[Pkg-privacy-commits] [Git][pkg-privacy-team/monkeysphere][debian/master] 2 commits: fix monkeysphere-host import-key (Closes: #909700)
Daniel Kahn Gillmor
dkg at debian.org
Fri May 10 22:09:57 BST 2019
Daniel Kahn Gillmor pushed to branch debian/master at Privacy Maintainers / monkeysphere
Commits:
0110778a by Daniel Kahn Gillmor at 2019-05-10T21:03:22Z
fix monkeysphere-host import-key (Closes: #909700)
All three of these patches are needed to really close the bug:
* we need the test to work without -m PEM
* we need to change the secret key creation to use ssh-add and
gpg-agent.
* we need to convert to the --quick-* functionality for
{add,revoke}_name, so that we don't have problems with
--export-secret-key from this kind of secret key creation (see
https://dev.gnupg.org/T4490).
These changes also require the use of a more modern version of GnuPG,
so we update the dependencies accordingly.
- - - - -
7fc9c071 by Daniel Kahn Gillmor at 2019-05-10T21:04:09Z
prepare debian release
- - - - -
6 changed files:
- debian/changelog
- debian/control
- + debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
- + debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
- + debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+monkeysphere (0.43-3) unstable; urgency=medium
+
+ * fix monkeysphere-host import-key (Closes: #909700)
+ * update GnuPG dependency
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net> Fri, 10 May 2019 16:55:04 -0400
+
monkeysphere (0.43-2) unstable; urgency=medium
* Autopkgtest should cover Ed25519 as well
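Review bot: The second changelog item, `* update GnuPG dependency`, should name the new minimum and the reason, since a versioned dependency bump is exactly what someone tracing a failed upgrade looks for; suggest `* bump versioned gnupg dependency to >= 2.1.17 for the --quick-add-uid/--quick-revoke-uid interface`, matching the control change and patch 0005 below.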
=====================================
debian/control
=====================================
@@ -11,7 +11,7 @@ Build-Depends:
cpio,
debhelper-compat (= 12),
dpkg-dev (>= 1.17.14),
- gnupg (>= 2.1.11) <!nocheck>,
+ gnupg (>= 2.1.17) <!nocheck>,
gnupg-agent <!nocheck>,
libassuan-dev,
libcrypt-openssl-rsa-perl <!nocheck>,
@@ -31,7 +31,7 @@ Package: monkeysphere
Architecture: all
Depends:
adduser,
- gnupg (>= 2.1.11),
+ gnupg (>= 2.1.17),
libcrypt-openssl-rsa-perl,
libdigest-sha-perl,
lockfile-progs | procmail,
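Review bot: This Depends hunk only raises gnupg to >= 2.1.17, but the import_key rewrite in patch 0006 now shells out at runtime to `ssh-add` and to `gpgconf --launch gpg-agent`; the visible part of Depends lists neither openssh-client nor a gpg-agent package (gnupg-agent appears only in Build-Depends under <!nocheck>). Please confirm both are declared in the unshown remainder of Depends, or add them, otherwise `monkeysphere-host import-key` fails on a minimal install with a command-not-found rather than a useful error.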
=====================================
debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
=====================================
@@ -0,0 +1,32 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Fri, 10 May 2019 12:15:00 -0400
+Subject: tests/basic: ensure functionality with output of standard OpenSSH
+ keygen
+
+Our "fix" to https://bugs.debian.org/909700 in
+d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
+actual typical default output of ssh-keygen.
+
+While this was fair to do in tests/keytrans, where it is exercised on
+pem2openpgp (which is explicitly defined as only accepting PEM input),
+this is inappropriate for testing monkeysphere in general.
+
+So now, the test suite breaks again, but we need to provide a proper
+fix.
+---
+ tests/basic | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/basic b/tests/basic
+index d5c4692..72a79a6 100755
+--- a/tests/basic
++++ b/tests/basic
+@@ -275,7 +275,7 @@ fi
+ echo
+ echo "##################################################"
+ echo "### import host key..."
+-ssh-keygen -m PEM -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
++ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
+
+ echo
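Review bot: Dropping `-m PEM` from the ssh-keygen call in the tests/basic hunk only exercises the default OpenSSH key format for RSA; since patch 0006 advertises import of every key type that gpg-agent and ssh-add share, consider adding a second import-key case with `ssh-keygen -t ed25519` so the new key_type_from_file() mapping and the Key-Type: EDDSA path are covered by the suite rather than only the RSA branch. Note also that with 0004 applied before 0006 the test suite is red between the two patches, as the description acknowledges; a bisect over the patch queue will hit that.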
=====================================
debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
=====================================
@@ -0,0 +1,62 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Fri, 10 May 2019 16:18:28 -0400
+Subject: Use gpg's reworked --quick-* interface for adding/revoking uids
+
+This interface stabilized in GnuPG 2.1.17, so we increase our
+versioned dependency.
+---
+ README | 2 +-
+ src/share/mh/add_name | 5 +----
+ src/share/mh/revoke_name | 10 +---------
+ 3 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/README b/README
+index b47a9bf..33f5a0d 100644
+--- a/README
++++ b/README
+@@ -19,7 +19,7 @@ Dependencies
+
+ Monkeysphere depends on:
+
+- * GnuPG >= 2.1.11
++ * GnuPG >= 2.1.17
+ * Perl
+ * Perl's Crypt::OpenSSL::RSA module
+ * lockfile-progs or procmail's lockfile
+diff --git a/src/share/mh/add_name b/src/share/mh/add_name
+index f37d9df..6357284 100644
+--- a/src/share/mh/add_name
++++ b/src/share/mh/add_name
+@@ -50,10 +50,7 @@ else
+ fi
+
+ # execute edit-key script
+-if gpg_host --export-secret-keys "$keyID" | \
+- PEM2OPENPGP_USAGE_FLAGS=authenticate \
+- "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \
+- | gpg_host --import ; then
++if gpg_host --quick-add-uid "$keyID" "$serviceName" ; then
+
+ gpg_host --check-trustdb
+
+diff --git a/src/share/mh/revoke_name b/src/share/mh/revoke_name
+index d807ac1..4e8d666 100644
+--- a/src/share/mh/revoke_name
++++ b/src/share/mh/revoke_name
+@@ -46,15 +46,7 @@ else
+ fi
+
+ # actually revoke:
+-
+-# the gpg secring might not contain the host key we are trying to
+-# revoke (let alone any selfsig over that host key), but the plain
+-# --export won't contain the secret key. "keytrans revokeuserid"
+-# needs access to both pieces, so we feed it both of them.
+-
+-if gpg_host --export-secret-keys "$keyID" \
+- | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \
+- | gpg_host --import ; then
++if gpg_host --quick-revoke-uid "$keyID" "$serviceName" ; then
+
+ gpg_host --check-trustdb
+
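Review bot: Both `gpg_host --quick-add-uid` in add_name and `gpg_host --quick-revoke-uid` in revoke_name require the host key's secret material to be usable by gpg-agent under $GNUPGHOME_HOST, whereas the removed pipelines only needed `--export-secret-keys` to succeed; the deleted comment in revoke_name about the secring possibly lacking the host key (or any selfsig over it) described a real precondition, so replace it with a comment stating the new one rather than dropping it, and have the else branches (not shown) report that the `--quick-*` call failed so a user whose key is not in the agent gets a direct message. The stray blank line deleted after `# actually revoke:` is fine to drop.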
=====================================
debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
=====================================
@@ -0,0 +1,146 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Fri, 10 May 2019 16:30:11 -0400
+Subject: mh import-key: use ssh-add and gpg-agent for import (Closes:
+ #909700)
+
+This directly fixes the problem that monkeysphere-host was failing to
+import the style of SSH host key that was generated by default by
+ssh-keygen.
+
+As a side effect, we can now support all the host key algorithms that
+are supported by both gpg-agent (in its ssh-agent implementation) and
+ssh-add.
+
+The lockfile and the dancing around the gpg-agent run in
+$GNUPGHOME_HOST is a bit awkward. It would be nicer to use an
+ephemeral GnuPG homedir as recommended in the "Unattended Usage"
+section of the gnupg info pages, but to do that we'd need to be able
+to extract the secret key, which is blocked by
+https://dev.gnupg.org/T4490
+---
+ man/man8/monkeysphere-host.8 | 7 ++--
+ src/share/mh/import_key | 82 ++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 79 insertions(+), 10 deletions(-)
+
+diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
+index 3e37057..6ae30ed 100644
+--- a/man/man8/monkeysphere-host.8
++++ b/man/man8/monkeysphere-host.8
+@@ -27,9 +27,10 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
+ \fBmonkeysphere\-host\fP takes various subcommands:
+ .TP
+ .B import\-key FILE SCHEME://HOSTNAME[:PORT]
+-Import a PEM\-encoded host secret key from file FILE. If FILE is
+-`\-', then the key will be imported from stdin. Only RSA keys are
+-supported at the moment. SCHEME://HOSTNAME[:PORT] is used to specify
++Import an SSH host secret key from file FILE. If FILE is
++`\-', then the key will be imported from stdin, and must be an
++RSA key in PEM\-encoded format.
++SCHEME://HOSTNAME[:PORT] is used to specify
+ the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
+ used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
+ https://www.example.net). If PORT is not specified, then no port is
+diff --git a/src/share/mh/import_key b/src/share/mh/import_key
+index 0f362b8..ebe2cc3 100644
+--- a/src/share/mh/import_key
++++ b/src/share/mh/import_key
+@@ -18,7 +18,7 @@ local serviceName="$2"
+
+ # check that key file specified
+ if [ -z "$keyFile" ] ; then
+- failure "Must specify PEM-encoded key file to import, or specify '-' for stdin."
++ failure "Must specify key file to import, or specify '-' for PEM-encoded RSA key on stdin."
+ fi
+
+ # fail if hostname not specified
+@@ -37,16 +37,84 @@ mkdir -p "${MHDATADIR}"
+ mkdir -p "${GNUPGHOME_HOST}"
+ chmod 700 "${GNUPGHOME_HOST}"
+
+-# import pem-encoded key to an OpenPGP private key
++key_type_from_file() {
++ # translates from OpenSSH's pubkey format string to GnuPG's
++ # Key-Type parameter:
++ local keyType
++ if keyType=$(ssh-keygen -y -f "$keyFile" | awk '{ print $1 }'); then
++ case "$keyType" in
++ ssh-dss)
++ echo DSA
++ ;;
++ ecdsa-sha2-nistp256)
++ echo ECDSA
++ ;;
++ ssh-ed25519)
++ echo EDDSA
++ ;;
++ ssh-rsa)
++ echo RSA
++ ;;
++ *)
++ log error "unknown key type '$keyType' from file '$keyFile'"
++ return 1
++ ;;
++ esac
++ else
++ log error "ssh-keygen could not interpret '$keyFile'"
++ return 1
++ fi
++ return 0
++}
++
++
+ if [ "$keyFile" = '-' ] ; then
+- log verbose "importing key from stdin..."
++ # import PEM-encoded RSA stdin to an OpenPGP private key
++ log verbose "importing PEM-encoded RSA key from stdin..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+ | gpg_host --import
+ else
+- log verbose "importing key from file '$keyFile'..."
+- PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+- <"$keyFile" \
+- | gpg_host --import
++ # import some sort of file that OpenSSH's keygen can handle
++ if keyType=$(key_type_from_file "$keyFile"); then
++ # we lock to avoid concurrent interactions with gpg-agent and
++ # the sshcontrol file would be dubious
++ lock create "$GNUPGHOME_HOST/importlock"
++ if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
++ backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
++ log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
++ mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
++ fi
++
++ log verbose "importing $keyType key from file '$keyFile'..."
++ if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
++ echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
++ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
++ GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
++ fi
++ SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
++ if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
++ test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
++ gpg_host --batch --full-generate-key <<EOF
++Key-Type: $keyType
++Key-Grip: $keyGrip
++Key-Usage: auth
++Name-Real: $serviceName
++%no-protection
++%commit
++EOF
++ else
++ rm -f "$GNUPGHOME_HOST/sshcontrol"
++ lock remove "$GNUPGHOME_HOST/importlock"
++ failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
++ fi
++ rm -f "$GNUPGHOME_HOST/sshcontrol"
++ lock remove "$GNUPGHOME_HOST/importlock"
++ else
++ log error "falling back to pem2openpgp (which will probably still fail)..."
++ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
++ <"$keyFile" \
++ | gpg_host --import
++ fi
+ fi
+
+ # export to OpenPGP public key to file
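Review bot: In the import_key hunk the exit status of `ssh-add "$keyFile"` is never checked, so if ssh-add fails (unreadable file, passphrase-protected key, agent socket not yet up) execution falls through to the sshcontrol scan and reports the misleading `did not find a single keygrip in ... sshcontrol`; wrap it as `if ! SSH_AUTH_SOCK=... ssh-add "$keyFile"; then lock remove "$GNUPGHOME_HOST/importlock"; failure "ssh-add could not import '$keyFile'"; fi`. The same applies to `gpg_host --batch --full-generate-key`: its result is not tested and the script continues to the public-key export regardless. Two more points on the same block: the pre-existing sshcontrol is moved to $backupSshControl but never restored after the import (`rm -f "$GNUPGHOME_HOST/sshcontrol"` runs on both paths), so any keys previously registered with the host agent are silently dropped from sshcontrol; and appending `batch` to gpg-agent.conf is a persistent change to $GNUPGHOME_HOST that outlives the import and is not mentioned in the man page hunk. Finally, key_type_from_file() maps only ecdsa-sha2-nistp256, while the commit message claims support for all key types shared by gpg-agent and ssh-add; either add the nistp384/nistp521 cases or narrow the claim.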
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,6 @@
0001-Expose-sshd-logs-when-ssh-test-fails.patch
0002-Ensure-that-make-test-ed25519-works-when-no-tty-is-p.patch
0003-Dump-remaining-jobs-during-test-cleanup.patch
+0004-tests-basic-ensure-functionality-with-output-of-stan.patch
+0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
+0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/bc7f13332fd73936413a600dd42f0815ae363299...7fc9c0710377ca5b431f9c2ca30c8006f73aefe4