.SH AUTHOR
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel
-Kahn Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
-\" DELETEME
-\".BR monkeysphere-ssh-proxycommand (1),
-\".BR monkeysphere-server (8),
.BR monkeysphere-host (8),
.BR monkeysphere-authentication (8),
.BR monkeysphere (7),
.SH DESCRIPTION
-\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust
for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
to the authorized_keys and known_hosts files used by ssh for
connection authentication.
.SH AUTHOR
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
.BR monkeysphere (1),
-.BR monkeysphere-server (8),
-.BR monkeysphere-ssh-proxycommand (1),
+.BR monkeysphere-host (8),
+.BR monkeysphere-authentication (8),
+.BR openpgp2ssh (1),
+.BR pem2openpgp (1),
.BR gpg (1),
.BR ssh (1),
.BR http://tools.ietf.org/html/rfc4880,
\fBmonkeysphere-authentication\fP is a Monkeysphere server admin utility.
.SH SUBCOMMANDS
-\fBmonkeysphere-authentication\fP takes various subcommands.(Users may use the
-abbreviated subcommand in parentheses):
+\fBmonkeysphere-authentication\fP takes various subcommands.
.TP
-.B update-users (u) [ACCOUNT]...
-Rebuild the monkeysphere-controlled authorized_keys files. For each specified
-account, the user ID's listed in the account's authorized_user_ids file are
-processed. For each user ID, gpg will be queried for keys associated with that
-user ID, optionally querying a keyserver. If an acceptable key is found (see
-KEY ACCEPTABILITY in monkeysphere(7)), the key is added to the account's
-monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS
-variable is set, then a separate authorized_keys file (usually
-~USER/.ssh/authorized_keys) is appended to the monkeysphere-controlled
-authorized_keys file. If no accounts are specified, then all accounts on the
-system are processed. `u' may be used in place of `update-users'.
-
-\" XXX
-
+.B setup
+Setup the server for Monkeysphere user authentication. `s' may be
+used in place of `setup'.
.TP
-.B add-id-certifier (c+) KEYID
+.B update-users [ACCOUNT]...
+Rebuild the monkeysphere-controlled authorized_keys files. For each
+specified account, the user ID's listed in the account's
+authorized_user_ids file are processed. For each user ID, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
+monkeysphere(7)), the key is added to the account's
+monkeysphere-controlled authorized_keys file. If the
+RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
+file (usually ~USER/.ssh/authorized_keys) is appended to the
+monkeysphere-controlled authorized_keys file. If no accounts are
+specified, then all accounts on the system are processed. `u' may be
+used in place of `update-users'.
+.TP
+.B add-id-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
Using the `-n' or `--domain' option allows you to indicate that you
only trust the given KEYID to make identifications within a specific
with the `-d' or `--depth' option (default is 1). `c+' may be used in
place of `add-id-certifier'.
.TP
-.B remove-id-certifier (c-) KEYID
+.B remove-id-certifier KEYID
Instruct system to ignore user identity certifications made by KEYID.
`c-' may be used in place of `remove-id-certifier'.
.TP
-.B list-id-certifiers (c)
+.B list-id-certifiers
List key IDs trusted by the system to certify user identities. `c'
may be used in place of `list-id-certifiers'.
.TP
show version number
.SH "EXPERT" SUBCOMMANDS
+
Some commands are very unlikely to be needed by most administrators.
-These commands must follow the word `expert'.
+These commands must prefaced by the word `expert'.
.TP
-.B diagnostics (d)
-Review the state of the server with respect to authentication.
+.B diagnostics
+Review the state of the server with respect to authentication. `d'
+may be used in place of `diagnostics'.
.TP
.B gpg-cmd
Execute a gpg command on the gnupg-authentication keyring as the
modifying the gnupg-authentication keyring can affect ssh user
authentication.
-.SH SETUP
+.SH SETUP USER AUTHENTICATION
If the server will handle user authentication through
monkeysphere-generated authorized_keys files, the server must be told
sshd to look at the monkeysphere-generated authorized_keys file for
user authentication by setting the following in the sshd_config:
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u
It is recommended to add "monkeysphere-authentication update-users" to a
system crontab, so that user keys are kept up-to-date, and key
.SH ENVIRONMENT
The following environment variables will override those specified in
-(defaults in parentheses):
+the config file (defaults in parentheses):
.TP
MONKEYSPHERE_MONKEYSPHERE_USER
User to control authentication keychain (monkeysphere).
increasing order of verbosity.
.TP
MONKEYSPHERE_KEYSERVER
-OpenPGP keyserver to use (subkeys.pgp.net).
+OpenPGP keyserver to use (pool.sks-keyservers.net).
.TP
MONKEYSPHERE_AUTHORIZED_USER_IDS
Path to user authorized_user_ids file
.SH AUTHOR
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Matthew Goins <mjgoins@openflows.com>
.SH SEE ALSO
\fBmonkeysphere-host\fP takes various subcommands:
.TP
+.B show-key
+Output information about host's OpenPGP and SSH keys. `s' may be used
+in place of `show-key'.
+.TP
.B extend-key EXPIRE
Extend the validity of the OpenPGP key for the host until EXPIRE from
the present. If EXPIRE is not specified, then the user will be
<n>y = key expires in n years
.fi
`e' may be used in place of `extend-key'.
-
.TP
.B add-hostname HOSTNAME
Add a hostname user ID to the server host key. `n+' may be used in
in place of `revoke-hostname'.
.TP
.B add-revoker FINGERPRINT
-
+Add a revoker to the host's OpenPGP key. `o' may be be used in place
+of `add-revoker'.
.TP
-.B show-key
-Output gpg information about host's OpenPGP key. `s' may be used in
-place of `show-key'.
+.B revoke-key
+Revoke the host's OpenPGP key. `r' may be used in place of
+`revoke-key'.
.TP
.B publish-key
Publish the host's OpenPGP key to the keyserver. `p' may be used in
.TP
.B version
show version number
+
.SH "EXPERT" SUBCOMMANDS
+
Some commands are very unlikely to be needed by most administrators.
-These commands must follow the word `expert'.
+These commands must prefaced by the word `expert'.
.TP
.B gen-key [HOSTNAME]
Generate a OpenPGP key for the host. If HOSTNAME is not specified,
alternate key bit length can be specified with the `-l' or `--length'
option (default 2048). An expiration length can be specified with the
`-e' or `--expire' option (prompt otherwise). The expiration format
-is the same as that of \fBextend-key\fP, below. A key revoker
-fingerprint can be specified with the `-r' or `--revoker' option. `g'
-may be used in place of `gen-key'.
-
-.TP
-.B diagnostics
-Review the state of the server with respect to the MonkeySphere in
-general and report on suggested changes. Among other checks, this
-includes making sure there is a valid host key, that the key is
-published, that the sshd configuration points to the right place, and
-that there are at least some valid identity certifiers. `d' may be
-used in place of `diagnostics'.
+is the same as that of \fBextend-key\fP, below. `g' may be used in
+place of `gen-key'.
.TP
.B import-key
FIXME:
--hostname (-h) NAME[:PORT] hostname for key user ID
--keyfile (-f) FILE key file to import
--expire (-e) EXPIRE date to expire
+.TP
+.B diagnostics
+Review the state of the monkeysphere server host key and report on
+suggested changes. Among other checks, this includes making sure
+there is a valid host key, that the key is published, that the sshd
+configuration points to the right place, etc. `d' may be used in
+place of `diagnostics'.
-.SH SETUP
+.SH SETUP HOST AUTHENTICATION
-In order to start using the monkeysphere, you must first generate an
-OpenPGP key for the server and convert that key to an ssh key that can
-be used by ssh for host authentication. This can be done with the
-\fBgen-key\fP subcommand:
+To enable host verification via the monkeysphere, the host's key must
+be published to the Web of Trust. This is not done by default. To
+publish the host key to the keyservers, run the following command:
-$ monkeysphere-server gen-key
+$ monkeysphere-host publish-key
-To enable host verification via the monkeysphere, you must then
-publish the host's key to the Web of Trust using the \fBpublish-key\fP
-command to push the key to a keyserver. You must also modify the
-sshd_config on the server to tell sshd where the new server host key
-is located:
+You must also modify the sshd_config on the server to tell sshd where
+the new server host key is located:
-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
+HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key
In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host's key. This is done using standard OpenPGP
-keysigning techniques, usually: pul the key from the keyserver, verify
-and sign the key, and then re-publish the signature. Once an admin's
-signature is published, users logging into the host can use it to
-validate the host's key.
+keysigning techniques, usually: pull the key from the keyserver,
+verify and sign the key, and then re-publish the signature. Once an
+admin's signature is published, users logging into the host can use it
+to validate the host's key.
+
+.SH ENVIRONMENT
+The following environment variables will override those specified in
+the config file (defaults in parentheses):
.TP
MONKEYSPHERE_LOG_LEVEL
Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
increasing order of verbosity.
.TP
MONKEYSPHERE_KEYSERVER
-OpenPGP keyserver to use (subkeys.pgp.net).
+OpenPGP keyserver to use (pool.sks-keyservers.net).
.SH FILES
+
.TP
/etc/monkeysphere/monkeysphere-host.conf
System monkeysphere-host config file.
.TP
-/var/lib/monkeysphere/ssh_host_rsa_key
+/var/lib/monkeysphere/host/ssh_host_rsa_key
Copy of the host's private key in ssh format, suitable for use by
sshd.
.SH AUTHOR
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Matthew Goins <mjgoins@openflows.com>
.SH SEE ALSO
gen-subkey (g) [KEYID] generate an authentication subkey
--length (-l) BITS key length in bits (2048)
--expire (-e) EXPIRE date to expire
- ssh-proxycommand ssh proxycommand
+ ssh-proxycommand monkeysphere ssh ProxyCommand
subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
version (v) show version number
help (h,?) this help
# version 3 or later.
########################################################################
+set -e
+
PGRM=$(basename $0)
SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
. "${SYSSHAREDIR}/common" || exit 1
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export SYSDATADIR
+
# sharedir for authentication functions
MASHAREDIR="${SYSSHAREDIR}/ma"
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-export SYSDATADIR
+# datadir for authentication functions
+MADATADIR="${SYSDATADIR}/authentication"
# temp directory to enable atomic moves of authorized_keys files
-MATMPDIR="${SYSDATADIR}/tmp"
+MATMPDIR="${MADATADIR}/tmp"
export MSTMPDIR
# UTC date in ISO 8601 format if needed
Monkeysphere authentication admin tool.
subcommands:
+ setup (s) setup monkeysphere user authentication
update-users (u) [USER]... update user authorized_keys files
add-id-certifier (c+) KEYID import and tsign a certification key
--domain (-n) DOMAIN limit ID certifications to DOMAIN
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${SYSDATADIR}/authentication/core"}
-GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${SYSDATADIR}/authentication/sphere"}
+GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"}
+GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
# export variables needed in su invocation
export DATE
shift
case $COMMAND in
+ 'setup'|'setup'|'s')
+ source "${MASHAREDIR}/setup"
+ setup "$@"
+ ;;
+
'update-users'|'update-user'|'u')
source "${MASHAREDIR}/update_users"
update_users "$@"
export SYSSHAREDIR
. "${SYSSHAREDIR}/common" || exit 1
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export SYSDATADIR
+
# sharedir for host functions
MHSHAREDIR="${SYSSHAREDIR}/mh"
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-export SYSDATADIR
+# datadir for host functions
+MHDATADIR="${SYSDATADIR}/host"
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
add-revoker (o) FINGERPRINT add a revoker to the host key
revoke-key (r) revoke host key
- publish-key (p) publish server host key to keyserver
+ publish-key (p) publish host key to keyserver
expert <expert-subcommand> run expert command
expert help expert command help
}
# output just key fingerprint
-fingerprint_server_key() {
+fingerprint_host_key() {
# set the pipefail option so functions fails if can't read sec key
set -o pipefail
# function to check for host secret key
check_host_keyring() {
- fingerprint_server_key >/dev/null \
- || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
+ fingerprint_host_key >/dev/null \
+ || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first."
}
# show info about the host key
# FIXME: you shouldn't have to be root to see the host key fingerprint
check_host_keyring
- fingerprintPGP=$(fingerprint_server_key)
+ fingerprintPGP=$(fingerprint_host_key)
gpg_host "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null
echo "OpenPGP fingerprint: $fingerprintPGP"
- if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then
- fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \
+ if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then
+ fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \
awk '{ print $1, $2, $4 }')
echo "ssh fingerprint: $fingerprintSSH"
else
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
-GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/host"}
+GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
# export variables needed in su invocation
export DATE
# write output to stderr based on specified LOG_LEVEL the first
# parameter is the priority of the output, and everything else is what
-# is echoed to stderr
+# is echoed to stderr. If there is nothing else, then output comes
+# from stdin, and is not prefaced by log prefix.
log() {
local priority
local level
output=true
fi
if [ "$priority" = "$level" -a "$output" = 'true' ] ; then
- echo -n "ms: " >&2
- echo "$@" >&2
+ if [ "$1" ] ; then
+ echo -n "ms: " >&2
+ echo "$@" >&2
+ else
+ cat >&2
+ fi
fi
done
}
# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-# monkeysphere-ssh-proxycommand: MonkeySphere ssh ProxyCommand hook
+# Monkeysphere ssh-proxycommand subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# This is meant to be run as an ssh ProxyCommand to initiate a
# monkeysphere known_hosts update before an ssh connection to host is
# established. Can be added to ~/.ssh/config as follows:
-# ProxyCommand monkeysphere-ssh-proxycommand %h %p
+# ProxyCommand monkeysphere ssh-proxycommand %h %p
ssh_proxycommand() {
userID="ssh://${HOSTP}"
- log "-------------------- Monkeysphere warning -------------------"
- log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity."
+ cat <<EOF | log info
+-------------------- Monkeysphere warning -------------------
+Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+EOF
# retrieve the actual ssh key
sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
# if one of keys found matches the one offered by the
# host, then output info
if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
- log "An OpenPGP key matching the ssh key offered by the host was found:"
- log
+ cat <<EOF | log info
+An OpenPGP key matching the ssh key offered by the host was found:
+
+EOF
# do some crazy "Here Strings" redirection to get the key to
# ssh-keygen, since it doesn't read from stdin cleanly
if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
if (ok) { if (match($0,"^sig")) { print; } }
}
-' >&2
- log
+' | log info
+ echo | log info
# output the other user IDs for reference
if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
- log "Other user IDs on this key:"
- echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2
- log
+ cat <<EOF | log info
+Other user IDs on this key:
+
+EOF
+ echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
+ echo | log info
fi
# output ssh fingerprint
- log "RSA key fingerprint is ${sshFingerprint}."
+ cat <<EOF | log info
+RSA key fingerprint is ${sshFingerprint}.
+EOF
# this whole process is in a "while read"
# subshell. the only way to get information out
# if no key match was made (and the "while read" subshell returned
# 1) output how many keys were found
if (($? != 1)) ; then
- log "None of the found keys matched the key offered by the host."
- log "Run the following command for more info about the found keys:"
- log "gpg --check-sigs --list-options show-uid-validity =${userID}"
+ cat <<EOF | log info
+None of the found keys matched the key offered by the host.
+Run the following command for more info about the found keys:
+gpg --check-sigs --list-options show-uid-validity =${userID}
+EOF
+
# FIXME: should we do anything extra here if the retrieved
# host key is actually in the known_hosts file and the ssh
# connection will succeed? Should the user be warned?
# prompted?
fi
- log "-------------------- ssh continues below --------------------"
+ cat <<EOF | log info
+-------------------- ssh continues below --------------------
+EOF
}
########################################################################
PORT="$2"
if [ -z "$HOST" ] ; then
- log "Host not specified."
+ log error "Host not specified."
usage
exit 255
fi
local sshd_config
local problemsfound=0
-# FIXME: what's the correct, cross-platform answer?
-sshd_config=/etc/ssh/sshd_config
-seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
-keysfound=$(echo "$seckey" | grep -c ^sec:)
-curdate=$(date +%s)
-# warn when anything is 2 months away from expiration
-warnwindow='2 months'
-warndate=$(advance_date $warnwindow +%s)
-
if ! id monkeysphere >/dev/null ; then
echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
problemsfound=$(($problemsfound+1))
problemsfound=$(($problemsfound+1))
fi
-echo "Checking host GPG key..."
+echo "Checking for authentication directory..."
+if ! [ -d "$MADATADIR" ] ; then
+ echo "! No authentication data directory found."
+ echo " - Recommendation: run 'monkeysphere-authentication setup'"
+ exit
+fi
+
+# FIXME: what's the correct, cross-platform answer?
+seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
+keysfound=$(echo "$seckey" | grep -c ^sec:)
+curdate=$(date +%s)
+# warn when anything is 2 months away from expiration
+warnwindow='2 months'
+warndate=$(advance_date $warnwindow +%s)
+
+echo "Checking core GPG key..."
if (( "$keysfound" < 1 )); then
- echo "! No host key found."
- echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ echo "! No core key found."
+ echo " - Recommendation: run 'monkeysphere-authentication setup'"
problemsfound=$(($problemsfound+1))
elif (( "$keysfound" > 1 )); then
- echo "! More than one host key found?"
+ echo "! More than one core key found?"
# FIXME: recommend a way to resolve this
problemsfound=$(($problemsfound+1))
else
# check for key expiration:
if [ "$expire" ]; then
if (( "$expire" < "$curdate" )); then
- echo "! Host key is expired."
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo "! Core key is expired."
+ echo " - Recommendation: ???"
problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
- echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo "! Core key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ echo " - Recommendation: ???"
problemsfound=$(($problemsfound+1))
fi
fi
# and weirdnesses:
if [ "$create" ] && (( "$create" > "$curdate" )); then
- echo "! Host key was created in the future(?!). Is your clock correct?"
+ echo "! Core key was created in the future(?!). Is your clock correct?"
echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
problemsfound=$(($problemsfound+1))
fi
-
- # check for UserID expiration:
- echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
- while IFS=: read create expire uid ; do
- # FIXME: should we be doing any checking on the form
- # of the User ID? Should we be unmangling it somehow?
-
- if [ "$create" ] && (( "$create" > "$curdate" )); then
- echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
- echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
- problemsfound=$(($problemsfound+1))
- fi
- if [ "$expire" ] ; then
- if (( "$expire" < "$curdate" )); then
- echo "! User ID '$uid' is expired."
- # FIXME: recommend a way to resolve this
- problemsfound=$(($problemsfound+1))
- elif (( "$expire" < "$warndate" )); then
- echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
- # FIXME: recommend a way to resolve this
- problemsfound=$(($problemsfound+1))
- fi
- fi
- done
-# FIXME: verify that the host key is properly published to the
-# keyservers (do this with the non-privileged user)
-
-# FIXME: check that there are valid, non-expired certifying signatures
-# attached to the host key after fetching from the public keyserver
-# (do this with the non-privileged user as well)
-
-# FIXME: propose adding a revoker to the host key if none exist (do we
-# have a way to do that after key generation?)
-
- # Ensure that the ssh_host_rsa_key file is present and non-empty:
- echo
- echo "Checking host SSH key..."
- if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
- echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
- problemsfound=$(($problemsfound+1))
- else
- if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
- echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
- problemsfound=$(($problemsfound+1))
- fi
-
- # propose changes needed for sshd_config (if any)
- if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
- echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
- echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
- problemsfound=$(($problemsfound+1))
- fi
- if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
- echo "! $sshd_config refers to some non-monkeysphere host keys:"
- echo "$badhostkeys"
- echo " - Recommendation: remove the above HostKey lines from $sshd_config"
- problemsfound=$(($problemsfound+1))
- fi
-
- # FIXME: test (with ssh-keyscan?) that the running ssh
- # daemon is actually offering the monkeysphere host key.
-
- fi
fi
# FIXME: look at the ownership/privileges of the various keyrings,
# we make them as minimal as possible?)
# FIXME: look to see that the ownertrust rules are set properly on the
-# authentication keyring
+# sphere keyring
# FIXME: make sure that at least one identity certifier exists
# authorized_keys?
echo
-echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+echo "Checking for Monkeysphere-enabled public-key authentication for users ..."
# Ensure that User ID authentication is enabled:
if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
echo "! $sshd_config does not point to monkeysphere authorized keys."
if [ "$problemsfound" -gt 0 ]; then
echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
- echo " monkeysphere-server diagnostics"
+ echo " monkeysphere-authentication expert diagnostics"
else
echo "Everything seems to be in order!"
fi
--- /dev/null
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere authentication setup subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2009, and are all released under the GPL,
+# version 3 or later.
+
+setup() {
+ # make all needed directories
+ mkdir -p "${MADATADIR}"
+ mkdir -p "${MATMPDIR}"
+ mkdir -p "${GNUPGHOME_SPHERE}"
+ mkdir -p "${GNUPGHOME_CORE}"
+
+ # deliberately replace the config files via truncation
+ # FIXME: should we be dumping to tmp files and then moving atomically?
+ cat >"${GNUPGHOME_CORE}"/gpg.conf <<EOF
+# Monkeysphere trust core GnuPG configuration
+# This file is maintained by the Monkeysphere software.
+# Edits will be overwritten.
+no-greeting
+list-options show-uid-validity
+EOF
+
+ cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
+# Monkeysphere trust sphere GnuPG configuration
+# This file is maintained by the Monkeysphere software.
+# Edits will be overwritten.
+no-greeting
+primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
+keyring ${GNUPGHOME_CORE}/pubring.gpg
+
+list-options show-uid-validity
+EOF
+
+ # fingerprint of core key. this should be empty on unconfigured systems.
+ local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+
+ if [ -z "$CORE_FPR" ] ; then
+ log info "Setting up Monkeysphere authentication trust core"
+
+ local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
+
+ local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+
+ # generate the key with ssh-keygen...
+ ssh-keygen -q -b 1024 -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
+ # and then translate to openpgp encoding and import
+ # FIXME: pem2openpgp currently sets the A flag and a short
+ # expiration date. We should set the C flag and no expiration
+ # date.
+ < "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
+
+ gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key
+ CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+ if [ -z "$CORE_FPR" ] ; then
+ failure "Failed to create Monkeysphere authentication trust core!"
+ fi
+
+ else
+ log verbose "This system has already set up the Monkeysphere authentication trust core"
+ fi
+
+
+ # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
+ printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
+ local ORIG_TRUST
+ if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
+ if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
+ failure "Monkeysphere authentication trust sphere should explicitly trust the core. It does not have proper ownertrust settings."
+ fi
+ else
+ failure "Could not get monkeysphere-authentication trust guidelines."
+ fi
+
+ # ensure that we're using the extended trust model (1), and that
+ # our preferences are reasonable (i.e. 3 marginal OR 1 fully
+ # trusted certifications are sufficient to grant full validity.
+ if [ "1:3:1" != $(gpg_sphere --with-colons --fixed-list-mode --list-keys | head -n1 | grep ^tru: cut -f3,6,7 -d:) ] ; then
+ failure "monkeysphere-preference does not have the expected trust model settings"
+ fi
+}
GNUPGHOME="$GNUPGHOME_SPHERE"
# the authorized_keys directory
-authorizedKeysDir="${SYSDATADIR}/authentication/authorized_keys"
+authorizedKeysDir="${MADATADIR}/authorized_keys"
# check to see if the gpg trust database has been initialized
if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
userID="ssh://${1}"
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# match to only ultimately trusted user IDs
tmpuidMatch="u:$(echo $userID | gpg_escape)"
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! No host key found."
- echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'"
problemsfound=$(($problemsfound+1))
elif (( "$keysfound" > 1 )); then
echo "! More than one host key found?"
if [ "$expire" ]; then
if (( "$expire" < "$curdate" )); then
echo "! Host key is expired."
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
problemsfound=$(($problemsfound+1))
fi
fi
# FIXME: recommend a way to resolve this
problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
- echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
# FIXME: recommend a way to resolve this
problemsfound=$(($problemsfound+1))
fi
# directories housing them, etc (what should those values be? can
# we make them as minimal as possible?)
-# FIXME: look to see that the ownertrust rules are set properly on the
-# authentication keyring
-
-# FIXME: make sure that at least one identity certifier exists
-
-# FIXME: look at the timestamps on the monkeysphere-generated
-# authorized_keys files -- warn if they seem out-of-date.
-
-# FIXME: check for a cronjob that updates monkeysphere-generated
-# authorized_keys?
-
-echo
-echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
-# Ensure that User ID authentication is enabled:
-if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
- echo "! $sshd_config does not point to monkeysphere authorized keys."
- echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
- problemsfound=$(($problemsfound+1))
-fi
-if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
- echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
- echo "$badauthorizedkeys"
- echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
- problemsfound=$(($problemsfound+1))
-fi
if [ "$problemsfound" -gt 0 ]; then
echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
- echo " monkeysphere-server diagnostics"
+ echo " monkeysphere-host expert diagnostics"
else
echo "Everything seems to be in order!"
fi
extend_key() {
-local fpr=$(fingerprint_server_key)
+local fpr=$(fingerprint_host_key)
local extendTo="$1"
# get the new expiration date
# check for presense of secret key
# FIXME: is this the proper test to be doing here?
-fingerprint_server_key >/dev/null \
+fingerprint_host_key >/dev/null \
&& failure "An OpenPGP host key already exists."
# get options
echo "$keyParameters" | gpg_host --batch --gen-key
# find the key fingerprint of the newly generated key
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
- openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
-ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
-log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+ openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key")
+log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key"
+ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub"
+log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
# show info about new key
show_key
# check for presense of secret key
# FIXME: is this the proper test to be doing here?
-fingerprint_server_key >/dev/null \
+fingerprint_host_key >/dev/null \
&& failure "An OpenPGP host key already exists."
# get options
pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import)
# find the key fingerprint of the newly converted key
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# export host ownertrust to authentication keyring
log verbose "setting ultimate owner trust for host key..."
echo "${fingerprint}:6:" | gpg_host "--import-ownertrust"
# export public key to file
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
# show info about new key
show_key
fi
# find the key fingerprint
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# publish host key
# FIXME: need to define how to do this
userID="ssh://${1}"
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# match to only ultimately trusted user IDs
tmpuidMatch="u:$(echo $userID | gpg_escape)"
## make sure that the right tools are installed to run the test. the
## test has *more* requirements than plain ol' monkeysphere:
-which socat || { echo "You must have socat installed to run this test." ; exit 1; }
+which socat >/dev/null || { echo "You must have socat installed to run this test." ; exit 1; }
## FIXME: other checks?
+######################################################################
+### FUNCTIONS
+
# gpg command for test admin user
gpgadmin() {
GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@"
trap failed_cleanup EXIT
+######################################################################
### SETUP VARIABLES
+
## set up some variables to ensure that we're operating strictly in
## the tests, not system-wide:
-export TESTDIR=$(pwd)
+export TESTDIR=$(dirname "$0")
# make temp dir
TEMPDIR="$TESTDIR"/tmp
# *anything* with any running X11 session.
export DISPLAY=monkeys
+
+######################################################################
### CONFIGURE ENVIRONMENTS
# copy in admin and testuser home to tmp
+echo "##################################################"
echo "### copying admin and testuser homes..."
cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf
# set up sshd
+echo "##################################################"
echo "### configuring sshd..."
-cp etc/ssh/sshd_config "$SSHD_CONFIG"
+cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG"
# write the sshd_config
cat <<EOF >> "$SSHD_CONFIG"
HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authentication/authorized_keys/%u
EOF
+
+######################################################################
+### SERVER HOST SETUP
+
# set up monkeysphere host
+echo "##################################################"
echo "### configuring monkeysphere host..."
mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/host
-# set up monkeysphere authentication
-echo "### configuring monkeysphere authentication..."
-mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
-cp etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
-cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
-AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
-EOF
-cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
-primary-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/sphere/pubring.gpg
-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/core/pubring.gpg
-EOF
-
-
-### SERVER TESTS
-
# create a new host key
-echo "### generating server key..."
+echo "##################################################"
+echo "### generating server host key..."
# add gpg.conf with quick-random
get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
echo | monkeysphere-host expert gen-key --length 1024 --expire 0 testhost
# remove the gpg.conf
rm "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
+# FIXME: need to test import-key as well
+
HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\ )
# certify it with the "Admin's Key".
# (this would normally be done via keyservers)
-echo "### certifying server key..."
-monkeysphere-authentication expert gpg-cmd "--armor --export $HOSTKEYID" | gpgadmin --import
+echo "##################################################"
+echo "### certifying server host key..."
+GNUPGHOME="$MONKEYSPHERE_SYSCONFIGDIR"/host gpg --armor --export "$HOSTKEYID" | gpgadmin --import
echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
+# FIXME: add revoker?
+
# FIXME: how can we test publish-key without flooding junk into the
# keyservers?
+# FIXME: should we run "diagnostics" here to test setup?
+
+
+######################################################################
+### SERVER AUTHENTICATION SETUP
+
+# set up monkeysphere authentication
+echo "##################################################"
+echo "### setup monkeysphere authentication..."
+mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
+cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
+cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
+AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
+EOF
+monkeysphere-authentication setup
+get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
+
# add admin as identity certifier for testhost
+echo "##################################################"
echo "### adding admin as certifier..."
echo y | monkeysphere-authentication add-id-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
+# FIXME: should we run "diagnostics" here to test setup?
-### TESTUSER TESTS
+
+######################################################################
+### TESTUSER SETUP
# generate an auth subkey for the test user that expires in 2 days
+echo "##################################################"
echo "### generating key for testuser..."
monkeysphere gen-subkey --expire 2
# add server key to testuser keychain
+echo "##################################################"
echo "### export server key to testuser..."
gpgadmin --armor --export "$HOSTKEYID" | gpg --import
# teach the "server" about the testuser's key
+echo "##################################################"
echo "### export testuser key to server..."
gpg --export testuser | monkeysphere-authentication gpg-cmd --import
+
+# update authorized_keys for user
+echo "##################################################"
echo "### update server authorized_keys file for this testuser..."
monkeysphere-authentication update-users $(whoami)
+
+######################################################################
+### TESTS
+
# connect to test sshd, using monkeysphere-ssh-proxycommand to verify
# the identity before connection. This should work in both directions!
+echo "##################################################"
echo "### ssh connection test for success..."
ssh_test
# remove the testuser's authorized_user_ids file, update, and make
# sure that the ssh authentication FAILS
+echo "##################################################"
echo "### removing testuser authorized_user_ids and updating..."
mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak}
monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
echo "### ssh connection test for server authentication denial..."
ssh_test 255
mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,}
# put improper permissions on authorized_user_ids file, update, and
# make sure ssh authentication FAILS
+echo "##################################################"
echo "### setting group writability on authorized_user_ids and updating..."
chmod g+w "$TESTHOME"/.monkeysphere/authorized_user_ids
monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
echo "### ssh connection test for server authentication denial..."
ssh_test 255
chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids
+echo "##################################################"
echo "### setting other writability on authorized_user_ids and updating..."
chmod o+w "$TESTHOME"/.monkeysphere/authorized_user_ids
monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
echo "### ssh connection test for server authentication denial..."
ssh_test 255
chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids
+# FIXME: addtest: remove admin as id-certifier and check ssh failure
+
+# FIXME: addtest: revoke hostname on host key and check ssh failure
+
+# FIXME: addtest: revoke the host key and check ssh failure
+
+
+######################################################################
trap - EXIT
-echo
-echo "Monkeysphere basic tests completed successfully!"
-echo
+echo "##################################################"
+echo " Monkeysphere basic tests completed successfully!"
+echo "##################################################"
cleanup
projects / monkeysphere.git / commitdiff