News
Here are the latest announcements about the Monkeysphere.
Version 0.2 of the Perl implementation of the Monkeysphere Validation Agent has been released.
Notes from the changelog:
* can now be invoked with a sub-command; will run until subcommand
completes, and then terminate with the same return code (this is
similar to the ssh-agent technique, and enables inclusion in
Xsession.d; see monkeysphere 0.29 package for automatic startup).
* chooses arbitrary open port by default (can still be specified with
MSVA_PORT environment variable)
* minimized logging spew by default.
* now shipping README.schema (notes about possible future MSVA
implementations)
* cleanup Makefile and distribution strategies.
Monkeysphere 0.29 has been released.
Notes from the changelog:
* This is mainly a bugfix release
* Fix man page typo about monkeysphere authorized_keys location
* Monkeysphere should work properly even if the user has "armor" in
their gpg.conf (closes MS #1625)
* monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER
environment variable (and defaults to true)
* introduce monkeysphere sshfprs-for-userid (deprecates sshfpr), closes
MS #1436
* respect CHECK_KEYSERVER in more places (closes MS #1997)
* warn on keyserver failures for monkeysphere-authentication (closes MS
#1750)
* avoid checking trustdb for monkeysphere-host (closes MS #1957)
* allow monkeysphere-authentication to use hkps with trusted X.509 root
certificate authorities in
/etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt
Download it now!
Monkeysphere 0.28 has been released.
Notes from the changelog:
* Major rework of monkeysphere-host to handle multiple host keys. We
also no longer assume ssh service keys. monkeysphere-host is now a
general-purpose host service OpenPGP key management UI.
* Rename keys-from-userid command to more accurate keys-for-userid
* separate upstream and debian changelogs
Download it now!
Monkeysphere 0.27-1 has been released.
Notes from the changelog:
* New upstream release:
- fixed monkeysphere gen-subkey subcommand that was erroneously
creating DSA subkeys due to unannounced change in gpg edit-key UI.
Now tests for gpg version (closes MS #1536)
- add new monkeysphere keys-from-userid subcommand to output all
acceptable keys for a given user ID literal
* updated debian/copyright to match the latest revision of DEP5.
* updated standards version to 3.8.3 (no changes needed)
* add cpio to Build-Depends (used in test suite) (Closes: #562444)
Download it now!
Monkeysphere 0.26-1 has been released.
Notes from the changelog:
* New upstream release:
- add 'refresh-keys' subcommand to monkeysphere-authentication
- improve marginal UI (closes MS #1141)
- add MONKEYSPHERE_STRICT_MODES configuration to avoid
permission-checking (closes MS #649)
- test scripts use STRICT_MODES to avoid failure when built under /tmp
(Closes: #527765)
- do permissions checks with a perl script instead of non-portable
readlink GNUisms
- bail on permissions check if we hit the home directory (helpful on
Mac OS and other systems with loose /home or /Users (closes MS #675)
Download it now!
Monkeysphere 0.25-1 has been released.
Notes from the changelog:
* New upstream release:
- update/fix the marginal ui output
- use msmktempdir everywhere (avoid unwrapped calls to mktemp for
portability)
- clean out some redundant "cat"s
- fix monkeysphere update-known_hosts for sshd running on non-standard
ports
- add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key
- pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1
(changes dependency to libdigest-sha-perl)
- some portability improvements
- properly handle translation of keys with fingerprints with leading
all-zero bytes.
- resolve symlinks when checking paths (thanks Silvio Rhatto)
(closes MS #917)
- explicitly set and use MONKEYSPHERE_GROUP from system "groups"
(closes: #534008)
- monkeysphere-host now uses keytrans to add and revoke hostname
(closes MS #422)
* update Standard-Version to 3.8.2 (no changes needed)
Download it now!
[Monkeysphere 0.24 is now available at Backports.org. If you are running Debian stable ("Lenny"), you can install this version of the monkeysphere package by following the instructions for installing backports.
See the download page for more information.
Monkeysphere 0.24 is now available in the Debian testing distribution ("squeeze"). Monkeysphere 0.24 is our strongest release yet. If you are running Debian testing, installing the monkeysphere is now very easy:
aptitude install monkeysphere
See the download page for more information.
FreeBSD's ports tree now contains a port of the Monkeysphere, version 0.24. If you run FreeBSD, update your ports tree, and then:
cd /usr/ports/security/monkeysphere
make package
Monkeysphere 0.24-1 has been released.
Notes from the changelog:
* New upstream release:
- fixed how version information is stored/retrieved
- now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
- no longer needs base64 in PATH
- added "test" make target
- improved transitions/0.23 script so it no longer fails in common
circumstances (Closes: #517779)
- RSA only: no longer handles DSA keys
- added ability to specify subkeys to add to ssh agent with
new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
* update/cleanup maintainer scripts
* remove GnuTLS dependency
* remove versioned coreutils | base64 dependency
* added Build-Deps for dh_autotest
* switch to Architecture: all
* added cron to Recommends
Download it now!
Monkeysphere 0.23.1-1 has been released.
Notes from the changelog:
* New Upstrem "Brown Paper Bag" Release: - adjusts internal version numbers
Download it now!
Monkeysphere 0.23-1 has been released.
Notes from the changelog:
"The Golden Bezoar Release"
* New upstream release.
* rearchitect UI:
- replace monkeysphere-server with monkeysphere-{authentication,host}
- fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
* new ability to import existing ssh host key into monkeysphere. So now
m-a import-key replaces m-s gen-key.
* provide pem2openpgp for translating unencrypted PEM-encoded raw key
material into OpenPGP keys (introduces new perl dependencies)
* get rid of getopts dependency
* added version output option
* better checks for the existence of a host private key for
monkeysphere-host subcommands that need it.
* better checks on validity of existing authentication subkeys when
doing monkeysphere gen_subkey.
* add transition infrastructure for major changes between releases (see
transitions/README.txt)
* implement and document two new monkeysphere-host subcommands:
revoke-key and add-revoker
Download it now!
A workday with several Monkeysphere contributors on 2009-01-31 resulted in a significant reorganization of the project in several areas, primarily driven by the realization that there are two fundamentally different concepts on the server side:
- publishing host keys via the Web-of-Trust (WoT), and
- authenticating users via the WoT.
For simplicity and clarity, those two concepts should be independent from each other, but earlier releases of the Monkeysphere tangled the two up together more than we probably should have.
So the next release, version 0.23 (a.k.a. The Golden Bezoar) will have the following significant changes:
user interface:
/usr/sbin/monkeysphere-serveris no more, and its functionality will be split out into/usr/sbin/monkeysphere-host(for functionality dealing with publishing the ssh host key through the WoT) and/usr/sbin/monkeysphere-authentication(for functionality dealing with authenticating users via the WoT)./usr/bin/monkeysphere-ssh-proxycommandhas been folded into/usr/bin/monkeysphereitself as a new subcommand.code: the subfunctions are now stored in their own separate files, and sourced as-needed by the three top-level commands. The test suite has also been re-written to reflect the above UI changes.
documentation: in addition to making the man pages reflect the above UI changes, we're rewriting the "getting started" documentation to use the conceptually-cleaner distinctions above.
data storage:
/var/lib/monkeysphereitself has been re-organized with the aim of keeping the host/authentication distinction clear, simplifying the internal use ofgpg, and facilitating privilege-separated access.
The Golden Bezoar will also feature the ability to painlessly publish your current ssh host key to the WoT without needing to re-key the server. If you're considering adopting the Monkeysphere in the near future, we recommend waiting for 0.23 to be released, as it should be conceptually clearer and easier to use.
The Monkeysphere has made it into Debian!
It is in Debian unstable ("sid") now, which means it won't make it into the next stable release ("lenny"), but hopefully will make it into the stable release after that ("squeeze").
Congratulations to all the work by all the monkeysphere developers, and to Micah Anderson for being our Debian sponsor.
Please feel free to start submitting bug reports to the Debian BTS.
Monkeysphere 0.22-1 has been released.
Notes from the changelog:
* New upstream release:
[ Jameson Graef Rollins ]
- added info log output when a new key is added to known_hosts file.
- added some useful output to the ssh-proxycommand for "marginal"
cases where keys are found for host but do not have full validity.
- force ssh-keygen to read from stdin to get ssh key fingerprint.
[ Daniel Kahn Gillmor ]
- automatically output two copies of the host's public key: one
standard ssh public key file, and the other a minimal OpenPGP key with
just the latest valid self-sig.
- debian/control: corrected alternate dependency from procfile to
procmail (which provides /usr/bin/lockfile)
Download it now!
Monkeysphere 0.20-1 has been released.
Notes from the changelog:
[ Daniel Kahn Gillmor ]
* ensure that tempdirs are properly created, bail out otherwise instead
of stumbling ahead.
* minor fussing with the test script to make it cleaner.
[ Jameson Graef Rollins ]
* clean up Makefile to generate more elegant source tarballs.
* make myself the maintainer.
Download it now!
Update: FreeBSD's official ports tree now contains monkeysphere 0.24.
There is now a FreeBSD port available for the Monkeysphere.
It has been built and tested (so far) on a FreeBSD 7.1 AMD64 system, installed from the BETA2 ISOs. Many thanks to Anarcat for his work in pulling this port together!
While the monkeysphere is not officially included in the ports tree yet, a problem report has been submitted, and the package itself is functional.
The latest version of the ports directory can be found in the git
repository under
packaging/freebsd/security/monkeysphere. Please let us
know if you encounter any problems with it on a FreeBSD
system.
If you have git installed on your FreeBSD system, you should be able to build the latest port with:
git clone git://git.monkeysphere.info/monkeysphere
cp -a monkeysphere/packaging/freebsd/security/monkeysphere /usr/ports/security
cd /usr/ports/security/monkeysphere
make && make install
Happy Hacking!
Monkeysphere 0.19-1 released!
Monkeysphere 0.19-1 has been released.
Notes from the changelog:
[ Daniel Kahn Gillmor ] * simulating an X11 session in the test script. * updated packaging so that symlinks to config files are correct.
Download it now!
Monkeysphere 0.18-1 released!
Monkeysphere 0.18-1 has been released.
Notes from the changelog:
[ Jameson Graef Rollins ]
* Fix bugs in authorized_{user_ids,keys} file permission checking.
* Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
files.
* chown authorized_keys files to `whoami`, for compatibility with test
suite.
* major improvements to test suite, added more tests.
[ Daniel Kahn Gillmor ]
* update make install to ensure placement of
/etc/monkeysphere/gnupg-{host,authentication}.conf
* choose either --quick-random or --debug-quick-random depending on
which gpg supports for the test suite.
Download it now!
Monkeysphere 0.17-1 released!
Monkeysphere 0.17-1 has been released.
Notes from the changelog:
[ Jameson Graef Rollins ]
* Fix some bugs in, and cleanup, authorized_keys file creation in
monkeysphere-server update-users.
* Move to using the empty string for not adding a user-controlled
authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
Download it now!
2009-04-05 UPDATE: Since Monkeysphere no longer depends on GnuTLS at all (moved to using Perl for key translation), and GnuTLS 2.6 is now available in Debian testing, we have removed the GnuTLS patches from the repostiory (although they will continue to be available in the history, or course).
We announced earlier that the Monkeysphere project was providing patched versions of GnuTLS to support one piece of Monkeysphere functionality. Fortunately, those patches are no longer needed, because as of version 2.6, GnuTLS contains the necessary functionality natively.
Therefore, our project will no longer provide patched copies of GnuTLS, though we will continue to keep the patch alive in in our git repository until GnuTLS 2.6 has been more widely adopted.
If you were pulling patched versions of GnuTLS 2.4 from the Monkeysphere archive, you may prefer to pull GnuTLS 2.6 from debian's experimental archive (at least until it GnuTLS 2.6 drops into unstable, which should happen shortly after the release of lenny.
Monkeysphere 0.16-1 released!
Monkeysphere 0.16-1 has been released.
Notes from the changelog:
[ Daniel Kahn Gillmor ]
* replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better
portability.
* fixed busted lockfile arrangement, where empty file was being locked
* portability fixes in the way we use date, mktemp, hostname, su
* stop using /usr/bin/stat, since the syntax appears to be totally
unportable
* require GNU getopt, and test for getopt failures (look for getopt in
/usr/local/bin first, since that's where FreeBSD's GNU-compatible
getopt lives.
* monkeysphere-server diagnostics now counts problems and suggests a
re-run after they have been resolved.
* completed basic test suite: this can be run from the git sources or
the tarball with: cd tests && ./basic
[ Jameson Graef Rollins ]
* Genericize fs location variables.
* break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
install.
Download it now!
MonkeySphere 0.15-1 released!
MonkeySphere 0.15-1 has been released.
From the changelog:
* porting work and packaging simplification: clarifying makefiles,
pruning dependencies, etc.
* added tests to monkeysphere-server diagnostics
* moved monkeysphere(5) to section 7 of the manual
* now shipping TODO in /usr/share/doc/monkeysphere
Download it now!
MonkeySphere 0.14-1 released!
MonkeySphere 0.14-1 has been released.
This release introduces packaging and distribution changes only, so that we can offer a clean tarball to non-debian users who might be interested.
Download it now!
MonkeySphere 0.13-1 released!
MonkeySphere 0.13-1 has been released. In this release we moved the user config directory from ~/.config/monkeysphere to ~/.monkeysphere, over concerns that the old location is not quite standard enough.
download it now!
MonkeySphere 0.12-1 released!
MonkeySphere 0.12-1 has been released. This release includes documentation updates, and a re-organized logging subsystem with various levels of verbosity, modeled after LogLevel in OpenSSH.
download it now!
The monkeysphere git repository has been moved from
git://monkeysphere.info/monkeysphere to
git://git.monkeysphere.info/monkeysphere. You'll probably want to
update your .git/config to match the official clone
target.
Apologies for any confusion or hassle this causes!
The monkeysphere APT repository has been moved from
http://monkeysphere.info/debian to
http://archive.monkeysphere.info/debian. You'll probably want to
update your sources.list to match the official lines.
The monkeysphere APT repository is also using a new archive signing key:
pub 4096R/EB8AF314 2008-09-02 [expires: 2009-09-02]
Key fingerprint = 2E8D D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314
uid [ full ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian)
Apologies for any confusion or hassle this causes!
2008-10-25 UPDATE: GnuTLS 2.6 has been released, and it contains the functionality we needed. Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with passphrase-protected authentication subkeys. The information on this page is now of historical interest only.
The MonkeySphere project is now making available a patched version of
GnuTLS version 2.4.x, which enhances the utility
of the monkeysphere package by enabling it to read authentication
subkeys emitted by GnuPG under certain
circumstances.
You can track this package in debian lenny by adding the following
lines to /etc/apt/sources.list:
deb http://archive.monkeysphere.info/debian experimental gnutls
deb-src http://archive.monkeysphere.info/debian experimental gnutls
Or you can patch and build the packages yourself with the patches and scripts provided in the MonkeySphere git repo.
The only modification needed simply enables the library to parse a GNU extension to the String-to-key (S2K) mechanism as laid out in RFC 4880.
The specific S2K extension supported is known as gnu-dummy, and it
simply allows a "secret" key block to be written without storing any
of the secret key material. This is used by GnuPG on the primary key
when the --export-secret-subkeys argument is given.
GnuPG's DETAILS file describes this extension this way:
GNU extensions to the S2K algorithm
===================================
S2K mode 101 is used to identify these extensions.
After the hash algorithm the 3 bytes "GNU" are used to make
clear that these are extensions for GNU, the next bytes gives the
GNU protection mode - 1000. Defined modes are:
1001 - do not store the secret part at all
1002 - a stub to access smartcards (not used in 1.2.x)
And gpg(1) says of --export-secret-subkeys:
[This] command has the special property to render the secret
part of the primary key useless; this is a GNU extension to
OpenPGP and other implementations can not be expected to
successfully import such a key.
A version of this patch was first proposed on
gnutls-dev,
and looks like it will be adopted upstream in the GnuTLS 2.6.x series,
at which point these packages will be unnecessary.
Until that time, these packages are provided to tide over users of
monkeysphere on debian lenny (or compatible systems) who want to be
able to hand off the authentication-capable OpenPGP subkeys in their
GnuPG keyring to their SSH agent.