ports/128406 New port: security/monkeysphere
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 30 22:20:03 UTC 2008
The following reply was made to PR ports/128406; it has been noted by GNATS.
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
To: bug-followup at FreeBSD.org, anarcat at anarcat.ath.cx
Cc:
Subject: Re: ports/128406 New port: security/monkeysphere
Date: Thu, 30 Oct 2008 17:46:57 -0400
--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="
--=-=-=
I've talked with Antoine, and i'm up for taking over the FreeBSD port
of monkeysphere from him, since i'm more heavily involved with the
upstream development at the moment. He seems OK with that.
Attached is an updated shar file for version 0.19 of the port, which
works for me on a FreeBSD system installed from 7.1-BETA2.
Antoine's original patches for UID and GID are still relevant, too.
Let me know if there's anything else i should do to help get this into
the ports tree once the freeze ends.
Regards,
--dkg
--=-=-=
Content-Type: text/x-sh
Content-Disposition: inline; filename=shar-2.sh
Content-Transfer-Encoding: quoted-printable
Content-Description: FreeBSD port for monkeysphere, version 0.19
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# monkeysphere
# monkeysphere/files
# monkeysphere/files/patch-etclocation
# monkeysphere/files/patch-sharelocation
# monkeysphere/files/patch-varlocation
# monkeysphere/distinfo
# monkeysphere/Makefile
# monkeysphere/pkg-descr
# monkeysphere/pkg-install
# monkeysphere/pkg-plist
# monkeysphere/pkg-deinstall
#
echo c - monkeysphere
mkdir -p monkeysphere > /dev/null 2>&1
echo c - monkeysphere/files
mkdir -p monkeysphere/files > /dev/null 2>&1
echo x - monkeysphere/files/patch-etclocation
sed 's/^X//' >monkeysphere/files/patch-etclocation << 'a2c685c81926e342cb0d=
6b8121cc2ec3'
Xdiff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf
Xindex c001f2d..d33fd36 100644
X--- etc/monkeysphere-server.conf
X+++ etc/monkeysphere-server.conf
X@@ -17,7 +17,7 @@
X # authorized_keys file. '%h' will be replaced by the home directory
X # of the user, and %u will be replaced by the username of the user.
X # For purely admin-controlled authorized_user_ids, you might put them
X-# in /etc/monkeysphere/authorized_user_ids/%u, for instance.
X+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u, for instance.
X #AUTHORIZED_USER_IDS=3D"%h/.monkeysphere/authorized_user_ids"
X=20
X # Whether to add user controlled authorized_keys file to
Xdiff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1
Xindex 3ece735..09320d2 100644
X--- man/man1/monkeysphere.1
X+++ man/man1/monkeysphere.1
X@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_ke=
ys).
X ~/.monkeysphere/monkeysphere.conf
X User monkeysphere config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X ~/.monkeysphere/authorized_user_ids
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..360408e 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -203,10 +203,10 @@ User to control authentication keychain (monkeyspher=
e).
X .SH FILES
X=20
X .TP
X-/etc/monkeysphere/monkeysphere-server.conf
X+/usr/local/etc/monkeysphere/monkeysphere-server.conf
X System monkeysphere-server config file.
X .TP
X-/etc/monkeysphere/monkeysphere.conf
X+/usr/local/etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X /var/lib/monkeysphere/authorized_keys/USER
X--- src/common.orig 2008-10-12 14:58:00.000000000 -0400
X+++ src/common 2008-10-25 17:40:34.000000000 -0400
X@@ -16,7 +16,7 @@
X ### COMMON VARIABLES
X=20
X # managed directories
X-SYSCONFIGDIR=3D${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"}
X+SYSCONFIGDIR=3D${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"}
X export SYSCONFIGDIR
X=20
X ########################################################################
a2c685c81926e342cb0d6b8121cc2ec3
echo x - monkeysphere/files/patch-sharelocation
sed 's/^X//' >monkeysphere/files/patch-sharelocation << 'e58f45ef49fc61a719=
435bf0960663ac'
X--- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400
X+++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=3D$(basename $0)
X=20
X-SYSSHAREDIR=3D${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=3D${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X=20
X--- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400
X+++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400
X@@ -13,7 +13,7 @@
X ########################################################################
X PGRM=3D$(basename $0)
X=20
X-SYSSHAREDIR=3D${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
X+SYSSHAREDIR=3D${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"}
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X=20
e58f45ef49fc61a719435bf0960663ac
echo x - monkeysphere/files/patch-varlocation
sed 's/^X//' >monkeysphere/files/patch-varlocation << '9c7c05c03adccce0ba37=
a96ac1ed8b05'
Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8
Xindex f207e2c..29c7b6a 100644
X--- man/man8/monkeysphere-server.8
X+++ man/man8/monkeysphere-server.8
X@@ -128,7 +128,7 @@ command to push the key to a keyserver. You must also=
modify the
X sshd_config on the server to tell sshd where the new server host key
X is located:
X=20
X-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+HostKey /var/monkeysphere/ssh_host_rsa_key
X=20
X In order for users logging into the system to be able to verify the
X host via the monkeysphere, at least one person (e.g. a server admin)
X@@ -170,7 +170,7 @@ users. You must also tell sshd to look at the monkeys=
phere-generated
X authorized_keys file for user authentication by setting the following
X in the sshd_config:
X=20
X-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X=20
X It is recommended to add "monkeysphere-server update-users" to a
X system crontab, so that user keys are kept up-to-date, and key
X@@ -209,17 +209,17 @@ System monkeysphere-server config file.
X /etc/monkeysphere/monkeysphere.conf
X System-wide monkeysphere config file.
X .TP
X-/var/lib/monkeysphere/authorized_keys/USER
X+/var/monkeysphere/authorized_keys/USER
X Monkeysphere-generated user authorized_keys files.
X .TP
X-/var/lib/monkeysphere/ssh_host_rsa_key
X+/var/monkeysphere/ssh_host_rsa_key
X Copy of the host's private key in ssh format, suitable for use by
X sshd.
X .TP
X-/var/lib/monkeysphere/gnupg-host
X+/var/monkeysphere/gnupg-host
X Monkeysphere host GNUPG home directory.
X .TP
X-/var/lib/monkeysphere/gnupg-authentication
X+/var/monkeysphere/gnupg-authentication
X Monkeysphere authentication GNUPG home directory.
X=20
X .SH AUTHOR
Xdiff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn
Xindex 6c8ad53..67fdda1 100644
X--- doc/getting-started-admin.mdwn
X+++ doc/getting-started-admin.mdwn
X@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections,=
put the
X following line in `/etc/ssh/sshd_config` (be sure to remove references
X to any other keys):
X=20
X- HostKey /var/lib/monkeysphere/ssh_host_rsa_key
X+ HostKey /var/monkeysphere/ssh_host_rsa_key
X=20
X FIXME: should we just suggest symlinks in the filesystem here instead?
X=20
X@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate =
using the
X OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again,
X making sure that no other AuthorizedKeysFile directive exists):
X=20
X- AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
X+ AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u
X=20
X And then read the section below about how to ensure these files are
X maintained. You'll need to restart `sshd` to have your changes take
X--- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400
X+++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400
X@@ -17,7 +17,7 @@
X export SYSSHAREDIR
X . "${SYSSHAREDIR}/common" || exit 1
X=20
X-SYSDATADIR=3D${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
X+SYSDATADIR=3D${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"}
X export SYSDATADIR
X=20
X # UTC date in ISO 8601 format if needed
X--- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400
X+++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400
X@@ -4,8 +4,8 @@
X # It is highly recommended that you
X # DO NOT MODIFY
X # these variables.
X-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg
X-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg
X+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg
X+keyring /var/monkeysphere/gnupg-host/pubring.gpg
X=20
X # PGP keyserver to use for PGP queries.
X keyserver hkp://pgp.mit.edu
9c7c05c03adccce0ba37a96ac1ed8b05
echo x - monkeysphere/distinfo
sed 's/^X//' >monkeysphere/distinfo << '32dba0505f502eb959b288b6ab212b72'
XMD5 (monkeysphere_0.19.orig.tar.gz) =3D 64c643dd0ab642bbc8814aec1718000e
XSHA256 (monkeysphere_0.19.orig.tar.gz) =3D 321b77c1e10fe48ffbef8491893f5dd=
22842c35c11464efa7893150ce756a522
XSIZE (monkeysphere_0.19.orig.tar.gz) =3D 68335
32dba0505f502eb959b288b6ab212b72
echo x - monkeysphere/Makefile
sed 's/^X//' >monkeysphere/Makefile << 'e6b49990150f96b526ac42696550a8a5'
X# New ports collection makefile for: monkeysphere
X# Date created: 2008-09-11 23:38:27-0400
X# Whom: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME=3D monkeysphere
XPORTVERSION=3D 0.19
XCATEGORIES=3D security
XMASTER_SITES=3D http://archive.monkeysphere.info/debian/pool/monkeysphere=
/m/monkeysphere/
X# hack for debian orig tarballs
XDISTFILES=3D ${PORTNAME}_${DISTVERSION}.orig.tar.gz
X
XMAINTAINER=3D dkg at fifthhorseman.net
XCOMMENT=3D use the OpenPGP web of trust to verify ssh connections
X
XLIB_DEPENDS=3D gnutls.26:${PORTSDIR}/security/gnutls
XRUN_DEPENDS=3D base64:${PORTSDIR}/converters/base64 \
X gpg:${PORTSDIR}/security/gnupg1 \
X lockfile:${PORTSDIR}/mail/procmail \
X /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \
X bash:${PORTSDIR}/shells/bash
X
XMAN1=3D monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1
XMAN7=3D monkeysphere.7
XMAN8=3D monkeysphere-server.8
XMANCOMPRESSED=3D yes
X
XMAKE_ARGS=3D ETCPREFIX=3D${PREFIX} MANPREFIX=3D${PREFIX}/man ETCSUFFIX=3D.=
sample
X
X# get rid of cruft after the patching:
Xpost-patch:
X find . -iname '*.orig' -delete
X
Xpost-install:
X @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-host.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-host.conf.sample ${PREFIX}/etc=
/monkeysphere/gnupg-host.conf ; \
X fi
X @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf.sample ${P=
REFIX}/etc/monkeysphere/gnupg-authentication.conf ; \
X fi
X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/e=
tc/monkeysphere/monkeysphere.conf ; \
X fi
X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \
X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PR=
EFIX}/etc/monkeysphere/monkeysphere-server.conf ; \
X fi
X.if !defined(PACKAGE_BUILDING)
X @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
X.endif
X
Xpost-deinstall:
X @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
X
X.include <bsd.port.mk>
e6b49990150f96b526ac42696550a8a5
echo x - monkeysphere/pkg-descr
sed 's/^X//' >monkeysphere/pkg-descr << 'b56f21cd6b5644dc1076afa644be514b'
XSSH key-based authentication is tried-and-true, but it lacks a true
XPublic Key Infrastructure for key certification, revocation and
Xexpiration. Monkeysphere is a framework that uses the OpenPGP web of
Xtrust for these PKI functions. It can be used in both directions: for
Xusers to get validated host keys, and for hosts to authenticate users.
X
XWWW: http://web.monkeysphere.info/
b56f21cd6b5644dc1076afa644be514b
echo x - monkeysphere/pkg-install
sed 's/^X//' >monkeysphere/pkg-install << '063e2436db8337e6d9141e8f388ca4b0'
X#!/bin/sh
X
X# an installation script for monkeysphere (borrowing liberally from
X# postgresql and mysql pkg-install scripts, and from monkeysphere's
X# debian/monkeysphere.postinst)
X
X# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
X
X# PostgreSQL puts its data in /usr/local/pgsql/data
X
X# MySQL puts its data in /var/db/mysql
X
XVARLIB=3D"/var/monkeysphere"
XETCDIR=3D"/usr/local/etc/monkeysphere"
X
Xcase $2 in
XPOST-INSTALL)
X USER=3Dmonkeysphere
X GROUP=3D${USER}
X UID=3D641
X GID=3D${UID}
X SHELL=3D/usr/local/bin/bash
X
X if pw group show "${GROUP}" >/dev/null 2>&1; then
X echo "You already have a group \"${GROUP}\", so I will use=
it."
X else
X if pw groupadd ${GROUP} -g ${GID}; then
X echo "Added group \"${GROUP}\"."
X else
X echo "Adding group \"${GROUP}\" failed..."
X exit 1
X fi
X fi
X
X if pw user show "${USER}" >/dev/null 2>&1; then
X oldshell=3D`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
X if [ x"$oldshell" !=3D x"$SHELL" ]; then
X echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
X echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
X echo "You should fix this by hand and then re-install the package."
X echo " hint: pw usermod '$USER' -s '$SHELL'"
X exit 1
X fi
X echo "You already have a user \"${USER}\" with the proper shel=
l, so I will use it."
X else
X if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \
X -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphe=
re authentication user,,,"
X then
X echo "Added user \"${USER}\"."
X else
X echo "Adding user \"${USER}\" failed..."
X exit 1
X fi
X fi
X
X ## set up the cache directories, and link them to the config files:
X
X install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host
X ln -sf "$ETCDIR"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
X
X install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authent=
ication
X ln -sf "$ETCDIR"/gnupg-authentication.conf "$VARLIB"/gnupg-authenticatio=
n/gpg.conf
X
X chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf
X
X monkeysphere-server diagnostics
X ;;
Xesac
063e2436db8337e6d9141e8f388ca4b0
echo x - monkeysphere/pkg-plist
sed 's/^X//' >monkeysphere/pkg-plist << '69e1e9d8bd1ff3c1846b4c7eb779393e'
Xsbin/monkeysphere-server
Xshare/doc/monkeysphere/TODO
Xshare/doc/monkeysphere/MonkeySpec
Xshare/doc/monkeysphere/getting-started-user.mdwn
Xshare/doc/monkeysphere/getting-started-admin.mdwn
Xbin/openpgp2ssh
Xbin/monkeysphere-ssh-proxycommand
Xbin/monkeysphere
Xshare/monkeysphere/common
X at unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monk=
eysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.con=
f; fi
Xetc/monkeysphere/monkeysphere.conf.sample
X at exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F=
%B/monkeysphere.conf; fi
X at unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/e=
tc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/mo=
nkeysphere-server.conf; fi
Xetc/monkeysphere/monkeysphere-server.conf.sample
X at exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -=
p %D/%F %B/monkeysphere-server.conf; fi
X at dirrm share/doc/monkeysphere
X at dirrm share/monkeysphere
X at dirrm etc/monkeysphere
69e1e9d8bd1ff3c1846b4c7eb779393e
echo x - monkeysphere/pkg-deinstall
sed 's/^X//' >monkeysphere/pkg-deinstall << 'f331c3c6e289e2ef8efd846de3f3ad=
6f'
X#!/bin/sh
X
X# a package removal script for monkeysphere (borrowing from
X# monkeysphere's debian/monkeysphere.postrm)
X
X# Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
X# Copyright 2008
X
X# FIXME: is /var/lib/monkeysphere the right place for this stuff on
X# FreeBSD?
XVARLIB=3D"/var/monkeysphere"
X
X
Xcase $2 in
XPOST-DEINSTALL)
X USER=3Dmonkeysphere
X# FIXME: This doesn't do anything! Under what circumstances do we
X# want to actually automatically purge all of /var/monkeysphere?
X
X# (note: FreeBSD does not seem to want the package-specific user to be
X# purged at package removal)
X if pw user show "${USER}" 2>/dev/null >/dev/null; then
X echo "Warning: If you will *NOT* use this package anymore, please rem=
ove the monkeysphere user manually."
X fi
X if [ -d "$VARLIB" ] ; then
X echo "Warning: You may want to remove monkeysphere's cached authentic=
ation data and keyrings in $VARLIB"
X fi
X;;
Xesac
f331c3c6e289e2ef8efd846de3f3ad6f
exit
--=-=-=--
--==-=-=
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQIVAwUBSQorUczS7ZTSFznpAQJXEg/+MVM+EiCCMyzew4XL8mjq9XfzICneb0It
+1aoon4l6m5yvOD3txXv8OBe5YpcBKWJ8Nwjl9gmTnutGl+CTHXun3kC0Ssn9NcH
vs6k6dKNT+Eo+THKf2aVqbKkzkhUIK5yTPe9S7fGR3DImUOxFhPqzHA/smKHXuN9
HaGISsqUFo9VaPSulrLtYY5TMqBJAXgrIW/7ljM9gS7Y+n7DNy1LkC/4RC9dMtdy
WygAioIkFMK44u7ZWjN025KJgPCZ1t7JvetIUbj6xMb87taM64zHICGwmTgu4bo2
s3oA8Iewf4QIRqAG7LdoD2mUUtqMUFEnoAJaQqfv17xtNJM3FF1yt347HtRc3DzP
0IK5bNXg/eGtFpOysTEAPXOmq8P9eOzR2wY7InU3nERuBYADVdqh2ZWzMPDoUXTD
G4mpVDvx1VhpDOFUsYzjJ4Qj1d23AiSJlRvoKIbylRAv9I3vUJFGbIxBgTvKm3PA
u3D5Z/n9RDzFrdn4YkGJgFqD5H7QGuAHtek6UG+5EqmjCoMNUajCCTHIyiHGpLCD
ll5i44sBY0hB7V2EVlzr3gW1Y2Uh7pBvWqnBFVMJ/KNzD61pJZnyEVP2Xy0XTNb6
tBnZxc9aWmxANizE9z7Tb+XQ9LjKtoXie41PGausVxJFdpB57aNGvIxtaV3wzBtS
YHKuShdTTcw=
=UmxN
-----END PGP SIGNATURE-----
--==-=-=--
More information about the freebsd-ports-bugs
mailing list