SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users.

WWW: http://web.monkeysphere.info/

Fix: I include the .shar for the port tree, but also the required patches to UIDs and GIDs.

# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# monkeysphere
# monkeysphere/files
# monkeysphere/files/patch-etclocation
# monkeysphere/files/patch-sharelocation
# monkeysphere/files/patch-varlocation
# monkeysphere/distinfo
# monkeysphere/pkg-descr
# monkeysphere/pkg-deinstall
# monkeysphere/pkg-install
# monkeysphere/pkg-plist
# monkeysphere/Makefile
#
echo c - monkeysphere
mkdir -p monkeysphere > /dev/null 2>&1
echo c - monkeysphere/files
mkdir -p monkeysphere/files > /dev/null 2>&1
echo x - monkeysphere/files/patch-etclocation
sed 's/^X//' >monkeysphere/files/patch-etclocation << 'END-of-monkeysphere/files/patch-etclocation'
Xdiff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf Xindex c001f2d..d33fd36 100644 X--- etc/monkeysphere-server.conf X+++ etc/monkeysphere-server.conf X@@ -17,7 +17,7 @@ X # authorized_keys file. '%h' will be replaced by the home directory X # of the user, and %u will be replaced by the username of the user. 
X # For purely admin-controlled authorized_user_ids, you might put them X-# in /etc/monkeysphere/authorized_user_ids/%u X+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u X #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" X X # Whether to add user controlled authorized_keys file to Xdiff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1 Xindex 3ece735..09320d2 100644 X--- man/man1/monkeysphere.1 X+++ man/man1/monkeysphere.1 X@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_keys). X ~/.monkeysphere/monkeysphere.conf X User monkeysphere config file. X .TP X-/etc/monkeysphere/monkeysphere.conf X+/usr/local/etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. X .TP X ~/.monkeysphere/authorized_user_ids Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 Xindex f207e2c..360408e 100644 X--- man/man8/monkeysphere-server.8 X+++ man/man8/monkeysphere-server.8 X@@ -203,10 +203,10 @@ User to control authentication keychain (monkeysphere). X .SH FILES X X .TP X-/etc/monkeysphere/monkeysphere-server.conf X+/usr/local/etc/monkeysphere/monkeysphere-server.conf X System monkeysphere-server config file. X .TP X-/etc/monkeysphere/monkeysphere.conf X+/usr/local/etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. 
X .TP X /var/lib/monkeysphere/authorized_keys/USER X--- src/common.orig 2008-10-12 14:58:00.000000000 -0400 X+++ src/common 2008-10-25 17:40:34.000000000 -0400 X@@ -16,7 +16,7 @@ X ### COMMON VARIABLES X X # managed directories X-SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} X+SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"} X export SYSCONFIGDIR X X ######################################################################## END-of-monkeysphere/files/patch-etclocation echo x - monkeysphere/files/patch-sharelocation sed 's/^X//' >monkeysphere/files/patch-sharelocation << 'END-of-monkeysphere/files/patch-sharelocation' X--- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400 X+++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400 X@@ -13,7 +13,7 @@ X ######################################################################## X PGRM=$(basename $0) X X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X X--- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400 X+++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400 X@@ -13,7 +13,7 @@ X ######################################################################## X PGRM=$(basename $0) X X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X END-of-monkeysphere/files/patch-sharelocation echo x - monkeysphere/files/patch-varlocation sed 's/^X//' >monkeysphere/files/patch-varlocation << 'END-of-monkeysphere/files/patch-varlocation' Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 Xindex f207e2c..29c7b6a 100644 X--- man/man8/monkeysphere-server.8 X+++ man/man8/monkeysphere-server.8 X@@ -128,7 +128,7 @@ command to push the key to a keyserver. 
You must also modify the X sshd_config on the server to tell sshd where the new server host key X is located: X X-HostKey /var/lib/monkeysphere/ssh_host_rsa_key X+HostKey /var/monkeysphere/ssh_host_rsa_key X X In order for users logging into the system to be able to verify the X host via the monkeysphere, at least one person (e.g. a server admin) X@@ -170,7 +170,7 @@ users. You must also tell sshd to look at the monkeysphere-generated X authorized_keys file for user authentication by setting the following X in the sshd_config: X X-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u X+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u X X It is recommended to add "monkeysphere-server update-users" to a X system crontab, so that user keys are kept up-to-date, and key X@@ -209,17 +209,17 @@ System monkeysphere-server config file. X /etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. X .TP X-/var/lib/monkeysphere/authorized_keys/USER X+/var/monkeysphere/authorized_keys/USER X Monkeysphere-generated user authorized_keys files. X .TP X-/var/lib/monkeysphere/ssh_host_rsa_key X+/var/monkeysphere/ssh_host_rsa_key X Copy of the host's private key in ssh format, suitable for use by X sshd. X .TP X-/var/lib/monkeysphere/gnupg-host X+/var/monkeysphere/gnupg-host X Monkeysphere host GNUPG home directory. X .TP X-/var/lib/monkeysphere/gnupg-authentication X+/var/monkeysphere/gnupg-authentication X Monkeysphere authentication GNUPG home directory. 
X X .SH AUTHOR Xdiff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn Xindex 6c8ad53..67fdda1 100644 X--- doc/getting-started-admin.mdwn X+++ doc/getting-started-admin.mdwn X@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections, put the X following line in `/etc/ssh/sshd_config` (be sure to remove references X to any other keys): X X- HostKey /var/lib/monkeysphere/ssh_host_rsa_key X+ HostKey /var/monkeysphere/ssh_host_rsa_key X X FIXME: should we just suggest symlinks in the filesystem here instead? X X@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate using the X OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again, X making sure that no other AuthorizedKeysFile directive exists): X X- AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u X+ AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u X X And then read the section below about how to ensure these files are X maintained. You'll need to restart `sshd` to have your changes take X--- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400 X+++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400 X@@ -17,7 +17,7 @@ X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X X-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} X+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"} X export SYSDATADIR X X # UTC date in ISO 8601 format if needed X--- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400 X+++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400 X@@ -4,8 +4,8 @@ X # It is highly recommended that you X # DO NOT MODIFY X # these variables. X-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg X-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg X+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg X+keyring /var/monkeysphere/gnupg-host/pubring.gpg X X # PGP keyserver to use for PGP queries. 
X keyserver hkp://pgp.mit.edu END-of-monkeysphere/files/patch-varlocation echo x - monkeysphere/distinfo sed 's/^X//' >monkeysphere/distinfo << 'END-of-monkeysphere/distinfo' XMD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49 XSHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7 XSIZE (monkeysphere_0.16.orig.tar.gz) = 66062 END-of-monkeysphere/distinfo echo x - monkeysphere/pkg-descr sed 's/^X//' >monkeysphere/pkg-descr << 'END-of-monkeysphere/pkg-descr' XSSH key-based authentication is tried-and-true, but it lacks a true XPublic Key Infrastructure for key certification, revocation and Xexpiration. Monkeysphere is a framework that uses the OpenPGP web of Xtrust for these PKI functions. It can be used in both directions: for Xusers to get validated host keys, and for hosts to authenticate users. X XWWW: http://web.monkeysphere.info/ END-of-monkeysphere/pkg-descr echo x - monkeysphere/pkg-deinstall sed 's/^X//' >monkeysphere/pkg-deinstall << 'END-of-monkeysphere/pkg-deinstall' X#!/bin/sh X X# a package removal script for monkeysphere (borrowing from X# monkeysphere's debian/monkeysphere.postrm) X X# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> X# Copyright 2008 X X# FIXME: is /var/lib/monkeysphere the right place for this stuff on X# FreeBSD? XVARLIB="/var/monkeysphere" X X Xcase $2 in XPOST-DEINSTALL) X USER=monkeysphere X# FIXME: This doesn't do anything! Under what circumstances do we X# want to actually automatically purge all of /var/monkeysphere? X X# (note: FreeBSD does not seem to want the package-specific user to be X# purged at package removal) X if pw user show "${USER}" 2>/dev/null >/dev/null; then X echo "Warning: If you will *NOT* use this package anymore, please remove the monkeysphere user manually." 
X fi X if [ -d "$VARLIB" ] ; then X echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB" X fi X;; Xesac END-of-monkeysphere/pkg-deinstall echo x - monkeysphere/pkg-install sed 's/^X//' >monkeysphere/pkg-install << 'END-of-monkeysphere/pkg-install' X#!/bin/sh X X# an installation script for monkeysphere (borrowing liberally from X# postgresql and mysql pkg-install scripts, and from monkeysphere's X# debian/monkeysphere.postinst) X X# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> X# Copyright 2008 X X# FIXME: is /var/lib/monkeysphere the right place for this stuff on X# FreeBSD? X X# PostgreSQL puts its data in /usr/local/pgsql/data X X# MySQL puts its data in /var/db/mysql X XVARLIB="/var/monkeysphere" X Xcase $2 in XPOST-INSTALL) X USER=monkeysphere X GROUP=${USER} X UID=641 X GID=${UID} X SHELL=/usr/local/bin/bash X X if pw group show "${GROUP}" >/dev/null 2>&1; then X echo "You already have a group \"${GROUP}\", so I will use it." X else X if pw groupadd ${GROUP} -g ${GID}; then X echo "Added group \"${GROUP}\"." X else X echo "Adding group \"${GROUP}\" failed..." X exit 1 X fi X fi X X if pw user show "${USER}" >/dev/null 2>&1; then X oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:` X if [ x"$oldshell" != x"$SHELL" ]; then X echo "You already have a \"${USER}\" user, but its shell is '$oldshell'." X echo "This package requires that \"${USER}\"'s shell be '$SHELL'." X echo "You should fix this by hand and then re-install the package." X echo " hint: pw usermod '$USER' -s '$SHELL'" X exit 1 X fi X echo "You already have a user \"${USER}\" with the proper shell, so I will use it." X else X if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \ X -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphere authentication user,,," X then X echo "Added user \"${USER}\"." X else X echo "Adding user \"${USER}\" failed..." 
X exit 1 X fi X fi X X ## set up the cache directories: X X install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host X cat <<EOF > "$VARLIB"/gnupg-host/gpg.conf Xlist-options show-uid-validity XEOF X X install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication X# install authentication gpg.conf X cat <<EOF > "$VARLIB"/gnupg-authentication/gpg.conf Xlist-options show-uid-validity Xprimary-keyring $VARLIB/gnupg-authentication/pubring.gpg Xkeyring $VARLIB/gnupg-host/pubring.gpg XEOF X chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf X X monkeysphere-server diagnostics X ;; Xesac END-of-monkeysphere/pkg-install echo x - monkeysphere/pkg-plist sed 's/^X//' >monkeysphere/pkg-plist << 'END-of-monkeysphere/pkg-plist' Xsbin/monkeysphere-server Xshare/doc/monkeysphere/TODO Xshare/doc/monkeysphere/MonkeySpec Xshare/doc/monkeysphere/getting-started-user.mdwn Xshare/doc/monkeysphere/getting-started-admin.mdwn Xbin/openpgp2ssh Xbin/monkeysphere-ssh-proxycommand Xbin/monkeysphere Xshare/monkeysphere/common X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi Xetc/monkeysphere/monkeysphere.conf.sample X@exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi Xetc/monkeysphere/monkeysphere-server.conf.sample X@exec if [ ! 
-f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi X@dirrm share/doc/monkeysphere X@dirrm share/monkeysphere X@dirrm etc/monkeysphere END-of-monkeysphere/pkg-plist echo x - monkeysphere/Makefile sed 's/^X//' >monkeysphere/Makefile << 'END-of-monkeysphere/Makefile' X# New ports collection makefile for: monkeysphere X# Date created: 2008-09-11 23:38:27-0400 X# Whom: Daniel Kahn Gillmor <dkg@fifthhorseman.net> X# X# $FreeBSD$ X# X XPORTNAME= monkeysphere XPORTVERSION= 0.16 XCATEGORIES= security XMASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ X# hack for debian orig tarballs XDISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz X XMAINTAINER= anarcat@anarcat.ath.cx XCOMMENT= use the OpenPGP web of trust to verify ssh connections X XLIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls XRUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \ X gpg:${PORTSDIR}/security/gnupg \ X lockfile:${PORTSDIR}/mail/procmail \ X /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \ X bash:${PORTSDIR}/shells/bash X XMAN1= monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1 XMAN7= monkeysphere.7 XMAN8= monkeysphere-server.8 XMANCOMPRESSED= yes X XMAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample X X# get rid of cruft after the patching: Xpost-patch: X find . -iname '*.orig' -delete X Xpost-install: X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \ X fi X @if [ ! 
-f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \ X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \ X fi X.if !defined(PACKAGE_BUILDING) X @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL X.endif X Xpost-deinstall: X @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL X X.include <bsd.port.mk> END-of-monkeysphere/Makefile exit
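Review bot: patch-etclocation bakes the literal `/usr/local` into every hunk (the comment in etc/monkeysphere-server.conf, the FILES sections of man1/monkeysphere.1 and man8/monkeysphere-server.8, and the SYSCONFIGDIR default in src/common) while the Makefile already passes `ETCPREFIX=${PREFIX}` to the build, so a port built with a non-default PREFIX would install its config under ${PREFIX}/etc but look for it in /usr/local/etc. Substitute at build time instead of carrying the path in a patch, for example a post-patch `${REINPLACE_CMD} -e 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g'` over src/common and the man pages, or a %%PREFIX%% placeholder handled by SUB_FILES.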
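Review bot: patch-sharelocation has the same hardcoded-PREFIX problem for SYSSHAREDIR in src/monkeysphere and src/monkeysphere-server, and nothing in MAKE_ARGS covers the share directory (only ETCPREFIX and MANPREFIX are set), so this patch is the only thing pointing the scripts at the `share/monkeysphere/common` that pkg-plist installs. A single `${REINPLACE_CMD} -e 's|/usr/share/monkeysphere|${PREFIX}/share/monkeysphere|'` over src/* would cover both scripts and any other front end that sources common (pkg-plist also installs bin/monkeysphere-ssh-proxycommand, which this patch does not touch; worth checking whether it carries the same default).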
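Review bot: the `@@ -209,17 +209,17 @@` hunk of patch-varlocation against man8/monkeysphere-server.8 carries `/etc/monkeysphere/monkeysphere.conf` as unchanged context, but patch-etclocation, which the framework applies first (files/patch-* are applied in lexical order), has already rewritten that line to `/usr/local/etc/monkeysphere/monkeysphere.conf`, so this hunk only applies thanks to patch(1) fuzz and will break on the next small upstream change. Regenerate the diff against the etclocation-patched tree or merge both man-page edits into one patch file. Two smaller points on the same patch: the etc/gnupg-authentication.conf hunk moves `primary-keyring`/`keyring` to /var/monkeysphere, but pkg-install regenerates that same gpg.conf from a heredoc with identical lines, so there are now two sources of truth to keep in sync; and the choice of `/var/monkeysphere` over `/var/db/monkeysphere` (the location hier(7) describes for persistent, machine-specific data, and the one the pkg-install FIXME compares against MySQL's /var/db/mysql) should be settled before the path lands in the man page, sshd_config examples and getting-started-admin.mdwn.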
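Review bot: pkg-install hardcodes `UID=641`/`GID=${UID}` but the archive index lists only monkeysphere/* files, so the UIDs/GIDs registration the submission text refers to is not in this shar and the 641 allocation cannot be checked against ports/UIDs and ports/GIDs here; also rename the variables (e.g. `MS_UID`), since `UID` is read-only under bash even though the script runs under /bin/sh today. Both `cat <<EOF > "$VARLIB"/gnupg-host/gpg.conf` and the gnupg-authentication one run unconditionally on every POST-INSTALL, so a local edit is clobbered on reinstall, unlike the .conf/.sample handling in pkg-plist; guard them with `[ -f ... ] ||`. Finally, `monkeysphere-server diagnostics` is the script's last command, so its exit status becomes the script's, and a non-zero diagnostics result (likely on a freshly installed host with no host key yet) aborts `make install` through the Makefile's post-install; append `|| true` or make that failure deliberate and documented.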
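Review bot: pkg-deinstall's own FIXME ("This doesn't do anything!") is still open: POST-DEINSTALL only prints two warnings. Leaving $VARLIB in place is the right default, because gnupg-host holds the host's OpenPGP private key and the authentication keyring that sshd's AuthorizedKeysFile depends on, and an automatic purge would destroy it on a routine upgrade; so resolve the FIXME by stating that intent in the comment rather than leaving it as an open question, and keep the warning text.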
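Review bot: the Makefile's `post-patch: find . -iname '*.orig' -delete` runs with the port directory as cwd, not ${WRKSRC}, so it only reaches the .orig files because work/ happens to live under the port directory; with WRKDIRPREFIX set it misses them, and it would also delete any *.orig under files/. Use `@${FIND} ${WRKSRC} -name '*.orig' -delete`. The post-install copies of monkeysphere.conf.sample and monkeysphere-server.conf.sample duplicate the `@exec` lines in pkg-plist; harmless, but one of the two can go.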
On Thu, Oct 30, 2008 at 05:46:57PM -0400, Daniel Kahn Gillmor wrote: > I've talked with Antoine, and i'm up for taking over the FreeBSD port > of monkeysphere from him, since i'm more heavily involved with the > upstream development at the moment. He seems OK with that. I confirm that. A. -- Rock journalism is people who can't write interviewing people who can't talk for people who can't read. - Frank Zappa
Responsible Changed From-To: freebsd-ports-bugs->miwi I'll take it.
State Changed From-To: open->closed New port added. Thanks!
miwi 2009-03-10 07:45:27 UTC
FreeBSD ports repository

Modified files:
  security Makefile
Added files:
  security/monkeysphere Makefile distinfo pkg-deinstall pkg-descr pkg-install pkg-plist
  security/monkeysphere/files patch-src_monkeysphere-host patch-src_share_keytrans

Log:
SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users.

WWW: http://web.monkeysphere.info/

PR: ports/128406
Submitted by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>

Revision  Changes  Path
1.1023    +1 -0    ports/security/Makefile
1.1       +72 -0   ports/security/monkeysphere/Makefile (new)
1.1       +3 -0    ports/security/monkeysphere/distinfo (new)
1.1       +11 -0   ports/security/monkeysphere/files/patch-src_monkeysphere-host (new)
1.1       +11 -0   ports/security/monkeysphere/files/patch-src_share_keytrans (new)
1.1       +29 -0   ports/security/monkeysphere/pkg-deinstall (new)
1.1       +7 -0    ports/security/monkeysphere/pkg-descr (new)
1.1       +64 -0   ports/security/monkeysphere/pkg-install (new)
1.1       +49 -0   ports/security/monkeysphere/pkg-plist (new)