Bug 128406

Summary: New port: security/monkeysphere
Product: Ports & Packages
Reporter: Antoine Beaupre <anarcat>
Component: Individual Port(s)
Assignee: Martin Wilke <miwi>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
  file.diff (flags: none)
  file.diff (flags: none)

Description Antoine Beaupre 2008-10-27 02:20:01 UTC
SSH key-based authentication is tried-and-true, but it lacks a true
Public Key Infrastructure for key certification, revocation and
expiration.  Monkeysphere is a framework that uses the OpenPGP web of
trust for these PKI functions.  It can be used in both directions: for
users to get validated host keys, and for hosts to authenticate users.

WWW: http://web.monkeysphere.info/

Fix: I include the .shar for the port tree, but also the required patches to UIDs and GIDs.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	monkeysphere
#	monkeysphere/files
#	monkeysphere/files/patch-etclocation
#	monkeysphere/files/patch-sharelocation
#	monkeysphere/files/patch-varlocation
#	monkeysphere/distinfo
#	monkeysphere/pkg-descr
#	monkeysphere/pkg-deinstall
#	monkeysphere/pkg-install
#	monkeysphere/pkg-plist
#	monkeysphere/Makefile
#
echo c - monkeysphere
mkdir -p monkeysphere > /dev/null 2>&1
echo c - monkeysphere/files
mkdir -p monkeysphere/files > /dev/null 2>&1
echo x - monkeysphere/files/patch-etclocation
sed 's/^X//' >monkeysphere/files/patch-etclocation << 'END-of-monkeysphere/files/patch-etclocation'
Xdiff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf
Xindex c001f2d..d33fd36 100644
X--- etc/monkeysphere-server.conf
X+++ etc/monkeysphere-server.conf
X@@ -17,7 +17,7 @@
X # authorized_keys file.  '%h' will be replaced by the home directory
X # of the user, and %u will be replaced by the username of the user.
X # For purely admin-controlled authorized_user_ids, you might put them
X-# in /etc/monkeysphere/authorized_user_ids/%u
X+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u
X #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
X 
X # Whether to add user controlled authorized_keys file to
Xdiff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1
Xindex 3ece735..09320d2 100644
X--- man/man1/monkeysphere.1
X+++ man/man1/monkeysphere.1
X@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_keys).
X ~/.monkeysphere/monkeysphere.conf
X User monkeysphere config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X ~/.monkeysphere/authorized_user_ids
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..360408e 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -203,10 +203,10 @@ User to control authentication keychain (monkeysphere).
X .SH FILES
X 
X .TP
X-/etc/monkeysphere/monkeysphere-server.conf
X+/usr/local/etc/monkeysphere/monkeysphere-server.conf
X System monkeysphere-server config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X /var/lib/monkeysphere/authorized_keys/USER
X--- src/common.orig	2008-10-12 14:58:00.000000000 -0400
X+++ src/common	2008-10-25 17:40:34.000000000 -0400
X@@ -16,7 +16,7 @@
X ### COMMON VARIABLES
X 
X # managed directories
X-SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"}
X+SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"}
X export SYSCONFIGDIR
X 
X ########################################################################
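Review bot: the replacement default in this src/common hunk bakes /usr/local into SYSCONFIGDIR, so a build with a non-default PREFIX installs its config under ${PREFIX}/etc (the Makefile passes ETCPREFIX=${PREFIX} in MAKE_ARGS) while the runtime keeps looking in /usr/local/etc. Rather than patching in a fixed path, substitute ${PREFIX} at build time, for example a post-patch REINPLACE_CMD that rewrites the original /etc/monkeysphere default; that also keeps the man page and config-comment hunks above consistent with the real install location.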
END-of-monkeysphere/files/patch-etclocation
echo x - monkeysphere/files/patch-sharelocation
sed 's/^X//' >monkeysphere/files/patch-sharelocation << 'END-of-monkeysphere/files/patch-sharelocation'
X--- src/monkeysphere.orig	2008-10-12 14:58:00.000000000 -0400
X+++ src/monkeysphere	2008-10-25 17:41:41.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=$(basename $0)
X 
X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X 
X--- src/monkeysphere-server.orig	2008-10-25 14:17:50.000000000 -0400
X+++ src/monkeysphere-server	2008-10-25 17:42:50.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=$(basename $0)
X 
X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X 
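Review bot: same PREFIX problem as patch-etclocation, in both this src/monkeysphere-server hunk and the identical src/monkeysphere hunk above: /usr/local/share/monkeysphere is hardcoded as the SYSSHAREDIR default, and since common is sourced from "${SYSSHAREDIR}/common" the whole tool exits on a non-default PREFIX. Rewrite the default to ${PREFIX}/share/monkeysphere at build time instead of carrying a literal path in the patch.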
END-of-monkeysphere/files/patch-sharelocation
echo x - monkeysphere/files/patch-varlocation
sed 's/^X//' >monkeysphere/files/patch-varlocation << 'END-of-monkeysphere/files/patch-varlocation'
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..29c7b6a 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -128,7 +128,7 @@ command to push the key to a keyserver.  You must also modify the
X sshd_config on the server to tell sshd where the new server host key
X is located:
X 
X-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+HostKey /var/monkeysphere/ssh_host_rsa_key
X 
X In order for users logging into the system to be able to verify the
X host via the monkeysphere, at least one person (e.g. a server admin)
X@@ -170,7 +170,7 @@ users.  You must also tell sshd to look at the monkeysphere-generated
X authorized_keys file for user authentication by setting the following
X in the sshd_config:
X 
X-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X 
X It is recommended to add "monkeysphere-server update-users" to a
X system crontab, so that user keys are kept up-to-date, and key
X@@ -209,17 +209,17 @@ System monkeysphere-server config file.
X /etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X-/var/lib/monkeysphere/authorized_keys/USER
X+/var/monkeysphere/authorized_keys/USER
X Monkeysphere-generated user authorized_keys files.
X .TP
X-/var/lib/monkeysphere/ssh_host_rsa_key
X+/var/monkeysphere/ssh_host_rsa_key
X Copy of the host's private key in ssh format, suitable for use by
X sshd.
X .TP
X-/var/lib/monkeysphere/gnupg-host
X+/var/monkeysphere/gnupg-host
X Monkeysphere host GNUPG home directory.
X .TP
X-/var/lib/monkeysphere/gnupg-authentication
X+/var/monkeysphere/gnupg-authentication
X Monkeysphere authentication GNUPG home directory.
X 
X .SH AUTHOR
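Review bot: the leading context line /etc/monkeysphere/monkeysphere.conf in this hunk is the pre-patch text; patch-etclocation, which the ports framework applies before this file (patch-* files are applied in alphabetical order), rewrites that same line of man/man8/monkeysphere-server.8 to /usr/local/etc/monkeysphere/monkeysphere.conf, so this hunk only applies with fuzz. Regenerate it against the tree with patch-etclocation already applied, or merge both sets of changes to this man page into one patch file.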
Xdiff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn
Xindex 6c8ad53..67fdda1 100644
X--- doc/getting-started-admin.mdwn
X+++ doc/getting-started-admin.mdwn
X@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections, put the
X following line in `/etc/ssh/sshd_config` (be sure to remove references
X to any other keys):
X 
X-	HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+	HostKey /var/monkeysphere/ssh_host_rsa_key
X 
X FIXME: should we just suggest symlinks in the filesystem here instead?
X 
X@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate using the
X OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again,
X making sure that no other AuthorizedKeysFile directive exists):
X 
X-	AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+	AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X 
X And then read the section below about how to ensure these files are
X maintained.  You'll need to restart `sshd` to have your changes take
X--- src/monkeysphere-server.orig	2008-10-25 18:01:19.000000000 -0400
X+++ src/monkeysphere-server	2008-10-25 18:01:24.000000000 -0400
X@@ -17,7 +17,7 @@
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X 
X-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
X+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"}
X export SYSDATADIR
X 
X # UTC date in ISO 8601 format if needed
X--- etc/gnupg-authentication.conf.orig	2008-10-25 18:02:58.000000000 -0400
X+++ etc/gnupg-authentication.conf	2008-10-25 18:03:04.000000000 -0400
X@@ -4,8 +4,8 @@
X # It is highly recommended that you
X #    DO NOT MODIFY
X # these variables.
X-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg
X-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg
X+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg
X+keyring /var/monkeysphere/gnupg-host/pubring.gpg
X 
X # PGP keyserver to use for PGP queries.
X keyserver hkp://pgp.mit.edu
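Review bot: etc/gnupg-authentication.conf, patched here to point at /var/monkeysphere, is not listed in pkg-plist, so either the upstream install does not ship it (and this hunk is dead) or the plist is incomplete; a plist check will settle which. Note also that pkg-install writes a gpg.conf into $VARLIB/gnupg-authentication with the same primary-keyring and keyring lines, so the two copies of these paths have to be kept in sync.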
END-of-monkeysphere/files/patch-varlocation
echo x - monkeysphere/distinfo
sed 's/^X//' >monkeysphere/distinfo << 'END-of-monkeysphere/distinfo'
XMD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49
XSHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7
XSIZE (monkeysphere_0.16.orig.tar.gz) = 66062
END-of-monkeysphere/distinfo
echo x - monkeysphere/pkg-descr
sed 's/^X//' >monkeysphere/pkg-descr << 'END-of-monkeysphere/pkg-descr'
XSSH key-based authentication is tried-and-true, but it lacks a true
XPublic Key Infrastructure for key certification, revocation and
Xexpiration.  Monkeysphere is a framework that uses the OpenPGP web of
Xtrust for these PKI functions.  It can be used in both directions: for
Xusers to get validated host keys, and for hosts to authenticate users.
X
XWWW: http://web.monkeysphere.info/
END-of-monkeysphere/pkg-descr
echo x - monkeysphere/pkg-deinstall
sed 's/^X//' >monkeysphere/pkg-deinstall << 'END-of-monkeysphere/pkg-deinstall'
X#!/bin/sh
X
X# a package removal script for monkeysphere (borrowing from
X# monkeysphere's debian/monkeysphere.postrm)
X
X# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
XVARLIB="/var/monkeysphere"
X
X
Xcase $2 in
XPOST-DEINSTALL)
X        USER=monkeysphere
X# FIXME: This doesn't do anything!  Under what circumstances do we
X# want to actually automatically purge all of /var/monkeysphere?
X
X# (note: FreeBSD does not seem to want the package-specific user to be
X# purged at package removal)
X	if pw user show "${USER}" 2>/dev/null >/dev/null; then
X	    echo "Warning: If you will *NOT* use this package anymore, please remove the monkeysphere user manually."
X	fi
X	if [ -d "$VARLIB" ] ; then
X	    echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB"
X	fi
X;;
Xesac
END-of-monkeysphere/pkg-deinstall
echo x - monkeysphere/pkg-install
sed 's/^X//' >monkeysphere/pkg-install << 'END-of-monkeysphere/pkg-install'
X#!/bin/sh
X
X# an installation script for monkeysphere (borrowing liberally from
X# postgresql and mysql pkg-install scripts, and from monkeysphere's
X# debian/monkeysphere.postinst)
X
X# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
X
X# PostgreSQL puts its data in /usr/local/pgsql/data
X
X# MySQL puts its data in /var/db/mysql
X
XVARLIB="/var/monkeysphere"
X
Xcase $2 in
XPOST-INSTALL)
X        USER=monkeysphere
X        GROUP=${USER}
X        UID=641
X        GID=${UID}
X        SHELL=/usr/local/bin/bash
X
X        if pw group show "${GROUP}" >/dev/null 2>&1; then
X                echo "You already have a group \"${GROUP}\", so I will use it."
X        else
X                if pw groupadd ${GROUP} -g ${GID}; then
X                        echo "Added group \"${GROUP}\"."
X                else
X                        echo "Adding group \"${GROUP}\" failed..."
X                        exit 1
X                fi
X        fi
X
X        if pw user show "${USER}" >/dev/null 2>&1; then
X            oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
X	    if [ x"$oldshell" != x"$SHELL" ]; then
X		echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
X		echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
X		echo "You should fix this by hand and then re-install the package."
X		echo "   hint: pw usermod '$USER' -s '$SHELL'"
X		exit 1
X	    fi
X            echo "You already have a user \"${USER}\" with the proper shell, so I will use it."
X        else
X                # -h - : no password; reuse $SHELL so the shell check above and
X                # the created account cannot drift apart
X                if pw useradd "${USER}" -u "${UID}" -g "${GROUP}" -h - \
X                        -d "$VARLIB" -s "$SHELL" -c "monkeysphere authentication user,,,"
X                then
X                        echo "Added user \"${USER}\"."
X                else
X                        echo "Adding user \"${USER}\" failed..."
X                        exit 1
X                fi
X        fi
X
X	## set up the cache directories:
X
X	install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host
X	cat <<EOF > "$VARLIB"/gnupg-host/gpg.conf
Xlist-options show-uid-validity
XEOF
X
X	install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication
X# install authentication gpg.conf
X	cat <<EOF > "$VARLIB"/gnupg-authentication/gpg.conf
Xlist-options show-uid-validity
Xprimary-keyring $VARLIB/gnupg-authentication/pubring.gpg
Xkeyring $VARLIB/gnupg-host/pubring.gpg
XEOF
X	chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf
X
X	monkeysphere-server diagnostics
X        ;;
Xesac
END-of-monkeysphere/pkg-install
echo x - monkeysphere/pkg-plist
sed 's/^X//' >monkeysphere/pkg-plist << 'END-of-monkeysphere/pkg-plist'
Xsbin/monkeysphere-server
Xshare/doc/monkeysphere/TODO
Xshare/doc/monkeysphere/MonkeySpec
Xshare/doc/monkeysphere/getting-started-user.mdwn
Xshare/doc/monkeysphere/getting-started-admin.mdwn
Xbin/openpgp2ssh
Xbin/monkeysphere-ssh-proxycommand
Xbin/monkeysphere
Xshare/monkeysphere/common
X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi
Xetc/monkeysphere/monkeysphere.conf.sample
X@exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi
X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi
Xetc/monkeysphere/monkeysphere-server.conf.sample
X@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi
X@dirrm share/doc/monkeysphere
X@dirrm share/monkeysphere
X@dirrm etc/monkeysphere
END-of-monkeysphere/pkg-plist
echo x - monkeysphere/Makefile
sed 's/^X//' >monkeysphere/Makefile << 'END-of-monkeysphere/Makefile'
X# New ports collection makefile for:   monkeysphere
X# Date created:        2008-09-11 23:38:27-0400
X# Whom:                Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME=      monkeysphere
XPORTVERSION=   0.16
XCATEGORIES=    security
XMASTER_SITES=  http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
X# hack for debian orig tarballs
XDISTFILES=      ${PORTNAME}_${DISTVERSION}.orig.tar.gz
X
XMAINTAINER=    anarcat@anarcat.ath.cx
XCOMMENT=       use the OpenPGP web of trust to verify ssh connections
X
XLIB_DEPENDS=	gnutls.26:${PORTSDIR}/security/gnutls
XRUN_DEPENDS=    base64:${PORTSDIR}/converters/base64 \
X		gpg:${PORTSDIR}/security/gnupg \
X		lockfile:${PORTSDIR}/mail/procmail \
X		/usr/local/bin/getopt:${PORTSDIR}/misc/getopt \
X		bash:${PORTSDIR}/shells/bash
X
XMAN1=		monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1
XMAN7=		monkeysphere.7
XMAN8=		monkeysphere-server.8
XMANCOMPRESSED= yes
X
XMAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample
X
X# get rid of cruft after the patching:
Xpost-patch:
X	find . -iname '*.orig' -delete
X
Xpost-install:
X	@if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \
X		${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \
X	fi
X	@if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \
X		${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \
X	fi
X.if !defined(PACKAGE_BUILDING)
X	@${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
X.endif
X
Xpost-deinstall:
X	@${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
X
X.include <bsd.port.mk>
END-of-monkeysphere/Makefile
exit
Comment 1 Antoine Beaupre 2008-10-31 01:40:39 UTC
On Thu, Oct 30, 2008 at 05:46:57PM -0400, Daniel Kahn Gillmor wrote:
> I've talked with Antoine, and i'm up for taking over the FreeBSD port
> of monkeysphere from him, since i'm more heavily involved with the
> upstream development at the moment.  He seems OK with that.


I confirm that.

A.

-- 
Rock journalism is people who can't write interviewing people who can't
talk for people who can't read.
                        - Frank Zappa
Comment 2 Martin Wilke freebsd_committer freebsd_triage 2008-11-06 06:53:47 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 3 dkg 2009-03-10 06:32:14 UTC
This is a multi-part message in MIME format.
Comment 4 Martin Wilke freebsd_committer freebsd_triage 2009-03-10 07:45:04 UTC
State Changed
From-To: open->closed

New port added. Thanks!
Comment 5 dfilter service freebsd_committer freebsd_triage 2009-03-10 07:45:41 UTC
miwi        2009-03-10 07:45:27 UTC

  FreeBSD ports repository

  Modified files:
    security             Makefile 
  Added files:
    security/monkeysphere Makefile distinfo pkg-deinstall 
                          pkg-descr pkg-install pkg-plist 
    security/monkeysphere/files patch-src_monkeysphere-host 
                                patch-src_share_keytrans 
  Log:
  SSH key-based authentication is tried-and-true, but it lacks a true
  Public Key Infrastructure for key certification, revocation and
  expiration.  Monkeysphere is a framework that uses the OpenPGP web of
  trust for these PKI functions.  It can be used in both directions: for
  users to get validated host keys, and for hosts to authenticate users.
  
  WWW: http://web.monkeysphere.info/
  
  PR:             ports/128406
  Submitted by:   Daniel Kahn Gillmor <dkg at fifthhorseman.net>
  
  Revision  Changes    Path
  1.1023    +1 -0      ports/security/Makefile
  1.1       +72 -0     ports/security/monkeysphere/Makefile (new)
  1.1       +3 -0      ports/security/monkeysphere/distinfo (new)
  1.1       +11 -0     ports/security/monkeysphere/files/patch-src_monkeysphere-host (new)
  1.1       +11 -0     ports/security/monkeysphere/files/patch-src_share_keytrans (new)
  1.1       +29 -0     ports/security/monkeysphere/pkg-deinstall (new)
  1.1       +7 -0      ports/security/monkeysphere/pkg-descr (new)
  1.1       +64 -0     ports/security/monkeysphere/pkg-install (new)
  1.1       +49 -0     ports/security/monkeysphere/pkg-plist (new)