-MonkeySphere is a system to use the OpenPGP web-of-trust to
+Monkeysphere is a system to use the OpenPGP web-of-trust to
authenticate and encrypt ssh connections.
It is free software, developed by:
Jamie McClelland <jamie@mayfirst.org>
Micah Anderson <micah@riseup.net>
Matthew Goins <mjgoins@openflows.com>
- Mike Castleman <mlcastle@mlcastle.net>
+ Mike Castleman <m@mlcastle.net>
Elliot Winard <enw@caveteen.com>
Ross Glover <ross@ross.mayfirst.org>
Greg Lyle <greg@stealthisemail.com>
-MonkeySphere is distributed in the hope that it will be useful, but
+Monkeysphere is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
-MonkeySphere Copyright 2007, and are all released under the GPL,
+Monkeysphere Copyright 2007, and are all released under the GPL,
version 3 or later.
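Review bot: the sentence "Monkeysphere Copyright 2007, and are all released under the GPL, version 3 or later." has no subject, and its year disagrees with the `Copyright: Copyright 2008 ...` field in the packaging/debian/copyright added by this same change; since the rename already touches this line, reword it (for example "The Monkeysphere sources are Copyright 2007-2008 by the authors above and are released under the GPL, version 3 or later.") and use the same years in both files.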
-MONKEYSPHERE_VERSION = `head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+#!/usr/bin/make -f
+
+# Makefile for monkeysphere
+
+# (c) 2008 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Licensed under GPL v3 or later
+
+MONKEYSPHERE_VERSION = `head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
# these defaults are for debian. porters should probably adjust them
# before calling make install
debian-package: tarball
tar xzf monkeysphere_$(MONKEYSPHERE_VERSION).orig.tar.gz
- cp -a debian monkeysphere-$(MONKEYSPHERE_VERSION)
+ cp -a packaging/debian monkeysphere-$(MONKEYSPHERE_VERSION)
(cd monkeysphere-$(MONKEYSPHERE_VERSION) && debuild -uc -us)
rm -rf monkeysphere-$(MONKEYSPHERE_VERSION)
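Review bot: the MONKEYSPHERE_VERSION assignment stores the backquoted `head -n1 packaging/debian/changelog | sed ...` pipeline as literal text, so the shell re-runs it every time a recipe line expands the variable and make itself never sees the value (it cannot be used in target names or conditionals); `MONKEYSPHERE_VERSION := $(shell head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/')` computes it once at parse time and makes it usable everywhere. With either form, start the debian-package recipe with `test -n "$(MONKEYSPHERE_VERSION)"` so a changelog that fails to parse gives a clear error instead of a `tar xzf monkeysphere_.orig.tar.gz` failure and an `rm -rf monkeysphere-` at the end.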
--- /dev/null
+packaging/debian/changelog
\ No newline at end of file
+++ /dev/null
-monkeysphere (0.20-1) UNRELEASED; urgency=low
-
- [ Jameson Graef Rollins ]
- * clean up Makefile to generate more elegant source tarballs.
-
- [ Daniel Kahn Gillmor ]
- * ensure that tempdirs are properly created, bail out otherwise instead
- of stumbling ahead.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Oct 2008 15:03:23 -0400
-
-monkeysphere (0.19-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * simulating an X11 session in the test script.
- * updated packaging so that symlinks to config files are correct.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 02:47:49 -0400
-
-monkeysphere (0.18-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix bugs in authorized_{user_ids,keys} file permission checking.
- * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
- files.
- * chown authorized_keys files to `whoami`, for compatibility with test
- suite.
- * major improvements to test suite, added more tests.
-
- [ Daniel Kahn Gillmor ]
- * update make install to ensure placement of
- /etc/monkeysphere/gnupg-{host,authentication}.conf
- * choose either --quick-random or --debug-quick-random depending on
- which gpg supports for the test suite.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 00:41:38 -0400
-
-monkeysphere (0.17-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix some bugs in, and cleanup, authorized_keys file creation in
- monkeysphere-server update-users.
- * Move to using the empty string for not adding a user-controlled
- authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Oct 2008 02:04:22 -0400
-
-monkeysphere (0.16-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better
- portability.
- * fixed busted lockfile arrangement, where empty file was being locked
- * portability fixes in the way we use date, mktemp, hostname, su
- * stop using /usr/bin/stat, since the syntax appears to be totally
- unportable
- * require GNU getopt, and test for getopt failures (look for getopt in
- /usr/local/bin first, since that's where FreeBSD's GNU-compatible
- getopt lives.
- * monkeysphere-server diagnostics now counts problems and suggests a
- re-run after they have been resolved.
- * completed basic test suite: this can be run from the git sources or
- the tarball with: cd tests && ./basic
-
- [ Jameson Graef Rollins ]
- * Genericize fs location variables.
- * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
- install.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 26 Oct 2008 03:06:18 -0400
-
-monkeysphere (0.15-1) experimental; urgency=low
-
- * porting work and packaging simplification: clarifying makefiles,
- pruning dependencies, etc.
- * added tests to monkeysphere-server diagnostics
- * moved monkeysphere(5) to section 7 of the manual
- * now shipping TODO in /usr/share/doc/monkeysphere
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
-
-monkeysphere (0.14-1) experimental; urgency=low
-
- * changing debian packaging back to format 1.0 so we get automatic
- tarballs, and easier inclusion in other build networks.
- * no other source changes.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 13:03:35 -0400
-
-monkeysphere (0.13-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * tweaks in /usr/bin/monkeysphere to handle odd secret keyrings.
- * updated makefile to reflect the package building technique we've been
- using for a month now.
-
- [ Jameson Graef Rollins ]
- * move location of user config directory to ~/.monkeysphere.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Sep 2008 17:26:10 -0400
-
-monkeysphere (0.12-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Improved output handling. New LOG_LEVEL variable.
-
- [ Daniel Kahn Gillmor ]
- * debian/control: switched Homepage: and Vcs-Git: to canonicalized
- upstream hostnames.
- * updated documentation for new release.
- * changed my associated e-mail address for this package.
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Sep 2008 18:54:29 -0400
-
-monkeysphere (0.11-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * fix bug in trustdb update on add/revoke-hostname.
-
- [ Daniel Kahn Gillmor ]
- * debian/control: added Build-Depends: git-core for the new packaging
- format
- * new subcommand: monkeysphere subkey-to-ssh-agent (relies on a patched
- GnuTLS to deal with GPG's gnu-dummy S2K extension, but fails cleanly
- if not found).
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Wed, 20 Aug 2008 11:24:35 -0400
-
-monkeysphere (0.10-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * brown paper bag release: invert test on calculated validity of keys.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 16:22:34 -0400
-
-monkeysphere (0.9-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * implemented "monkeysphere-server extend-key" to adjust expiration
- date of host key.
- * removed "monkeysphere-server fingerprint". Use "monkeysphere-server
- show-key" instead.
-
- [ Jameson Graef Rollins ]
- * fixed bug in user id processing that prevented bad primary keys from
- being properly removed.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 15:42:12 -0400
-
-monkeysphere (0.8-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * debian/control: switched Vcs-Git to use "centralized" git repo instead
- of my own.
- * More monkeysphere-server diagnostics
- * monkeysphere --gen-subkey now guesses what KeyID you meant.
- * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey
- works sensibly under X11
-
- [ Jameson Graef Rollins ]
- * fix another bug when known_hosts files are missing.
- * sort processed keys so that "good" keys are processed after "bad"
- keys. This will prevent malicious bad keys from causing good keys to
- be removed from key files.
- * enabled host key publication.
- * added checking of gpg.conf for keyserver
- * new functions to add/revoke host key user IDs
- * improved list-certifiers function (now non-privileged)
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 12:43:37 -0400
-
-monkeysphere (0.7-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * Added monkeysphere-server diagnostics subcommand.
- * rebuilding package using Format: 3.0 (git)
-
- [ Jameson Graef Rollins ]
- * fix how check for file modification is done.
- * rework out user id processing is done to provide more verbose log
- output.
- * fix bug in monkeysphpere update-authorized_keys subcommand where
- disallowed keys failed to be remove from authorized_keys file.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 04 Aug 2008 10:47:41 -0400
-
-monkeysphere (0.6-1) experimental; urgency=low
-
- [ Jameson Graef Rollins ]
- * Fix bug in return on error of ssh-proxycommand.
-
- [ Daniel Kahn Gillmor ]
- * try socat if netcat is not available in proxycommand.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 29 Jul 2008 10:27:20 -0400
-
-monkeysphere (0.5-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * updated READMEs to match current state of code
-
- [ Jameson Graef Rollins ]
- * Tweak how empty authorized_user_ids and known_hosts files are handled.
- * Do not fail when authorized_user_ids or known_hosts file is not found.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 28 Jul 2008 10:50:02 -0400
-
-monkeysphere (0.4-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * New version.
- * Fixed return code error in openpgp2ssh
-
- [ Jameson Graef Rollins ]
- * Privilege separation: use monkeysphere user to handle maintenance of
- the gnupg authentication keychain for server.
- * Improved certifier key management.
- * Fixed variable scoping and config file precedence.
- * Add options for key generation and add-certifier functions.
- * Fix return codes for known_host and authorized_keys updating
- functions.
- * Add write permission check on authorized_keys, known_hosts, and
- authorized_user_ids files.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 22 Jul 2008 21:50:17 -0400
-
-monkeysphere (0.3-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * new version.
-
- [ Jameson Graef Rollins ]
- * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
- the more appropriate /var/lib/monkeysphere.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 24 Jun 2008 00:55:29 -0400
-
-monkeysphere (0.2-2) experimental; urgency=low
-
- * added lockfile-progs dependency
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:34:05 -0400
-
-monkeysphere (0.2-1) experimental; urgency=low
-
- [ Daniel Kahn Gillmor ]
- * openpgp2ssh now supports specifying keys by full fingerprint.
-
- [ Jameson Graef Rollins ]
- * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
- %h/.config/monkeysphere/authorized_user_ids, instead of
- /etc/monkeysphere/authorized_user_ids.
- * Remove {update,remove}-userids functions, since we decided they
- weren't useful enough to be worth maintaining.
- * Better handling of unknown users in server update-users
- * Add file locking when modifying known_hosts or authorized_keys
- * Better failure/prompting for gen-subkey
- * Add ability to set any owner trust level for keys in server keychain.
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 17:03:19 -0400
-
-monkeysphere (0.1-1) experimental; urgency=low
-
- * First release of debian package for monkeysphere.
- * This is experimental -- please report bugs!
-
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 00:34:53 -0400
-
+++ /dev/null
-Source: monkeysphere
-Section: net
-Priority: extra
-Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Uploaders: Jameson Graef Rollins <jrollins@finestructure.net>
-Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0)
-Standards-Version: 3.8.0.1
-Homepage: http://web.monkeysphere.info/
-Vcs-Git: git://git.monkeysphere.info/monkeysphere
-Dm-Upload-Allowed: yes
-
-Package: monkeysphere
-Architecture: any
-Depends: openssh-client, gnupg, coreutils (>= 6) | base64, lockfile-progs | procfile, adduser, ${shlibs:Depends}
-Recommends: netcat | socat, ssh-askpass
-Enhances: openssh-client, openssh-server
-Description: use the OpenPGP web of trust to verify ssh connections
- SSH key-based authentication is tried-and-true, but it lacks a true
- Public Key Infrastructure for key certification, revocation and
- expiration. Monkeysphere is a framework that uses the OpenPGP web of
- trust for these PKI functions. It can be used in both directions:
- for users to get validated host keys, and for hosts to authenticate
- users.
+++ /dev/null
-Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=226
-Debianized-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Debianized-Date: Fri Jun 13 10:19:16 EDT 2008
-Original-Source: http://web.monkeysphere.info/download
-
-Files: *
-Copyright: Copyright 2008 Jameson Rollins <jrollins@fifthhorseman.net>,
- Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
- Jamie McClelland <jamie@mayfirst.org>,
- Micah Anderson <micah@riseup.net>,
- Matthew Goins <mjgoins@openflows.com>,
- Mike Castleman <mlcastle@mlcastle.net>,
- Elliot Winard <enw@caveteen.com>,
- Ross Glover <ross@ross.mayfirst.org>,
- Greg Lyle <greg@stealthisemail.com>
-
-License: GPL-3+
- This package is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- .
- On Debian systems, the complete text of the GNU General Public License
- can be found in file "/usr/share/common-licenses/GPL".
+++ /dev/null
-var/lib/monkeysphere
-var/lib/monkeysphere/authorized_keys
-var/lib/monkeysphere/tmp
-usr/bin
-usr/sbin
-usr/share
-usr/share/monkeysphere
-usr/share/man
-usr/share/man/man1
-usr/share/man/man7
-usr/share/man/man8
-etc/monkeysphere
+++ /dev/null
-#!/bin/sh -e
-
-# postinst script for monkeysphere
-
-# Author: Jameson Rollins <jrollins@fifthhorseman.net>
-# Copyright 2008
-
-ETC="/etc/monkeysphere"
-VARLIB="/var/lib/monkeysphere"
-
-if ! getent passwd monkeysphere >/dev/null ; then
- echo "adding monkeysphere user..."
- adduser --quiet --system --no-create-home --group \
- --home "$VARLIB" \
- --shell '/bin/bash' \
- --gecos 'monkeysphere authentication user,,,' \
- monkeysphere
-fi
-
-# install host gnupg home directory
-install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host
-# link in the gpg.conf
-ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
-
-# install authentication gnupg home directory
-install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication
-# link in the gpg.conf
-ln -sTf "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+++ /dev/null
-#!/bin/sh -e
-
-# postrm script for monkeysphere
-
-# Author: Jameson Rollins <jrollins@fifthhorseman.net>
-# Copyright 2008
-
-case $1 in
- purge)
- rmdir --ignore-fail-on-non-empty /var/lib/monkeysphere || true
- echo "removing monkeysphere user..."
- userdel monkeysphere > /dev/null || true
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
+++ /dev/null
-#!/bin/sh -e
-
-# preinst script for monkeysphere
-
-# Author: Jameson Rollins <jrollins@fifthhorseman.net>
-# Copyright 2008
-
-ETC="/etc/monkeysphere"
-VARLIB="/var/lib/monkeysphere"
-
-# move the gpg.conf files from the GNUPGHOMEs if they're there to
-# /etc, where they will be linked back into the GNUPGHOMEs later
-if [ -f "$VARLIB"/gnupg-host/gpg.conf -a ! -L "$VARLIB"/gnupg-host/gpg.conf ] ; then
- mv "$VARLIB"/gnupg-host/gpg.conf "$ETC"/gpg-host.conf
- chown root:root "$ETC"/gpg-host.conf
- ln -s "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
-fi
-if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authentication/gpg.conf ] ; then
- mv "$VARLIB"/gnupg-authentication/gpg.conf "$ETC"/gpg-authentication.conf
- chown root:root "$ETC"/gpg-authentication.conf
- ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
-fi
+++ /dev/null
-#!/usr/bin/make -f
-%:
- dh $@
--- /dev/null
+******************************************************************************
+* *
+* zimmerman system log *
+* *
+******************************************************************************
+* Please add new entries in reverse chronological order whenever you make *
+* changes to this system (first command at top, last at bottom) *
+******************************************************************************
+
+2008-11-15 - micah
+ * aptitude update && aptitude full-upgrade
+ * aptitude install sks
+ * cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
+ http://nynex.net/keydump/ -e robots=off
+ * install monkeysphere 0.21-2 package
+
+2008-11-15 - jamie
+ * aptitude install esmtp-run mailx
+ * edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org
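Review bot: the sks entry fetches the keydump together with its .SHA256 and .asc companions from http://nynex.net/keydump/ over plain HTTP but records no verification step before the dump is loaded; log the `sha256sum -c` of the SHA256 files and the `gpg --verify` of the .asc signatures (and which key they were checked against) before the dump is imported into sks, since an unverified dump is the one input on this host that could seed the keyserver with tampered key material.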
--- /dev/null
+monkeysphere (0.22~pre-1) UNRELEASED; urgency=low
+
+ * New upstream release:
+ [ Jameson Rollins ]
+
+ - added info log output when a new key is added to known_hosts file.
+ - added some useful output to the ssh-proxycommand for "marginal"
+ cases where keys are found for host but do not have full validity.
+
+ [ Daniel Kahn Gillmor ]
+
+ - automatically output two copies of the host's public key: one
+ standard ssh public key file, and the other a minimal OpenPGP key with
+ just the latest valid self-sig.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sun, 16 Nov 2008 03:22:08 -0500
+
+monkeysphere (0.21-2) unstable; urgency=low
+
+ * actually rmdir /var/lib/monkeysphere-* during prerm if possible.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 15 Nov 2008 16:36:57 -0500
+
+monkeysphere (0.21-1) unstable; urgency=low
+
+ * New upstream release:
+ - move debian packaging to packaging subdirectory.
+ * Add debian prerm script, and add debhelper lines to other install
+ scripts.
+ * Initial release to Debian (Closes: #505806)
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 16:14:27 -0500
+
+monkeysphere (0.20-1) unstable; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * ensure that tempdirs are properly created, bail out otherwise instead
+ of stumbling ahead.
+ * minor fussing with the test script to make it cleaner.
+
+ [ Jameson Graef Rollins ]
+ * clean up Makefile to generate more elegant source tarballs.
+ * make myself the maintainer.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 13:12:57 -0500
+
+monkeysphere (0.19-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * simulating an X11 session in the test script.
+ * updated packaging so that symlinks to config files are correct.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 02:47:49 -0400
+
+monkeysphere (0.18-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix bugs in authorized_{user_ids,keys} file permission checking.
+ * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
+ files.
+ * chown authorized_keys files to `whoami`, for compatibility with test
+ suite.
+ * major improvements to test suite, added more tests.
+
+ [ Daniel Kahn Gillmor ]
+ * update make install to ensure placement of
+ /etc/monkeysphere/gnupg-{host,authentication}.conf
+ * choose either --quick-random or --debug-quick-random depending on
+ which gpg supports for the test suite.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2008 00:41:38 -0400
+
+monkeysphere (0.17-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix some bugs in, and cleanup, authorized_keys file creation in
+ monkeysphere-server update-users.
+ * Move to using the empty string for not adding a user-controlled
+ authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Oct 2008 02:04:22 -0400
+
+monkeysphere (0.16-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better
+ portability.
+ * fixed busted lockfile arrangement, where empty file was being locked
+ * portability fixes in the way we use date, mktemp, hostname, su
+ * stop using /usr/bin/stat, since the syntax appears to be totally
+ unportable
+ * require GNU getopt, and test for getopt failures (look for getopt in
+ /usr/local/bin first, since that's where FreeBSD's GNU-compatible
+ getopt lives.
+ * monkeysphere-server diagnostics now counts problems and suggests a
+ re-run after they have been resolved.
+ * completed basic test suite: this can be run from the git sources or
+ the tarball with: cd tests && ./basic
+
+ [ Jameson Graef Rollins ]
+ * Genericize fs location variables.
+ * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
+ install.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 26 Oct 2008 03:06:18 -0400
+
+monkeysphere (0.15-1) experimental; urgency=low
+
+ * porting work and packaging simplification: clarifying makefiles,
+ pruning dependencies, etc.
+ * added tests to monkeysphere-server diagnostics
+ * moved monkeysphere(5) to section 7 of the manual
+ * now shipping TODO in /usr/share/doc/monkeysphere
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 19:08:40 -0400
+
+monkeysphere (0.14-1) experimental; urgency=low
+
+ * changing debian packaging back to format 1.0 so we get automatic
+ tarballs, and easier inclusion in other build networks.
+ * no other source changes.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Sep 2008 13:03:35 -0400
+
+monkeysphere (0.13-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * tweaks in /usr/bin/monkeysphere to handle odd secret keyrings.
+ * updated makefile to reflect the package building technique we've been
+ using for a month now.
+
+ [ Jameson Graef Rollins ]
+ * move location of user config directory to ~/.monkeysphere.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Sep 2008 17:26:10 -0400
+
+monkeysphere (0.12-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Improved output handling. New LOG_LEVEL variable.
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: switched Homepage: and Vcs-Git: to canonicalized
+ upstream hostnames.
+ * updated documentation for new release.
+ * changed my associated e-mail address for this package.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Sep 2008 18:54:29 -0400
+
+monkeysphere (0.11-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * fix bug in trustdb update on add/revoke-hostname.
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: added Build-Depends: git-core for the new packaging
+ format
+ * new subcommand: monkeysphere subkey-to-ssh-agent (relies on a patched
+ GnuTLS to deal with GPG's gnu-dummy S2K extension, but fails cleanly
+ if not found).
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Wed, 20 Aug 2008 11:24:35 -0400
+
+monkeysphere (0.10-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * brown paper bag release: invert test on calculated validity of keys.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 16:22:34 -0400
+
+monkeysphere (0.9-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * implemented "monkeysphere-server extend-key" to adjust expiration
+ date of host key.
+ * removed "monkeysphere-server fingerprint". Use "monkeysphere-server
+ show-key" instead.
+
+ [ Jameson Graef Rollins ]
+ * fixed bug in user id processing that prevented bad primary keys from
+ being properly removed.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 15:42:12 -0400
+
+monkeysphere (0.8-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * debian/control: switched Vcs-Git to use "centralized" git repo instead
+ of my own.
+ * More monkeysphere-server diagnostics
+ * monkeysphere --gen-subkey now guesses what KeyID you meant.
+ * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey
+ works sensibly under X11
+
+ [ Jameson Graef Rollins ]
+ * fix another bug when known_hosts files are missing.
+ * sort processed keys so that "good" keys are processed after "bad"
+ keys. This will prevent malicious bad keys from causing good keys to
+ be removed from key files.
+ * enabled host key publication.
+ * added checking of gpg.conf for keyserver
+ * new functions to add/revoke host key user IDs
+ * improved list-certifiers function (now non-privileged)
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 12:43:37 -0400
+
+monkeysphere (0.7-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * Added monkeysphere-server diagnostics subcommand.
+ * rebuilding package using Format: 3.0 (git)
+
+ [ Jameson Graef Rollins ]
+ * fix how check for file modification is done.
+ * rework out user id processing is done to provide more verbose log
+ output.
+ * fix bug in monkeysphpere update-authorized_keys subcommand where
+ disallowed keys failed to be remove from authorized_keys file.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 04 Aug 2008 10:47:41 -0400
+
+monkeysphere (0.6-1) experimental; urgency=low
+
+ [ Jameson Graef Rollins ]
+ * Fix bug in return on error of ssh-proxycommand.
+
+ [ Daniel Kahn Gillmor ]
+ * try socat if netcat is not available in proxycommand.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 29 Jul 2008 10:27:20 -0400
+
+monkeysphere (0.5-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * updated READMEs to match current state of code
+
+ [ Jameson Graef Rollins ]
+ * Tweak how empty authorized_user_ids and known_hosts files are handled.
+ * Do not fail when authorized_user_ids or known_hosts file is not found.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 28 Jul 2008 10:50:02 -0400
+
+monkeysphere (0.4-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * New version.
+ * Fixed return code error in openpgp2ssh
+
+ [ Jameson Graef Rollins ]
+ * Privilege separation: use monkeysphere user to handle maintenance of
+ the gnupg authentication keychain for server.
+ * Improved certifier key management.
+ * Fixed variable scoping and config file precedence.
+ * Add options for key generation and add-certifier functions.
+ * Fix return codes for known_host and authorized_keys updating
+ functions.
+ * Add write permission check on authorized_keys, known_hosts, and
+ authorized_user_ids files.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 22 Jul 2008 21:50:17 -0400
+
+monkeysphere (0.3-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * new version.
+
+ [ Jameson Graef Rollins ]
+ * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
+ the more appropriate /var/lib/monkeysphere.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Tue, 24 Jun 2008 00:55:29 -0400
+
+monkeysphere (0.2-2) experimental; urgency=low
+
+ * added lockfile-progs dependency
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:34:05 -0400
+
+monkeysphere (0.2-1) experimental; urgency=low
+
+ [ Daniel Kahn Gillmor ]
+ * openpgp2ssh now supports specifying keys by full fingerprint.
+
+ [ Jameson Graef Rollins ]
+ * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+ %h/.config/monkeysphere/authorized_user_ids, instead of
+ /etc/monkeysphere/authorized_user_ids.
+ * Remove {update,remove}-userids functions, since we decided they
+ weren't useful enough to be worth maintaining.
+ * Better handling of unknown users in server update-users
+ * Add file locking when modifying known_hosts or authorized_keys
+ * Better failure/prompting for gen-subkey
+ * Add ability to set any owner trust level for keys in server keychain.
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 17:03:19 -0400
+
+monkeysphere (0.1-1) experimental; urgency=low
+
+ * First release of debian package for monkeysphere.
+ * This is experimental -- please report bugs!
+
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 00:34:53 -0400
+
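Review bot: the 0.22~pre-1 entry nests the `[ Jameson Rollins ]` and `[ Daniel Kahn Gillmor ]` blocks under a "* New upstream release:" bullet with "-" sub-items and blank lines after each name, which is not the layout every other entry in this file uses (top-level `[ Name ]` blocks followed directly by `*` items); pick one layout so readers of the changelog see a consistent structure, and use the same form of the name ("Jameson Graef Rollins") as the rest of the file.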
--- /dev/null
+Source: monkeysphere
+Section: net
+Priority: extra
+Maintainer: Jameson Graef Rollins <jrollins@finestructure.net>
+Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0)
+Standards-Version: 3.8.0.1
+Homepage: http://web.monkeysphere.info/
+Vcs-Git: git://git.monkeysphere.info/monkeysphere
+Dm-Upload-Allowed: yes
+
+Package: monkeysphere
+Architecture: any
+Depends: openssh-client, gnupg, coreutils (>= 6) | base64, lockfile-progs | procfile, adduser, ${shlibs:Depends}
+Recommends: netcat | socat, ssh-askpass
+Enhances: openssh-client, openssh-server
+Description: use the OpenPGP web of trust to verify ssh connections
+ SSH key-based authentication is tried-and-true, but it lacks a true
+ Public Key Infrastructure for key certification, revocation and
+ expiration. Monkeysphere is a framework that uses the OpenPGP web of
+ trust for these PKI functions. It can be used in both directions:
+ for users to get validated host keys, and for hosts to authenticate
+ users.
--- /dev/null
+Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=226
+Debianized-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Debianized-Date: Fri Jun 13 10:19:16 EDT 2008
+Original-Source: http://web.monkeysphere.info/download
+
+Files: *
+Copyright: Copyright 2008 Jameson Rollins <jrollins@fifthhorseman.net>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+ Jamie McClelland <jamie@mayfirst.org>,
+ Micah Anderson <micah@riseup.net>,
+ Matthew Goins <mjgoins@openflows.com>,
+ Mike Castleman <mlcastle@mlcastle.net>,
+ Elliot Winard <enw@caveteen.com>,
+ Ross Glover <ross@ross.mayfirst.org>,
+ Greg Lyle <greg@stealthisemail.com>
+
+License: GPL-3+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ can be found in file "/usr/share/common-licenses/GPL".
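Review bot: Mike Castleman is listed here as <mlcastle@mlcastle.net> while the README hunk in this same change updates his address to <m@mlcastle.net>; change it here too so the copyright file and the README name the same contact.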
--- /dev/null
+var/lib/monkeysphere
+var/lib/monkeysphere/authorized_keys
+var/lib/monkeysphere/tmp
+usr/bin
+usr/sbin
+usr/share
+usr/share/monkeysphere
+usr/share/man
+usr/share/man/man1
+usr/share/man/man7
+usr/share/man/man8
+etc/monkeysphere
--- /dev/null
+#!/bin/sh -e
+
+# postinst script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+ETC="/etc/monkeysphere"
+VARLIB="/var/lib/monkeysphere"
+
+if ! getent passwd monkeysphere >/dev/null ; then
+ echo "adding monkeysphere user..."
+ adduser --quiet --system --no-create-home --group \
+ --home "$VARLIB" \
+ --shell '/bin/bash' \
+ --gecos 'monkeysphere authentication user,,,' \
+ monkeysphere
+fi
+
+# install host gnupg home directory
+install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host
+# link in the gpg.conf
+ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+
+# install authentication gnupg home directory
+install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication
+# link in the gpg.conf
+ln -sTf "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
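Review bot: `ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf` (and the matching gnupg-authentication line) replaces whatever is at gpg.conf on every install and upgrade, including a regular file an administrator may have put there; guard it with `[ -L "$VARLIB"/gnupg-host/gpg.conf ] || [ ! -e "$VARLIB"/gnupg-host/gpg.conf ]` so only the package's own symlink is rewritten. Note also that the authentication home is created `--owner monkeysphere --mode 700` while its gpg.conf is a symlink to a root-owned file under /etc, so that file must stay readable by the monkeysphere user (the preinst chowns it root:root without setting a mode) or gpg running in that home cannot read its configuration.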
--- /dev/null
+#!/bin/sh -e
+
+# postrm script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+case $1 in
+ purge)
+ echo "removing monkeysphere user..."
+ userdel monkeysphere > /dev/null || true
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
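Review bot: the `purge)` branch deletes the account but leaves everything postinst created under `/var/lib/monkeysphere` (`gnupg-host`, `gnupg-authentication`, and the `authorized_keys` and `tmp` directories from the dirs file). `gnupg-authentication` is the monkeysphere user's private GnuPG home and ends up owned by a now-unallocated UID that a later `adduser` may reuse. Consider removing the two GnuPG homedirs (or `"$VARLIB"` as a whole) in the purge branch before `userdel`, and either drop `> /dev/null` or redirect both streams so the `|| true` behaves consistently.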
--- /dev/null
+#!/bin/sh -e
+
+# preinst script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+ETC="/etc/monkeysphere"
+VARLIB="/var/lib/monkeysphere"
+
+# move the gpg.conf files from the GNUPGHOMEs if they're there to
+# /etc, where they will be linked back into the GNUPGHOMEs later
+if [ -f "$VARLIB"/gnupg-host/gpg.conf -a ! -L "$VARLIB"/gnupg-host/gpg.conf ] ; then
+ mv "$VARLIB"/gnupg-host/gpg.conf "$ETC"/gpg-host.conf
+ chown root:root "$ETC"/gpg-host.conf
+ ln -s "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+fi
+if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authentication/gpg.conf ] ; then
+ mv "$VARLIB"/gnupg-authentication/gpg.conf "$ETC"/gpg-authentication.conf
+ chown root:root "$ETC"/gpg-authentication.conf
+ ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
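Review bot: the target names here do not match what postinst links back. preinst moves `gpg.conf` to `"$ETC"/gpg-host.conf` and `"$ETC"/gpg-authentication.conf`, while postinst runs `ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf` (and the `gnupg-authentication.conf` equivalent) and the FreeBSD pkg-plist ships `gnupg-host.conf.sample`. So an admin's existing gpg.conf is moved to a path nothing reads, and the symlink preinst creates is immediately overwritten by postinst's `-f` link. Use the `gnupg-*.conf` names in both scripts, and add a comment explaining the migration path for upgrades.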
--- /dev/null
+#!/bin/sh -e
+
+# prerm script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+VARLIB="/var/lib/monkeysphere"
+
+rm -f "$VARLIB"/gnupg-host/gpg.conf
+rm -f "$VARLIB"/gnupg-authentication/gpg.conf
+rmdir --ignore-fail-on-non-empty "$VARLIB"/gnupg-host
+rmdir --ignore-fail-on-non-empty "$VARLIB"/gnupg-authentication
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
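Review bot: the two `rm -f "$VARLIB"/.../gpg.conf` lines delete unconditionally, whereas preinst only migrates a `gpg.conf` that is a regular file (`-f ... -a ! -L`). On an upgrade the old prerm runs before the new preinst, so if an admin has replaced the package symlink with a real gpg.conf, prerm deletes their configuration before preinst ever sees it. Guard each removal with a symlink test, e.g. `[ -L "$VARLIB"/gnupg-host/gpg.conf ] && rm -f "$VARLIB"/gnupg-host/gpg.conf`, so only package-created links are removed.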
--- /dev/null
+#!/usr/bin/make -f
+%:
+ dh $@
@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi
etc/monkeysphere/monkeysphere-server.conf.sample
@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi
+@unexec if cmp -s %D/etc/monkeysphere/gnupg-host.conf.sample %D/etc/monkeysphere/gnupg-host.conf; then rm -f %D/etc/monkeysphere/gnupg-host.conf; fi
+etc/monkeysphere/gnupg-host.conf.sample
+@exec if [ ! -f %D/etc/monkeysphere/gnupg-host.conf ] ; then cp -p %D/%F %B/gnupg-host.conf; fi
+@unexec if cmp -s %D/etc/monkeysphere/gnupg-authentication.conf.sample %D/etc/monkeysphere/gnupg-authentication.conf; then rm -f %D/etc/monkeysphere/gnupg-authentication.conf; fi
+etc/monkeysphere/gnupg-authentication.conf.sample
+@exec if [ ! -f %D/etc/monkeysphere/gnupg-authentication.conf ] ; then cp -p %D/%F %B/gnupg-authentication.conf; fi
@dirrm share/doc/monkeysphere
@dirrm share/monkeysphere
@dirrm etc/monkeysphere
process_host_known_hosts() {
local host
local userID
+ local noKey=
local nKeys
local nKeysOK
local ok
continue
fi
- # remove the old host key line, and note if removed
- remove_line "$KNOWN_HOSTS" "$sshKey"
+ # remove any old host key line, and note if removed nothing is
+ # removed
+ remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true
# if key OK, add new host line
if [ "$ok" -eq '0' ] ; then
else
ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
fi
+
+ # log if this is a new key to the known_hosts file
+ if [ "$noKey" ] ; then
+ log info "* new key for $host added to known_hosts file."
+ fi
fi
done
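Review bot: `noKey` is declared once at function scope (`local noKey=`) but the `|| noKey=true` assignment happens inside the per-host loop that ends at `done`, and nothing clears it between iterations; once one host had no prior known_hosts entry, every later host in the same run is logged as "new key ... added to known_hosts file" whether or not it was new. Reset it at the top of each iteration (`noKey=`) or move the `local` into the loop body.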
# dumping to a file named ' ' so that the ssh-keygen output
# doesn't claim any potentially bogus hostname(s):
- tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
- gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
+ tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+ gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
echo -n "ssh fingerprint: "
- (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
+ ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }'
rm -rf "$tmpkey"
echo -n "OpenPGP fingerprint: "
echo "$fingerprint"
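Review bot: `mktemp` now creates a file rather than a directory, but the `failure` message still says "Could not create temporary directory!" and the cleanup is still `rm -rf "$tmpkey"`; update the message and use `rm -f`. Worth a comment too that the `awk '{ print $1, $2, $4 }'` field selection is deliberate: with a real filename the third field of `ssh-keygen -l` output is now the temp path, which the old `' '` trick was avoiding.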
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
- log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+ log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+ ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
+ log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
+ gpg_authentication --export-options export-minimal --export "0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+ log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
}
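Review bot: the three `log info "... output to file"` lines report success unconditionally. If `gpg_host --export-secret-key | openpgp2ssh` fails inside the `umask 077` subshell, `ssh_host_rsa_key` is left empty or truncated, `ssh-keygen -y -f` then errors out, and the log still claims all three files were written. Check the subshell's status (`... ) || failure "could not write SSH host private key"`) before deriving the `.pub` and `.pub.gpg` files, and consider the same check on the `gpg_authentication --export` line.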
# extend the lifetime of a host key:
# established. Can be added to ~/.ssh/config as follows:
# ProxyCommand monkeysphere-ssh-proxycommand %h %p
+########################################################################
+PGRM=$(basename $0)
+
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
+
+########################################################################
+# FUNCTIONS
########################################################################
usage() {
-cat <<EOF >&2
+ cat <<EOF >&2
usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
EOF
}
+log() {
+ echo "$@" >&2
+}
+
+output_no_valid_key() {
+ local sshKeyOffered
+ local userID
+ local type
+ local validity
+ local keyid
+ local uidfpr
+ local usage
+ local sshKeyGPG
+ local sshFingerprint
+
+ log "OpenPGP keys with*out* full validity found for this host:"
+ log
+
+ # retrieve the actual ssh key
+ sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+
+ userID="ssh://${HOSTP}"
+
+ # output gpg info for (exact) userid and store
+ gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
+ --with-fingerprint --with-fingerprint \
+ ="$userID" 2>/dev/null)
+
+ # loop over all lines in the gpg output and process.
+ echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+ while IFS=: read -r type validity keyid uidfpr usage ; do
+ case $type in
+ 'pub'|'sub')
+ # get the ssh key of the gpg key
+ sshKeyGPG=$(gpg2ssh "$keyid")
+
+ # if one of keys found matches the one offered by the
+ # host, then output info
+ if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+
+ # get the fingerprint of the ssh key
+ tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ echo "$sshKeyGPG" > "$tmpkey"
+ sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }')
+ rm -rf "$tmpkey"
+
+ # output gpg info
+ gpg --check-sigs \
+ --list-options show-uid-validity \
+ "$keyid" >&2
+
+ # output ssh fingerprint
+ log "RSA key fingerprint is ${sshFingerprint}."
+ log "Falling through to standard ssh host checking."
+ log
+ fi
+ ;;
+ esac
+ done
+}
+
########################################################################
# export the monkeysphere log level
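Review bot: the `log()` defined here shadows the `log` provided by `"${SYSSHAREDIR}/common"` sourced just above, which this patch calls with a level as first argument elsewhere (`log info "* new key ..."`); any common function this script invokes that logs will now print the level word as part of the message. Name the local helper differently (e.g. `err()`) or call common's `log` with a level. Inside `output_no_valid_key`, `gpgOut` and `tmpkey` are not declared `local`, the `mktemp` result is unchecked before `echo "$sshKeyGPG" > "$tmpkey"`, and `rm -rf` on a single file should be `rm -f`.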
PORT="$2"
if [ -z "$HOST" ] ; then
- echo "Host not specified." >&2
+ log "Host not specified."
usage
exit 255
fi
# update the known_hosts file for the host
monkeysphere update-known_hosts "$HOSTP"
+# output on depending on the return of the update-known_hosts
+# subcommand, which is (ultimately) the return code of the
+# update_known_hosts function in common
+case $? in
+ 0)
+ # acceptable host key found so continue to ssh
+ true
+ ;;
+ 1)
+ # no hosts at all found so also continue (drop through to
+ # regular ssh host verification)
+ true
+ ;;
+ 2)
+ # at least one *bad* host key (and no good host keys) was
+ # found, so output some usefull information
+ output_no_valid_key
+ ;;
+ *)
+ # anything else drop through
+ true
+ ;;
+esac
+
# exec a netcat passthrough to host for the ssh connection
if [ -z "$NO_CONNECT" ] ; then
if (which nc 2>/dev/null >/dev/null); then
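Review bot: the `*)` branch treats every unrecognized status, including 127 when the `monkeysphere` command is not installed, exactly like success and proceeds to the netcat passthrough without a word, so a broken installation silently degrades to plain ssh host checking. Capture the status first (`ret=$?`) and at least log it in the default branch (`log "monkeysphere update-known_hosts returned $ret"`); the `0)`, `1)` and `*)` branches are otherwise identical and could be one `0|1|*)` case with the comments merged.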
# all subcommands in this script should complete without failure:
set -e
+# piped commands should return the code of the first non-zero return
+set -o pipefail
## make sure that the right tools are installed to run the test. the
## test has *more* requirements than plain ol' monkeysphere:
-
which socat || { echo "You must have socat installed to run this test." ; exit 1; }
## FIXME: other checks?
# kill the sshd process if it's still running
kill "$SSHD_PID"
+ SSHD_PID=
set -e
echo "### removing temp dir..."
rm -rf "$TEMPDIR"
+ if [ "$SSHD_PID" ] ; then
+ echo "### killing off lingering sshd..."
+ kill "$SSHD_PID"
+ fi
+
wait
}
+SSHD_PID=
+
## setup trap
trap failed_cleanup EXIT
export SSHD_CONFIG="$TEMPDIR"/sshd_config
export SOCKET="$TEMPDIR"/ssh-socket
-export SSHD_PID=
# Make sure $DISPLAY is set to convince ssh and monkeysphere to fall
# back on $SSH_ASKPASS. Make sure it's not set to the current actual
#!/bin/bash
-VERSION=`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
+VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`
{
echo "MD5 (monkeysphere_${VERSION}.orig.tar.gz) =" $(md5sum "monkeysphere_${VERSION}.orig.tar.gz" | cut -f1 -d\ )
#!/bin/bash
-VERSION=`head -n1 debian/changelog | sed 's/.*(\([^)]*\)).*/\1/'`
+VERSION=`head -n1 packaging/debian/changelog | sed 's/.*(\([^)]*\)).*/\1/'`
{
sed "s/__VERSION__/$VERSION/g" < utils/releasenote.header
--- /dev/null
+I would like to know, at INFO (default) log level, when the
+monkeyspehere makes a "real" modification to my known_hosts file; that
+is, when it adds or deletes a key.
+
+Apparently this is hard because monkeysphere is currently configured to
+delete all keys and then add good keys, so a key added for the first
+time seems to the monkeysphere very similar to a key re-added ten
+seconds after last login.
+
+Still, from a UI perspective, I want to know what monkeysphere is doing.
+
+------
+
+It looks like jrollins committed a change for reporting at INFO level
+when a host key gets added by the monkeysphere:
+2459fa3ea277d7b9289945748619eab1e3441e5c
+
+When i connect to a host whose key is not already present in my
+known_hosts file, i get the following to stderr:
+
+ ms: * new key for squeak.fifthhorseman.net added to known_hosts file.
+
+This doesn't fully close this bug, because we aren't notifying on key
+deletion, afaict.
# Documentation #
-## Dependencies ##
-
-Monkeysphere relies on:
-
- * [GnuTLS](http://gnutls.org/) version 2.4.0 or later
- * [OpenSSH](http://openssh.com/)
- * [GnuPG](http://gnupg.org/)
-
## Getting started ##
* [Downloading and installing](/download)
* Getting started as a [user](/getting-started-user)
* Getting started as a [server admin](/getting-started-admin)
+
+## Under the hood ##
+
* [Developing the monkeysphere](/community)
+ * [Technical details](/technical-details)
## References ##
# Downloading and Installing #
+Once you've installed the packages, please see the [documentation
+page](/doc) to read up on how to get started [as a regular
+user](/getting-started-user) or [as a systems
+administrator](/getting-started-admin).
+
+## Dependencies ##
+
+Monkeysphere relies on:
+
+ * [GnuTLS](http://gnutls.org/)
+ * version 2.4 or later for general use
+ * [version 2.6 or later](/news/gnutls-2.6-enables-monkeysphere) to use the `monkeysphere subkey-to-ssh-agent` subcommand.
+ * [OpenSSH](http://openssh.com/)
+ * [GnuPG](http://gnupg.org/)
+
## Debian ##
-If you are running a Debian system, you can install Monkeysphere
-by following these directions:
+If you are running a [Debian](http://www.debian.org/) system, you can
+install Monkeysphere by following these directions:
You can add this repo to your system by putting the following lines in
`/etc/apt/sources.list.d/monkeysphere.list`:
deb http://archive.monkeysphere.info/debian experimental monkeysphere
deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
-The repository is currently signed by the Monkeysphere archive
-signing key, key id EB8AF314 (fingerprint: `2E8D
-D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314`). To cryptographically
+The repository is currently signed by [The Monkeysphere archive
+signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C
+53F1 197D DF40 3E61 18E6 67F1 EB8A F314`). To cryptographically
verify the packages, you'll want to [add this key to your apt
configuration after verifying its integrity](/archive-key).
To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will
-also need [version 2.6 of GnuTLS](/news/gnutls-2.6-enables-monkeysphere),
-which is available in Debian experimental.
-
-Once you've installed the packages, you might want to read up on how
-to get started [as a regular user](/getting-started-user) or [as a
-systems administrator](/getting-started-admin).
+also need [version 2.6 of
+GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is available in
+Debian experimental.
## FreeBSD ##
-There is [now a FreeBSD port available](/news/FreeBSD-port-available/)
+There is [now a FreeBSD port available](/news/FreeBSD-port-available)
for the Monkeysphere.
While the monkeysphere is not officially included in the ports tree
cd /usr/ports/security/monkeysphere
make && make install
+To use the `monkeysphere subkey-to-ssh-agent` subcommand, you will
+also need [version 2.6 of
+GnuTLS](/news/gnutls-2.6-enables-monkeysphere), which is [slated to be
+available after the 7.1 ports slush is
+over](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/127330).
+
## Source ##
For those that would like to download the source directly, [the source
is available](/community) via [git](http://git.or.cz/).
The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.19.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.21.orig.tar.gz)
is also available, and has these checksums:
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-checksums for the monkeysphere 0.19 release:
+checksums for the monkeysphere 0.21 release:
MD5:
-64c643dd0ab642bbc8814aec1718000e monkeysphere_0.19.orig.tar.gz
+15fe181983565aca0fbe4c41f9f6752e monkeysphere_0.21.orig.tar.gz
SHA1:
-ea3c263b084d2c0b7922cd96677be192201700e4 monkeysphere_0.19.orig.tar.gz
+27e915a45cdbe50a139ed4f4b13746b17c165b0f monkeysphere_0.21.orig.tar.gz
SHA256:
-321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522 monkeysphere_0.19.orig.tar.gz
+1535c3f722f5f5c1646a4981efef4a262ac7b23bf4b980c9aee11af2600eedc2 monkeysphere_0.21.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
</pre>
--- /dev/null
+[[meta title="Features"]]
+
+# Features #
+
------------------------------------------------
If you haven't installed monkeysphere yet, you will need to [download
-and install] (/download) before continuing.
+and install](/download) before continuing.
Make sure that you have the GnuTLS library version 2.6 or later
installed on your system. If you can't (or don't want to) upgrade to
--- /dev/null
+[[meta title="Monkeysphere 0.20-1 released!"]]
+
+Monkeysphere 0.20-1 has been released.
+
+Notes from the changelog:
+
+<pre>
+ [ Daniel Kahn Gillmor ]
+ * ensure that tempdirs are properly created, bail out otherwise instead
+ of stumbling ahead.
+ * minor fussing with the test script to make it cleaner.
+
+ [ Jameson Graef Rollins ]
+ * clean up Makefile to generate more elegant source tarballs.
+ * make myself the maintainer.
+</pre>
+
+[[Download]] it now!
--- /dev/null
+[[meta title="Monkeysphere 0.21-1 released!"]]
+
+Monkeysphere 0.21-1 has been released.
+
+Notes from the changelog:
+
+<pre>
+</pre>
+
+[[Download]] it now!
--- /dev/null
+[[meta title="Technical Details"]]
+
+# Technical Details #
+
+Under construction.
+
+## Host key verification ##
+
+When an ssh connection is initiated, the ssh client checks that the
+host key presented by the server matches one found in the connecting
+user's `known_hosts` file. If so, the ssh client allows the
+connection to continue. If not, the client asks the user if they
+would like to accept the host key for future session by asking the
+user to verify the host key's fingerprint.
+
+### Adding a server to the monkeysphere ###
+
+Servers are "monkeysphere enabled" by generating an OpenPGP
+authentication key for the server, translating the key into on ssh
+key, and publishing the host key to the Web of Trust.
+
+### Verifying a host key ###
+
+## User authentication ##
+
+### Adding an individual to the monkeysphere ###
+
+### Verifying a user key ###