News http://web.monkeysphere.info/news/ Monkeysphere Monkeysphere Validation Agent (Perl) 0.2 released! http://web.monkeysphere.info/news/msva-perl-0.2/ http://web.monkeysphere.info/news/msva-perl-0.2/ Mon, 15 Mar 2010 15:34:09 -0400 2010-03-15T19:34:09Z <p>Version 0.2 of the Perl implementation of the Monkeysphere Validation Agent has been released.</p> <p>Notes from the changelog:</p> <pre> * can now be invoked with a sub-command; will run until subcommand completes, and then terminate with the same return code (this is similar to the ssh-agent technique, and enables inclusion in Xsession.d; see monkeysphere 0.29 package for automatic startup). * chooses arbitrary open port by default (can still be specified with MSVA_PORT environment variable) * minimized logging spew by default. * now shipping README.schema (notes about possible future MSVA implementations) * cleanup Makefile and distribution strategies. </pre> Monkeysphere 0.29 released! http://web.monkeysphere.info/news/release-0.29/ http://web.monkeysphere.info/news/release-0.29/ Mon, 15 Mar 2010 01:08:48 -0400 2010-03-15T05:08:48Z <p>Monkeysphere 0.29 has been released. 
</p> <p>Notes from the changelog:</p> <pre> * This is mainly a bugfix release * Fix man page typo about monkeysphere authorized_keys location * Monkeysphere should work properly even if the user has "armor" in their gpg.conf (closes MS #1625) * monkeysphere keys-for-userid now respects MONKEYSPHERE_CHECK_KEYSERVER environment variable (and defaults to true) * introduce monkeysphere sshfprs-for-userid (deprecates sshfpr), closes MS #1436 * respect CHECK_KEYSERVER in more places (closes MS #1997) * warn on keyserver failures for monkeysphere-authentication (closes MS #1750) * avoid checking trustdb for monkeysphere-host (closes MS #1957) * allow monkeysphere-authentication to use hkps with trusted X.509 root certificate authorities in /etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.28 released! http://web.monkeysphere.info/news/release-0.28/ http://web.monkeysphere.info/news/release-0.28/ Tue, 19 Jan 2010 14:33:43 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.28 has been released. </p> <p>Notes from the changelog:</p> <pre> * Major rework of monkeysphere-host to handle multiple host keys. We also no longer assume ssh service keys. monkeysphere-host is now a general-purpose host service OpenPGP key management UI. * Rename keys-from-userid command to more accurate keys-for-userid * separate upstream and debian changelogs </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.27-1 released! http://web.monkeysphere.info/news/release-0.27-1/ http://web.monkeysphere.info/news/release-0.27-1/ Mon, 11 Jan 2010 21:10:36 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.27-1 has been released. </p> <p>Notes from the changelog:</p> <pre> * New upstream release: - fixed monkeysphere gen-subkey subcommand that was erroneously creating DSA subkeys due to unannounced change in gpg edit-key UI. 
Now tests for gpg version (closes MS #1536) - add new monkeysphere keys-from-userid subcommand to output all acceptable keys for a given user ID literal * updated debian/copyright to match the latest revision of DEP5. * updated standards version to 3.8.3 (no changes needed) * add cpio to Build-Depends (used in test suite) (Closes: #562444) </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.26-1 released! http://web.monkeysphere.info/news/release-0.26-1/ http://web.monkeysphere.info/news/release-0.26-1/ Sat, 01 Aug 2009 17:40:56 -0400 2010-03-09T03:18:33Z <p>Monkeysphere 0.26-1 has been released. </p> <p>Notes from the changelog:</p> <pre> * New upstream release: - add 'refresh-keys' subcommand to monkeysphere-authentication - improve marginal UI (closes MS #1141) - add MONKEYSPHERE_STRICT_MODES configuration to avoid permission-checking (closes MS #649) - test scripts use STRICT_MODES to avoid failure when built under /tmp (Closes: #527765) - do permissions checks with a perl script instead of non-portable readlink GNUisms - bail on permissions check if we hit the home directory (helpful on Mac OS and other systems with loose /home or /Users) (closes MS #675) </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.25-1 released! http://web.monkeysphere.info/news/release-0.25-1/ http://web.monkeysphere.info/news/release-0.25-1/ Thu, 16 Jul 2009 22:35:48 -0400 2010-03-09T03:18:33Z <p>Monkeysphere 0.25-1 has been released. 
</p> <p>Notes from the changelog:</p> <pre> * New upstream release: - update/fix the marginal ui output - use msmktempdir everywhere (avoid unwrapped calls to mktemp for portability) - clean out some redundant "cat"s - fix monkeysphere update-known_hosts for sshd running on non-standard ports - add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key - pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1 (changes dependency to libdigest-sha-perl) - some portability improvements - properly handle translation of keys with fingerprints with leading all-zero bytes. - resolve symlinks when checking paths (thanks Silvio Rhatto) (closes MS #917) - explicitly set and use MONKEYSPHERE_GROUP from system "groups" (closes: #534008) - monkeysphere-host now uses keytrans to add and revoke hostname (closes MS #422) * update Standard-Version to 3.8.2 (no changes needed) </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.24 accepted as a Debian Backport http://web.monkeysphere.info/news/0.24-available-in-Backports-org/ http://web.monkeysphere.info/news/0.24-available-in-Backports-org/ Sun, 22 Mar 2009 20:04:27 -0400 2010-03-09T03:18:33Z <p>Monkeysphere 0.24 is now available at <a href="http://backports.org">Backports.org</a>. 
If you are running Debian stable ("Lenny"), you can install this version of the monkeysphere package by following the <a href="http://backports.org/dokuwiki/doku.php?id=instructions">instructions for installing backports</a>.</p> <p>See the <a href="http://web.monkeysphere.info/news/../download/">download</a> page for more information.</p> Monkeysphere 0.24 accepted in Debian testing http://web.monkeysphere.info/news/0.24-accepted-in-Debian-testing/ http://web.monkeysphere.info/news/0.24-accepted-in-Debian-testing/ Wed, 18 Mar 2009 12:20:22 -0400 2010-03-09T03:18:33Z <p><a href="http://packages.debian.org/testing/monkeysphere">Monkeysphere 0.24 is now available in the Debian testing distribution ("squeeze")</a>. Monkeysphere 0.24 is our strongest release yet. If you are running Debian testing, installing the monkeysphere is now very easy:</p> <pre><code> aptitude install monkeysphere </code></pre> <p>See the <a href="http://web.monkeysphere.info/news/../download/">download</a> page for more information.</p> FreeBSD 0.24 port accepted http://web.monkeysphere.info/news/FreeBSD-0.24-port-accepted/ http://web.monkeysphere.info/news/FreeBSD-0.24-port-accepted/ Tue, 10 Mar 2009 17:44:11 -0400 2010-03-09T03:18:33Z <p>FreeBSD's ports tree now contains <a href="http://www.freebsd.org/cgi/ports.cgi?query=monkeysphere">a port of the Monkeysphere</a>, version 0.24. If you run FreeBSD, <a href="http://www.freebsd.org/doc/en/books/handbook/ports-using.html">update your ports tree</a>, and then:</p> <pre><code>cd /usr/ports/security/monkeysphere make package </code></pre> Monkeysphere 0.24-1 released! http://web.monkeysphere.info/news/release-0.24-1/ http://web.monkeysphere.info/news/release-0.24-1/ Tue, 03 Mar 2009 22:06:40 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.24-1 has been released. 
</p> <p>Notes from the changelog:</p> <pre> * New upstream release: - fixed how version information is stored/retrieved - now uses perl-based keytrans for both pem2openpgp and openpgp2ssh - no longer needs base64 in PATH - added "test" make target - improved transitions/0.23 script so it no longer fails in common circumstances (Closes: #517779) - RSA only: no longer handles DSA keys - added ability to specify subkeys to add to ssh agent with new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable * update/cleanup maintainer scripts * remove GnuTLS dependency * remove versioned coreutils | base64 dependency * added Build-Deps for dh_autotest * switch to Architecture: all * added cron to Recommends </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.23.1-1 released! http://web.monkeysphere.info/news/release-0.23.1-1/ http://web.monkeysphere.info/news/release-0.23.1-1/ Sat, 21 Feb 2009 18:29:32 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.23.1-1 has been released. </p> <p>Notes from the changelog:</p> <pre> * New Upstream "Brown Paper Bag" Release: - adjusts internal version numbers </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.23-1 released! http://web.monkeysphere.info/news/release-0.23-1/ http://web.monkeysphere.info/news/release-0.23-1/ Sat, 21 Feb 2009 17:59:03 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.23-1 has been released. </p> <p>Notes from the changelog:</p> <pre> "The Golden Bezoar Release" * New upstream release. * rearchitect UI: - replace monkeysphere-server with monkeysphere-{authentication,host} - fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere * new ability to import existing ssh host key into monkeysphere. So now m-a import-key replaces m-s gen-key. 
* provide pem2openpgp for translating unencrypted PEM-encoded raw key material into OpenPGP keys (introduces new perl dependencies) * get rid of getopts dependency * added version output option * better checks for the existence of a host private key for monkeysphere-host subcommands that need it. * better checks on validity of existing authentication subkeys when doing monkeysphere gen_subkey. * add transition infrastructure for major changes between releases (see transitions/README.txt) * implement and document two new monkeysphere-host subcommands: revoke-key and add-revoker </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Plans for The Golden Bezoar http://web.monkeysphere.info/news/plans-for-the-bezoar/ http://web.monkeysphere.info/news/plans-for-the-bezoar/ Wed, 04 Feb 2009 12:21:25 -0500 2010-03-09T03:18:33Z <p>A workday with several Monkeysphere contributors on 2009-01-31 resulted in a significant reorganization of the project in several areas, primarily driven by the realization that there are two fundamentally different concepts on the server side: </p> <ul> <li>publishing host keys via the Web-of-Trust (WoT), and</li> <li>authenticating users via the WoT.</li> </ul> <p>For simplicity and clarity, those two concepts should be independent from each other, but earlier releases of the Monkeysphere tangled the two up together more than we probably should have.</p> <p>So the next release, version 0.23 (a.k.a. <em>The Golden Bezoar</em>) will have the following significant changes:</p> <ul> <li><p><strong>user interface</strong>: <code>/usr/sbin/monkeysphere-server</code> is no more, and its functionality will be split out into <code>/usr/sbin/monkeysphere-host</code> (for functionality dealing with publishing the ssh host key through the WoT) and <code>/usr/sbin/monkeysphere-authentication</code> (for functionality dealing with authenticating users via the WoT). 
<code>/usr/bin/monkeysphere-ssh-proxycommand</code> has been folded into <code>/usr/bin/monkeysphere</code> itself as a new subcommand.</p></li> <li><p><strong>code</strong>: the subfunctions are now stored in their own separate files, and sourced as-needed by the three top-level commands. The test suite has also been re-written to reflect the above UI changes.</p></li> <li><p><strong>documentation</strong>: in addition to making the man pages reflect the above UI changes, we're rewriting the "getting started" <a href="http://web.monkeysphere.info/doc/">documentation</a> to use the conceptually-cleaner distinctions above.</p></li> <li><p><strong>data storage</strong>: <code>/var/lib/monkeysphere</code> itself has been re-organized with the aim of keeping the host/authentication distinction clear, simplifying the internal use of <code>gpg</code>, and facilitating privilege-separated access.</p></li> </ul> <p><em>The Golden Bezoar</em> will also feature the ability to painlessly publish your current ssh host key to the WoT without needing to re-key the server. If you're considering adopting the Monkeysphere in the near future, we recommend waiting for 0.23 to be released, as it should be conceptually clearer and easier to use.</p> Monkeysphere now in Debian! 
http://web.monkeysphere.info/news/Monkeysphere-in-Debian/ http://web.monkeysphere.info/news/Monkeysphere-in-Debian/ Wed, 10 Dec 2008 11:08:57 -0500 2010-03-09T03:18:33Z <p><a href="http://packages.debian.org/sid/monkeysphere">The Monkeysphere has made it into Debian!</a></p> <p>It is in Debian unstable ("sid") now, which means it won't make it into the next stable release ("lenny"), but hopefully will make it into the stable release after that ("squeeze").</p> <p>Congratulations to all the work by all the <a href="http://web.monkeysphere.info/community">monkeysphere developers</a>, and to Micah Anderson for being our Debian sponsor.</p> <p>Please feel free to start submitting bug reports to the <a href="http://bugs.debian.org/monkeysphere">Debian BTS</a>.</p> Monkeysphere 0.22-1 released! http://web.monkeysphere.info/news/release-0.22-1/ http://web.monkeysphere.info/news/release-0.22-1/ Fri, 28 Nov 2008 21:04:03 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.22-1 has been released. </p> <p>Notes from the changelog:</p> <pre> * New upstream release: [ Jameson Graef Rollins ] - added info log output when a new key is added to known_hosts file. - added some useful output to the ssh-proxycommand for "marginal" cases where keys are found for host but do not have full validity. - force ssh-keygen to read from stdin to get ssh key fingerprint. [ Daniel Kahn Gillmor ] - automatically output two copies of the host's public key: one standard ssh public key file, and the other a minimal OpenPGP key with just the latest valid self-sig. - debian/control: corrected alternate dependency from procfile to procmail (which provides /usr/bin/lockfile) </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.21-1 released! http://web.monkeysphere.info/news/release-0.21-1/ http://web.monkeysphere.info/news/release-0.21-1/ Sat, 15 Nov 2008 16:31:01 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.21-1 has been released. 
</p> <p>Notes from the changelog:</p> <pre> </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.20-1 released! http://web.monkeysphere.info/news/release-0.20-1/ http://web.monkeysphere.info/news/release-0.20-1/ Sat, 15 Nov 2008 14:22:56 -0500 2010-03-09T03:18:33Z <p>Monkeysphere 0.20-1 has been released. </p> <p>Notes from the changelog:</p> <pre> [ Daniel Kahn Gillmor ] * ensure that tempdirs are properly created, bail out otherwise instead of stumbling ahead. * minor fussing with the test script to make it cleaner. [ Jameson Graef Rollins ] * clean up Makefile to generate more elegant source tarballs. * make myself the maintainer. </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> FreeBSD port available http://web.monkeysphere.info/news/FreeBSD-port-available/ http://web.monkeysphere.info/news/FreeBSD-port-available/ Thu, 30 Oct 2008 18:05:02 -0400 2010-03-09T03:18:33Z <p>Update: <a href="http://web.monkeysphere.info/news/FreeBSD-0.24-port-accepted">FreeBSD's official ports tree now contains monkeysphere 0.24</a>.</p> <p>There is now a FreeBSD port available for the Monkeysphere.</p> <p>It has been built and tested (so far) on a FreeBSD 7.1 AMD64 system, installed from the <a href="ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/7.1/">BETA2 ISOs</a>. Many thanks to <a href="http://anarcat.ath.cx/pgp">Anarcat</a> for his work in pulling this port together!</p> <p>While the monkeysphere is not officially included in the ports tree yet, <a href="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128406">a problem report</a> has been submitted, and the package itself is functional.</p> <p>The latest version of the ports directory can be found in <a href="http://web.monkeysphere.info/community">the git repository</a> under <code>packaging/freebsd/security/monkeysphere</code>. 
Please <a href="http://web.monkeysphere.info/community">let us know</a> if you encounter any problems with it on a FreeBSD system.</p> <p>If you have git installed on your FreeBSD system, you should be able to build the latest port with:</p> <pre><code>git clone git://git.monkeysphere.info/monkeysphere cp -a monkeysphere/packaging/freebsd/security/monkeysphere /usr/ports/security cd /usr/ports/security/monkeysphere make &amp;&amp; make install </code></pre> <p>Happy Hacking!</p> Monkeysphere 0.19-1 released! http://web.monkeysphere.info/news/release-0.19-1/ http://web.monkeysphere.info/news/release-0.19-1/ Wed, 29 Oct 2008 03:10:07 -0400 2010-03-09T03:18:33Z <h1>Monkeysphere 0.19-1 released!</h1> <p>Monkeysphere 0.19-1 has been released. </p> <p>Notes from the changelog:</p> <pre> [ Daniel Kahn Gillmor ] * simulating an X11 session in the test script. * updated packaging so that symlinks to config files are correct. </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.18-1 released! http://web.monkeysphere.info/news/release-0.18-1/ http://web.monkeysphere.info/news/release-0.18-1/ Wed, 29 Oct 2008 01:03:48 -0400 2010-03-09T03:18:33Z <h1>Monkeysphere 0.18-1 released!</h1> <p>Monkeysphere 0.18-1 has been released. </p> <p>Notes from the changelog:</p> <pre> [ Jameson Graef Rollins ] * Fix bugs in authorized_{user_ids,keys} file permission checking. * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys files. * chown authorized_keys files to `whoami`, for compatibility with test suite. * major improvements to test suite, added more tests. [ Daniel Kahn Gillmor ] * update make install to ensure placement of /etc/monkeysphere/gnupg-{host,authentication}.conf * choose either --quick-random or --debug-quick-random depending on which gpg supports for the test suite. </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> Monkeysphere 0.17-1 released! 
http://web.monkeysphere.info/news/release-0.17-1/ http://web.monkeysphere.info/news/release-0.17-1/ Tue, 28 Oct 2008 09:57:13 -0400 2010-03-09T03:18:33Z <h1>Monkeysphere 0.17-1 released!</h1> <p>Monkeysphere 0.17-1 has been released. </p> <p>Notes from the changelog:</p> <pre> [ Jameson Graef Rollins ] * Fix some bugs in, and cleanup, authorized_keys file creation in monkeysphere-server update-users. * Move to using the empty string for not adding a user-controlled authorized_keys file in the RAW_AUTHORIZED_KEYS variable. </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> GnuTLS 2.6.x enables Monkeysphere to read authentication subkeys http://web.monkeysphere.info/news/gnutls-2.6-enables-monkeysphere/ http://web.monkeysphere.info/news/gnutls-2.6-enables-monkeysphere/ Sun, 26 Oct 2008 20:18:25 -0400 2010-03-09T03:18:33Z <hr /> <p><strong>2009-04-05 UPDATE:</strong> Since Monkeysphere no longer depends on GnuTLS at all (<a href="http://web.monkeysphere.info/news/news/release-0.24-1">moved to using Perl for key translation</a>), and GnuTLS 2.6 is now available in Debian testing, we have removed the GnuTLS patches from the repository (although they will continue to be available in the history, of course).</p> <hr /> <p>We <a href="http://web.monkeysphere.info/news/modified-gnutls-2.4.x-available">announced earlier</a> that the Monkeysphere project was providing patched versions of GnuTLS to support one piece of Monkeysphere functionality. 
Fortunately, those patches are no longer needed, because as of <a href="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3135">version 2.6</a>, GnuTLS contains the necessary functionality natively.</p> <p>Therefore, our project will no longer provide patched copies of GnuTLS, though we will continue to keep the patch alive in <a href="http://web.monkeysphere.info/community">our git repository</a> until GnuTLS 2.6 has been more widely adopted.</p> <p>If you were pulling patched versions of GnuTLS 2.4 from the Monkeysphere archive, you may prefer to pull GnuTLS 2.6 from <a href="http://wiki.debian.org/DebianExperimental">debian's experimental archive</a> (at least until GnuTLS 2.6 drops into unstable, which should happen shortly after the release of <a href="http://wiki.debian.org/DebianLenny">lenny</a>).</p> Monkeysphere 0.16-1 released! http://web.monkeysphere.info/news/release-0.16-1/ http://web.monkeysphere.info/news/release-0.16-1/ Sun, 26 Oct 2008 03:36:52 -0400 2010-03-09T03:18:33Z <h1>Monkeysphere 0.16-1 released!</h1> <p>Monkeysphere 0.16-1 has been released. </p> <p>Notes from the changelog:</p> <pre> [ Daniel Kahn Gillmor ] * replaced "#!/bin/bash" with "#!/usr/bin/env bash" for better portability. * fixed busted lockfile arrangement, where empty file was being locked * portability fixes in the way we use date, mktemp, hostname, su * stop using /usr/bin/stat, since the syntax appears to be totally unportable * require GNU getopt, and test for getopt failures (look for getopt in /usr/local/bin first, since that's where FreeBSD's GNU-compatible getopt lives). * monkeysphere-server diagnostics now counts problems and suggests a re-run after they have been resolved. * completed basic test suite: this can be run from the git sources or the tarball with: cd tests && ./basic [ Jameson Graef Rollins ] * Genericize fs location variables. * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at install. 
</pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> MonkeySphere 0.15-1 released! http://web.monkeysphere.info/news/release-0.15-1/ http://web.monkeysphere.info/news/release-0.15-1/ Fri, 05 Sep 2008 18:48:55 -0400 2010-03-09T03:18:33Z <h1>MonkeySphere 0.15-1 released!</h1> <p>MonkeySphere 0.15-1 has been released. </p> <p>From the changelog:</p> <pre> * porting work and packaging simplification: clarifying makefiles, pruning dependencies, etc. * added tests to monkeysphere-server diagnostics * moved monkeysphere(5) to section 7 of the manual * now shipping TODO in /usr/share/doc/monkeysphere </pre> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> MonkeySphere 0.14-1 released! http://web.monkeysphere.info/news/release-0.14-1/ http://web.monkeysphere.info/news/release-0.14-1/ Thu, 04 Sep 2008 13:35:25 -0400 2010-03-09T03:18:33Z <h1>MonkeySphere 0.14-1 released!</h1> <p>MonkeySphere 0.14-1 has been released. </p> <p>This release introduces packaging and distribution changes only, so that we can offer a clean tarball to non-debian users who might be interested.</p> <p><a href="http://web.monkeysphere.info/news/../download/">Download</a> it now!</p> MonkeySphere 0.13-1 released! http://web.monkeysphere.info/news/release-0.13-1/ http://web.monkeysphere.info/news/release-0.13-1/ Thu, 04 Sep 2008 12:17:57 -0400 2010-03-09T03:18:33Z <h1>MonkeySphere 0.13-1 released!</h1> <p>MonkeySphere 0.13-1 has been released. In this release we moved the user config directory from ~/.config/monkeysphere to ~/.monkeysphere, over concerns that the old location is not quite standard enough.</p> <p><a href="http://web.monkeysphere.info/news/../download/">download</a> it now!</p> MonkeySphere 0.12-1 released! 
http://web.monkeysphere.info/news/release-0.12-1/ http://web.monkeysphere.info/news/release-0.12-1/ Tue, 02 Sep 2008 20:15:22 -0400 2010-03-09T03:18:33Z <h1>MonkeySphere 0.12-1 released!</h1> <p>MonkeySphere 0.12-1 has been released. This release includes documentation updates, and a re-organized logging subsystem with various levels of verbosity, modeled after LogLevel in OpenSSH.</p> <p><a href="http://web.monkeysphere.info/news/../download/">download</a> it now!</p> git repository moved http://web.monkeysphere.info/news/git-repo-moved/ http://web.monkeysphere.info/news/git-repo-moved/ Tue, 02 Sep 2008 01:18:05 -0400 2010-03-09T03:18:33Z <p>The monkeysphere git repository has been moved from <code>git://monkeysphere.info/monkeysphere</code> to <code>git://git.monkeysphere.info/monkeysphere</code>. You'll probably want to update your <code>.git/config</code> to match the <a href="http://web.monkeysphere.info/community">official clone target</a>.</p> <p>Apologies for any confusion or hassle this causes!</p> APT repository moved http://web.monkeysphere.info/news/apt-repo-moved/ http://web.monkeysphere.info/news/apt-repo-moved/ Tue, 02 Sep 2008 00:59:50 -0400 2010-03-09T03:18:33Z <p>The monkeysphere APT repository has been moved from <code>http://monkeysphere.info/debian</code> to <code>http://archive.monkeysphere.info/debian</code>. 
You'll probably want to update your <code>sources.list</code> to match the <a href="http://web.monkeysphere.info/download">official lines</a>.</p> <p>The monkeysphere APT repository is also using <a href="http://web.monkeysphere.info/archive-key">a new archive signing key</a>: </p> <pre><code>pub 4096R/EB8AF314 2008-09-02 [expires: 2009-09-02] Key fingerprint = 2E8D D26C 53F1 197D DF40 3E61 18E6 67F1 EB8A F314 uid [ full ] Monkeysphere Archive Signing Key (http://archive.monkeysphere.info/debian) </code></pre> <p>Apologies for any confusion or hassle this causes!</p> Modified GnuTLS 2.4.x available http://web.monkeysphere.info/news/modified-gnutls-2.4.x-available/ http://web.monkeysphere.info/news/modified-gnutls-2.4.x-available/ Fri, 22 Aug 2008 01:48:47 -0400 2010-03-09T03:18:33Z <hr /> <p><strong>2008-10-25 UPDATE:</strong> <a href="http://web.monkeysphere.info/news/gnutls-2.6-enables-monkeysphere">GnuTLS 2.6 has been released, and it contains the functionality we needed</a>. Please upgrade to GnuTLS 2.6 if you need Monkeysphere to deal with passphrase-protected authentication subkeys. 
The information on this page is now of historical interest only.</p> <hr /> <p>The MonkeySphere project is now making available a patched version of <a href="http://gnutls.org/">GnuTLS</a> version 2.4.x, which enhances the utility of the <code>monkeysphere</code> package by enabling it to read authentication subkeys emitted by <a href="http://gnupg.org/">GnuPG</a> under certain circumstances.</p> <p>You can track this package in debian lenny by adding the following lines to <code>/etc/apt/sources.list</code>:</p> <pre><code>deb http://archive.monkeysphere.info/debian experimental gnutls deb-src http://archive.monkeysphere.info/debian experimental gnutls </code></pre> <p>Or you can patch and build the packages yourself with the patches and scripts provided in <a href="http://web.monkeysphere.info/download">the MonkeySphere git repo</a>.</p> <p>The only modification needed simply enables the library to parse a GNU extension to the String-to-key (S2K) mechanism as laid out in <a href="http://tools.ietf.org/html/rfc4880#section-3.7">RFC 4880</a>.</p> <p>The specific S2K extension supported is known as gnu-dummy, and it simply allows a "secret" key block to be written <em>without</em> storing any of the secret key material. This is used by GnuPG on the primary key when the <code>--export-secret-subkeys</code> argument is given.</p> <p>GnuPG's <a href="http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/doc/DETAILS?root=GnuPG">DETAILS file</a> describes this extension this way:</p> <pre><code>GNU extensions to the S2K algorithm =================================== S2K mode 101 is used to identify these extensions. After the hash algorithm the 3 bytes "GNU" are used to make clear that these are extensions for GNU, the next bytes gives the GNU protection mode - 1000. 
Defined modes are: 1001 - do not store the secret part at all 1002 - a stub to access smartcards (not used in 1.2.x) </code></pre> <p>And <a href="http://linux.die.net/man/1/gpg"><code>gpg(1)</code></a> says of <code>--export-secret-subkeys</code>:</p> <pre><code>[This] command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. </code></pre> <p>A version of this patch was first proposed <a href="http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html">on <code>gnutls-dev</code></a>, and looks like it will be adopted upstream in the GnuTLS 2.6.x series, at which point these packages will be unnecessary.</p> <p>Until that time, these packages are provided to tide over users of <code>monkeysphere</code> on debian lenny (or compatible systems) who want to be able to hand off the authentication-capable OpenPGP subkeys in their GnuPG keyring to their SSH agent.</p>