* Fix man page typo about monkeysphere authorized_keys location
* Monkeysphere should work properly even if the user has "armor" in
their gpg.conf (closes MS #1625)
+ * monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER
+ environment variable (and defaults to true)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:38:43 -0500
* Please add new entries in reverse chronological order whenever you make *
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2010-03-09 - micah
+ * setup /srv/micah.monkeysphere.info
+ * replaced /etc/mathopd.conf virtual for daniel with one for me
+ * removed /srv/daniel.monkeysphere.info - not used
+
2010-03-08 - mjgoins
* Adding self to webmaster's authorized_user_ids
* updating ikiwiki to use the version from lenny backports
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2010-03-10 - micah
+ * Updated /etc/monkeysphere/*.conf to use zimmermann
+ for the keyserver
+
+2010-03-09 - dkg
+ * transferred the https://z.m.o key from /root/.gnupg into the
+ monkeysphere-host keyring with:
+
+ gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import
+
+ * used undocumented "monkeysphere-host update-pgp-pub-file" to
+ refresh the output of m-h s.
+
+2010-02-19 - dkg
+ * upgraded to monkeysphere 0.28-1~bpo50+1 (includes gnupg from
+ backports.org)
+
+2010-02-?? - dkg
+ * manually created an OpenPGP certificate for zimmermann's https
+ RSA key, stored in /root/.gnupg; published it to the keyserver
+ network, certified it myself.
+
2008-11-29 - dkg
* zimmermann now uses an X.509 certificate signed by the MF/PL CA
for its HTTPS connection.
-
+
2008-11-19 - dkg
* added 10 SKS peers as a result of feedback from sks-devel.
* set localtime to America/New_York via dpkg-reconfigure tzdata
* made nginx proxy plain ol' HTTP on port 80 also so that SKS does
not need to try to listen on a privileged port.
* turned on initial_stat and stat_hour: 3 in /etc/sks/sksconf
-
+
2008-11-19 - mlc
* aptitude install nginx
* get rid of /etc/nginx/sites-enabled/default
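Review bot: the transfer recorded at the `gpg --export-secret-keys | GNUPGHOME=/var/lib/monkeysphere/host gpg --import` line exports every secret key present in /root/.gnupg, not just the https key, so if that keyring ever held anything else it is now in the monkeysphere-host keyring too; the log entry should either confirm that the https key was the only secret key there or record the key id the export was restricted to. Two smaller follow-ups in the same hunk: the `2010-02-??` date can be recovered from the creation timestamp on the OpenPGP certificate and filled in, and the "undocumented" `monkeysphere-host update-pgp-pub-file` step is a reminder that the subcommand needs a man page entry before anyone else has to repeat this procedure.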
# Set whether or not to check keyservers at every monkeysphere
# interaction, including all ssh connections if you use the
-# monkeysphere ssh-proxycommand.
-# NOTE: setting CHECK_KEYSERVER to true will leak information about
-# the timing and frequency of your ssh connections to the maintainer
-# of the keyserver.
+# monkeysphere ssh-proxycommand. Leave unset for default behavior
+# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
+# NOTE: setting CHECK_KEYSERVER explicitly to true will leak
+# information about the timing and frequency of your ssh connections
+# to the maintainer of the keyserver.
#CHECK_KEYSERVER=true
# The path to the SSH known_hosts file.
# The path to the SSH authorized_keys file.
#AUTHORIZED_KEYS=~/.ssh/authorized_keys
+
+# Set to true to enable validation agent during X session startup
+# where available.
+#USE_VALIDATION_AGENT=false
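Review bot: the new USE_VALIDATION_AGENT comment does not say how the setting is consumed. The Xsession.d script added in this commit sources this file and then ~/.monkeysphere/monkeysphere.conf as shell at X session start and compares the result with the literal string `true`, so the value must be exactly `true` (not `yes` or `1`), and an assignment in the per-user file wins over the system one. Suggest adding that to the comment, e.g. `# Read by /etc/X11/Xsession.d/70monkeysphere_use-validation-agent at X session start; a setting in ~/.monkeysphere/monkeysphere.conf overrides this one.` The reworded CHECK_KEYSERVER note is an improvement, since it now distinguishes "unset" from an explicit `true`.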
.SH AUTHOR
Written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
-.TH MONKEYSPHERE "7" "March 2009" "monkeysphere" "System Frameworks"
+.TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks"
.SH NAME
-monkeysphere - ssh authentication framework using OpenPGP Web of
-Trust
+monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust
.SH DESCRIPTION
.SH AUTHOR
Written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
/etc/monkeysphere/monkeysphere\-authentication.conf
System monkeysphere-authentication config file.
.TP
+/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt
+If monkeysphere-authentication is configured to query an hkps
+keyserver, it will use X.509 Certificate Authority certificates in
+this file to validate any X.509 certificates used by the keyserver.
+.TP
/var/lib/monkeysphere/authorized_keys/USER
Monkeysphere-generated user authorized_keys files.
.TP
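Review bot: the new FILES entry for monkeysphere-authentication-x509-anchors.crt says what the file is used for but not what happens when it is missing or empty, nor who is expected to populate it. Since the keyserver's X.509 certificate is the only thing standing between monkeysphere-authentication and a forged hkps endpoint, the entry should state whether hkps connections fail closed when no usable anchor is present, and whether the package ships a default anchor set or the administrator must install one.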
.SH AUTHOR
This man page was written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
.SH AUTHOR
This man page was written by:
-Jameson Rollins <jrollins@fifthhorseman.net>,
+Jameson Rollins <jrollins@finestructure.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
--- /dev/null
+# /etc/X11/Xsession.d/70monkeysphere_use-validation-agent
+
+# This is a script to be sourced by Xsession. It wraps the session
+# startup argument with a monkeysphere-validation-agent nested
+# process, if available and none already exist.
+
+# Enable this system-wide by setting
+# MONKEYSPHERE_USE_VALIDATION_AGENT=true in
+# /etc/monkeysphere/monkeysphere.conf
+
+# Note that there is some weird interaction between this and
+# dbus-session at the moment: dbus-launch can start the msva just
+# fine, but if msva tries to start dbus-launch, dbus-launch fails
+# with:
+
+# Failed to waitpid() for babysitter intermediate process: No child processes
+
+# So this is placed at position 70 -- *before* the dbus Xsession
+# startup script, which is at 75 as of 2010-03-12, when i wrote this.
+
+# this is also good, because it means that the MSVA will learn about
+# the dbus session parameters, in case we want the agent to use dbus
+# to communicate with the user.
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+MSVAGENT=/usr/bin/monkeysphere-validation-agent
+MSSYSCONFIG=/etc/monkeysphere/monkeysphere.conf
+MSUSERCONFIG="$HOME/.monkeysphere/monkeysphere.conf"
+
+if [ -x "$MSVAGENT" ] ; then
+ if [ "$(USE_VALIDATION_AGENT=
+. "$MSSYSCONFIG" 2>/dev/null
+. "$MSUSERCONFIG" 2>/dev/null || :
+printf '%s' "$USE_VALIDATION_AGENT")" = "true" ] ; then
+ STARTUP="$MSVAGENT $STARTUP"
+ fi
+fi
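Review bot: the two config files are not handled the same way when absent: `. "$MSUSERCONFIG" 2>/dev/null || :` tolerates a missing user file, but `. "$MSSYSCONFIG" 2>/dev/null` has no `|| :`, so if Xsession is running with errexit the command substitution aborts on a missing system config and the agent is silently not started even though the user set USE_VALIDATION_AGENT=true in their own file. Either append `|| :` to both lines or guard each with `[ -r "$MSSYSCONFIG" ] && . "$MSSYSCONFIG"` so a missing file is simply skipped. A short comment is also worth adding above the `if [ -x "$MSVAGENT" ]` test: both files are sourced as shell inside the session startup, so whatever they contain runs as the session user, which is why only the user's own config is read from $HOME; and the `-x` check must stay, because debian/control only Suggests monkeysphere-validation-agent.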
[ Daniel Kahn Gillmor ]
* bumped Standards-Version to 3.8.4 (no changes needed)
* indicated bash dependency on version 3.2 or later (see MS #1687)
+ * including /etc/Xsession.d/70monkeysphere_use_validation_agent so that
+ administrators and users can choose to start up a validation agent for
+ each X session using monkeysphere.conf
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Feb 2010 12:40:56 -0500
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Mar 2010 01:57:39 -0500
monkeysphere (0.28-1) unstable; urgency=low
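Review bot: the path in the new changelog entry, /etc/Xsession.d/70monkeysphere_use_validation_agent, does not match what this commit installs: debian/install puts `70monkeysphere_use-validation-agent` (hyphens) into etc/X11/Xsession.d, and the script's own header uses the same hyphenated name. Correct the entry to `/etc/X11/Xsession.d/70monkeysphere_use-validation-agent` so administrators reading the changelog can find the script.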
adduser,
${misc:Depends}
Recommends: netcat | socat, ssh-askpass, cron
+Suggests: monkeysphere-validation-agent
Enhances: openssh-client, openssh-server
Description: leverage the OpenPGP web of trust for SSH and TLS authentication
SSH key-based authentication is tried-and-true, but it lacks a true
usr/share/man/man7
usr/share/man/man8
etc/monkeysphere
+etc/X11
+etc/X11/Xsession.d
--- /dev/null
+debian/70monkeysphere_use-validation-agent etc/X11/Xsession.d
# monkeysphere: Monkeysphere client tool
#
# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
;;
'keys-for-userid'|'u')
+ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
keys_for_userid "$@"
;;
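Review bot: the fallback in `CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}` is `true`, so keys-for-userid contacts the keyserver whenever neither the environment variable nor the config file sets a value; that is exactly the behaviour the monkeysphere.conf NOTE in this same patch warns about (connection timing is revealed to the keyserver operator), and the KEYSERVER CHECKING section the config comment points to should spell out this per-subcommand default so users know an explicit `false` is needed to opt out. As a style point, `:=` assigns to both MONKEYSPHERE_CHECK_KEYSERVER and CHECK_KEYSERVER as a side effect of the expansion; `CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:-${CHECK_KEYSERVER:-true}}` yields the same value without mutating the variables being read.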
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-auto-check-trustdb --no-greeting --quiet --no-tty "$@"
}
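Review bot: the reason for adding --no-auto-check-trustdb to gpg_host is not recorded anywhere in the patch. A one-line comment above the function saying why it is there (whether because the host keyring makes no trust decisions, or to stop gpg rewriting the trustdb under /var/lib/monkeysphere/host on every invocation) would keep the flag from being removed later as unnecessary and would tell the next maintainer whether it is safe to pass on every call, including the key-importing calls in the zimmermann log above.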
# list the info about the a key, in colon format, to stdout
if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then
fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10)
if [ "$PROMPT" != "false" ] ; then
- printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2
+ printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$userID" "$fingerprint" >&2
read OK; OK=${OK:=N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "Service name not added."
for key in $keys ; do
if (( i++ > 0 )) ; then
- echo "##############################"
+ printf "\n"
fi
"$cmd" "$key"
done
# FIXME: make no-show-keyring work so we don't have to do the grep'ing
# FIXME: can we show uid validity somehow?
gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \
- | grep -v "^${GNUPGHOME}/pubring.gpg$" \
- | egrep -v '^-+$'
+ | grep -v "^${GNUPGHOME}/pubring.gpg$" \
+ | egrep -v '^-+$' \
+ | grep -v '^$'
# list revokers, if there are any
revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \
for key in $revokers ; do
echo "revoker: $key"
done
- echo
fi
# list the pgp fingerprint
--search ="$userID" &>/dev/null
returnCode="$?"
+ if [ "$returnCode" != 0 ] ; then
+ log error "Failure ($returnCode) searching keyserver $KEYSERVER for user id '$userID'"
+ fi
+
return "$returnCode"
}
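Review bot: the new `log error` fires on every non-zero exit from `gpg --search`, so if gpg also exits non-zero when the search simply finds no key matching the user id, each lookup of an unknown id will be reported as a keyserver failure. Confirm gpg's exit status for "no keys found" versus transport errors against the $KEYSERVER in use and, if they differ, log only the transport case at error level and the not-found case at a lower level. Keeping the numeric code in the message is good; it is what lets an operator tell a DNS or TLS problem from an empty result when reading the log later.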
# Monkeysphere authentication list-certifiers subcommand
#
# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# Edits will be overwritten.
no-greeting
list-options show-uid-validity
+keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt
EOF
# make sure the monkeysphere user owns everything in the sphere
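Review bot: `keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt` is written into the generated gpg.conf unconditionally, with the path expanded at generation time because the here-doc delimiter is unquoted, yet nothing in this patch creates the anchors file. Check how gpg behaves when KEYSERVER is an hkps URL and the file is absent, and make the man page FILES entry say the same thing; and note somewhere that gpg.conf must be regenerated if SYSCONFIGDIR ever changes, since the absolute path is baked into the file that the "Edits will be overwritten" header describes.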
--- /dev/null
+[[!meta title="Monkeysphere Validation Agent"]]
+
+# Monkeysphere Validation Agent #
+
+The Monkeysphere Validation Agent offers a local service for systems
+to validate certificates (both X.509 and OpenPGP) and other public
+keys in their proper contexts.
+
+Among other reasons, having a validation agent is a good thing
+because:
+
+* Multiple tools can rely on the same PKI (e.g. the user's web browser
+ and the user's ssh client).
+* A single validation agent can present a consistent UI to the user
+ (when used in an end-user context), or provide a unified trust model
+ to various services (when used in a server-side context).
+* Authentication/certificate validation code can potentially be
+ isolated to a protected environment.
+
+## Implementations ##
+
+There are currently two implementations of the validation agent:
+
+ * msva-perl
+ * msva-ruby
+
+## Protocol ##
+
+The Monkeysphere Validation Agent protocol (MSVA) is defined as a
+minimal HTTP server with JSON-encapsulated requests and responses.
+You may want to read [more protocol details](protocol).
+
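Review bot: the Implementations list names msva-perl and msva-ruby without links and without saying which protocol version each speaks; since the Protocol section defines an agent by its protoversion, each entry should link to the implementation and state the protoversion it implements. The bullet about validation code being "isolated to a protected environment" would also be clearer with one sentence on the boundary intended (a separate process and user from the calling application), since that is the property that makes a single agent preferable to per-application validation code.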
--- /dev/null
+[[!meta title="Validation Agent Protocol"]]
+
+# Validation Agent Protocol #
+
+In its current form, the
+[Monkeysphere Validation Agent](/validation-agent) is conceived of as
+a minimalistic HTTP server that accepts two different requests:
+
+ GET / -- initial contact query, protocol version compatibility.
+ (no query parameters)
+ (returns: protoversion, server, available)
+
+ POST /reviewcert -- request validation of a certificate
+ (query parameters: uid, context, pkc)
+ (returns: valid, message)
+
+Query parameters are posted as a JSON blob (*not* as
+www-form-encoded).
+
+The variables that are returned are application/json as well.
+
+* PKC means: public key carrier: raw key, OpenPGP cert, or X.509 cert
+* UID means: User ID (like in OpenPGP)
+* context refers to the setting in which the certificate is offered. For example, "https" means: "this certificate was offered by an HTTPS server"
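Review bot: the protocol description leaves out the details a client author and a security reviewer both need. It should state how the pkc is carried inside the JSON body (raw key bytes cannot be placed in a JSON string as-is, so say whether X.509 certificates are PEM and OpenPGP certificates are ASCII-armored or base64), the type of `valid` (boolean) and whether `message` is intended for display to the user, how a client locates the agent (port or socket, and how that location is advertised to the session), and how access is restricted: a local HTTP listener is reachable by any process that can connect to it, including processes of other users on a multi-user host, so the document should say whether the agent binds to the loopback interface only and how requests from other users are rejected, or state explicitly that this is out of scope for the current protoversion.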