp4oLiffcmpI
+DhfpFeonVHnUI9CVHmL7qbnBsgu5Q8l8Fxzu5pyzrGJxlvqBCpG8JM2FI0jJxw6o
+LQkmXCHteYKyopqKz5X0ATCot2Eoc9+kNEHwNWI37XbY7AV1XOOzGiaMjl+w8aUR
+QM8+Gi0h7SU2KuEogIsq1TghsDp3BJpTyBnc72ttLt2BvMzANOJnM8cmQqW8bOpz
+9Jdob+ISKkKG9q0wp61gb+8/f7mZKNtpr2rpRVYyjHgwR5XfbnS+gaD2B1NyG7NY
+yxW7fHpTsuwqcm2ONjZCDpEj0bXM0cL7r8c3J0L5kRCiN05c/KKYTNC70kTwCeQa
+ninihvIJal0Wu3LZxtYmtxuApq3wmc8NPo66C+TC24YGtxxJuZMS1qOlPFIPADIa
+EeBVdDmRbBw=
+=FmCP
-----END PGP SIGNATURE-----
</pre>
up your machine to automatically identify connecting users by their
presence in the OpenPGP web of trust.
+
Server host key publication
---------------------------
To generate and publish a server host key:
existing session to the machine while you test your changes so you
don't get locked out.
+
Monkeysphere authorized_keys maintenance
----------------------------------------
This would refresh your keychain every day at noon.
+
Install the monkeysphere software on your system
------------------------------------------------
GnuTLS 2.6 or later, there are patches for GnuTLS 2.4 available in
[the Monkeysphere git repo](/community).
+
Keeping your `known_hosts` file in sync with your keyring
------------------------------------------------------------
+---------------------------------------------------------
With your keyring updated, you want to make sure that OpenSSH can
still see the most recent trusted information about who the various
command could be added to a crontab as well, if desired.
+
Using `monkeysphere-ssh-proxycommand`(1)
----------------------------------------
you want to add the subkey to on the command line.
+
Using your OpenPGP authentication key for SSH
---------------------------------------------
FIXME: using the key with a single ssh connection?
+
Establish trust
---------------
--- /dev/null
+[[meta title="Monkeysphere 0.22-1 released!"]]
+
+Monkeysphere 0.22-1 has been released.
+
+Notes from the changelog:
+
+<pre>
+ * New upstream release:
+ [ Jameson Graef Rollins ]
+
+ - added info log output when a new key is added to known_hosts file.
+ - added some useful output to the ssh-proxycommand for "marginal"
+ cases where keys are found for host but do not have full validity.
+ - force ssh-keygen to read from stdin to get ssh key fingerprint.
+
+ [ Daniel Kahn Gillmor ]
+
+ - automatically output two copies of the host's public key: one
+ standard ssh public key file, and the other a minimal OpenPGP key with
+ just the latest valid self-sig.
+ - debian/control: corrected alternate dependency from procfile to
+ procmail (which provides /usr/bin/lockfile)
+</pre>
+
+[[Download]] it now!
--- /dev/null
+# Signing a host's SSH key using OpenPGP #
+
+This page is meant to address the issue of signing OpenPGP-based SSH
+host keys. Machines are not people, so the circumstances under which
+one should sign a host key are different from those under which one
+should sign another person's key.
+
+# Why are signatures on an SSH host key important? #
+
+In order for users to validate a host (an SSH server) in a
+monkeysphere-enabled network, the host key must have *full* calculated
+validity from the perspective of the connecting user. If the user has
+not themselves signed the server's key, then the server's key can only
+be valid if other people that the user trusts have signed the key.
+
+If only one person has signed the server's key, then the user must
+fully trust the single person who has signed the host key. Full trust
+should be granted sparingly and with consideration, though, so unless
+the user knows the server admin very well, they will in general not
+have full trust of this person.
+
+However, full trust of the host key can also be achieved if the
+server key has been signed by three or more people that the user has
+ *marginal* trust of. In other words, three or more *marginally*
+trusted signatures equals one *fully* trusted signature. It is much
+more common for users to have marginal trust of other users in the Web
+of Trust. For this reason, it is advisable to have as many people
+sign the server key as possible.
+
+## What information should you have before signing a host key? ##
+
+Before signing the key of a person, you want to do two things:
+
+1. verify the identity of the person.
+2. verify that the person is actually in control of the key that you
+are signing.
+
+For a server, you want to do basically the same thing:
+
+1. verify the identity of the server.
+2. verify that the server is actually in control of the key that you
+are signing.
+
+However, verifying these things for a server is less intuitive than it
+is for a human.
+
+Verifying that the host is in control of the key is, in principle,
+straightforward. If you are logged on to the machine in question,
+then you can check directly that the key exists on the system.
+
+What is not so straightforward is what exactly it means to "verify the
+identity" of a remote server on the internet? The identity in this
+case is the fully qualified domain name (FQDN) of the host. Verifying
+this identity amounts to being sure that the host in question really
+is located at that FQDN.
+
+## Signing the host key ##
+
+If you are the person (or persons) that actually setup the server and
+configured Monkeysphere and ssh on the server, then you should sign
+the host key as part of that process. When the server is first set
+up, the administrators who set it up are the only ones who can
+actually vouch for the server key, so their signatures are necessary
+to get things going. Their signatures are also necessary so that they
+can validate the host key themselves and log into the server via
+monkeysphere-enabled ssh in the future.
+
+If you did not set up the server initially, you do not have an
+accumulated full trust of the person(s) who did, and you do not
+necessarily have console access to the server directly, it's hard to
+confidently verify the server identity and key ownership. You would
+like to be able to walk up to the server, log in at the console, and
+get the fingerprint of the ssh host key directly. But this is usually
+impossible.
+
+However, it is still possible to verify the server identity *and*
+server ownership of the key, even in this case.
+
+## Remotely verifying host identity and key possession ##
+
+It is in fact possible to verify the identity and key ownership of a
+server in one fell swoop with monkeysphere-enabled ssh. Here is the
+procedure:
+
+> **Attempt to make a monkeysphere-enabled ssh connection to the host in
+question. Monkeysphere will check that the ssh host key offered by the
+host matches the OpenPGP key with the correct host FQDN user ID. If
+the ssh host key and the OpenPGP key with the correct user ID match,
+then you will have effectively:**
+
+>**1. verified the host identity, because you actually connected to the
+host in question, which you know because you:**
+
+>**2. verified the host is in control of the key, because the ssh host
+key offered by the host matches the OpenPGP key with correct host FQDN
+user ID.**
+
+Here is an example:
+
+ servo:~ 0$ ssh zimmermann.mayfirst.org
+ -------------------- Monkeysphere warning -------------------
+ Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+ An OpenPGP key matching the ssh key offered by the host was found:
+
+ pub 2048R/860E8F9C 2008-10-29 [expires: 2009-02-26]
+ uid [marginal] ssh://zimmermann.mayfirst.org
+ sig! 76CC057D 2008-11-15 Jamie McClelland <jamie@mayfirst.org>
+ sig!3 860E8F9C 2008-10-29 ssh://zimmermann.mayfirst.org
+ sig! D21739E9 2008-10-29 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+ sig! 1CF2D62A 2008-11-16 Micah Anderson <micah@riseup.net>
+
+ RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
+ -------------------- ssh continues below --------------------
+ The authenticity of host 'zimmermann.mayfirst.org (<no hostip for proxy command>)' can't be established.
+ RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
+ No matching host key fingerprint found in DNS.
+ Are you sure you want to continue connecting (yes/no)? no
+ Host key verification failed.
+ servo:~ 255$
+
+I have attempted to connect to the host zimmermann.mayfirst.org.
+zimmermann's host key has only *marginal* validity for the FQDN user
+ID in question, so I am not able to connect. However, the
+Monkeysphere has checked that the ssh host key actually does match the
+OpenPGP key with the correct user ID `ssh://zimmermann.mayfirst.org`.
+I have therefore verified the identity of zimmermann, and verified
+that zimmermann is in possession of the key in question.
projects / monkeysphere.git / commitdiff