--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<base href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation"><div style="margin:-1px -1px 0;padding:0;border:1px solid #999;background:#fff"><div style="margin:12px;padding:8px;border:1px solid #999;background:#ddd;font:13px arial,sans-serif;color:#000;font-weight:normal;text-align:left">This is Google's cache of <a href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation" style="text-decoration:underline;color:#00c">http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation</a>. It is a snapshot of the page as it appeared on Dec 15, 2008 14:31:48 GMT. The <a href="http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation" style="text-decoration:underline;color:#00c">current page</a> could have changed in the meantime. <a href="http://www.google.com/intl/en/help/features_list.html#cached" style="text-decoration:underline;color:#00c">Learn more</a><br><br><div style="float:right"><a href="http://74.125.47.132/search?q=cache:TK3CfB0McV4J:redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation+http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation&hl=en&gl=us&strip=1" style="text-decoration:underline;color:#00c">Text-only version</a></div>
+<div>These terms only appear in links pointing to this page: <span style="font-weight:bold">http</span> <span style="font-weight:bold">redmine</span> <span style="font-weight:bold">josefsson</span> <span style="font-weight:bold">org</span> <span style="font-weight:bold">wiki</span> <span style="font-weight:bold">gnutls</span> <span style="font-weight:bold">gnutlsexternalvalidation</span> </div></div></div><div style="position:relative">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<title>GnuTLS - GnuTLSExternalValidation - Redmine</title>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<meta name="description" content="Redmine" />
+<meta name="keywords" content="issue,bug,tracker" />
+<link href="/stylesheets/application.css?1227251496" media="all" rel="stylesheet" type="text/css" />
+<script src="/javascripts/prototype.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/effects.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/dragdrop.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/controls.js?1224248241" type="text/javascript"></script>
+<script src="/javascripts/application.js?1224248241" type="text/javascript"></script>
+<link href="/stylesheets/jstoolbar.css?1224248241" media="screen" rel="stylesheet" type="text/css" />
+<!--[if IE]>
+ <style type="text/css">
+ * html body{ width: expression( document.documentElement.clientWidth < 900 ? '900px' : '100%' ); }
+ body {behavior: url(/stylesheets/csshover.htc?1224248241);}
+ </style>
+<![endif]-->
+
+<!-- page specific tags -->
+
+ <link href="/stylesheets/scm.css?1224248241" media="screen" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div id="wrapper">
+<div id="top-menu">
+ <div id="account">
+ <ul><li><a href="/login" class="login">Sign in</a></li>
+<li><a href="/account/register" class="register">Register</a></li></ul> </div>
+
+ <ul><li><a href="/" class="home">Home</a></li>
+<li><a href="/projects" class="projects">Projects</a></li>
+<li><a href="http://www.redmine.org/guide" class="help">Help</a></li></ul></div>
+
+<div id="header">
+ <div id="quick-search">
+ <form action="/search/index/gnutls" method="get">
+ <a href="/search/index/gnutls" accesskey="4">Search</a>:
+ <input accesskey="f" class="small" id="q" name="q" size="20" type="text" />
+ </form>
+
+ </div>
+
+ <h1>GnuTLS</h1>
+
+ <div id="main-menu">
+ <ul><li><a href="/projects/show/gnutls">Overview</a></li>
+<li><a href="/projects/activity/gnutls">Activity</a></li>
+<li><a href="/projects/roadmap/gnutls">Roadmap</a></li>
+<li><a href="/projects/gnutls/issues">Issues</a></li>
+<li><a href="/wiki/gnutls" class="selected">Wiki</a></li>
+<li><a href="/repositories/show/gnutls">Repository</a></li></ul>
+ </div>
+</div>
+
+<div class="" id="main">
+ <div id="sidebar">
+
+ <h3>Wiki</h3>
+
+<a href="/wiki/gnutls">Start page</a><br />
+<a href="/wiki/gnutls/Page_index/special">Index by title</a><br />
+<a href="/wiki/gnutls/Date_index/special">Index by date</a><br />
+
+
+ </div>
+
+ <div id="content">
+
+
+ <div class="contextual">
+
+
+
+
+
+
+
+
+<a href="/wiki/gnutls/GnuTLSExternalValidation/history" class="icon icon-history">History</a>
+</div>
+
+
+
+
+
+<div class="wiki">
+ <h1 id="GnuTLSExternalValidation">GnuTLSExternalValidation<a href="#GnuTLSExternalValidation" class="wiki-anchor">¶</a></h1>
+
+
+ <p>This page is intended to flesh out ideas to externalize the X.509 chain validation, X.509 private key handling, and possibly also OpenPGP validation and private key handling.</p>
+
+
+ <p>It is important to realize that these are different problems, so the solution may be different. Let's first make the goals clear:</p>
+
+
+ <ul>
+ <li>Make it possible to store private keys in a process different from the process that runs the GnuTLS client/server.</li>
+ <li>Make it possible to perform X.509 chain validation in a different process.</li>
+ <li>Make it possible to perform OpenPGP key validation in a different process.</li>
+ </ul>
+
+
+ <p>One must decide whether the external agent should be responsible for making authentication decisions, authorization decisions, or both. Possibly it should be able to make both kind of decisions. The GnuTLS process can always make further authorization decisions as well.</p>
+
+
+ <p>For private keys, there is the PKCS#11 interface. GnuTLS has a branch that supports it. However, PKCS#11 doesn't solve the problem with an external process. It seems better to move the PKCS#11 interface to the external agent, rather than adding PKCS#11 interface to GnuTLS itself. Btw, GnuTLS already has PKCS#11 support on a special branch, and has been tested against the Scute PKCS#11 provider together with a Swedish eID X.509 smartcard.</p>
+
+
+ <p>The solution should allow simple integration with GNOME components such as <a href="http://live.gnome.org/Seahorse" class="external">SeaHorse</a>.</p>
+
+
+ <h2 id="Private-key-protocol">Private key protocol<a href="#Private-key-protocol" class="wiki-anchor">¶</a></h2>
+
+
+ <p>Possible we should re-use GnuPG's external protocol here? What we need is an IPC protocol that does:</p>
+
+
+ <pre><code>SIGN [ALG] [KEY-ID] [TLS-DATA]</code></pre>
+
+
+ <p>Where KEY-ID somehow denotes a key to use, and TLS-DATA is the data that needs to be signed using the TLS algorithm. Given that TLS supports several algorithms, and even RSA is supported in more than one mode, there needs to be an ALG flag to indicate this.</p>
+
+
+ <h2 id="X509-Chain-Validation">X.509 Chain Validation<a href="#X509-Chain-Validation" class="wiki-anchor">¶</a></h2>
+
+
+ <p>GnuPG's dirmngr <a href="http://www.gnupg.org/documentation/manuals/dirmngr/Dirmngr-Protocol.html#Dirmngr-Protocol" class="external">has a protocol for doing this</a>, using <a href="http://www.gnupg.org/documentation/manuals/assuan/" class="external">assuan</a>. Unfortunately, <a href="http://www.gnupg.org/documentation/manuals/assuan/Assuan.html#Assuan" class="external">assuan's design criteria</a> state "no protection against DoS needed". This might make it unsuitable for a TLS implementation or other online tool.</p>
+
+
+ <p>It is not clear to me whether the trusted CAs should be sent over the IPC, or whether it is something that is assumed to be known by the agent. The latter seems safer, but the former may be useful in some scenarios. <em>(what scenarios?)</em> They aren't mutually incompatible, so maybe we can support both.</p>
+
+
+ <p>Thus we need a command to send over a trusted certificate:</p>
+
+
+ <pre><code>TRUSTED [b64pem...]</code></pre>
+
+
+ <p>And also send over untrusted certificates provided by the TLS peer:</p>
+
+
+ <pre><code>UNTRUSTED [b64pem...]</code></pre>
+
+
+ <p>Finally, a request to perform chain validation on a particular certificate is performed using:</p>
+
+
+ <pre><code>VALIDATE [b64pem...]</code></pre>
+
+
+ <h2 id="Generic-Certificate-Validation">Generic Certificate Validation<a href="#Generic-Certificate-Validation" class="wiki-anchor">¶</a></h2>
+
+
+ <p>It would be nice to be able to hand the agent any kind of certificate (OpenPGP or X.509), or even to be able to hand the agent a raw public key to see if it validates.</p>
+
+
+ <p>The crucial request would be:</p>
+
+
+ <pre><code>VALIDATE {LABEL} {CERTTYPE} {PEERNAME} {CERTIFICATE}</code></pre>
+
+
+ <p>This says "I'm a program called LABEL. I'm about to send you a certificate of type CERTTYPE. I want you to tell me whether the specified PEERNAME matches one of the names stored in the certificate, and that the matching name in the certificate is cryptographically valid based on your knowledge of trusted certifiers."</p>
+
+
+ <p>The agent can respond with VALID or INVALID. We maybe should consider whether INVALID might be implemented as an extensible set of reasons for invalidity (e.g. EXPIRED, NOMATCH, UNTRUSTED, SELFSIGNED, etc): would the potential extensibility from this outweigh the added implementation and semantic complexity?</p>
+
+
+ <p>The possible options for CERTTYPE could be:</p>
+
+
+ <ul>
+ <li>RAWPUBKEY (maybe modelled after <a href="http://tools.ietf.org/html/rfc4253#section-6.6" class="external">ssh-dss and ssh-rsa in RFC 4253</a> ?)</li>
+ <li>OPENPGP (after <a href="http://tools.ietf.org/html/rfc4880#section-11.1" class="external">section 11.1 of RFC 4880</a> either base-64 encoded or raw)</li>
+ <li>X509 (after <a href="http://tools.ietf.org/html/rfc5280" class="external">RFC 5280</a>, either PEM or DER encoded)</li>
+ </ul>
+
+
+ <p>This would allow numerous clients and servers to make use of the validation agent. For example:</p>
+
+
+ <ul>
+ <li><a href="http://www.lysator.liu.se/~nisse/lsh/" class="external">lsh</a> could feed its fetched host keys to the validation agent instead of having to maintain ~/.lsh/host-acls</li>
+ <li><a href="http://www.openldap.org/doc/admin24/tls.html#Client%20Certificates" class="external">slapd</a> could use the validation agent to identify the DN of the remote client.</li>
+ <li><a href="http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts" class="external">subversion</a> could ask the validation agent to ensure that the OpenPGP certificate offered by a remote https server (using <a href="http://www.outoforder.cc/projects/apache/mod_gnutls/" class="external">mod_gnutls</a>) is in fact who it claims to be (and the mod_gnutls could validate the identity of the client in the same way).</li>
+ </ul>
+
+
+ <p>Additionally, it might be nice to have a command to offer intermediate certificates to the certificate store:</p>
+
+
+ <pre><code>UNTRUSTED {LABEL} {CERTTYPE} {CERTIFICATE}</code></pre>
+
+
+ <p>using UNTRUSTED with a RAWPUBKEY certificate wouldn't be a meaningful operation, but it could be used for intermediate X.509 certificates, or for the equivalent OpenPGP certificates (if such things were handy).</p>
+</div>
+
+
+
+
+
+
+<p class="other-formats">
+Also available in:
+<span><a href="/wiki/gnutls/GnuTLSExternalValidation?export=html&version=9" class="html">HTML</a></span>
+<span><a href="/wiki/gnutls/GnuTLSExternalValidation?export=txt&version=9" class="text">TXT</a></span>
+</p>
+
+
+
+
+
+
+
+ </div>
+</div>
+
+<div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
+
+<div id="footer">
+ Powered by <a href="http://www.redmine.org/">Redmine</a> © 2006-2008 Jean-Philippe Lang
+</div>
+</div>
+
+</body>
+</html>
# Set whether or not to check keyservers at every monkeysphere
# interaction, including all ssh connections if you use the
-# monkeysphere-ssh-proxycommand.
+# monkeysphere ssh-proxycommand.
# NOTE: setting CHECK_KEYSERVER to true will leak information about
# the timing and frequency of your ssh connections to the maintainer
# of the keyserver.
.B update\-authorized_keys
Update the authorized_keys file for the user executing the command
(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all
-monkeysphere keys are cleared from the authorized_keys file. Then, or
-each user ID in the user's authorized_user_ids file, gpg will be
+monkeysphere keys are cleared from the authorized_keys file. Then,
+for each user ID in the user's authorized_user_ids file, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
.BR monkeysphere (7)),
the `\-\-length' or `\-l' option. `g' may be used in place of
`gen\-subkey'.
.TP
-.B ssh\-proxycommand
+.B ssh\-proxycommand [--no-connect] HOST [PORT]
An ssh ProxyCommand that can be used to trigger a monkeysphere update
of the ssh known_hosts file for a host that is being connected to with
ssh. This works by updating the known_hosts file for the host first,
`\-', then the key will be imported from stdin. Only RSA keys are
supported at the moment. NAME[:PORT] is used to specify the
fully-qualified hostname (and port) used in the user ID of the new
-OpenPGP key. If PORT is not specified, the no port is added to the
+OpenPGP key. If PORT is not specified, then no port is added to the
user ID, which means port 22 is assumed. `i' may be used in place of
`import\-key'.
.TP
monkeysphere (0.25-1~pre) UNRELEASED; urgency=low
* New upstream release:
- - fix the marginal ui output so that it's not prefixed by the LOG_PREFIX
-
- -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 07 Mar 2009 12:28:13 -0500
+ - update/fix the marginal ui output
+ - use msmktempdir everywhere (avoid unwrapped calls to mktemp for
+ portability)
+ - clean out some redundant "cat"s
+ - fix monkeysphere update-known_hosts for sshd running on non-standard
+ ports
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Wed, 18 Mar 2009 11:46:44 -0400
monkeysphere (0.24-1) unstable; urgency=low
--- /dev/null
+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
+# $Id$
+
+PortSystem 1.0
+
+name monkeysphere
+version 0.24
+categories net
+maintainers nomaintainer
+platforms darwin
+description use the OpenPGP web of trust to verify ssh connections
+
+long_description SSH key-based authentication is tried-and-true, \
+ but it lacks a true Public Key Infrastructure for \
+ key certification, revocation and expiration. \
+ Monkeysphere is a framework that uses the OpenPGP \
+ web of trust for these PKI functions. It can be \
+ used in both directions: for users to get \
+ validated host keys, and for hosts to authenticate \
+ users.
+
+homepage http://web.monkeysphere.info/
+master_sites http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
+distname ${name}_${version}
+worksrcdir ${name}-${version}
+checksums md5 8590532f4702fa44027a6a583657c9ef
+
+depends_run bin:ssh:openssh \
+ port:gnupg \
+ port:perl5.10 \
+ port:p5-crypt-rsa \
+ port:p5-digest-sha1 \
+ port:procmail
+
+build.target build
+destroot.args PREFIX=${destroot}${prefix} \
+ CONFDIR=${destroot}${prefix}/etc/monkeysphere \
+ DBDIR=${destroot}${prefix}/var/lib/monkeysphere \
+ MANDIR=${destroot}${prefix}/share/man \
+ DOCDIR=${destroot}${prefix}/share/doc/monkeysphere
update-authorized_keys (a) update authorized_keys file
gen-subkey (g) [KEYID] generate an authentication subkey
--length (-l) BITS key length in bits (2048)
- ssh-proxycommand monkeysphere ssh ProxyCommand
+ ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand
subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
version (v) show version number
help (h,?) this help
# output known_hosts line from ssh key
ssh2known_hosts() {
local host
+ local port
local key
- host="$1"
+ # FIXME this does not properly deal with IPv6 hosts using the
+ # standard port (because it's unclear whether their final
+ # colon-delimited address section is a port number or an address
+ # string)
+ host=${1%:*}
+ port=${1##*:}
key="$2"
- echo -n "$host "
- echo -n "$key" | tr -d '\n'
- echo " MonkeySphere${DATE}"
+ # specify the host and port properly for new ssh known_hosts
+ # format
+ if [ "$port" != "$host" ] ; then
+ host="[${host}]:${port}"
+ fi
+ printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE"
}
# output authorized_keys line from ssh key
userID="$1"
key="$2"
- echo -n "$key" | tr -d '\n'
- echo " MonkeySphere${DATE} ${userID}"
+ printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
}
# convert key from gpg to ssh known_hosts format
gpg2known_hosts() {
local host
local keyID
+ local key
host="$1"
keyID="$2"
+ key=$(gpg2ssh "$keyID")
+
# NOTE: it seems that ssh-keygen -R removes all comment fields from
# all lines in the known_hosts file. why?
# NOTE: just in case, the COMMENT can be matched with the
# following regexp:
# '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
- echo -n "$host "
- gpg2ssh "$keyID" | tr -d '\n'
- echo " MonkeySphere${DATE}"
+ printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE"
}
# convert key from gpg to ssh authorized_keys format
gpg2authorized_keys() {
local userID
local keyID
+ local key
userID="$1"
keyID="$2"
+ key=$(gpg2ssh "$keyID")
+
# NOTE: just in case, the COMMENT can be matched with the
# following regexp:
# '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
- gpg2ssh "$keyID" | tr -d '\n'
- echo " MonkeySphere${DATE} ${userID}"
+ printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
}
### GPG UTILITIES
check_gpg_authentication_subkey "$keyID"
# generate the list of commands that will be passed to edit-key
- editCommands=$(cat <<EOF
-addkey
+ editCommands="addkey
7
S
E
Q
$keyLength
0
-save
-EOF
-)
+save"
# setup the temp fifo dir for retrieving the key password
log debug "creating password fifo..."
LOG_PREFIX=
- cat <<EOF | log info
--------------------- Monkeysphere warning -------------------
-Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
-EOF
-
- # retrieve the actual ssh key
- sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
- # FIXME: should we do any checks for failed keyscans, eg. host not
- # found?
+ # retrieve the ssh key being offered by the host
+ sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \
+ | awk '{ print $2, $3 }')
# get the gpg info for userid
gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \
--with-fingerprint --with-fingerprint \
="$userID" 2>/dev/null)
- # find all 'pub' and 'sub' lines in the gpg output, which each
- # represent a retrieved key for the user ID
- echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
- while IFS=: read -r type validity keyid uidfpr usage ; do
- case $type in
- 'pub'|'sub')
- # get the ssh key of the gpg key
- sshKeyGPG=$(gpg2ssh "$keyid")
-
- # if one of keys found matches the one offered by the
- # host, then output info
- if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
- cat <<EOF | log info
+ # output header
+ log info <<EOF
+-------------------- Monkeysphere warning -------------------
+Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+EOF
+
+ # if the host key is retrieved from the host, check against known
+ # OpenPGP keys
+ if [ "$sshKeyOffered" ] ; then
+ # find all 'pub' and 'sub' lines in the gpg output, which each
+ # represent a retrieved key for the user ID
+ echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+ while IFS=: read -r type validity keyid uidfpr usage ; do
+ case $type in
+ 'pub'|'sub')
+ # get the ssh key of the gpg key
+ sshKeyGPG=$(gpg2ssh "$keyid")
+
+ # if one of keys found matches the one offered by the
+ # host, then output info
+ if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+ log info <<EOF
An OpenPGP key matching the ssh key offered by the host was found:
EOF
- sshKeyGPGFile=$(msmktempfile)
- printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
- sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
- awk '{ print $2 }')
- rm -f "$sshKeyGPGFile"
+ sshKeyGPGFile=$(msmktempfile)
+ printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
+ sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
+ awk '{ print $2 }')
+ rm -f "$sshKeyGPGFile"
- # get the sigs for the matching key
- gpgSigOut=$(gpg_user --check-sigs \
- --list-options show-uid-validity \
- "$keyid")
+ # get the sigs for the matching key
+ gpgSigOut=$(gpg_user --check-sigs \
+ --list-options show-uid-validity \
+ "$keyid")
- # output the sigs, but only those on the user ID
- # we are looking for
- echo "$gpgSigOut" | awk '
+ # output the sigs, but only those on the user ID
+ # we are looking for
+ echo "$gpgSigOut" | awk '
{
if (match($0,"^pub")) { print; }
if (match($0,"^uid")) { ok=0; }
if (ok) { if (match($0,"^sig")) { print; } }
}
' | log info
- echo | log info
+ echo | log info
- # output the other user IDs for reference
- if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
- cat <<EOF | log info
+ # output the other user IDs for reference
+ if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+ log info <<EOF
Other user IDs on this key:
EOF
- echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
- echo | log info
- fi
+ echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
+ echo | log info
+ fi
- # output ssh fingerprint
- cat <<EOF | log info
+ # output ssh fingerprint
+ log info <<EOF
RSA key fingerprint is ${sshFingerprint}.
EOF
- # this whole process is in a "while read"
- # subshell. the only way to get information out
- # of the subshell is to change the return code.
- # therefore we return 1 here to indicate that a
- # matching gpg key was found for the ssh key
- # offered by the host
- return 1
- fi
- ;;
- esac
- done || returnCode="$?"
-
- # if no key match was made (and the "while read" subshell returned
- # 1) output how many keys were found
- if (( returnCode != 1 )) ; then
- cat <<EOF | log info
+ # this whole process is in a "while read"
+ # subshell. the only way to get information
+ # out of the subshell is to change the return
+ # code. therefore we return 1 here to
+ # indicate that a matching gpg key was found
+ # for the ssh key offered by the host
+ return 1
+ fi
+ ;;
+ esac
+ done || returnCode="$?"
+
+ # if no key match was made (and the "while read" subshell
+ # returned 1) output how many keys were found
+ if (( returnCode != 1 )) ; then
+ log info <<EOF
None of the found keys matched the key offered by the host.
Run the following command for more info about the found keys:
gpg --check-sigs --list-options show-uid-validity =${userID}
EOF
- # FIXME: should we do anything extra here if the retrieved
- # host key is actually in the known_hosts file and the ssh
- # connection will succeed? Should the user be warned?
- # prompted?
+ # FIXME: should we do anything extra here if the retrieved
+ # host key is actually in the known_hosts file and the ssh
+ # connection will succeed? Should the user be warned?
+ # prompted?
+ fi
+
+ # if host key could not be retrieved from the host, output message
+ else
+ log info <<EOF
+Could not retrieve RSA host key from $HOST.
+EOF
fi
- cat <<EOF | log info
+ # output footer
+ log info <<EOF
-------------------- ssh continues below --------------------
EOF
}
# edit-key script to ltsign key
# NOTE: *all* user IDs will be ltsigned
-ltsignCommand=$(cat <<EOF
-ltsign
+ltsignCommand="ltsign
y
$trustval
$depth
$domain
y
-save
-EOF
- )
+save"
+# end script
# core ltsigns the newly imported certifier key
log debug "executing core ltsign script..."
fi
# edit-key script command to add user ID
-adduidCommand=$(cat <<EOF
-adduid
+adduidCommand="adduid
$userID
-save
-EOF
-)
+save"
+# end script
# execute edit-key script
if echo "$adduidCommand" | gpg_host_edit ; then
fi
# edit-key script to add revoker
-addrevokerCommand=$(cat <<EOF
-addrevoker
+addrevokerCommand="addrevoker
$fingerprint
y
save
-
-EOF
- )
+"
+# end script
# core ltsigns the newly imported revoker key
log debug "executing add revoker script..."
fi
# edit-key script command to revoke user ID
-revuidCommand=$(cat <<EOF
-$uidIndex
+revuidCommand="$uidIndex
revuid
y
4
Hostname removed by monkeysphere-host: $DATE
y
-save
-EOF
- )
+save"
+# end script
# execute edit-key script
if echo "$revuidCommand" | gpg_host_edit ; then
update_gpg_pub_file
-cat <<EOF | log info
+log info <<EOF
NOTE: Host key expiration date adjusted, but not yet published.
Run '$PGRM publish-key' to publish the new expiration date.
EOF
## Debian ##
If you are running a [Debian](http://www.debian.org/) system, the
-[monkeysphere is now available in the Debian unstable ("sid")
-distribution](http://packages.debian.org/sid/monkeysphere).
+[monkeysphere is available in the Debian archive](http://packages.debian.org/search?keywords=monkeysphere&searchon=names§ion=all&suite=all)
+
+If you are running Debian unstable or testing install the latest monkeysphere
+version as follows:
+
+ aptitude install monkeysphere
+
+If you are running Debian stable, you can get the monkeysphere package
+from [backports.org](http://backports.org/dokuwiki/doku.php?id=instructions)
You can also install the Monkeysphere directly from the Monkeysphere
Debian archive. You can add this archive to your system by putting
the following lines in `/etc/apt/sources.list.d/monkeysphere.list`:
- deb http://archive.monkeysphere.info/debian experimental monkeysphere
- deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
+ deb http://archive.monkeysphere.info/debian experimental monkeysphere
+ deb-src http://archive.monkeysphere.info/debian experimental monkeysphere
The repository is currently signed by [The Monkeysphere archive
signing key](/archive-key), key id EB8AF314 (fingerprint: `2E8D D26C
## FreeBSD ##
-There is [now a FreeBSD port available](/news/FreeBSD-port-available)
-for the Monkeysphere.
+There is [a FreeBSD port
+available](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere)
+for the Monkeysphere, built and tested against FreeBSD 7.1.
-While the monkeysphere is not officially included in the ports tree
-yet, [a problem
-report](http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128406) has
-been submitted, and the package itself is functional.
+You should be able to build and install the latest port with:
-The latest version of the ports directory can be found in [the git
-repository](/community) under
-`packaging/freebsd/security/monkeysphere`. Please [let us
-know](/community) if you encounter any problems with it on a FreeBSD
-system.
-
-Until the port is accepted, you should be able to build the latest
-port with:
-
- git clone git://git.monkeysphere.info/monkeysphere
- cp -a monkeysphere/packaging/freebsd/security/monkeysphere /usr/ports/security
cd /usr/ports/security/monkeysphere
- make && make install
+ make package
+
+Enjoy!
## Source ##
--- /dev/null
+[[meta title="Monkeysphere 0.24 accepted in Debian testing"]]
+
+[Monkeysphere 0.24 is now available in the Debian testing distribution
+("squeeze")](http://packages.debian.org/testing/monkeysphere).
+Monkeysphere 0.24 is our strongest release yet. If you are running
+Debian testing, installing the monkeysphere is now very easy:
+
+ aptitude install monkeysphere
+
+See the [[download]] page for more information.
--- /dev/null
+[[meta title="Monkeysphere 0.24 accepted as a Debian Backport"]]
+
+[Monkeysphere 0.24 is now available at [Backports.org](http://backports.org).
+If you are running Debian stable ("Lenny"), you can install this version
+of the monkeysphere package by following the [instructions for installing
+backports](http://backports.org/dokuwiki/doku.php?id=instructions).
+
+See the [[download]] page for more information.
--- /dev/null
+[[meta title="FreeBSD 0.24 port accepted"]]
+
+FreeBSD's ports tree now contains [a port of the
+Monkeysphere](http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere),
+version 0.24. If you run FreeBSD, [update your ports
+tree](http://www.freebsd.org/doc/en/books/handbook/ports-using.html),
+and then:
+
+ cd /usr/ports/security/monkeysphere
+ make package
+
[[meta title="FreeBSD port available"]]
+Update: [FreeBSD's official ports tree now contains monkeysphere
+0.24](FreeBSD-0.24-port-accepted).
+
There is now a FreeBSD port available for the Monkeysphere.
It has been built and tested (so far) on a FreeBSD 7.1 AMD64 system,
projects / monkeysphere.git / commitdiff