authorMartin Wilke <miwi@FreeBSD.org>2009-03-10 07:45:27 +0000
committerMartin Wilke <miwi@FreeBSD.org>2009-03-10 07:45:27 +0000
commitc041c07d224b5924f6b9936ac331b4a272d3ae11 (patch)
treef58327ebdfd7a3445d5f9bc5a307581282c57309 /security/monkeysphere
parentaf4b03f9c56197b975bcd6c8fa66dfeef6d60b13 (diff)
SSH key-based authentication is tried-and-true, but it lacks a true
Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users. WWW: http://web.monkeysphere.info/ PR: ports/128406 Submitted by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Notes
Notes: svn path=/head/; revision=229822
Diffstat (limited to 'security/monkeysphere')
-rw-r--r--security/monkeysphere/Makefile72
-rw-r--r--security/monkeysphere/distinfo3
-rw-r--r--security/monkeysphere/files/patch-src_monkeysphere-host11
-rw-r--r--security/monkeysphere/files/patch-src_share_keytrans11
-rw-r--r--security/monkeysphere/pkg-deinstall29
-rw-r--r--security/monkeysphere/pkg-descr7
-rw-r--r--security/monkeysphere/pkg-install64
-rw-r--r--security/monkeysphere/pkg-plist49
8 files changed, 246 insertions, 0 deletions
diff --git a/security/monkeysphere/Makefile b/security/monkeysphere/Makefile
new file mode 100644
index 000000000000..65d71f4bcef6
--- /dev/null
+++ b/security/monkeysphere/Makefile
@@ -0,0 +1,72 @@
+# New ports collection makefile for: monkeysphere
+# Date created: 2008-09-11 23:38:27-0400
+# Whom: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# $FreeBSD$
+#
+
+PORTNAME= monkeysphere
+PORTVERSION= 0.24
+CATEGORIES= security
+MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
+# hack for debian orig tarballs
+DISTFILES= ${PORTNAME}_${DISTVERSION}.orig.tar.gz
+
+MAINTAINER= dkg@fifthhorseman.net
+COMMENT= Use the OpenPGP web of trust to verify ssh connections
+
+RUN_DEPENDS= gpg:${PORTSDIR}/security/gnupg1 \
+ lockfile:${PORTSDIR}/mail/procmail \
+ bash:${PORTSDIR}/shells/bash \
+ ${SITE_PERL}/${PERL_ARCH}/Crypt/OpenSSL/RSA.pm:${PORTSDIR}/security/p5-Crypt-OpenSSL-RSA \
+ ${SITE_PERL}/${PERL_ARCH}/Digest/SHA1.pm:${PORTSDIR}/security/p5-Digest-SHA1
+
+MAN1= monkeysphere.1 openpgp2ssh.1 pem2openpgp.1
+MAN7= monkeysphere.7
+MAN8= monkeysphere-host.8 monkeysphere-authentication.8
+MANCOMPRESSED= yes
+
+MAKE_ARGS= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/man ETCSUFFIX=.sample
+
+# use proper system paths for FreeBSD instead of debian's:
+post-patch:
+ @${REINPLACE_CMD} -e 's|/etc/monkeysphere|/usr/local/etc/monkeysphere|g' \
+ ${WRKSRC}/src/share/defaultenv \
+ ${WRKSRC}/src/transitions/0.23 \
+ ${WRKSRC}/man/man1/monkeysphere.1 \
+ ${WRKSRC}/man/man8/monkeysphere-authentication.8 \
+ ${WRKSRC}/man/man8/monkeysphere-host.8 \
+ ${WRKSRC}/etc/monkeysphere-authentication.conf
+ @${REINPLACE_CMD} -e 's|/var/lib/monkeysphere|/var/monkeysphere|g' \
+ ${WRKSRC}/src/transitions/0.23 \
+ ${WRKSRC}/man/man1/monkeysphere.1 \
+ ${WRKSRC}/man/man8/monkeysphere-authentication.8 \
+ ${WRKSRC}/man/man8/monkeysphere-host.8 \
+ ${WRKSRC}/src/monkeysphere-host \
+ ${WRKSRC}/src/monkeysphere-authentication \
+ ${WRKSRC}/doc/getting-started-admin.mdwn
+ @${REINPLACE_CMD} -e 's|/usr/share/monkeysphere|/usr/local/share/monkeysphere|g' \
+ ${WRKSRC}/src/monkeysphere-host \
+ ${WRKSRC}/src/monkeysphere-authentication \
+ ${WRKSRC}/src/monkeysphere
+ # and clean up cruft from the sed replacements:
+ ${FIND} ${WRKSRC} -name '*.bak' -delete
+
+post-install:
+ @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \
+ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \
+ fi
+ @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf ]; then \
+ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-host.conf ; \
+ fi
+ @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf ]; then \
+ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere-authentication.conf ; \
+ fi
+.if !defined(PACKAGE_BUILDING)
+ @${SETENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+.endif
+
+post-deinstall:
+ @${SETENV} ${SH} ${PKGDEINSTALL} ${PKGNAME} POST-DEINSTALL
+
+.include <bsd.port.mk>
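Review bot: The three `REINPLACE_CMD` substitutions in `post-patch` hard-code `/usr/local`, while `MAKE_ARGS` and `post-install` use `${PREFIX}`, so a build with a non-default `PREFIX` installs the `.conf` files under one tree and leaves the scripts reading `/usr/local/etc/monkeysphere` and `/usr/local/share/monkeysphere`. For a tool that makes authentication decisions, reading configuration and helper scripts from a directory the package does not install is worth avoiding. Using the variable keeps the two aligned, e.g. `-e 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g'` and `-e 's|/usr/share/monkeysphere|${PREFIX}/share/monkeysphere|g'`. The patterns are also unanchored, so a path in those files that already carries a prefix before `/etc/monkeysphere` would be rewritten a second time; that cannot be checked from this hunk.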
diff --git a/security/monkeysphere/distinfo b/security/monkeysphere/distinfo
new file mode 100644
index 000000000000..a0a9df9e98e6
--- /dev/null
+++ b/security/monkeysphere/distinfo
@@ -0,0 +1,3 @@
+MD5 (monkeysphere_0.24.orig.tar.gz) = 8590532f4702fa44027a6a583657c9ef
+SHA256 (monkeysphere_0.24.orig.tar.gz) = 2a58cee998ddb1b21b953826fc746a743e17d94e6fa34ac9cbee4262873b5c5f
+SIZE (monkeysphere_0.24.orig.tar.gz) = 86044
diff --git a/security/monkeysphere/files/patch-src_monkeysphere-host b/security/monkeysphere/files/patch-src_monkeysphere-host
new file mode 100644
index 000000000000..9414c7355010
--- /dev/null
+++ b/security/monkeysphere/files/patch-src_monkeysphere-host
@@ -0,0 +1,11 @@
+--- src/monkeysphere-host
++++ src/monkeysphere-host
+@@ -103,7 +103,7 @@ update_gpg_pub_file() {
+ load_fingerprint() {
+ if [ -f "$HOST_KEY_FILE" ] ; then
+ HOST_FINGERPRINT=$( \
+- (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
++ (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \
+ && gpg --quiet --import \
+ && gpg --quiet --list-keys --with-colons --with-fingerprint \
+ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
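Review bot: The scratch GNUPGHOME created on the changed line is removed only by the trailing `&& rm -rf "$FUBAR"`, so if either `gpg` call fails the directory and whatever was imported from `$HOST_KEY_FILE` stay on disk. If that file holds the host's secret key, as its name suggests, cleanup should not depend on success; inside the subshell, `trap 'rm -rf "$FUBAR"' EXIT` placed right after the directory is created would cover the failure paths. `msmktempdir` is not defined in the visible context, so it should be confirmed that it creates the directory readable by its owner only. The command substitution in `load_fingerprint` continues past the end of the hunk.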
diff --git a/security/monkeysphere/files/patch-src_share_keytrans b/security/monkeysphere/files/patch-src_share_keytrans
new file mode 100644
index 000000000000..9d584acbeed6
--- /dev/null
+++ b/security/monkeysphere/files/patch-src_share_keytrans
@@ -0,0 +1,11 @@
+--- src/share/keytrans 2009-03-01 13:39:50.000000000 -0500
++++ src/share/keytrans 2009-03-10 00:39:53.681890554 -0400
+@@ -199,7 +199,7 @@
+ sub simple_checksum {
+ my $bytes = shift;
+
+- return unpack("%32W*",$bytes) % 65536;
++ return unpack("%32U*",$bytes) % 65536;
+ }
+
+ # calculate the multiplicative inverse of a mod b this is euclid's
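Review bot: `simple_checksum` sums octets, but the `U` format on the changed line is defined in terms of Unicode code points, and its handling of values above 0x7f depends on the Perl version and on whether `$bytes` carries the UTF-8 flag. The octet format states the intent directly and is available in every Perl 5 release: `return unpack("%32C*",$bytes) % 65536;`. A comment above it such as `# 16-bit sum of octets; W needs Perl 5.10, C works everywhere` would record why the upstream `W` was replaced (presumably for an older system Perl). A test with input containing bytes of 0x80 and above would confirm the result matches the upstream `W` form.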
diff --git a/security/monkeysphere/pkg-deinstall b/security/monkeysphere/pkg-deinstall
new file mode 100644
index 000000000000..3e69eabbb1dd
--- /dev/null
+++ b/security/monkeysphere/pkg-deinstall
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# a package removal script for monkeysphere (borrowing from
+# monkeysphere's debian/monkeysphere.postrm)
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Copyright 2008,2009
+
+# FIXME: is /var/monkeysphere the right place for this stuff on
+# FreeBSD?
+VARLIB="/var/monkeysphere"
+
+
+case $2 in
+POST-DEINSTALL)
+ USER=monkeysphere
+# FIXME: This doesn't do anything! Under what circumstances do we
+# want to actually automatically purge all of /var/monkeysphere?
+
+# (note: FreeBSD does not seem to want the package-specific user to be
+# purged at package removal)
+ if pw user show "${USER}" 2>/dev/null >/dev/null; then
+ echo "Warning: If you will *NOT* use this package anymore, please remove the monkeysphere user manually."
+ fi
+ if [ -d "$VARLIB" ] ; then
+ echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB"
+ fi
+;;
+esac
diff --git a/security/monkeysphere/pkg-descr b/security/monkeysphere/pkg-descr
new file mode 100644
index 000000000000..9adc44f32979
--- /dev/null
+++ b/security/monkeysphere/pkg-descr
@@ -0,0 +1,7 @@
+SSH key-based authentication is tried-and-true, but it lacks a true
+Public Key Infrastructure for key certification, revocation and
+expiration. Monkeysphere is a framework that uses the OpenPGP web of
+trust for these PKI functions. It can be used in both directions: for
+users to get validated host keys, and for hosts to authenticate users.
+
+WWW: http://web.monkeysphere.info/
diff --git a/security/monkeysphere/pkg-install b/security/monkeysphere/pkg-install
new file mode 100644
index 000000000000..435c69ad12c0
--- /dev/null
+++ b/security/monkeysphere/pkg-install
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# an installation script for monkeysphere (borrowing liberally from
+# postgresql and mysql pkg-install scripts, and from monkeysphere's
+# debian/monkeysphere.postinst)
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Copyright 2008,2009
+
+# FIXME: is /var/monkeysphere the right place for this stuff on
+# FreeBSD?
+
+# PostgreSQL puts its data in /usr/local/pgsql/data
+
+# MySQL puts its data in /var/db/mysql
+
+VARLIB="/var/monkeysphere"
+ETCDIR="/usr/local/etc/monkeysphere"
+
+case $2 in
+POST-INSTALL)
+ USER=monkeysphere
+ GROUP=${USER}
+ UID=641
+ GID=${UID}
+ SHELL=/usr/local/bin/bash
+
+ if pw group show "${GROUP}" >/dev/null 2>&1; then
+ echo "You already have a group \"${GROUP}\", so I will use it."
+ else
+ if pw groupadd ${GROUP} -g ${GID}; then
+ echo "Added group \"${GROUP}\"."
+ else
+ echo "Adding group \"${GROUP}\" failed..."
+ exit 1
+ fi
+ fi
+
+ if pw user show "${USER}" >/dev/null 2>&1; then
+ oldshell=`pw user show "${USER}" 2>/dev/null | cut -f10 -d:`
+ if [ x"$oldshell" != x"$SHELL" ]; then
+ echo "You already have a \"${USER}\" user, but its shell is '$oldshell'."
+ echo "This package requires that \"${USER}\"'s shell be '$SHELL'."
+ echo "You should fix this by hand and then re-install the package."
+ echo " hint: pw usermod '$USER' -s '$SHELL'"
+ exit 1
+ fi
+ echo "You already have a user \"${USER}\" with the proper shell, so I will use it."
+ else
+ if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \
+ -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphere authentication user,,,"
+ then
+ echo "Added user \"${USER}\"."
+ else
+ echo "Adding user \"${USER}\" failed..."
+ exit 1
+ fi
+ fi
+
+ ## set up the monkeysphere authentication cache directory:
+
+ monkeysphere-authentication setup
+ ;;
+esac
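Review bot: `monkeysphere-authentication setup` at the end of the POST-INSTALL branch is resolved through `PATH` while the script runs with install-time privileges, so whichever binary of that name comes first in the caller's `PATH` is executed; calling the installed file by absolute path avoids that, e.g. `"${PKG_PREFIX:-/usr/local}/sbin/monkeysphere-authentication" setup`. The branch also assigns `USER`, `SHELL` and `UID`, which are normally environment variables, so the values are likely inherited by that child process; private names such as `MS_USER=monkeysphere` and `MS_SHELL=/usr/local/bin/bash` would avoid the side effect. The `pw useradd` call repeats the literal `/usr/local/bin/bash` instead of the variable the earlier shell check compares against, and `ETCDIR` is set but never used in the visible script.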
diff --git a/security/monkeysphere/pkg-plist b/security/monkeysphere/pkg-plist
new file mode 100644
index 000000000000..95afa0111dd0
--- /dev/null
+++ b/security/monkeysphere/pkg-plist
@@ -0,0 +1,49 @@
+sbin/monkeysphere-host
+sbin/monkeysphere-authentication
+share/doc/monkeysphere/TODO
+share/doc/monkeysphere/MonkeySpec
+share/doc/monkeysphere/getting-started-user.mdwn
+share/doc/monkeysphere/getting-started-admin.mdwn
+bin/openpgp2ssh
+bin/pem2openpgp
+bin/monkeysphere
+share/monkeysphere/mh/publish_key
+share/monkeysphere/mh/import_key
+share/monkeysphere/mh/set_expire
+share/monkeysphere/mh/diagnostics
+share/monkeysphere/mh/add_hostname
+share/monkeysphere/mh/add_revoker
+share/monkeysphere/mh/revoke_hostname
+share/monkeysphere/mh/revoke_key
+share/monkeysphere/keytrans
+share/monkeysphere/defaultenv
+share/monkeysphere/VERSION
+share/monkeysphere/transitions/0.23
+share/monkeysphere/transitions/README.txt
+share/monkeysphere/ma/list_certifiers
+share/monkeysphere/ma/add_certifier
+share/monkeysphere/ma/update_users
+share/monkeysphere/ma/setup
+share/monkeysphere/ma/remove_certifier
+share/monkeysphere/ma/diagnostics
+share/monkeysphere/common
+share/monkeysphere/m/gen_subkey
+share/monkeysphere/m/ssh_proxycommand
+share/monkeysphere/m/subkey_to_ssh_agent
+share/monkeysphere/m/import_subkey
+@unexec if cmp -s %D/etc/monkeysphere/monkeysphere.conf.sample %D/etc/monkeysphere/monkeysphere.conf; then rm -f %D/etc/monkeysphere/monkeysphere.conf; fi
+etc/monkeysphere/monkeysphere.conf.sample
+@exec if [ ! -f %D/etc/monkeysphere/monkeysphere.conf ] ; then cp -p %D/%F %B/monkeysphere.conf; fi
+@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-host.conf.sample %D/etc/monkeysphere/monkeysphere-host.conf; then rm -f %D/etc/monkeysphere/monkeysphere-host.conf; fi
+etc/monkeysphere/monkeysphere-host.conf.sample
+@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-host.conf ] ; then cp -p %D/%F %B/monkeysphere-host.conf; fi
+@unexec if cmp -s %D/etc/monkeysphere/monkeysphere-authentication.conf.sample %D/etc/monkeysphere/monkeysphere-authentication.conf; then rm -f %D/etc/monkeysphere/monkeysphere-authentication.conf; fi
+etc/monkeysphere/monkeysphere-authentication.conf.sample
+@exec if [ ! -f %D/etc/monkeysphere/monkeysphere-authentication.conf ] ; then cp -p %D/%F %B/monkeysphere-authentication.conf; fi
+@dirrm share/doc/monkeysphere
+@dirrm share/monkeysphere/transitions
+@dirrm share/monkeysphere/mh
+@dirrm share/monkeysphere/ma
+@dirrm share/monkeysphere/m
+@dirrm share/monkeysphere
+@dirrm etc/monkeysphere