ports/128406: New port: security/monkeysphere
Antoine Beaupre
anarcat at anarcat.ath.cx
Mon Oct 27 02:20:02 UTC 2008
>Number: 128406
>Category: ports
>Synopsis: New port: security/monkeysphere
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 27 02:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Antoine Beaupre
>Release: FreeBSD 6.3-RELEASE-p1 i386
>Organization:
Koumbit
>Environment:
System: FreeBSD lethe.koumbit.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Mon Mar 24 16:30:04 EDT 2008 anarcat at lethe.koumbit.net:/usr/obj/usr/src/sys/LETHE6 i386
>Description:
SSH key-based authentication is tried-and-true, but it lacks a true
Public Key Infrastructure for key certification, revocation and
expiration. Monkeysphere is a framework that uses the OpenPGP web of
trust for these PKI functions. It can be used in both directions: for
users to get validated host keys, and for hosts to authenticate users.
WWW: http://web.monkeysphere.info/
>How-To-Repeat:
>Fix:
I include the .shar for the port tree, but also the required patches to UIDs and GIDs.
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# monkeysphere
# monkeysphere/files
# monkeysphere/files/patch-etclocation
# monkeysphere/files/patch-sharelocation
# monkeysphere/files/patch-varlocation
# monkeysphere/distinfo
# monkeysphere/pkg-descr
# monkeysphere/pkg-deinstall
# monkeysphere/pkg-install
# monkeysphere/pkg-plist
# monkeysphere/Makefile
#
echo c - monkeysphere
mkdir -p monkeysphere > /dev/null 2>&1
echo c - monkeysphere/files
mkdir -p monkeysphere/files > /dev/null 2>&1
echo x - monkeysphere/files/patch-etclocation
sed 's/^X//' >monkeysphere/files/patch-etclocation << 'END-of-monkeysphere/files/patch-etclocation'
Xdiff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf
Xindex c001f2d..d33fd36 100644
X--- etc/monkeysphere-server.conf
X+++ etc/monkeysphere-server.conf
X@@ -17,7 +17,7 @@
X # authorized_keys file. '%h' will be replaced by the home directory
X # of the user, and %u will be replaced by the username of the user.
X # For purely admin-controlled authorized_user_ids, you might put them
X-# in /etc/monkeysphere/authorized_user_ids/%u
X+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u
X #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
X
X # Whether to add user controlled authorized_keys file to
Xdiff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1
Xindex 3ece735..09320d2 100644
X--- man/man1/monkeysphere.1
X+++ man/man1/monkeysphere.1
X@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_keys).
X ~/.monkeysphere/monkeysphere.conf
X User monkeysphere config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X ~/.monkeysphere/authorized_user_ids
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..360408e 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -203,10 +203,10 @@ User to control authentication keychain (monkeysphere).
X .SH FILES
X
X .TP
X-/etc/monkeysphere/monkeysphere-server.conf
X+/usr/local/etc/monkeysphere/monkeysphere-server.conf
X System monkeysphere-server config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X /var/lib/monkeysphere/authorized_keys/USER
X--- src/common.orig 2008-10-12 14:58:00.000000000 -0400
X+++ src/common 2008-10-25 17:40:34.000000000 -0400
X@@ -16,7 +16,7 @@
X ### COMMON VARIABLES
X
X # managed directories
X-SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"}
X+SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"}
X export SYSCONFIGDIR
X
X ########################################################################
END-of-monkeysphere/files/patch-etclocation
echo x - monkeysphere/files/patch-sharelocation
sed 's/^X//' >monkeysphere/files/patch-sharelocation << 'END-of-monkeysphere/files/patch-sharelocation'
X--- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400
X+++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=$(basename $0)
X
X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X
X--- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400
X+++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=$(basename $0)
X
X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X
END-of-monkeysphere/files/patch-sharelocation
echo x - monkeysphere/files/patch-varlocation
sed 's/^X//' >monkeysphere/files/patch-varlocation << 'END-of-monkeysphere/files/patch-varlocation'
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..29c7b6a 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -128,7 +128,7 @@ command to push the key to a keyserver. You must also modify the
X sshd_config on the server to tell sshd where the new server host key
X is located:
X
X-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+HostKey /var/monkeysphere/ssh_host_rsa_key
X
X In order for users logging into the system to be able to verify the
X host via the monkeysphere, at least one person (e.g. a server admin)
X@@ -170,7 +170,7 @@ users. You must also tell sshd to look at the monkeysphere-generated
X authorized_keys file for user authentication by setting the following
X in the sshd_config:
X
X-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X
X It is recommended to add "monkeysphere-server update-users" to a
X system crontab, so that user keys are kept up-to-date, and key
X@@ -209,17 +209,17 @@ System monkeysphere-server config file.
X /etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X-/var/lib/monkeysphere/authorized_keys/USER
X+/var/monkeysphere/authorized_keys/USER
X Monkeysphere-generated user authorized_keys files.
X .TP
X-/var/lib/monkeysphere/ssh_host_rsa_key
X+/var/monkeysphere/ssh_host_rsa_key
X Copy of the host's private key in ssh format, suitable for use by
X sshd.
X .TP
X-/var/lib/monkeysphere/gnupg-host
X+/var/monkeysphere/gnupg-host
X Monkeysphere host GNUPG home directory.
X .TP
X-/var/lib/monkeysphere/gnupg-authentication
X+/var/monkeysphere/gnupg-authentication
X Monkeysphere authentication GNUPG home directory.
X
X .SH AUTHOR
Xdiff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn
Xindex 6c8ad53..67fdda1 100644
X--- doc/getting-started-admin.mdwn
X+++ doc/getting-started-admin.mdwn
X@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections, put the
X following line in `/etc/ssh/sshd_config` (be sure to remove references
X to any other keys):
X
X- HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+ HostKey /var/monkeysphere/ssh_host_rsa_key
X
X FIXME: should we just suggest symlinks in the filesystem here instead?
X
X@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate using the
X OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again,
X making sure that no other AuthorizedKeysFile directive exists):
X
X- AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+ AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X
X And then read the section below about how to ensure these files are
X maintained. You'll need to restart `sshd` to have your changes take
X--- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400
X+++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400
X@@ -17,7 +17,7 @@
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X
X-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
X+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"}
X export SYSDATADIR
X
X # UTC date in ISO 8601 format if needed
X--- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400
X+++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400
X@@ -4,8 +4,8 @@
X # It is highly recommended that you
X # DO NOT MODIFY
X # these variables.
X-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg
X-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg
X+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg
X+keyring /var/monkeysphere/gnupg-host/pubring.gpg
X
X # PGP keyserver to use for PGP queries.
X keyserver hkp://pgp.mit.edu
END-of-monkeysphere/files/patch-varlocation
echo x - monkeysphere/distinfo
sed 's/^X//' >monkeysphere/distinfo << 'END-of-monkeysphere/distinfo'
XMD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49
XSHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7
XSIZE (monkeysphere_0.16.orig.tar.gz) = 66062
END-of-monkeysphere/distinfo
echo x - monkeysphere/pkg-descr
sed 's/^X//' >monkeysphere/pkg-descr << 'END-of-monkeysphere/pkg-descr'
XSSH key-based authentication is tried-and-true, but it lacks a true
XPublic Key Infrastructure for key certification, revocation and
Xexpiration. Monkeysphere is a framework that uses the OpenPGP web of
Xtrust for these PKI functions. It can be used in both directions: for
Xusers to get validated host keys, and for hosts to authenticate users.
X
XWWW: http://web.monkeysphere.info/
END-of-monkeysphere/pkg-descr
echo x - monkeysphere/pkg-deinstall
sed 's/^X//' >monkeysphere/pkg-deinstall << 'END-of-monkeysphere/pkg-deinstall'
X#!/bin/sh
X
X# a package removal script for monkeysphere (borrowing from
X# monkeysphere's debian/monkeysphere.postrm)
X
X# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
XVARLIB="/var/monkeysphere"
X
X
Xcase $2 in
XPOST-DEINSTALL)
X USER=monkeysphere
X# FIXME: This doesn't do anything! Under what circumstances do we
X# want to actually automatically purge all of /var/monkeysphere?
X
X# (note: FreeBSD does not seem to want the package-specific user to be
X# purged at package removal)
X if pw user show "${USER}" 2>/dev/null >/dev/null; then
X echo "Warning: If you will *NOT* use this package anymore, please remove the monkeysphere user manually."
X fi
X if [ -d "$VARLIB" ] ; then
X echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB"
X fi
X;;
Xesac
END-of-monkeysphere/pkg-deinstall
echo x - monkeysphere/pkg-install
sed 's/^X//' >monkeysphere/pkg-install << 'END-of-monkeysphere/pkg-install'
X#!/bin/sh
X
X# an installation script for monkeysphere (borrowing liberally from
X# postgresql and mysql pkg-install scripts, and from monkeysphere's
X# debian/monkeysphere.postinst)
X
X# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
X
X# PostgreSQL puts its data in /usr/local/pgsql/data
X
X# MySQL puts its data in /var/db/mysql
X
XVARLIB="/var/monkeysphere"
X
Xcase $2 in
XPOST-INSTALL)
X USER=monkeysphere
X GROUP=${USER}
X UID=641
X GID=${UID}
X SHELL=/usr/local/bin/bash
X
X if pw group show "${GROUP}" >/dev/null 2>&1; then
X echo "You already have a group \"${GROUP}\", so I will use it."
X else
X if pw groupadd ${GROUP} -g ${GID}; then
X echo "Added group \"${GROUP}\"."
X else
X echo "Adding group \"${GROUP}\" failed..."
X exit 1
X fi
X fi
X
X if pw user show "${USER}" >/dev/null 2>&1; then
X oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
X if [ x"$oldshell" != x"$SHELL" ]; then
X echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
X echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
X echo "You should fix this by hand and then re-install the package."
X echo " hint: pw usermod '$USER' -s '$SHELL'"
X exit 1
X fi
X echo "You already have a user \"${USER}\" with the proper shell, so I will use it."
X else
X if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \
X -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphere authentication user,,,"
X then
X echo "Added user \"${USER}\"."
X else
X echo "Adding user \"${USER}\" failed..."
X exit 1
X fi
X fi
X
X ## set up the cache directories:
X
X install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host
X cat <<EOF > "$VARLIB"/gnupg-host/gpg.conf
Xlist-options show-uid-validity
XEOF
X
X install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication
X# install authentication gpg.conf
X cat <<EOF > "$VARLIB"/gnupg-authentication/gpg.conf
Xlist-options show-uid-validity
Xprimary-keyring $VARLIB/gnupg-authentication/pubring.gpg
Xkeyring $VARLIB/gnupg-host/pubring.gpg
XEOF
X chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf
X
X monkeysphere-server diagnostics
X ;;
Xesac
END-of-monkeysphere/pkg-install
echo x - monkeysphere/pkg-plist
sed 's/^X//' >monkeysphere/pkg-plist << 'END-of-monkeysphere/pkg-plist'
Xsbin/monkeysphere-server
Xshare/doc/monkeysphere/TODO
Xshare/doc/monkeysphere/MonkeySpec
Xshare/doc/monkeysphere/getting-started-user.mdwn
Xshare/doc/monkeysphere/getting-started-admin.mdwn
Xbin/openpgp2ssh
Xbin/monkeysphere-ssh-proxycommand
Xbin/monkeysphere
Xshare/monkeysphere/common
X at unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi
Xetc/monkeysphere/monkeysphere.conf.sample
X at exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi
X at unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi
Xetc/monkeysphere/monkeysphere-server.conf.sample
X at exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi
X at dirrm share/doc/monkeysphere
X at dirrm share/monkeysphere
X at dirrm etc/monkeysphere
END-of-monkeysphere/pkg-plist
echo x - monkeysphere/Makefile
sed 's/^X//' >monkeysphere/Makefile << 'END-of-monkeysphere/Makefile'
X# New ports collection makefile for: monkeysphere
X# Date created: 2008-09-11 23:38:27-0400
X# Whom: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME= monkeysphere
XPORTVERSION= 0.16
XCATEGORIES= security
XMASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
X# hack for debian orig tarballs
XDISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz
X
XMAINTAINER= anarcat at anarcat.ath.cx
XCOMMENT= use the OpenPGP web of trust to verify ssh connections
X
XLIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls
XRUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \
X gpg:${PORTSDIR}/security/gnupg \
X lockfile:${PORTSDIR}/mail/procmail \
X /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \
X bash:${PORTSDIR}/shells/bash
X
XMAN1= monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1
XMAN7= monkeysphere.7
XMAN8= monkeysphere-server.8
XMANCOMPRESSED= yes
X
XMAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample
X
X# get rid of cruft after the patching:
Xpost-patch:
X find . -iname '*.orig' -delete
X
Xpost-install:
X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \
X fi
X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \
X fi
X.if !defined(PACKAGE_BUILDING)
X @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
X.endif
X
Xpost-deinstall:
X @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
X
X.include <bsd.port.mk>
END-of-monkeysphere/Makefile
exit
--- /usr/ports/UIDs 2008-09-10 20:30:08.000000000 -0400
+++ UIDs 2008-10-26 21:00:36.000000000 -0400
@@ -132,6 +132,7 @@
pulse:*:563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
_xsi:*:600:600::0:0:XMLSysInfo User:/nonexistent:/usr/sbin/nologin
_pla:*:636:80::0:0:phpLDAPAdmin Owner:/nonexistent:/usr/sbin/nologin
+monkeysphere:*:641:641:monkeysphere authentication user,,,:/var/monkeysphere:/usr/local/bin/bash
bnetd:*:700:700::0:0:Bnetd user:/nonexistent:/usr/sbin/nologin
bopm:*:717:717::0:0:Blitzed Open Proxy Monitor:/nonexistent:/bin/sh
openxpki:*:777:777::0:0:OpenXPKI Owner:/nonexistent:/usr/sbin/nologin
--- /usr/ports/GIDs 2008-09-08 16:09:59.000000000 -0400
+++ GIDs 2008-10-26 21:00:51.000000000 -0400
@@ -121,6 +121,7 @@
pulse:*:563:
pulse-access:*:564:
_xsi:*:600:
+monkeysphere:*:641:
bnetd:*:700:
bopm:*:717:
openxpki:*:777:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list