monkeysphere issues
https://0xacab.org/monkeysphere/monkeysphere/-/issues
Feed updated: 2016-06-20T17:13:54Z

Issue #6234: signing failed: checksum error
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6234
Author: anarcat
Updated: 2016-06-20T17:13:54Z

I tried to import an IKE key here:
<pre>
monkeysphere-host import-key /usr/local/etc/ipsec.d/private/rtr.koumbit.net.pem ike://rtr.koumbit.net
</pre>
First off, this added ssh:// as a prefix, so the uid was ssh://ike://rtr.koumbit.net.
then I cannot modify this key:
<pre>
root@rtr1:/var/monkeysphere/host # gpg --homedir=. --edit-key 940F9734
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/940F9734 created: 2013-08-10 expires: never usage: CA
trust: unknown validity: unknown
[ unknown] (1). ssh://ike://rtr.koumbit.net
gpg> adduid
Real name: ike://rtr.koumbit.net
Email address:
Comment:
You selected this USER-ID:
"ike://rtr.koumbit.net"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: signing failed: checksum error
</pre>
This is 0.24 on FreeBSD.
*(from redmine: created on 2013-08-10)*

Issue #6252: msva-perl chokes when more than one keyserver entry in gpg.conf
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6252
Author: dkg
Updated: 2016-06-20T17:13:52Z

Try putting two keyserver lines in gpg.conf. msva-perl chokes up with:
<pre>
Not a valid keyserver (from gpg config /home/dkg/.gnupg/gpg.conf):
ARRAY(0x2f5bf48)
</pre>
*(from redmine: created on 2013-08-29)*

Issue #6395: newline should be created by monkeysphere-authentication
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6395
Author: Ghost User
Updated: 2016-06-20T17:13:48Z

Currently, when monkeysphere-authentication update-users gets run against a ~/.ssh/authorized_keys file that does not have a newline at the end of the file, monkeysphere-authentication creates the file /var/lib/monkeysphere/authorized_keys without a newline as well. This produces uncleanly formatted files. It would be nice to have m-a add a newline to the end of these files if necessary.
I've attached an untested patch, that I think should perform this cleanup.
~/ross
*(from redmine: created on 2013-10-31)*

Issue #6428: m-a u too verbose for a cron job
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6428
Author: anarcat
Updated: 2016-06-20T17:13:47Z

After deploying monkeysphere system-wide on Koumbit's infrastructure, we ended up with hundreds of (automated) opened tickets from the monkeysphere-authentication update-users cronjob we deployed.
A few examples:
<pre>
gpg: vérification de la base de confiance
</pre>
... that should really be silent.
<pre>
ms: improper group writability on '/home/anarcat'
</pre>
... while I appreciate the security attention, there are perfectly legitimate reasons for my home to be group-writable, leave me alone.
<pre>
ms: Failure (2) searching keyserver pool.sks-keyservers.net for user id 'Antoine Beaupré <anarcat@koumbit.org>'
</pre>
... a transient error, probably, this shouldn't be an error condition that triggers an email.
<pre>
ms: improper ownership on '/home/scyrma/.ssh/authorized_keys': owner ID 1002 is neither scyrma (ID 1003) nor the superuser
ms: improper ownership on '/home/anarcat': owner ID 1002 is neither anarcat (ID 10001) nor the superuser
</pre>
... again, what business of yours? 1002 is the /etc/password uid, and 100001 is the LDAP uid... a working configuration, or at least, working enough that we didn't notice the problem until we installed monkeysphere.
We have simply silenced the whole cronjob as it is, but it seems like a bad solution... I would rather not flush the baby with the bathwater and be aware when monkeysphere really fails.
Related issues: #499, #500, #2699
*(from redmine: created on 2013-11-19)*

Issue #6429: massive number of forks since deployment
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6429
Author: anarcat
Updated: 2016-06-20T17:13:46Z

The number of forks per second on the servers where we deployed Monkeysphere was raised by an order of magnitude.
Example:
!forks-week.png!
Monkeysphere was deployed yesterday. The m-a update-users cronjob runs every 5 minutes.
*(from redmine: created on 2013-11-19)*

Issue #6524: unexpected failure in openpgp2ssh can cause monkeysphere-authentication to lock people out
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6524
Author: dkg
Updated: 2023-08-12T13:39:28Z

Kristian reports that an unexpected failure of openpgp2ssh (in his case, a major breakage in his perl installation) can leave the user locked out based on a monkeysphere-authentication run.
I would have expected the failure of openpgp2ssh to cause m-a to abort, since it is set -e -- we need to understand why that's not happening.
Kristian proposed a temporary workaround: just test that openpgp2ssh doesn't die horribly when run as a test:
<pre>
(I) Delete RSA.pm
(II)
kristianf@kflaptop ~ $ openpgp2ssh
Can't locate Crypt/OpenSSL/RSA.pm in @INC (@INC contains: /etc/perl /usr/local/lib64/perl5/5.16.3/x86_64-linux /usr/local/lib64/perl5/5.16.3 /usr/lib64/perl5/vendor_perl/5.16.3/x86_64-linux /usr/lib64/perl5/vendor_perl/5.16.3 /usr/local/lib64/perl5 /usr/lib64/perl5/vendor_perl /usr/lib64/perl5/5.16.3/x86_64-linux /usr/lib64/perl5/5.16.3) at /usr/bin/openpgp2ssh line 54.
BEGIN failed--compilation aborted at /usr/bin/openpgp2ssh line 54.
(III)
Apply patch
(IV)
kflaptop OpenSSL # monkeysphere-authentication u
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-12-31
openpgp2ssh command gives unexpected return code. This can lead to a scenario where no authorized keys are populated, even though they are otherwise valid. Aborting!
(V) Fix RSA.pm issue
(VI) runs as expected
</pre>
here's his patch:
<pre>
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index edc7995..2711ff2 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -84,6 +84,13 @@ gpg_sphere() {
su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
}
+check_openpgp2ssh_sanity() {
+ if [[ `su_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then
+ echo "openpgp2ssh command gives unexpected return code. This can lead to a scenario where no authorized keys are populated, even though they are otherwise valid. Aborting!"
+ exit 1
+ fi;
+}
+
# output to stdout the core fingerprint from the gpg core secret
# keyring
core_fingerprint() {
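Review bot: check_openpgp2ssh_sanity hard-codes 255 as the only acceptable exit status of `su_monkeysphere_user openpgp2ssh ABC`, so any other status (a changed bad-argument code in a future openpgp2ssh, or even 0) aborts every update-users run; either check for the specific failure being guarded against or document why 255 is the expected value. The abort path also uses a bare `echo` plus `exit 1` where the rest of this script reports errors through `failure` (compare `failure "Must specify user."` in the later hunk), and the `;` after `fi` is unnecessary. Note that this guards the startup path only; the question raised in the issue, why a failing openpgp2ssh inside update_users does not trip `set -e`, is still unanswered by this change.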
@@ -163,6 +170,7 @@ case $COMMAND in
'update-users'|'update-user'|'update'|'u')
source "${MASHAREDIR}/setup"
setup
+ check_openpgp2ssh_sanity
source "${MASHAREDIR}/update_users"
OUTPUT_STDOUT= update_users "$@"
;;
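Review bot: the `check_openpgp2ssh_sanity` call added here is repeated verbatim in the next hunk for the update-user path; both branches source "${MASHAREDIR}/update_users" immediately afterwards, so a single call at the top of update_users (or inside setup) would cover both paths and avoid two call sites that have to be kept in sync.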
@@ -171,6 +179,7 @@ case $COMMAND in
(( $# > 0 )) || failure "Must specify user."
source "${MASHAREDIR}/setup"
setup
+ check_openpgp2ssh_sanity
source "${MASHAREDIR}/update_users"
OUTPUT_STDOUT=true update_users "$1"
;;
</pre>
*(from redmine: created on 2013-12-18)*

Issue #6779: ssh_proxycommand needs to adapt to stricter ssh-keygen -F
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6779
Author: Ghost User
Updated: 2016-06-20T17:13:41Z

I don't know what happened; either they started writing non-canonical addresses to known_hosts, or ssh-keygen -F is now stricter, but my ssh_proxycommand was failing silently. The patch attached fixes the problem.
*(from redmine: created on 2014-02-26)*

Issue #6781: better UX for when ms contacts a slow keyserver
https://0xacab.org/monkeysphere/monkeysphere/-/issues/6781
Author: Ghost User
Updated: 2016-06-20T17:13:38Z

GPG's default timeout for keyserver operations is 30 seconds. Please either lower this to e.g. 10 seconds, or raise the log level of the " checking keyserver $KEYSERVER... " message to INFO (in /usr/share/monkeysphere/common).
*(from redmine: created on 2014-02-27)*

Issue #8094: Monkeysphere should use su with "-s /bin/bash"
https://0xacab.org/monkeysphere/monkeysphere/-/issues/8094
Author: Ghost User
Updated: 2016-06-20T17:13:37Z

The following will fail if the monkeysphere user doesn't have a proper shell:
<pre>
# requote arguments using bash builtin feature (see "help printf"):
su "$MONKEYSPHERE_USER" -c "$(printf "%q " "$@")"
</pre>
For instance when running "monkeysphere-authentication add-identity-certifier" and the monkeysphere user has */sbin/nologin* as a shell, we'll get:
<pre>
This account is currently not available.
</pre>
A safer way (that does not expect /bin/bash as the shell) would be something like the following:
<pre>
su -s /bin/bash "$MONKEYSPHERE_USER" -c "$(printf "%q " "$@")"
</pre>
*(from redmine: created on 2014-10-13)*

Issue #8414: Make SBINDIR configurable
https://0xacab.org/monkeysphere/monkeysphere/-/issues/8414
Author: Ghost User
Updated: 2016-06-20T17:13:36Z

More and more distros are merging the bin and sbin directories, and even
other than that it’s handy to be able to specify the directories you
want for custom installs.
--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://theos.kyriasis.com/~kyrias/
*(from redmine: created on 2014-12-10)*

Issue #9039: XMPP protocol missing in MSVA-perl
https://0xacab.org/monkeysphere/monkeysphere/-/issues/9039
Author: Ghost User
Updated: 2016-06-20T17:13:35Z

I just had a talk with some Jabber people on the Prosody MUC (Multi User Chat) about the merits of Monkeysphere.
It turned out there is already a "module for the Prosody XMPP server":https://code.google.com/p/prosody-modules/wiki/mod_s2s_auth_monkeysphere to implement Monkeysphere authentication.
A big blocker for them seems to be that the MSVA (Monkeysphere Validation Agent)-perl package is unaware of the XMPP protocol, as the following excerpt from @msva-perl/Crypt/Monkeysphere/MSVA.pm@ (lines 575-582) demonstrates:
<pre>
# check context string
if ($data->{context} =~ /^(https|ssh|smtp|ike|postgresql|imaps|imap|submission|e-mail)$/) {
  $data->{context} = $1;
} else {
  msvalog('error', "invalid context: %s\n", $data->{context});
  $ret->{message} = sprintf("Invalid/unknown context: %s", $data->{context});
  return $status,$ret;
}
</pre>
Please enable the XMPP world to join the Monkeysphere.
*(from redmine: created on 2015-03-08)*

Issue #9550: subkey-to-ssh-agent cannot handle primary authentication key
https://0xacab.org/monkeysphere/monkeysphere/-/issues/9550
Author: Ghost User
Updated: 2016-06-20T17:13:35Z

If I have a keypacket where the primary key is the sole authentication-capable key, gen-subkey will say that I already have an authentication-capable key and will discourage me from generating another one. Furthermore, monkeysphere-authentication is perfectly happy to generate authorized_keys entries from such a keypacket. However, if I try to use subkey-to-ssh-agent, it breaks with "no authentication-capable subkeys available" and asks me to run gen-subkey.
*(from redmine: created on 2015-06-09)*

Issue #10465: gpg-agent is spawned up but not finished after the setup
https://0xacab.org/monkeysphere/monkeysphere/-/issues/10465
Author: Ghost User
Updated: 2016-06-20T17:13:32Z

IMO after installation into a chroot the gpg-agent should be finished.
Details: https://bugs.gentoo.org/show_bug.cgi?id=562762
*(from redmine: created on 2015-11-01)*