From owner-freebsd-ports Fri Dec 26 02:50:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA05915 for ports-outgoing; Fri, 26 Dec 1997 02:50:09 -0800 (PST) (envelope-from owner-freebsd-ports) Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA05886; Fri, 26 Dec 1997 02:50:02 -0800 (PST) (envelope-from gnats) Date: Fri, 26 Dec 1997 02:50:02 -0800 (PST) Message-Id: <199712261050.CAA05886@hub.freebsd.org> To: freebsd-ports Cc: From: dirk.meyer@dinoex.sub.org (Dirk Meyer) Subject: ports/5200 Reply-To: dirk.meyer@dinoex.sub.org (Dirk Meyer) Sender: owner-freebsd-ports@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk The following reply was made to PR ports/5200; it has been noted by GNATS. From: dirk.meyer@dinoex.sub.org (Dirk Meyer) To: freebsd-gnats-submit@FreeBSD.ORG Cc: Subject: ports/5200 Date: Fri, 26 Dec 1997 09:06:23 +0100 encode the port in this shar archive. -- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany -- Tel. +49-5606-6512 # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # pgpmoose-1/pkg/COMMENT # pgpmoose-1/pkg/DESCR # pgpmoose-1/pkg/PLIST # pgpmoose-1/files/md5 # pgpmoose-1/Makefile # echo x - pgpmoose-1/pkg/COMMENT sed 's/^X//' >pgpmoose-1/pkg/COMMENT << 'END-of-pgpmoose-1/pkg/COMMENT' XPGP Moose - signatures for moderated newsgroups END-of-pgpmoose-1/pkg/COMMENT echo x - pgpmoose-1/pkg/DESCR sed 's/^X//' >pgpmoose-1/pkg/DESCR << 'END-of-pgpmoose-1/pkg/DESCR' XPGP Moose X========= Xby Greg Rose X XThe aim of this software is to monitor the news Xpostings of moderators of USENET newsgroups, and to Xautomatically cancel forged messages purporting to Xbe approved. This can be extended to the approvals Xof individual users to automatically cancel messages Xthat appear without having been authorised by the Xuser. This has (obviously) been prompted by the Xrecent spammings and other events. X XThis software and protocol is designed around Xcryptographic signatures. The protocol is designed Xto allow the use of different signature techniques. XThis implemention assumes the use of PGP signatures, Xbut can be easily modified to use others, such as Xthe Digital Signature Standard. PGP was chosen for Xits widespread availability around the world. X XPGP, the crux of the cryptographic software, was Xwritten by Phil Zimmermann , who Xotherwise has nothing to do with this. The Xcryptographic framework was written by Greg Rose X, as were the INN news system Xhooks. X X XContents: X-------- X XHow Does It Work? XThe Bits: XHow Do You Register For The Service? XHandling Multiple Moderated Groups: XPossible Problems We've Forseen: XStatus: XObtaining, installing, configuring: XIt Really Wasn't That Hard. XLicense Terms: XVersion: X XHow Does It Work? X----------------- X XThis document is written from the point of view of Xa newsgroup moderator, but individual users could Xalso use the facility in analagous ways. X XWhen a moderator wants to protect their group from Xforged/unapproved postings, they should register Xtheir interest with one or more of the sites running XPGP Moose, and pick up the submission script. As Xpart of this process, the moderator would specify Xone or more PGP public keys that are allowed to Xapprove postings. X XWhen a post comes in, and the moderator wishes to Xapprove it, they do whatever they would normally Xdo before actually using inews (or whatever) to Xpost the message. As their last action, they run Xthe PGP Moose Approval program "pmapp". This Xinserts a special header which Xlooks like this: X XX-Auth: PGPMoose V1.0 PGP sci.crypt.research X iQBVAgUBL1/Kg2zWcw3p062JAQEYIgH/Xyrz6LaGG+fHaSxoexMECovzkIoADrQx X l73IXlUQEIoFl5jnDBBdHVvqTMEPS0118ytYVQZoQrdStuXB9Oc9gQ== X =azqs X XIf there are multiple moderated newsgroups, there Xmight be multiple X-Auth: headers, one Xfor each group that has requested assistance from Xthe PGP Moose daemon. In this example you can Xsee that the authentication carries the name of Xthe authenticating program, a protocol version Xnumber, an identifier of the type of digital Xsignature (currently only PGP) and the name of Xthe newsgroup in question. These, as well as the XFrom:, Subject: and Message-Id: lines, the list Xof newsgroups, and the non-blank lines of the Xmessage itself, are used as input to the PGP Xprogram to generate a signature. X XThe lines of the message body are preprocessed in Xa way that is meant to render harmless any mangling Xthat a typical news system might do to the article. XThe article itself is not changed, only the input Xto the signature generation. If a news system Xsubsequently mangles the article in a "norma" way, Xfor instance by inserting a ">" in front of a line Xstarting with "From", it will still pass the signature Xcheck. X XThe list of newsgroups must be handled specially, Xso that an article posted to multiple moderated Xcontrolled newsgroups can be appropriately Xhandled. See below for a more detailed treatment Xof the issues of posting to multiple moderated Xnewsgroups. X XThe PGP signature is then inserted into the XX-Auth: header, mostly so that it won't Xinterfere with, or be confused with, any signature Xin the body of the message. X XAnybody can check whether the message has been Xmodified in any significant way, simply by running Xthe PGP Moose Approval Checking program "pmcheck". XMore importantly, though, the sites running the PGP XMoose Checking Daemon will be doing this automatically Xfor every posting to the registered newsgroups, or Xfrom the registered users. And, if a posting fails Xthe checks, it may be automatically cancelled, and Xa notification sent to the moderator. (Initially, Xthe automatic cancellation will be disabled, since Xit is a pretty powerful sledgehammer, but that is Xthe intention anyway.) X XThis software is made freely available for just Xabout any purpose, but I've retained copyright so Xas to keep some semblance of involvement. See the Xlast section of this file. X X XThe Bits: X--------- X XThe approval and checking part of the PGP Moose Xconsists of a number of Bourne Shell scripts calling Xstandard Unix utilities and PGP. I could have used Xperl more elegantly, but this stuff is marginally Xmore widely available. If there are Unix version Xdependencies, they should be considered to be bugs Xand I'll happily attempt to remove them. X Xpmapp usage: pmapp [newsgroup|user] [file] X X This script takes the not-yet-posted X article, specified either by filename or X from standard input, and creates a X signature for it, which is then inserted X in the X-Auth: header. The article, X ready for posting, appears on the standard X output. X X In the configuration section at the top of X the script, the moderator may build in the X default name of the newsgroup or user, PGP X User Id to be used for the signature, and X the corresponding password. This is simply X for convenience, since spammers are not so X likely to go cracking the computer to get X the password, and it is a relatively simple X matter to generate a new user if it is, X indeed, compromised. For the paranoid, like X myself, if the password is not configured X into the script it is read from the terminal X instead. X Xpmcheck usage: pmcheck [newsgroup|user] [article] X X This script takes the article, specified X either by filename or from standard X input, and checks that the X X-Auth: line is something it X considers to be correct and that the X article has not been tampered with. X Pmcheck returns successfully if X everything checks out. Otherwise it will X return failure and issue one of a number X of error messages, for example: X X Posting for $NEWSGROUP not approved with PGP Moose. X Invalid designated signature from $GROUP X No public key for signature $GROUP X Signature doesn't match $FILE for $GROUP X '$SIG' not accepted for $GROUP. X X Anybody can run pmcheck. It behaves slightly X differently depending on the existence of X a file called (by default) X PGP_Moose_accept, and the presence or X absence of a newsgroup or user argument. X This file, if it exists, should contain X lines with a newsgroup name or email address, X some whitespace, and the PGP User Id approved X by the moderator or user (usually made up X specifically for this purpose). Multiple X lines for the same newsgroup/user are allowed. X For example: X X sci.crypt.research moderator X sci.crypt.research moderator X ggr@sydney.sterling.com Greg's News X X If such a file exists, and a specific X newsgroup or user is specified, pmcheck is silent X if all is well, and issues the last of the X error messages above if everything else X was all right but the signature was from X the wrong person. There must, in this X case, be a signature applying to the X designated newsgroup or user. X X Without such a file, or if no specific X newsgroup or user is given, all the signatures X in the article are checked. In this case X it is not considered an error if the signature X cannot be checked due to a missing public X key. If each signature is otherwise valid X you will get a message like: X X Valid signature from '$SIG'. X X In any case, if there is a problem with a X signature mentioned in the PGP_Moose_accept X file, it will be reported and an error status X will be returned. X Xpmcanon Xpmnewsgroups X These two scripts are used by pmapp and X pmcheck to recreate the exact input for X the signature, and to extract the list of X newsgroups in the header, respectively. X More documentation is in their manual X pages. X XThe PGP Moose checking daemon is packaged Xseparately, as there would not seem to be a lot Xof value in having too many people running it. XAccordingly, I was less precise in making it run Xabsolutely everywhere. It requires the Korn shell Xor equivalent, and perl, and currently only Xinterfaces to INN. I expect it would be easy to Xinterface it to CNews, but I don't have one. X Xpmdaemon X Runs pmcheck to check the X-Auth: header X for each controlled newsgroup for each X article that arrives in an appropriate X newsgroup. Mail is sent about any errant X articles, and automatic cancellation may X be enabled. X Xpmcancel X prepares a cancellation message based on X the headers of another message. X XWhen (if) I get a chance, I will create mail Xserver scripts that allow moderators who are not Xusing Unix to use these facilities. The first Xallows a moderator to mail a PGP signed copy of Xthe article to be posted. The server will then Xverify that the moderator sent it, and post it Xwith a (different but corresponding) approval. XThe second will accept an article and return Xsomething that you can check the signature on. XEither way, any moderator will still need PGP. X X XHow Do You Register For The Service? X------------------------------------ X XAhhh, this is the hard part. After all, it would Xbe pretty undesirable if someone, meaning well, Xtook any old body's word for it that some Ximportant moderated group should start working Xthis way, before the moderator was able to start Xapproving postings. A great way to hijack a Xnewsgroup. Similarly for hijacking some other Xuser's postings (tempting though it might be :-). X XAnother possibility is that someone, having seen Xwhat the valid signature looks like, simply Xcreates a whole new PGP key that happens to have Xthe same PGP User ID. Then they can sign and post Xstuff too. X XThe solution to both of these problems is the Xclassical one for public key systems. You need Xeither a certifying authority or the PGP Web of XTrust. We're using the Web of Trust. If you don't Xunderstand about PGP and the Web of Trust, go away Xnow and come back after you really do understand Xit. X XFor each newsgroup that wants to utilise this Xprogram, the moderator will have to create a Xspecial PGP key pair (preferably 512 bits to keep Xthe X-Auth: down to two full lines), and sign it. They Xmust then establish a path of trust to someone Xwho is running the PGP Moose server. It will be Xup to the administrator of that server to make Xsure that only trusted moderators' keys ever get Xinto the server's keyring. X XTHERE CAN BE NO SHORTCUTS TO THIS PROCEDURE. XOtherwise we are all back where we started. X XIn the case of an individual user, again you should Xestablish this verification path to one of the Xadministrators of the PGP Moose service. Contact Xme (ggr@usenix.org) for the time Xbeing to mutually figure out how to do this. X X XHandling Multiple Moderated Groups: X---------------------------------- X XWhen I first proposed this tool, I was under the Ximpression that postings to multiple moderated Xgroups was an abberation that should be stamped Xout. This turns out not to be the case, and Xrevisions to support this have been the cause of Xsome delay in the deployment of this tool. X XWhen the news system sees that an article has been Xposted to one or more moderated groups, it checks Xfor an Approved: header. If the header exists, the Xarticle is accepted and processed normally, Xotherwise it is mailed to the moderator of the Xfirst moderated newsgroup mentioned in the XNewsgroups: header. There seem to be three cases of Xinterest. X XThe trivial case, and the most normal one, is Xthat there is only one moderated newsgroup Xmentioned. The moderator approves the posting, and Xit is done. X XThe next, and probably most important, case, is Xwhen a moderator wants to cross-post a FAQ to Xtheir own group, as well as news.answers (for Xexample). In this case their approval counts for Xboth groups, so they can insert the Approved: Xheader and post away. Presumably the other groups Xare not under the control of the PGP Moose Daemon. XIn this case the moderator can just go ahead and Xput in the Approved: header, and save themself Xand pmapp a lot of time. It will be passed right Xthrough. X XThe other case is harder to get right. This is when Xthe article really is meant to be posted to two (or Xmore) unrelated moderated newsgroups. Now, if the Xfirst moderated group's moderator approves the Xposting, the other ones never hear about the article, Xat all. If this second group is controlled by the XPGP Moose an automatic cancel will be generated. So Xit becomes very important for the moderators to do Xwhat they should have been doing already, namely Xforward the article to the next moderator. This tool Xcan't help people who don't use it, but it provides Xsome support for those who do. X XThe approval script checks whether there are any Xmoderated newsgroups left that don't have XX-Auth: headers for them. If there are Xnone left, an Approved: header is inserted and the Xarticle gets posted. Otherwise, it issues a warning, Xand re-orders the newsgroups header with a newsgroup Xwhich is moderated but has no X-Auth: line Xat the start. When the article is posted, the news Xsystem will forward it to the moderator of the (new) Xfirst moderated group. If all moderators are sensible, Xand check for moderated newsgroups in this fashion, Xthe mess should sort itself out and the last moderator Xwill go ahead and post it. A warning nessage to Xthe subsequent moderator NOT to change the Xarticle is also inserted, since such a Xmodification would invalidate the previous Xsignatures.. X XTo ease this process, a second type of XX-Auth: header is supported. this has Xthe form: X X X-Auth: None ... Newsgroup X XThe important fact about this is that Xthe newsgroup appears last on the line, allowing a Xsort of partial approval, from moderators who Xdon't use the PGP Moose. X XThe Newsgroups: line is split into a sorted list Xof newsgroups for the purpose of generating the Xdigital signature. Note that this means that once Xan article has been approved and authenticated by Xone moderator, it cannot be altered in any way by Xa moderator of a subsequent group, including Xaltering the set of newsgroups mentioned in the XNewsgroups: header, the body of the posting, or Xthe other headers mentioned above. X X XPossible Problems We've Forseen: X-------------------------------- X XIf an article is truly mangled e.g. by truncation, it Xwill fail the authentication and be cancelled. XUntil it is demonstrated otherwise, this is Xassumed to be a rare and minor problem. When a Xcancel is issued, mail is sent to the moderator of Xthe group telling them, and they can tell us if it Xbecomes a problem. (In the initial deployment we Xexpect that no automatic cancels will actually be Xgenerated, only the notification mail will be Xsent.) X XCurrently the signature produced is assumed to be Xa PGP version 2.6 compatible one. X X XStatus: X------- X XThese scripts are implemented already, or as noted Xabove. They are undergoing beta testing and as soon Xas they have settled they will be made available Xvia anonymous FTP and posting to comp.sources.misc Xand sci.crypt.research and the moderators' list. X XIn the meantime, if you want to use the tools, or Xparticularly if you want to run a PGP Moose Xchecking daemon, contact me (ggr@usenix.org). X X XObtaining, installing, configuring: X----------------------------------- X XI regret that I don't have a public ftp site, but XI do have a web page where you can get a Xcompressed tar archive of the approval code. It is X Xoff my home page. X XIt is hard to talk in detail about installation Xand configuration, since many users are not in Xcharge of their own news server configuration. In Xmy case, I run all of the things out of a Xsubdirectory of my home directory. The only Xthing outside this area which must be changed is Xthe INN newsfeeds file, if you are running the Xchecking daemon. So, get the distribution file as Xabove and unpack it whereever you want it to live. X XThere are configuration sections at the top of Xpmcheck, pmapp and pmdaemon. I like to think that Xthey are relatively self-explanatory. One of the Xharder decisions is whether to use a separate Xkeyring for PGP Moose applications or not. It is Xvery strongly recommended that you do, if you are Xgoing to run the PGP Moose checking daemon, as Xthe keyring files will need to be readable by the Xuserid which INN runs under (usually "news"). XMost of these options can also be overridden by Xenvironment variables or command arguments, so it Xis possible to leave the scripts unmodified and Xsimply put a wrapper around them (which is what I Xdo). X XIn the case of pmapp, the newsgroup or user that Xthe authentication applies to can be specified on Xthe command itself; The PGP user id and password, Xand the Approved: header's contents, can be Xspecified by environment variables PMUSER, XPMPASSWORD and APP, respectively. X XFor pmcheck, the important one is the name of the Xconfiguration file specifying which signatures Xare valid for which newsgroups or users. X XPmdaemon runs from INN, and needs some special Xcare to set it up. "news" needs access permission Xto the directory and files for PGP Moose, and Xalso read permission on the public keyring. Note Xthat PGP creates keyrings with only owner Xpermissions. The search path is rarely correct, Xand should be set at the top of the pmdaemon Xscript. There are also a number of file names and Xmail addresses, but the comments should be clear Xenough. X XLastly, you want to incorporate pmapp in your Xmoderation script and possibly your posting Xscript. In my case, the last line of my posting Xscript basically said X X /usr/local/news/inews -S -h Xregarding how to donate. You can do it over the Xnet using PGP! I probably also should thank the Xmany people who have worked hard to bring Xencryption back out of the black chambers. Some Xnames which directly come to mind are Diffie, XHellman, Merkle, Rivest, Shamir, Adelman, Lai, XMassey, and probably many others. X XShare and Enjoy! X X XLicense Terms: X------------- X XThis software is copyrighted by Greg Rose, RoSecure XSoftware, and other parties. The following terms Xapply to all files associated with the software Xunless explicitly disclaimed in individual Xfiles. X XThe authors hereby grant permission to use, copy, Xmodify, distribute, and license this software and Xits documentation for any purpose, provided that Xexisting copyright notices are retained in all Xcopies and that this notice is included verbatim Xin any distributions. No written agreement, Xlicense, or royalty fee is required for any of Xthe authorized uses. Modifications to this Xsoftware may be copyrighted by their authors and Xneed not follow the licensing terms described Xhere, provided that the new terms are clearly Xindicated on the first page of each file where Xthey apply. X XIN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE XLIABLE TO ANY PARTY FOR DIRECT, INDIRECT, XSPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES XARISING OUT OF THE USE OF THIS SOFTWARE, ITS XDOCUMENTATION, OR ANY DERIVATIVES THEREOF, EVEN XIF THE AUTHORS HAVE BEEN ADVISED OF THE XPOSSIBILITY OF SUCH DAMAGE. X XTHE AUTHORS AND DISTRIBUTORS SPECIFICALLY XDISCLAIM ANY WARRANTIES, INCLUDING, BUT NOT XLIMITED TO, THE IMPLIED WARRANTIES OF XMERCHANTABILITY, FITNESS FOR A PARTICULAR XPURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE IS XPROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND XDISTRIBUTORS HAVE NO OBLIGATION TO PROVIDE XMAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR XMODIFICATIONS. X X XVersion: X------- X X@(#)README 1.6 (PGPMoose) 95/10/21 END-of-pgpmoose-1/pkg/DESCR echo x - pgpmoose-1/pkg/PLIST sed 's/^X//' >pgpmoose-1/pkg/PLIST << 'END-of-pgpmoose-1/pkg/PLIST' Xbin/pmapp Xbin/pmcanon Xbin/pmcheck Xbin/pmnewsgroups Xbin/pmdaemon Xbin/pmcancel Xman/man1/pmapp.1.gz Xman/man1/pmcanon.1.gz Xman/man1/pmcheck.1.gz Xman/man1/pmnewsgroups.1.gz Xman/man1/pmdaemon.1.gz Xman/man1/pmcancel.1.gz END-of-pgpmoose-1/pkg/PLIST echo x - pgpmoose-1/files/md5 sed 's/^X//' >pgpmoose-1/files/md5 << 'END-of-pgpmoose-1/files/md5' XMD5 (PGPMoose.tar.Z) = befe79f6f1583b4b0d7fc0f84344f6a6 END-of-pgpmoose-1/files/md5 echo x - pgpmoose-1/Makefile sed 's/^X//' >pgpmoose-1/Makefile << 'END-of-pgpmoose-1/Makefile' X# New ports collection makefile for: pgpmoose X# Version required: 1 X# Date created: 28 Nov 1997 X# Whom: dirk.meyer@dinoex.sub.org X# X# $Id$ X XDISTNAME= PGPMoose XPKGNAME= pgpmoose-1 XCATEGORIES= news security XMASTER_SITES= http://www.usenix.org/~ggr/ \ X ftp://ftp.dinoex.sub.de/pub/approved/ XEXTRACT_SUFX= .tar.Z X XMAINTAINER= dirk.meyer@dinoex.sub.org X XMAN1= pmapp.1 pmcanon.1 pmcheck.1 pmnewsgroups.1 \ X pmdaemon.1 pmcancel.1 XBIN1= pmapp pmcanon pmcheck pmnewsgroups \ X pmdaemon pmcancel X XWRKSRC= ${WRKDIR} XSTRIP= X Xdo-install: X.for i in ${BIN1} X @${INSTALL_PROGRAM} ${WRKSRC}/${i} ${PREFIX}/bin X.endfor X.for i in ${MAN1} X ${INSTALL_MAN} ${WRKSRC}/${i} ${PREFIX}/man/man1 X.endfor X X.include END-of-pgpmoose-1/Makefile exit