News
Monkeysphere 0.35 for Fedora (f14-f16) is now available, a big thanks to Bernie Innocenti for the work!
If you are running Fedora, now all you need to do to get monkeysphere installed is to do the following:
# yum install monkeysphere
For other methods, please visit our Download area.
xul-ext-monkeysphere 0.6 has been released.
Notes from the changelog:
* bump MaxVersion to 4.0.* (Thanks to tmarble for testing 4.0b10! dkg
takes responsibility for the 4.0.* testing)
* add pt-BR localization (Thanks, rhatto!)
Download it now!
msva-perl 0.8 has been released.
Notes from the changelog:
* Minor bugfix release!
* Avoid indirect object creation (thanks to intrigeri for pointing this out).
* Bug fix for unused option provided to gpgkeys_hkpms.
* Allow use of hkpms keyservers from gpg.conf
* Allow the use of ports in hostnames (closes MS # 2665)
* Do not report self-sigs as other certifiers (but report valid,
non-matching identities independently) (closes MS # 2569)
* List certifiers only once (closes MS # 2573)
* Enable the use of --keyserver-options http-proxy for gpgkeys_hkpms
(includes support for socks proxies) (closes MS # 2677)
Download it now!
msva-perl 0.7 has been released.
Notes from the changelog:
* udpated msva-query-agent documentation
* added gpgkeys_hkpms for monkeysphere-authenticated HKPS access
(closes MS #2016)
Download it now!
xul-ext-monkeysphere 0.5 has been released.
Notes from the changelog:
* code cleanup
* add log_level preference.
* bump MaxVersion from 3.6.* to 4.0b7 for firefox/iceweasel (thanks to
jaywalk and simonft for testing!)
* internationalize extension, add fr-FR localization (Thanks, julm!)
* add nl-NL localization (Thanks, kwadronaut!)
Download it now!
msva-perl 0.6 has been released.
Notes from the changelog:
* Add new element to JSON syntax allowing request to override
keyserver_policy (closes MS #2542)
* Do not kill off child handling processes on HUP -- let them finish
their queries.
* Refactor logging code
* If we have Gtk2, Linux::Inotify2, and AnyEvent, we should monitor for
updates and prompt the user when we notice one. (closes MS #2540)
* Added tests/basic, as a simple test of a few functions (closes MS #2537)
* fixed double-prompting on sites that have more than one User ID
(closes MS #2567)
* report server implementation name and version with every query (closes
MS #2564)
* support x509pem, opensshpubkey, and rfc4716 PKC formats in addition to
x509der (addresses MS #2566)
* add new peer type categorization (closes MS #2568) -- peers of type
client can have much more flexible names than regular hostnames we
look for for servers.
Download it now!
monkeysphere 0.35 has been released.
Notes from the changelog:
* Remove reference to USE_VALIDATION_AGENT. * Fix ssh_proxycommand for marginal hosts (closes MS #2593) * GnuPG should always behave as --fixed-list-mode (closes MS #2587)
Download it now!
It was recently pointed out that the version 0.5 of the perl implementation of the monkeysphere validation agent depend on more recent versions of GnuPG::Interface than can be found in ubuntu, or in the stable, testing, or unstable debian repositories. The needed version of GnuPG::Interface is currently only available in package form from debian's experimental repository.
msva-perl 0.5 is experimental as well, due to this dependency. So we're now shipping the needed version of GnuPG::Interface in the Monkeysphere APT repository.
Monkeysphere version 0.31 introduced a vulnerability which could allow an arbitrary code execution attack as the 'monkeysphere' system account, if the superuser were to run the command "monkeysphere-authentication keys-for-user". Depending on the configuration of the host, access to this system account can potentially grant access to other accounts.
The problem also existed in version 0.32 but was resolved in version 0.33. Versions prior to 0.31 were not affected.
If you are running one of the versions with this issue, it is highly recommended that you update as soon as possible.
A CVE reference identifier was released for this issue: CVE-2010-4096
For more information, please see the mailing list post about the issue
monkeysphere 0.34 has been released.
Notes from the changelog:
* fix keys-for-user so that it outputs proper authorized_keys lines
(close MS #2550)
* refactor key processing for key files, greatly reducing redundant code
paths
* update authorized_keys and known_hosts in temp filess that are
atomically moved into place
* don't fail if authorized_keys file not already present (Closes: 600644)
* document CHECK_KEYSERVER in monkeysphere-authentication man page
(close MS #2556)
Download it now!
monkeysphere 0.33 has been released.
Notes from the changelog:
[ Daniel Kahn Gillmor ]
* defaulting MONKEYSPHERE_HASH_KNOWN_HOSTS to false
(closes MS #2483)
[ Jameson Rollins ]
* fix security vulnerability is parsing userids in
monkeysphere-authentication keys-for-user (Closes: #600304)
* fix failure after first invalid key in monkeysphere-authentication
keys-for-user (closes MS #2545)
* ignore command options in monkeysphere-authentication keys-for-user
Download it now!
msva-perl 0.5 has been released.
Notes from the changelog:
* If ${MSVA_KEYSERVER} is unset or blank, default to using keyserver
from ${GNUPGHOME}/gpg.conf if that file exists. (addresses MS #2080)
* Under Linux, report details about the requesting process if we can
learn them from /proc (closes MS #2005)
* Conditionally rely on Gtk2 perl module -- no marginal UI without it,
but you can also install the MSVA now without needing to pull in a
bunch of Gtk libs (closes MS #2514)
* Sending a SIGHUP to the running server now re-execs it cleanly,
keeping the same port assignments and monitoring the same child
process. This can be used to upgrade running msva instances after a
package update (closes MS #2532)
Download it now!
Chris Palmer's presentation "We Must Fix HTTPS":
There are now ArchLinux packages available for the monkeysphere, and msva-perl, you can find them on AUR:
If you use ArchLinux, and these packages, please give us some feedback on them!
msva-perl 0.4 has been released.
Notes from the changelog:
* removed dependency on monkeysphere package -- just invoke GnuPG
directly (needs GnuPG::Interface, Regexp::Common) (closes MS #2034)
* adds MSVA_KEYSERVER_POLICY and MSVA_KEYSERVER environment variables.
* added a marginal UI (needs Gtk2 perl module) (closes MS #2004)
* Filter incoming uids to match a strict regex (closes MS #2270)
* Trivially untaint the environment for the single child process
(closes MS #2461)
Download it now!
Monkeysphere 0.32 has been released.
Notes from the changelog:
[ Jameson Rollins ]
* Fix specification of install paths in all scripts and man pages
(closes MS #2491)
* Fix need for single argument to gpg_sphere (thanks Clint)
(closes MS #442)
* specify LC_ALL=C for all gpg calls
(closes MS #2496)
[ Micah Anderson ]
* fix monkeysphere-host revoke-key, which never worked properly :(
* add some debug output to monkeysphere-host publish-key
(closes MS #2289)
[ Clint Adams ]
* add support for options to the authorized User IDs file. Options that
should apply to keys for a given User ID should be on
whitespace-prefixed lines immediately following that User ID.
(closes MS #440)
Download it now!
Danny O'Brien writes in Slate an interesting article entitled "The Internet's Secret Back Door: Web users in the United Arab Emirates have more to worry about than having just their BlackBerries cracked." in which it is detailed that MitM attacks can be facilitated by any of a few hundred CA-delegates. It discusses the CA company CyberTrust which is the government-connected mobile company in the UAE.
A spirited discussion follows up on Schneier's blog.
The EFF also calls out Verizon on this issue, asserting thats the Etisalat Certificate Authority threatens web security.
The New York Times also picks up the story.
Behind the scenes, on mozilla.dev.security.policy the issue is discussed.
Now that the certificate cartel issue is becoming more and more known as a problem in the wider public, what will happen? Will outcries over specific CAs result in changes that do nothing to address the structural problem?
dkg (with jrollins's help) gave a great talk on the Monkeysphere at The Next HOPE conference. DVD's of the talk are available for $5. Hopefully we can get a copy of the video that we can make available on the net.
Monkeysphere 0.31 has been released.
Notes from the changelog:
[ Daniel Kahn Gillmor ]
* support x509 anchors for monkeysphere-host, allow shared anchor
between m-h and m-a (closes MS #2288)
* do not bail or fail on m-h publish-key if the admin interactively
declines to publish one of the keys key (closes MS #1945)
* report updated expiration date upon successful conclusion of m-h
set-expire (closes MS #2291)
* added some files in examples/ to demonstrate system integration
with OpenSSH
[ Jameson Rollins ]
* add keys-for-user subcommand to monkeysphere-authentication
Download it now!
Version 0.3 of the Perl implementation of the Monkeysphere Validation Agent has been released.
Notes from the changelog:
* packaging re-organization * properly closing piped monkeysphere call * restore default SIGCHLD handling for exec'ed subprocess (Closes: MS #2414)
Version 0.4 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.
When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.
From the changelog:
* auto-generate install.rdf to ensure proper version numbers.
Version 0.3 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.
When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.
From the changelog:
* Fix clearSite status menu function * generate icon pngs from svg source (closes #2012) * add BROKEN security state handling (closes #2217)
Version 0.2 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.
When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.
This is a brown paper bag release, fixing the xpi build process.
Version 0.1 of the Monkeysphere Xul Extension (Firefox and Iceweasel browser plugin) has been released.
When used with the Monkeysphere Validation Agent, this browser plugin allows you to validate web sites via the OpenPGP web of trust when regular X.509 validation fails.
Seth Schoen, from the EFF, will be giving a talk at Linux Fest NW entitled, "Fixing SSL security: Supplementing the certificate authority model" on Saturday at 11am.
They aren't trusted-third-parties, they are centralised-vulnerability-parties. An article in Financial Cryptography argues "why the browsers must change their old SSL security model".
Pushing the CA into taking responsibility for the MiTM, an interesting article which poses some interesting questions, such as "what happens when a CA MITM's its own customer?"
Monkeysphere 0.30 has been released.
Notes from the changelog:
* changing tarball creation and packaging strategies
* make non-ssh parts of monkeysphere work well when openssh is not
installed; degrade ssh-specific parts gracefully when openssh is not
installed.
Download it now!
Sophisticated X.509 certificate interception devices designed to collect encrypted SSL traffic based on forged 'look-alike' certificates: http://www.wired.com/threatlevel/2010/03/packet-forensics/
A Tor developer writes about how he disables all Certificate Authorities on his system and instead selectively trusts those SSL certificates from individual websites: http://blog.torproject.org/blog/life-without-ca
Christopher Soghoian and Sid Stamm's draft research paper entitled "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL" presents evidence that CAs may be cooperating with government agencies to help them spy undetected on "secure" encrypted communications: http://files.cloudprivacy.net/ssl-mitm.pdf
Bruce Schneier summarizes the current Man-in-the-Middle Attacks Against SSL: http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
Jake Edge writes in Linux Weekly News on The Monkeysphere: http://lwn.net/Articles/373988/
LWN article on the business of SSL man-in-the-middle-attacks, the threat may be more practical than previously thought: http://lwn.net/Articles/380140/
New Research Suggests That Governments May Fake SSL Certificates:https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
Using a MITM attack to improve security: http://milliways.chance.ru/~ark/benevolent-ssl-mitm.pdf
Version 0.2 of the Perl implementation of the Monkeysphere Validation Agent has been released.
Notes from the changelog:
* can now be invoked with a sub-command; will run until subcommand
completes, and then terminate with the same return code (this is
similar to the ssh-agent technique, and enables inclusion in
Xsession.d; see monkeysphere 0.29 package for automatic startup).
* chooses arbitrary open port by default (can still be specified with
MSVA_PORT environment variable)
* minimized logging spew by default.
* now shipping README.schema (notes about possible future MSVA
implementations)
* cleanup Makefile and distribution strategies.
Monkeysphere 0.29 has been released.
Notes from the changelog:
* This is mainly a bugfix release
* Fix man page typo about monkeysphere authorized_keys location
* Monkeysphere should work properly even if the user has "armor" in
their gpg.conf (closes MS #1625)
* monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER
environment variable (and defaults to true)
* introduce monkeysphere sshfprs-for-userid (deprecates sshfpr), closes
MS #1436
* respect CHECK_KEYSERVER in more places (closes MS #1997)
* warn on keyserver failures for monkeysphere-authentication (closes MS
#1750)
* avoid checking trustdb for monkeysphere-host (closes MS #1957)
* allow monkeysphere-authentication to use hkps with trusted X.509 root
certificate authorities in
/etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt
Download it now!
Monkeysphere 0.28 has been released.
Notes from the changelog:
* Major rework of monkeysphere-host to handle multiple host keys. We
also no longer assume ssh service keys. monkeysphere-host is now a
general-purpose host service OpenPGP key management UI.
* Rename keys-from-userid command to more accurate keys-for-userid
* separate upstream and debian changelogs
Download it now!
Monkeysphere 0.27-1 has been released.
Notes from the changelog:
* New upstream release:
- fixed monkeysphere gen-subkey subcommand that was erroneously
creating DSA subkeys due to unannounced change in gpg edit-key UI.
Now tests for gpg version (closes MS #1536)
- add new monkeysphere keys-from-userid subcommand to output all
acceptable keys for a given user ID literal
* updated debian/copyright to match the latest revision of DEP5.
* updated standards version to 3.8.3 (no changes needed)
* add cpio to Build-Depends (used in test suite) (Closes: #562444)
Download it now!
Monkeysphere 0.26-1 has been released.
Notes from the changelog:
* New upstream release:
- add 'refresh-keys' subcommand to monkeysphere-authentication
- improve marginal UI (closes MS #1141)
- add MONKEYSPHERE_STRICT_MODES configuration to avoid
permission-checking (closes MS #649)
- test scripts use STRICT_MODES to avoid failure when built under /tmp
(Closes: #527765)
- do permissions checks with a perl script instead of non-portable
readlink GNUisms
- bail on permissions check if we hit the home directory (helpful on
Mac OS and other systems with loose /home or /Users (closes MS #675)
Download it now!
Monkeysphere 0.25-1 has been released.
Notes from the changelog:
* New upstream release:
- update/fix the marginal ui output
- use msmktempdir everywhere (avoid unwrapped calls to mktemp for
portability)
- clean out some redundant "cat"s
- fix monkeysphere update-known_hosts for sshd running on non-standard
ports
- add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key
- pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1
(changes dependency to libdigest-sha-perl)
- some portability improvements
- properly handle translation of keys with fingerprints with leading
all-zero bytes.
- resolve symlinks when checking paths (thanks Silvio Rhatto)
(closes MS #917)
- explicitly set and use MONKEYSPHERE_GROUP from system "groups"
(closes: #534008)
- monkeysphere-host now uses keytrans to add and revoke hostname
(closes MS #422)
* update Standard-Version to 3.8.2 (no changes needed)
Download it now!
[Monkeysphere 0.24 is now available at Backports.org. If you are running Debian stable ("Lenny"), you can install this version of the monkeysphere package by following the instructions for installing backports.
See the download page for more information.
Monkeysphere 0.24 is now available in the Debian testing distribution ("squeeze"). Monkeysphere 0.24 is our strongest release yet. If you are running Debian testing, installing the monkeysphere is now very easy:
aptitude install monkeysphere
See the download page for more information.
FreeBSD's ports tree now contains a port of the Monkeysphere, version 0.24. If you run FreeBSD, update your ports tree, and then:
cd /usr/ports/security/monkeysphere
make package
Monkeysphere 0.24-1 has been released.
Notes from the changelog:
* New upstream release:
- fixed how version information is stored/retrieved
- now uses perl-based keytrans for both pem2openpgp and openpgp2ssh
- no longer needs base64 in PATH
- added "test" make target
- improved transitions/0.23 script so it no longer fails in common
circumstances (Closes: #517779)
- RSA only: no longer handles DSA keys
- added ability to specify subkeys to add to ssh agent with
new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
* update/cleanup maintainer scripts
* remove GnuTLS dependency
* remove versioned coreutils | base64 dependency
* added Build-Deps for dh_autotest
* switch to Architecture: all
* added cron to Recommends
Download it now!
Monkeysphere 0.23.1-1 has been released.
Notes from the changelog:
* New Upstrem "Brown Paper Bag" Release: - adjusts internal version numbers
Download it now!
Monkeysphere 0.23-1 has been released.
Notes from the changelog:
"The Golden Bezoar Release"
* New upstream release.
* rearchitect UI:
- replace monkeysphere-server with monkeysphere-{authentication,host}
- fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
* new ability to import existing ssh host key into monkeysphere. So now
m-a import-key replaces m-s gen-key.
* provide pem2openpgp for translating unencrypted PEM-encoded raw key
material into OpenPGP keys (introduces new perl dependencies)
* get rid of getopts dependency
* added version output option
* better checks for the existence of a host private key for
monkeysphere-host subcommands that need it.
* better checks on validity of existing authentication subkeys when
doing monkeysphere gen_subkey.
* add transition infrastructure for major changes between releases (see
transitions/README.txt)
* implement and document two new monkeysphere-host subcommands:
revoke-key and add-revoker
Download it now!
A workday with several Monkeysphere contributors on 2009-01-31 resulted in a significant reorganization of the project in several areas, primarily driven by the realization that there are two fundamentally different concepts on the server side:
- publishing host keys via the Web-of-Trust (WoT), and
- authenticating users via the WoT.
For simplicity and clarity, those two concepts should be independent from each other, but earlier releases of the Monkeysphere tangled the two up together more than we probably should have.
So the next release, version 0.23 (a.k.a. The Golden Bezoar) will have the following significant changes:
user interface:
/usr/sbin/monkeysphere-serveris no more, and its functionality will be split out into/usr/sbin/monkeysphere-host(for functionality dealing with publishing the ssh host key through the WoT) and/usr/sbin/monkeysphere-authentication(for functionality dealing with authenticating users via the WoT)./usr/bin/monkeysphere-ssh-proxycommandhas been folded into/usr/bin/monkeysphereitself as a new subcommand.code: the subfunctions are now stored in their own separate files, and sourced as-needed by the three top-level commands. The test suite has also been re-written to reflect the above UI changes.
documentation: in addition to making the man pages reflect the above UI changes, we're rewriting the "getting started" documentation to use the conceptually-cleaner distinctions above.
data storage:
/var/lib/monkeysphereitself has been re-organized with the aim of keeping the host/authentication distinction clear, simplifying the internal use ofgpg, and facilitating privilege-separated access.
The Golden Bezoar will also feature the ability to painlessly publish your current ssh host key to the WoT without needing to re-key the server. If you're considering adopting the Monkeysphere in the near future, we recommend waiting for 0.23 to be released, as it should be conceptually clearer and easier to use.