From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Oct 27 02:20:02 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4FDFB106567C for ; Mon, 27 Oct 2008 02:20:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2DB4C8FC0C for ; Mon, 27 Oct 2008 02:20:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id m9R2K2sX018944 for ; Mon, 27 Oct 2008 02:20:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id m9R2K2QG018943; Mon, 27 Oct 2008 02:20:02 GMT (envelope-from gnats) Resent-Date: Mon, 27 Oct 2008 02:20:02 GMT Resent-Message-Id: <200810270220.m9R2K2QG018943@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Antoine Beaupre Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C78B106569B for ; Mon, 27 Oct 2008 02:17:17 +0000 (UTC) (envelope-from anarcat@lethe.koumbit.net) Received: from lethe.koumbit.net (modemcable028.26-70-69.static.videotron.ca [69.70.26.28]) by mx1.freebsd.org (Postfix) with ESMTP id C8DE68FC12 for ; Mon, 27 Oct 2008 02:17:16 +0000 (UTC) (envelope-from anarcat@lethe.koumbit.net) Received: by lethe.koumbit.net (Postfix, from userid 1000) id 77A1A1707C; Sun, 26 Oct 2008 21:44:44 -0400 (EDT) Message-Id: <20081027014444.77A1A1707C@lethe.koumbit.net> Date: Sun, 26 Oct 2008 21:44:44 -0400 (EDT) From: Antoine Beaupre To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: ports/128406: New port: security/monkeysphere X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Antoine Beaupre List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2008 02:20:02 -0000 >Number: 128406 >Category: ports >Synopsis: New port: security/monkeysphere >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Oct 27 02:20:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Antoine Beaupre >Release: FreeBSD 6.3-RELEASE-p1 i386 >Organization: Koumbit >Environment: System: FreeBSD lethe.koumbit.net 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Mon Mar 24 16:30:04 EDT 2008 anarcat@lethe.koumbit.net:/usr/obj/usr/src/sys/LETHE6 i386 >Description: SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users. WWW: http://web.monkeysphere.info/ >How-To-Repeat: >Fix: I include the .shar for the port tree, but also the required patches to UIDs and GIDs. # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # monkeysphere # monkeysphere/files # monkeysphere/files/patch-etclocation # monkeysphere/files/patch-sharelocation # monkeysphere/files/patch-varlocation # monkeysphere/distinfo # monkeysphere/pkg-descr # monkeysphere/pkg-deinstall # monkeysphere/pkg-install # monkeysphere/pkg-plist # monkeysphere/Makefile # echo c - monkeysphere mkdir -p monkeysphere > /dev/null 2>&1 echo c - monkeysphere/files mkdir -p monkeysphere/files > /dev/null 2>&1 echo x - monkeysphere/files/patch-etclocation sed 's/^X//' >monkeysphere/files/patch-etclocation << 'END-of-monkeysphere/files/patch-etclocation' Xdiff --git etc/monkeysphere-server.conf etc/monkeysphere-server.conf Xindex c001f2d..d33fd36 100644 X--- etc/monkeysphere-server.conf X+++ etc/monkeysphere-server.conf X@@ -17,7 +17,7 @@ X # authorized_keys file. '%h' will be replaced by the home directory X # of the user, and %u will be replaced by the username of the user. X # For purely admin-controlled authorized_user_ids, you might put them X-# in /etc/monkeysphere/authorized_user_ids/%u X+# in /usr/local/etc/monkeysphere/authorized_user_ids/%u X #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" X X # Whether to add user controlled authorized_keys file to Xdiff --git man/man1/monkeysphere.1 man/man1/monkeysphere.1 Xindex 3ece735..09320d2 100644 X--- man/man1/monkeysphere.1 X+++ man/man1/monkeysphere.1 X@@ -111,7 +111,7 @@ Path to ssh authorized_keys file (~/.ssh/authorized_keys). X ~/.monkeysphere/monkeysphere.conf X User monkeysphere config file. X .TP X-/etc/monkeysphere/monkeysphere.conf X+/usr/local/etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. X .TP X ~/.monkeysphere/authorized_user_ids Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 Xindex f207e2c..360408e 100644 X--- man/man8/monkeysphere-server.8 X+++ man/man8/monkeysphere-server.8 X@@ -203,10 +203,10 @@ User to control authentication keychain (monkeysphere). X .SH FILES X X .TP X-/etc/monkeysphere/monkeysphere-server.conf X+/usr/local/etc/monkeysphere/monkeysphere-server.conf X System monkeysphere-server config file. X .TP X-/etc/monkeysphere/monkeysphere.conf X+/usr/local/etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. X .TP X /var/lib/monkeysphere/authorized_keys/USER X--- src/common.orig 2008-10-12 14:58:00.000000000 -0400 X+++ src/common 2008-10-25 17:40:34.000000000 -0400 X@@ -16,7 +16,7 @@ X ### COMMON VARIABLES X X # managed directories X-SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} X+SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/usr/local/etc/monkeysphere"} X export SYSCONFIGDIR X X ######################################################################## END-of-monkeysphere/files/patch-etclocation echo x - monkeysphere/files/patch-sharelocation sed 's/^X//' >monkeysphere/files/patch-sharelocation << 'END-of-monkeysphere/files/patch-sharelocation' X--- src/monkeysphere.orig 2008-10-12 14:58:00.000000000 -0400 X+++ src/monkeysphere 2008-10-25 17:41:41.000000000 -0400 X@@ -13,7 +13,7 @@ X ######################################################################## X PGRM=$(basename $0) X X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X X--- src/monkeysphere-server.orig 2008-10-25 14:17:50.000000000 -0400 X+++ src/monkeysphere-server 2008-10-25 17:42:50.000000000 -0400 X@@ -13,7 +13,7 @@ X ######################################################################## X PGRM=$(basename $0) X X-SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} X+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/local/share/monkeysphere"} X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X END-of-monkeysphere/files/patch-sharelocation echo x - monkeysphere/files/patch-varlocation sed 's/^X//' >monkeysphere/files/patch-varlocation << 'END-of-monkeysphere/files/patch-varlocation' Xdiff --git man/man8/monkeysphere-server.8 man/man8/monkeysphere-server.8 Xindex f207e2c..29c7b6a 100644 X--- man/man8/monkeysphere-server.8 X+++ man/man8/monkeysphere-server.8 X@@ -128,7 +128,7 @@ command to push the key to a keyserver. You must also modify the X sshd_config on the server to tell sshd where the new server host key X is located: X X-HostKey /var/lib/monkeysphere/ssh_host_rsa_key X+HostKey /var/monkeysphere/ssh_host_rsa_key X X In order for users logging into the system to be able to verify the X host via the monkeysphere, at least one person (e.g. a server admin) X@@ -170,7 +170,7 @@ users. You must also tell sshd to look at the monkeysphere-generated X authorized_keys file for user authentication by setting the following X in the sshd_config: X X-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u X+AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u X X It is recommended to add "monkeysphere-server update-users" to a X system crontab, so that user keys are kept up-to-date, and key X@@ -209,17 +209,17 @@ System monkeysphere-server config file. X /etc/monkeysphere/monkeysphere.conf X System-wide monkeysphere config file. X .TP X-/var/lib/monkeysphere/authorized_keys/USER X+/var/monkeysphere/authorized_keys/USER X Monkeysphere-generated user authorized_keys files. X .TP X-/var/lib/monkeysphere/ssh_host_rsa_key X+/var/monkeysphere/ssh_host_rsa_key X Copy of the host's private key in ssh format, suitable for use by X sshd. X .TP X-/var/lib/monkeysphere/gnupg-host X+/var/monkeysphere/gnupg-host X Monkeysphere host GNUPG home directory. X .TP X-/var/lib/monkeysphere/gnupg-authentication X+/var/monkeysphere/gnupg-authentication X Monkeysphere authentication GNUPG home directory. X X .SH AUTHOR Xdiff --git doc/getting-started-admin.mdwn doc/getting-started-admin.mdwn Xindex 6c8ad53..67fdda1 100644 X--- doc/getting-started-admin.mdwn X+++ doc/getting-started-admin.mdwn X@@ -30,7 +30,7 @@ To use the newly-generated host key for ssh connections, put the X following line in `/etc/ssh/sshd_config` (be sure to remove references X to any other keys): X X- HostKey /var/lib/monkeysphere/ssh_host_rsa_key X+ HostKey /var/monkeysphere/ssh_host_rsa_key X X FIXME: should we just suggest symlinks in the filesystem here instead? X X@@ -40,7 +40,7 @@ To enable users to use the monkeysphere to authenticate using the X OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again, X making sure that no other AuthorizedKeysFile directive exists): X X- AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u X+ AuthorizedKeysFile /var/monkeysphere/authorized_keys/%u X X And then read the section below about how to ensure these files are X maintained. You'll need to restart `sshd` to have your changes take X--- src/monkeysphere-server.orig 2008-10-25 18:01:19.000000000 -0400 X+++ src/monkeysphere-server 2008-10-25 18:01:24.000000000 -0400 X@@ -17,7 +17,7 @@ X export SYSSHAREDIR X . "${SYSSHAREDIR}/common" || exit 1 X X-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} X+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/monkeysphere"} X export SYSDATADIR X X # UTC date in ISO 8601 format if needed X--- etc/gnupg-authentication.conf.orig 2008-10-25 18:02:58.000000000 -0400 X+++ etc/gnupg-authentication.conf 2008-10-25 18:03:04.000000000 -0400 X@@ -4,8 +4,8 @@ X # It is highly recommended that you X # DO NOT MODIFY X # these variables. X-primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg X-keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg X+primary-keyring /var/monkeysphere/gnupg-authentication/pubring.gpg X+keyring /var/monkeysphere/gnupg-host/pubring.gpg X X # PGP keyserver to use for PGP queries. X keyserver hkp://pgp.mit.edu END-of-monkeysphere/files/patch-varlocation echo x - monkeysphere/distinfo sed 's/^X//' >monkeysphere/distinfo << 'END-of-monkeysphere/distinfo' XMD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49 XSHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7 XSIZE (monkeysphere_0.16.orig.tar.gz) = 66062 END-of-monkeysphere/distinfo echo x - monkeysphere/pkg-descr sed 's/^X//' >monkeysphere/pkg-descr << 'END-of-monkeysphere/pkg-descr' XSSH key-based authentication is tried-and-true, but it lacks a true XPublic Key Infrastructure for key certification, revocation and Xexpiration. Monkeysphere is a framework that uses the OpenPGP web of Xtrust for these PKI functions. It can be used in both directions: for Xusers to get validated host keys, and for hosts to authenticate users. X XWWW: http://web.monkeysphere.info/ END-of-monkeysphere/pkg-descr echo x - monkeysphere/pkg-deinstall sed 's/^X//' >monkeysphere/pkg-deinstall << 'END-of-monkeysphere/pkg-deinstall' X#!/bin/sh X X# a package removal script for monkeysphere (borrowing from X# monkeysphere's debian/monkeysphere.postrm) X X# Author: Daniel Kahn Gillmor X# Copyright 2008 X X# FIXME: is /var/lib/monkeysphere the right place for this stuff on X# FreeBSD? XVARLIB="/var/monkeysphere" X X Xcase $2 in XPOST-DEINSTALL) X USER=monkeysphere X# FIXME: This doesn't do anything! Under what circumstances do we X# want to actually automatically purge all of /var/monkeysphere? X X# (note: FreeBSD does not seem to want the package-specific user to be X# purged at package removal) X if pw user show "${USER}" 2>/dev/null >/dev/null; then X echo "Warning: If you will *NOT* use this package anymore, please remove the monkeysphere user manually." X fi X if [ -d "$VARLIB" ] ; then X echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB" X fi X;; Xesac END-of-monkeysphere/pkg-deinstall echo x - monkeysphere/pkg-install sed 's/^X//' >monkeysphere/pkg-install << 'END-of-monkeysphere/pkg-install' X#!/bin/sh X X# an installation script for monkeysphere (borrowing liberally from X# postgresql and mysql pkg-install scripts, and from monkeysphere's X# debian/monkeysphere.postinst) X X# Author: Daniel Kahn Gillmor X# Copyright 2008 X X# FIXME: is /var/lib/monkeysphere the right place for this stuff on X# FreeBSD? X X# PostgreSQL puts its data in /usr/local/pgsql/data X X# MySQL puts its data in /var/db/mysql X XVARLIB="/var/monkeysphere" X Xcase $2 in XPOST-INSTALL) X USER=monkeysphere X GROUP=${USER} X UID=641 X GID=${UID} X SHELL=/usr/local/bin/bash X X if pw group show "${GROUP}" >/dev/null 2>&1; then X echo "You already have a group \"${GROUP}\", so I will use it." X else X if pw groupadd ${GROUP} -g ${GID}; then X echo "Added group \"${GROUP}\"." X else X echo "Adding group \"${GROUP}\" failed..." X exit 1 X fi X fi X X if pw user show "${USER}" >/dev/null 2>&1; then X oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:` X if [ x"$oldshell" != x"$SHELL" ]; then X echo "You already have a \"${USER}\" user, but its shell is '$oldshell'." X echo "This package requires that \"${USER}\"'s shell be '$SHELL'." X echo "You should fix this by hand and then re-install the package." X echo " hint: pw usermod '$USER' -s '$SHELL'" X exit 1 X fi X echo "You already have a user \"${USER}\" with the proper shell, so I will use it." X else X if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \ X -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphere authentication user,,," X then X echo "Added user \"${USER}\"." X else X echo "Adding user \"${USER}\" failed..." X exit 1 X fi X fi X X ## set up the cache directories: X X install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host X cat < "$VARLIB"/gnupg-host/gpg.conf Xlist-options show-uid-validity XEOF X X install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication X# install authentication gpg.conf X cat < "$VARLIB"/gnupg-authentication/gpg.conf Xlist-options show-uid-validity Xprimary-keyring $VARLIB/gnupg-authentication/pubring.gpg Xkeyring $VARLIB/gnupg-host/pubring.gpg XEOF X chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf X X monkeysphere-server diagnostics X ;; Xesac END-of-monkeysphere/pkg-install echo x - monkeysphere/pkg-plist sed 's/^X//' >monkeysphere/pkg-plist << 'END-of-monkeysphere/pkg-plist' Xsbin/monkeysphere-server Xshare/doc/monkeysphere/TODO Xshare/doc/monkeysphere/MonkeySpec Xshare/doc/monkeysphere/getting-started-user.mdwn Xshare/doc/monkeysphere/getting-started-admin.mdwn Xbin/openpgp2ssh Xbin/monkeysphere-ssh-proxycommand Xbin/monkeysphere Xshare/monkeysphere/common X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi Xetc/monkeysphere/monkeysphere.conf.sample X@exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi X@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-server.conf.sample %D/etc/monkeysphere/monkeysphere-server.conf; then rm -f %D/etc/monkeysphere/monkeysphere-server.conf; fi Xetc/monkeysphere/monkeysphere-server.conf.sample X@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-server.conf ] ; then cp -p %D/%F %B/monkeysphere-server.conf; fi X@dirrm share/doc/monkeysphere X@dirrm share/monkeysphere X@dirrm etc/monkeysphere END-of-monkeysphere/pkg-plist echo x - monkeysphere/Makefile sed 's/^X//' >monkeysphere/Makefile << 'END-of-monkeysphere/Makefile' X# New ports collection makefile for: monkeysphere X# Date created: 2008-09-11 23:38:27-0400 X# Whom: Daniel Kahn Gillmor X# X# $FreeBSD$ X# X XPORTNAME= monkeysphere XPORTVERSION= 0.16 XCATEGORIES= security XMASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ X# hack for debian orig tarballs XDISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz X XMAINTAINER= anarcat@anarcat.ath.cx XCOMMENT= use the OpenPGP web of trust to verify ssh connections X XLIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls XRUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \ X gpg:${PORTSDIR}/security/gnupg \ X lockfile:${PORTSDIR}/mail/procmail \ X /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \ X bash:${PORTSDIR}/shells/bash X XMAN1= monkeysphere.1 openpgp2ssh.1 monkeysphere-ssh-proxycommand.1 XMAN7= monkeysphere.7 XMAN8= monkeysphere-server.8 XMANCOMPRESSED= yes X XMAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample X X# get rid of cruft after the patching: Xpost-patch: X find . -iname '*.orig' -delete X Xpost-install: X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \ X fi X @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ]; then \ X ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-server.conf ; \ X fi X.if !defined(PACKAGE_BUILDING) X @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL X.endif X Xpost-deinstall: X @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL X X.include END-of-monkeysphere/Makefile exit --- /usr/ports/UIDs 2008-09-10 20:30:08.000000000 -0400 +++ UIDs 2008-10-26 21:00:36.000000000 -0400 @@ -132,6 +132,7 @@ pulse:*:563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin _xsi:*:600:600::0:0:XMLSysInfo User:/nonexistent:/usr/sbin/nologin _pla:*:636:80::0:0:phpLDAPAdmin Owner:/nonexistent:/usr/sbin/nologin +monkeysphere:*:641:641:monkeysphere authentication user,,,:/var/monkeysphere:/usr/local/bin/bash bnetd:*:700:700::0:0:Bnetd user:/nonexistent:/usr/sbin/nologin bopm:*:717:717::0:0:Blitzed Open Proxy Monitor:/nonexistent:/bin/sh openxpki:*:777:777::0:0:OpenXPKI Owner:/nonexistent:/usr/sbin/nologin --- /usr/ports/GIDs 2008-09-08 16:09:59.000000000 -0400 +++ GIDs 2008-10-26 21:00:51.000000000 -0400 @@ -121,6 +121,7 @@ pulse:*:563: pulse-access:*:564: _xsi:*:600: +monkeysphere:*:641: bnetd:*:700: bopm:*:717: openxpki:*:777: >Release-Note: >Audit-Trail: >Unformatted: