monkeysphere (0.12-1) UNRELEASED; urgency=low
* Improved output handling.
+ * debian/control: switched Homepage: and Vcs-Git: to canonicalized
+ upstream hostnames.
-- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sun, 24 Aug 2008 23:49:23 -0700
Uploaders: Jameson Rollins <jrollins@fifthhorseman.net>
Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0), git-core
Standards-Version: 3.8.0.1
-Homepage: http://monkeysphere.info/
-Vcs-Git: git://monkeysphere.info/monkeysphere
+Homepage: http://web.monkeysphere.info/
+Vcs-Git: git://git.monkeysphere.info/monkeysphere
Dm-Upload-Allowed: yes
Format: 3.0 (git)
Allow server administrators to add-identity-certifier from a key in
the filesystem (or on stdin, etc)
+
+Think about packaging monkeysphere for other (non-apt-based) operating
+ systems. RPM-based linux systems, FreeBSD ports, and Mac OS X seem
+ like the most likely candidates.
user?</p>
<p>A group of us have been working on a public key infrastructure for
-SSH. <a href="http://monkeysphere.info">Monkeysphere</a> makes use of
-the existing OpenPGP web-of-trust to fetch and cryptographically
+SSH. <a href="http://web.monkeysphere.info">Monkeysphere</a> makes use
+of the existing OpenPGP web-of-trust to fetch and cryptographically
validate (and revoke!) keys. This works in either directions: both
<code>authorized_keys</code> <em>and</em> <code>known_hosts</code> are
handled. Monkeysphere gives users and admins tools to deal with SSH
belong, instead of requiring humans to do tedious (and error-prone)
manual key verification.</p>
-<p>We have <a href="http://monkeysphere.info/download">debian packages
+<p>We have <a href="http://web.monkeysphere.info/download">debian packages
available</a> which should install against lenny, <a
href="https://lists.riseup.net/www/info/monkeysphere">a mailing
list</a>, and open ears for good questions, suggestions and
criticism.</p>
-<p>If you have a chance to give it a try (<a href="???">as a user</a>
-or <a href="???">as an admin</a>), it would be great to <a
+<p>If you have a chance to give it a try (<a
+href="http://web.monkeysphere.info/getting-started-user/">as a
+user</a> or <a
+href="http://web.monkeysphere.info/getting-started-admin/">as an
+admin</a>), it would be great to <a
href="https://lists.riseup.net/www/info/monkeysphere">get
feedback</a>.</p>
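Review bot: the two `href="???"` placeholders are now real links, which fixes the broken anchors, but the same paragraph block still carries "This works in either directions" in the unchanged context a few lines up; "in either direction" is correct, and this hunk is already rewriting the surrounding `<p>`. Also check the trailing slashes: the new links use `/getting-started-user/` and `/getting-started-admin/`, while the documentation page in this same commit links `/getting-started-user` and `/getting-started-admin` without one; pick one form so both pages resolve the same way under ikiwiki's usedirs layout.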
--- /dev/null
+logo.png: logo.svg
+ inkscape -e logo.png logo.svg
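Review bot: the recipe exports at whatever natural size `logo.svg` has, while the nav template added in this commit declares the image as `width="343" height="85"`; if the two disagree the browser rescales the PNG and the logo blurs. Pass inkscape's export size options (`-w 343 -h 85`) so the raster matches the markup, and since `logo.png` is a generated file, either add a `clean` target or make sure it is not committed alongside the SVG.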
* changes to this system (first command at top, last at bottom) *
******************************************************************************
+2008-09-01 - dkg
+ * set up http://dkg.monkeysphere.info so that i could play around
+ with ikiwiki updates
+ * moved apt repository over to http://archive.monkeysphere.info/
+ * aptitude update && aptitude dist-upgrade
+ * canonicalizing hostname for normal web access to
+ http://web.monkeysphere.info
+
2008-08-26 - dkg
* aptitude update && aptitude full-upgrade
* added account 'daniel' for Dan Scott, and set him up with a way
echo "WARNING: There is a known bug in this function."
echo "This function has been known to occasionally revoke the wrong user ID."
echo "Please see the following bug report for more information:"
- echo "http://monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
+ echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
if [ ${OK/y/Y} != 'Y' ] ; then
failure "aborting."
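Review bot: the confirmation test two lines below the edited URL, `if [ ${OK/y/Y} != 'Y' ]`, leaves the expansion unquoted, so a reply containing whitespace becomes a `[` syntax error instead of a clean abort; for a function whose own warning says it has revoked the wrong user ID, the guard should fail closed on any unexpected input. Quote it: `if [ "${OK/y/Y}" != 'Y' ] ; then`. The substitution also rewrites only the first `y`, so `yes` becomes `Yes` and is rejected; that is the safe direction, but the `(y/N)` prompt could say that only a bare `y` proceeds.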
[[!template id="nav"]]
-
+[[meta title="Bugs"]]
This is Monkeysphere's bug list. You can also browse our [completed bugs](done).
If you don't have commit access to the public repo, we'd appreciate
[[meta title="Add man pages to web site"]]
We should publish the various monkeysphere man pages in browsable form
-somewhere under http://monkeysphere.info/. Ideally, this would be
+somewhere under http://web.monkeysphere.info/. Ideally, this would be
updated automatically from the sources for the official man pages
themselves.
[[!template id="nav"]]
-[[meta title="Monkeysphere community"]]
+[[meta title="Community"]]
-# Mailing list #
+## Mailing list ##
The Monkeysphere project is a new project with just one mailing list
at the moment. Its where we roll our sphere, discuss development
archives](https://lists.riseup.net/www/arc/monkeysphere) if you don't
believe us.
-# Development #
+## Development ##
The Monkeysphere uses a distributed development model with
[git](http://git.or.cz/). Once you've [installed
clone](http://www.kernel.org/pub/software/scm/git/docs/git-clone.html)
from this web site:
- git clone git://monkeysphere.info/monkeysphere
+ git clone git://git.monkeysphere.info/monkeysphere
-## Individual developer repositories ##
+### Individual developer repositories ###
You might also be interested in the repositories of individual
developers, which may contain branches or features not yet in the main
git clone git://labs.riseup.net/~micah/monkeysphere
-# Contact #
+## Contact ##
Please feel free to contact any of the Monkeysphere developers or post
to the mailing list with questions, comments, bug reports, requests,
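Review bot: the clone instruction (`git clone git://git.monkeysphere.info/monkeysphere`) uses an unauthenticated transport, and nothing in the visible text of this page tells a developer how to check that what they fetched is the project's code. For a project whose point is replacing blind trust with verifiable keys, a sentence directly under the clone command on verifying signed tags or commits (and which key signs them) would close that gap; the same applies to the individual developer repositories listed below it, which are also fetched over `git://`.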
[[!template id="nav"]]
[[meta title="Documentation"]]
-# Dependencies #
+## Dependencies ##
Monkeysphere relies on:
* [OpenSSH](http://openssh.com/)
* [GnuPG](http://gnupg.org/)
-# Getting started #
+## Getting started ##
* Getting started as a [user](/getting-started-user)
* Getting started as a [server admin](/getting-started-admin)
-# References #
+## References ##
* [Initial specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH)
* [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880)
* [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252)
* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
- * [Other similar projects](/others)
+
+## Other ##
+
+ * [Similar Projects](/similar) (other attempts at a PKI for SSH)
You can add this repo to your system by putting the following lines in
/etc/apt/sources.list.d/monkeysphere.list:
- deb http://monkeysphere.info/debian experimental monkeysphere
- deb-src http://monkeysphere.info/debian experimental monkeysphere
+ deb http://archive.monkeysphere.info/debian experimental monkeysphere
+ deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
The repository is currently signed by [Daniel Kahn Gillmor's OpenPGP
key](http://fifthhorseman.net/dkg.gpg "dkg's key"), key id D21739E9
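Review bot: the repository signing key is identified only by its 32-bit short key id `D21739E9`, and the key file itself is served over plain `http://`; short ids are cheap to collide and the download is unauthenticated, so a user following these lines cannot distinguish the real key from a substitute before trusting it for every package in the archive. Publish the full fingerprint here and tell readers to compare it before importing the key into apt; the `http://` in the `deb` lines is fine once that key is right, since apt checks the archive signature.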
to get started [as a regular user](/getting-started-user), or [as a
systems administrator](/getting-started-admin).
-### Enhancements ###
+## Enhancements ##
As of 2008-08-22, If you run debian lenny you're very close to being
able to run a fully monkeysphere-enabled system. One gap in the
the MonkeySphere by adjusting the monkeysphere `sources.list` lines to
include the `gnutls` component. So they'd look like this instead:
- deb http://monkeysphere.info/debian experimental monkeysphere gnutls
- deb-src http://monkeysphere.info/debian experimental monkeysphere gnutls
+ deb http://archive.monkeysphere.info/debian experimental monkeysphere gnutls
+ deb-src http://archive.monkeysphere.info/debian experimental monkeysphere gnutls
You can [read more about this offering](/news/modified-gnutls-2.4.x-available).
gnutls. You can easily upgrade a Debian system by adding the following
to `/etc/apt/sources.list.d/monkeysphere.list`:
- deb http://monkeysphere.info/debian experimental gnutls
- deb-src http://monkeysphere.info/debian experimental gnutls
+ deb http://archive.monkeysphere.info/debian experimental gnutls
+ deb-src http://archive.monkeysphere.info/debian experimental gnutls
Next, run `aptitude update; aptitude install libgnutls26`.
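Review bot: the `gnutls` component replaces the system `libgnutls26` for every package that links it, not just the monkeysphere pieces, and the text gives no way back. Add a line on pinning (`/etc/apt/preferences`) so only `libgnutls26` is taken from this repository, and on reverting to Debian's build with `aptitude install libgnutls26/lenny` if the patched library causes trouble. The same `sources.list` block appears on the download page (both the main and the Enhancements section) and in the news post further down this commit, so the caveat should appear on all of them or be linked from each.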
+h2 {
+-moz-border-radius-topleft:4px;
+-moz-border-radius-topright:4px;
+background-color:#B67B4E;
+color:black;
+display:block;
+font-weight:bold;
+padding:0 0 0 10px;
+}
+
body {
- font-family: "Liberation Sans",sans-serif;
- font-size:1em;
- margin-left: 5%;
- margin-right:20%;
+color:#3F403F;
+font-family:"Liberation Sans",sans-serif;
+font-size:0.95em;
}
-h1 {
- font-size: 1.5em;
+*|*:visited
+color:#f6a464;
}
-h2 {
- font-size: 1.2em;
+*|*:-moz-any-link {
+text-decoration:none;
}
-h3 {
- font-size: 1em;
+:-moz-any-link {
+cursor:pointer;
}
-h4 {
- font-size: 1em;
+a:link {
+ color: #CC6600;
+ text-deoration: none;
}
-.header span {
- font-size: 1.5em;
- color: #aaaaaa;
+a:visited {
+ color: #c2772b;
+}
+
+a:hover {
+ text-decoration: underline;
}
pre {
padding: 3px 3px 3px 3px;
margin-left: 2em;
}
+
+table.sitenav {
+ border-bottom: 2px solid black;
+ padding: 0px;
+ width: 100%;
+ font-size: larger;
+}
+
+table.sitenav img.logo {
+ margin: 0px;
+ padding: 0px;
+ vertical-align: bottom;
+}
+
+table.sitenav a {
+ font-weight: bold;
+ margin-right: 1em;
+}
+
+table.sitenav span.selflink {
+ font-weight: bold;
+ text-decoration: underline;
+ margin-right: 1em;
+}
+
+div.header {
+ text-align: right;
+}
+
+div.actions {
+ text-align: right;
+}
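Review bot: two of the added rules are broken as written. `*|*:visited` (near the top of the replaced block) has no opening `{`, so the parser swallows that selector together with the following `color:#f6a464;` line and the stray `}`, and the `a:link` rule contains `text-deoration: none;` (typo for `text-decoration`), so links keep the browser default underline until hovered. Fix both. Separately, the `-moz-border-radius-*` properties and the `:-moz-any-link` selectors are Gecko-only, so other browsers get square heading corners and no cursor rule; cosmetic, but worth a comment if intentional.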
[[!template id="nav"]]
-
+[[meta title="News"]]
Here are the latest announcements about the Monkeysphere.
[[inline pages="./news/* and !*/Discussion" rootpage="news" show="30"]]
--- /dev/null
+[[meta title="APT repository moved"]]
+
+The monkeysphere APT repository has been moved from
+`http://monkeysphere.info/debian` to
+`http://archive.monkeysphere.info/debian`. You'll probably want to
+update your `sources.list` to match the [official lines](/download).
+
+Apologies for any confusion or hassle this causes!
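Review bot: since readers are being told to point apt at a new host, say whether the archive signing key changed (the download page names key id `D21739E9`); a host move is exactly the moment a user would accept a new key without thinking, so stating "the key is unchanged" (or giving the new fingerprint) belongs in this notice.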
--- /dev/null
+[[meta title="git repository moved"]]
+
+The monkeysphere git repository has been moved from
+`git://monkeysphere.info/monkeysphere` to
+`git://git.monkeysphere.info/monkeysphere`. You'll probably want to
+update your `.git/config` to match the [official clone
+target](/community).
+
+Apologies for any confusion or hassle this causes!
You can track this package in debian lenny by adding the following
lines to `/etc/apt/sources.list`:
- deb http://monkeysphere.info/debian experimental gnutls
- deb-src http://monkeysphere.info/debian experimental gnutls
+ deb http://archive.monkeysphere.info/debian experimental gnutls
+ deb-src http://archive.monkeysphere.info/debian experimental gnutls
Or you can patch and build the packages yourself with the patches and
scripts provided in [the MonkeySphere git repo](/download).
--- /dev/null
+[[!template id="nav"]]
+[[meta title="Similar Projects"]]
+
+The monkeysphere isn't the only project intending to implement a PKI
+for OpenSSH. We provide links to these other projects because they're
+interesting, though we have concerns with their approaches.
+
+[[toc ]]
+
+All of the other projects we've found so far require a patched version
+of OpenSSH, which makes adoption more difficult. Most people don't
+build their own software, and simply overlaying a patched binary is
+associated with significant maintenance (and therefore security)
+problems.
+
+While ultimately contributing a patch to
+[OpenSSH](http://openssh.com/) (or any
+[free](http://www.chiark.greenend.org.uk/~sgtatham/putty/)
+[SSH](http://www.lysator.liu.se/~nisse/lsh/)
+[implementation](http://matt.ucc.asn.au/dropbear/dropbear.html)) is
+not a bad thing, we hope to be able to better establish the use of a
+PKI without resorting to source modification.
+
+## openssh-gpg ##
+
+[openssh-gpg](http://www.red-bean.com/~nemo/openssh-gpg/) is a patch
+against OpenSSH to support OpenPGP certificates. According to its
+documentation, it is intended to support [`pgp-sign-rsa` and
+`pgp-sign-dss` public key algorithms for hosts, as specified by the
+IETF](http://tools.ietf.org/html/rfc4253#section-6.6).
+
+Some concerns with `openssh-gpg`:
+
+ * This patch is old; it doesn't appear to have been maintained beyond
+ OpenSSH 3.6p1. As of this writing, OpenSSH 5.1p1 is current.
+
+ * It only provides infrastructure in one direction: the user
+ authenticating the host by name. There doesn't seem to be a
+ mechanism for dealing with identifying users by name, or allowing
+ users to globally revoke or update keys.
+
+ * The choice of User ID (`anything goes here (and here!)
+ <ssh@foo.example.net>`) for host keys overlaps with the current use
+ of the User ID space. While it's unlikely that someone actually
+ uses this e-mail address in the web of trust, it would be a nasty
+ collision, as the holder of that key could impersonate the server
+ in question. The monkeysphere uses [User IDs of the form
+ `ssh://foo.example.net`](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
+ to avoid collisions with existing use.
+
+ * It's not clear that `openssh-gpg` acknowledges or respects the
+ [usage flags](http://tools.ietf.org/html/rfc4880#section-5.2.3.21)
+ on the host keys. This means that it could accept a "sign-only"
+ key as suitable for authenticating a host, despite the
+ clearly-marked intentions of the key-holder.
+
+## Perspectives OpenSSH client ##
+
+[The Perspectives project](http://www.cs.cmu.edu/~perspectives/) at
+CMU has released an [openssh client that uses network
+notaries](http://www.cs.cmu.edu/~perspectives/openssh.html) to bolster
+your confidence in newly-seen keys. This offers a defense against a
+narrow MITM attack (e.g. by someone who controls your local gateway)
+by simply verifying that other machines from around the network see
+the same keys for the remote host that you're seeing.
+
+This tactic is quite useful, but doesn't take the system as far as it
+could go, and doesn't tie into any existing web of trust.
+
+Some concerns with the Perspectives OpenSSH client:
+
+ * This client won't help if you are connecting to machines behind
+ firewalls, on NAT'ed LANs, with source IP filtering, or otherwise
+ in a restricted network state.
+
+ * There is still a question of why you should trust these particular
+ notaries during your verification. Who are the notaries? How
+ could they be compromised?
+
+ * It only provides infrastructure in one direction: the user
+ authenticating the host by name. There is no mechanism for dealing
+ with identifying users by name, or allowing users to globally
+ revoke or change keys.
+
+ * It doesn't provide any mechanism for key rotation or revocation:
+ Perspectives won't help you if you need to re-key your machine.
+
+## OpenSSH with X.509v3 certificates ##
+
+Roumen Petrov [maintains a patch to OpenSSH that works with the X.509
+PKI model](http://www.roumenpetrov.info/openssh/). This is the
+certificate hierarchy commonly used by TLS (and SSL).
+
+Some concerns about OpenSSH with X.509v3:
+
+ * the X.509 certificate specification itself [encourages corporate
+ consolidation and centralized global "trust" because of its
+ single-issuer architectural
+ limitation](http://lair.fifthhorseman.net/~dkg/tls-centralization/).
+ This results in an expensive and cumbersome system for smaller
+ players, and it also doesn't correspond to the true distributed
+ nature of human-to-human trust. Furthermore, centralized global
+ "trusted authorities" create a tempting target for attack, and a
+ single-point-of-failure if an attack is successful.
+
+ Depending on how you declare your trust relationships, OpenPGP is
+ capable of providing the same hierarchical structure as X.509, but
+ it is not limited to such a structure. The OpenPGP Web of Trust
+ model is more flexible and more adaptable to represent real-world
+ trust than X.509's rigid hierarchy.
+
+ * X.509 certificates can identify hosts by name, but not by
+ individual service. This means that a compromised web or e-mail
+ server with access to the X.509 key for that service could re-use
+ its certificate as an SSH server, and it would be able to
+ masquerade successfully.
+
+ The monkeysphere uses [User IDs of the form
+ `ssh://foo.example.net`](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/),
+ so they are not by-default shared across services on the same host
+ (you can still share a key across services on the same host if you
+ like, but the service User IDs can be certified independently of
+ one another).
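Review bot: the X.509 bullet's claim that certificates "can identify hosts by name, but not by individual service" is stronger than the standard supports: X.509v3 has Extended Key Usage and `subjectAltName` can carry a URI, so a CA could scope a certificate to one service; the real point is that the common TLS-style host certificates (and the patch described) don't, so the compromised-web-server scenario holds in practice. Soften it to "are not, in practice, scoped to a single service" so the comparison with `ssh://` User IDs stays fair. Two smaller points: "As of this writing, OpenSSH 5.1p1 is current" will go stale, so date it the way the download page does ("As of 2008-08-22"); and the last two Perspectives bullets (one direction only, ending in "revoke or change keys", and "no mechanism for key rotation or revocation") overlap and could be merged.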
-[[overview|/index]] | [[why?|/why]] | [[/download]] | [[documentation|/doc]] | [[/news]] | [[/community]] | [[/bugs]]
+<table class="sitenav" cellpadding="0" cellspacing="0">
+<tbody><tr><td>
+<a class="logo" href="/"><img class="logo" src="/logo.png" alt="monkeysphere" width="343" height="85" /></a>
+</td><td>
-----
+[[WHY?|why]]
+[[DOWNLOAD|download]]
+[[DOCUMENTATION|doc]]
+[[NEWS|news]]
+[[COMMUNITY|community]]
+[[BUGS|bugs]]
+
+</td></tr></tbody></table>
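Review bot: the removed text nav had an explicit `[[overview|/index]]` entry; the replacement reaches the front page only through the logo image, whose `alt="monkeysphere"` does not say it is a link to the overview. Either keep a text "OVERVIEW" entry in the link list or change the alt text to something like "monkeysphere overview" so text-only and screen-reader users still find the front page. The hardcoded `width`/`height` should also match whatever size the Makefile's inkscape export actually produces.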
[[meta title="Why should you be interested in the MonkeySphere?"]]
-# Why should you be interested in the MonkeySphere? #
+[[toc ]]
## As an `ssh` user ##
new one without having to comb through every single account you have
ever connected to?
+[Get started with the monkeysphere as a user!](/getting-started-user)
+
## As an system administrator ##
As a system administrator, have you ever tried to re-key an SSH
user's key to authenticate across an entire infrastructure you manage,
without touching each host by hand?
+[Get started with the monkeysphere as an administrator!](/getting-started-admin)
+
## What's the connection? ##
All of these issues are related to a lack of a [Public Key