[Pkg-privacy-commits] [Git][pkg-privacy-team/monkeysphere][debian/master] 32 commits: Correct spacing of Changelog (helps generating correct releasenotes)

Daniel Kahn Gillmor dkg at debian.org
Mon May 20 00:26:33 BST 2019



Daniel Kahn Gillmor pushed to branch debian/master at Privacy Maintainers / monkeysphere


Commits:
43629c46 by Daniel Kahn Gillmor at 2019-01-24T19:18:25Z
Correct spacing of Changelog (helps generating correct releasenotes)

- - - - -
27a86a05 by Daniel Kahn Gillmor at 2019-01-24T20:33:32Z
Expose sshd logs when ssh test fails

- - - - -
a8f4ac40 by Daniel Kahn Gillmor at 2019-01-24T21:57:26Z
Ensure that "make test-ed25519" works when no tty is present

- - - - -
318134aa by Daniel Kahn Gillmor at 2019-01-24T22:03:38Z
Dump remaining jobs during test cleanup

See https://bugs.debian.org/920038 for more information about why this
additional debugging information might be useful.

- - - - -
d558bf0a by Daniel Kahn Gillmor at 2019-03-04T21:18:09Z
Add superuser $PATH for crontab examples

Since monkeysphere-authentication typically relies on runuser, and ISC
cron typically sets only PATH=/usr/bin:/bin

So we need to include the expected superuser's $PATH in the crontab
entry.

- - - - -
97ade311 by Daniel Kahn Gillmor at 2019-03-05T16:57:06Z
Avoid TIOCSTI abuse by the monkeysphere user

Since util-linux 2.31, runuser has support (sometimes
undocumented) for defense against terminal hijacking via TIOCSTI or
other techniques, by passing a --pty argument.

That option is [no longer
experimental](https://github.com/karelzak/util-linux/issues/760), so
monkeysphere-authentication should use it if it is available.

This defends against a compromised monkeysphere user being able to
attack the superuser when invoked under a controlling terminal.

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>

- - - - -
48785b0e by Daniel Kahn Gillmor at 2019-03-05T19:19:34Z
tests/keytrans: Avoid hangs when run with subprocesses

When bash 5.0 uses process replacement [0], the main process gets
invoked with child processes already present.

This wreaks havoc with our understanding of what "wait" does, and can
make the test suite hang (see https://bugs.debian.org/920038).  So we
introduce this check to make sure that there are no running
subprocesses.

This is particularly problematic because debian's autopkgtest *does*
invoke the test suite in this way.

Note that there might be some weird race condition here -- we allow
there to be 1 subprocess, which is the spawned "ps" program itself,
but how ps works on a given platform, and whether it will notice (and
count) itself, I don't know.  But it WorksForMe™ on debian buster.

[0] e.g., bash's process replacement looks like this:

    tests/keytrans > >(tee $TMPDIR/stdout)

- - - - -
d419333a by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
update preparing-release to account for DEP-14 branch names

- - - - -
ba881b1a by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
tests/basic: ensure functionality with output of standard OpenSSH keygen

Our "fix" to https://bugs.debian.org/909700 in
d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
actual typical default output of ssh-keygen.

While this was fair to do in tests/keytrans, where it is exercised on
pem2openpgp (which is explicitly defined as only accepting PEM input),
this is inappropriate for testing monkeysphere in general.

So now, the test suite breaks again, but we need to provide a proper
fix.

- - - - -
198271a7 by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
Use gpg's reworked --quick-* interface for adding/revoking uids

This interface stabilized in GnuPG 2.1.17, so we increase our
versioned dependency.

- - - - -
84feb2ef by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
Drop unused keytrans subcommands adduserid and revokeuserid

These subcommands are explicitly undocumented and unmaintained, and we
are no longer using them.  Get rid of the cruft.

- - - - -
96d97ca1 by Daniel Kahn Gillmor at 2019-05-10T21:14:26Z
mh import-key: use ssh-add and gpg-agent for import (Closes: #909700)

This directly fixes the problem that monkeysphere-host was failing to
import the style of SSH host key that was generated by default by
ssh-keygen.

As a side effect, we can now support all the host key algorithms that
are supported by both gpg-agent (in its ssh-agent implementation) and
ssh-add.

The lockfile and the dancing around the gpg-agent run in
$GNUPGHOME_HOST is a bit awkward.  It would be nicer to use an
ephemeral GnuPG homedir as recommended in the "Unattended Usage"
section of the gnupg info pages, but to do that we'd need to be able
to extract the secret key, which is blocked by
https://dev.gnupg.org/T4490

- - - - -
3deb4f95 by Daniel Kahn Gillmor at 2019-05-10T21:53:06Z
drop keytrans listfprs subcommand

This is no longer being used, we can rip it out.

- - - - -
790e53df by Daniel Kahn Gillmor at 2019-05-10T22:03:56Z
drop keytrans openpgp2sshfpr subcommand

- - - - -
54ce0b7f by Daniel Kahn Gillmor at 2019-05-10T22:10:54Z
Remove keytrans sshfpr subcommand

Now that we're depending on ssh-keygen, we can just ask it to do the
fingerprinting directly.

This removes all the unsupported/unmaintained subcommands from
keytrans, and leaves monkeysphere dependent only on the documented
interfaces of keytrans (pem2openpgp, in particular, as well as
openpgp2ssh in examples/make-x509-certreqs).

- - - - -
badeb83c by Daniel Kahn Gillmor at 2019-05-12T17:39:47Z
examples/make-x509-certreqs: use gpgsm instead of openpgp2ssh

Ideally, we could just rely on gpgsm to generate the appropriate
certificate request.  However, that's not currently possible (see
https://dev.gnupg.org/T4503).

Note that this codebase doesn't yet work on systems where
monkeysphere-host had initially imported keys from classic GnuPG
(version 1.4), since gpgsm does not share secret key material with
classic GnuPG.

Fixing that properly would require an upgrade/transition step that
detects the older pubring.gpg and secring.gpg and imports them
correctly (possibly managing ownertrust at the same time).

- - - - -
3a93907b by Daniel Kahn Gillmor at 2019-05-12T17:46:35Z
drop unimplemented import-subkey

https://dev.gnupg.org/T4489 represents the best way to ensure that
something like import-subkey works given the current implementation of
monkeysphere.  If that works, and we can adopt it by increasing the
versioned dependency on GnuPG, then we can add this feature, but
currently we should not keep unimplemented code lingering.

- - - - -
87bd1dbc by Daniel Kahn Gillmor at 2019-05-12T18:00:12Z
ma/setup: use gpg --quick-gen-key instead of pem2openpgp's key creation

Modern gpg permits clean, quiet key generation; by using it here, we
reduce our dependency on pem2openpgp.

- - - - -
bedd79cd by Daniel Kahn Gillmor at 2019-05-12T18:24:39Z
mh/import_key: avoid use of pem2openpgp

Since ssh-add as of OpenSSH 6.0 can use - as stdin, we depend on that
codepath for all cases.  This removes the final dependence on keytrans
for the standard monkeysphere interface.

- - - - -
39d3d539 by Daniel Kahn Gillmor at 2019-05-12T19:13:56Z
reduce risky use of chown

In general, chown is risky business.  On most systems it can only be
done as root.  Even riskier is chowning a file in a directory that is
already owned by a non-privileged user, because (depending on kernel,
system configuration, filesystem boundaries, etc) it's possible that
the non-privileged user could control the file pointed to, and the
superuser accidentally chowns a file they didn't intend.

Attacks here are often racy (TOCTOU) and subtly depend on interactions
with other system parts (e.g. gaining r/w control over a specific file
in /var/lib/dpkg/ or /var/lib/).  Better to avoid these risks entirely
where possible.

- - - - -
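The commit above argues for avoiding chown by name in a user-controlled directory; where a superuser must re-own a file there anyway, the C helper below is an added example (not monkeysphere's code; chown_regular_in_dir and self_check are names chosen here) that opens the entry without following symlinks, judges the object it actually opened, and applies fchown to that descriptor so there is no window between check and use. The single-link requirement is a deliberate policy in this example, not something the commit prescribes.

```c
#define _GNU_SOURCE               /* mkdtemp, symlinkat, O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Change the owner of NAME, a single component inside the directory already
 * open as DIRFD.  Returns 0, or -1 (errno set) when NAME contains '/', is a
 * symlink, or is anything but a regular file with exactly one link. */
int chown_regular_in_dir(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    /* O_NOFOLLOW: refuse a symlink.  O_NONBLOCK: never hang on a FIFO that
     * was planted here.  O_NOCTTY: never adopt a tty as controlling terminal. */
    int fd = openat(dirfd, name,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = -1;
    /* Judge the object we opened, not the name: a hard link planted here to
     * a file under e.g. /var/lib would have st_nlink > 1 and is refused. */
    if (fstat(fd, &st) < 0) { /* errno already set */ }
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1) errno = EPERM;
    else rc = fchown(fd, uid, gid);   /* acts on the fd: no window to swap */
    int e = errno;
    close(fd);
    errno = e;
    return rc;
}

/* Constructed fixture in a fresh temp directory, run unprivileged: re-owning
 * a plain file to our own uid/gid succeeds, a symlink and a subpath fail. */
int self_check(void)
{
    char dir[] = "/tmp/chown-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int f = openat(dfd, "plain", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (dfd < 0 || f < 0 || symlinkat("/etc/passwd", dfd, "link") < 0)
        return -1;
    close(f);
    int ok = chown_regular_in_dir(dfd, "plain", getuid(), getgid()) == 0
          && chown_regular_in_dir(dfd, "link", getuid(), getgid()) == -1
          && chown_regular_in_dir(dfd, "../plain", getuid(), getgid()) == -1;
    unlinkat(dfd, "plain", 0); unlinkat(dfd, "link", 0); close(dfd); rmdir(dir);
    return ok ? 0 : -1;
}
```

self_check() returns 0 when all three cases behave as described; intermediate directory components are the caller's responsibility, which is why the helper takes an already-open directory descriptor rather than a path.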
ecba7302 by Daniel Kahn Gillmor at 2019-05-13T04:33:15Z
Revert "Avoid TIOCSTI abuse by the monkeysphere user"

This reverts commit 97ade311fc287985972bb73a47dd75450260c389.

With this changeset, we find that "monkeysphere setup" hangs
indefinitely as the superuser -- runuser --pty doesn't terminate as it
should when its child process exits, so this isn't an appropriate
change to try to ship.

- - - - -
5f4b6520 by Daniel Kahn Gillmor at 2019-05-13T04:49:07Z
enable ed25519 host keys as well when running test-ed25519

- - - - -
130cdadc by Daniel Kahn Gillmor at 2019-05-13T05:05:13Z
Stop asking for Perl's Crypt::OpenSSL::RSA

Neither the test suite nor the README should be encouraging people to
install Crypt::OpenSSL, since it's no longer necessary.

- - - - -
470abb02 by Daniel Kahn Gillmor at 2019-05-17T06:01:25Z
use bash variable substitution to avoid more perl

- - - - -
b670bc3a by Daniel Kahn Gillmor at 2019-05-17T06:59:21Z
avoid perl for base64-encoding

- - - - -
1d6dc18b by Daniel Kahn Gillmor at 2019-05-17T06:59:56Z
Drop checkperms perlscript for bash function

We implement checkperms using bash and POSIX-style find.  This is the
last bit of perl dependency that remains.

- - - - -
b36df8ae by Daniel Kahn Gillmor at 2019-05-19T18:24:07Z
agent-transfer: invoke gpgconf --list-dirs without needing a pipe

Since at least 2.1.16 (maybe earlier), "gpgconf --list-dirs $foo"
works just as well as "gpgconf --list-dirs | grep ^$foo:  | cut -f2 -d:"

So we go with the simpler option.  It would be even better to avoid
the shell that popen() invokes for future improvement, but this is a
win anyway.

- - - - -
94bc40e8 by Daniel Kahn Gillmor at 2019-05-19T22:24:27Z
agent-transfer: avoid the shell when invoking gpgconf --list-dirs

This commit cuts out one unnecessary shell execution that happens in
popen, at the cost of having to maintain our own error handling for
the pipe back from gpgconf.

- - - - -
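The two agent-transfer commits above replace "gpgconf --list-dirs | grep | cut" with "gpgconf --list-dirs <name>" and then drop popen()'s /bin/sh as well. The C below is an added example, not src/agent-transfer/main.c (read_first_line, gpgconf_list_dir and self_check are names chosen here): it spawns the program with fork/exec over a pipe, does its own error handling for the pipe and the exit status, and shows that argument words reach the child verbatim.

```c
#include <errno.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run ARGV directly (fork/exec, no /bin/sh as popen uses); store the first line
 * of its stdout in BUF (max N-1 bytes), return its length, or -1 on any failure. */
ssize_t read_first_line(char *const argv[], char *buf, size_t n)
{
    int fds[2], status;
    if (n == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        if (fds[1] != STDOUT_FILENO) close(fds[1]);
        execvp(argv[0], argv);          /* words go verbatim: no $var, glob, ';' */
        _exit(127);                     /* exec failed; seen as a nonzero exit */
    }
    close(fds[1]);
    size_t got = 0; ssize_t r = 1;
    while (got < n - 1) {               /* read until EOF, buffer full, or error */
        r = read(fds[0], buf + got, n - 1 - got);
        if (r > 0) got += (size_t)r; else if (r == 0 || errno != EINTR) break;
    }
    close(fds[0]);                      /* a child still writing now gets SIGPIPE */
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR) {}
    buf[got] = '\0'; char *nl = memchr(buf, '\n', got);  /* first line only */
    if (nl) { *nl = '\0'; got = (size_t)(nl - buf); }
    if (r < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)got;
}

/* The agent-transfer use: one directory from gpgconf, e.g. "agent-socket". */
ssize_t gpgconf_list_dir(const char *name, char *buf, size_t n)
{
    char *const argv[] = { "gpgconf", "--list-dirs", (char *)name, NULL };
    return read_first_line(argv, buf, n);
}

/* Constructed self-check (no gpgconf): echo gets words verbatim; failures give -1. */
int self_check(void)
{
    char out[64], *const echo[] = { "echo", "$HOME", "a;b", NULL };
    char *const fail[] = { "false", NULL }, *const none[] = { "/no/such/prog", NULL };
    return (read_first_line(echo, out, sizeof out) == 9 && strcmp(out, "$HOME a;b") == 0
            && read_first_line(fail, out, sizeof out) == -1
            && read_first_line(none, out, sizeof out) == -1) ? 0 : -1;
}
```

A child that is killed (for instance by SIGPIPE after the buffer filled and the read end was closed) is reported as -1 rather than as truncated success.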
0dac450f by Daniel Kahn Gillmor at 2019-05-19T23:04:59Z
prepare for 0.44 release

- - - - -
e9cc46cd by Daniel Kahn Gillmor at 2019-05-19T23:08:23Z
Merge tag 'monkeysphere_0.44' into debian/master

Tagging Monkeysphere 0.44

- - - - -
af2bbd47 by Daniel Kahn Gillmor at 2019-05-19T23:09:23Z
drop patches already upstream

- - - - -
6220877e by Daniel Kahn Gillmor at 2019-05-19T23:09:33Z
prepare debian release

- - - - -


30 changed files:

- Changelog
- Makefile
- README
- debian/changelog
- − debian/patches/0001-Expose-sshd-logs-when-ssh-test-fails.patch
- − debian/patches/0002-Ensure-that-make-test-ed25519-works-when-no-tty-is-p.patch
- − debian/patches/0003-Dump-remaining-jobs-during-test-cleanup.patch
- − debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
- − debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
- − debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
- − debian/patches/series
- etc/cron.hourly/monkeysphere
- examples/crontab
- examples/make-x509-certreqs
- man/man8/monkeysphere-host.8
- packaging/macports/Portfile
- src/agent-transfer/main.c
- src/monkeysphere
- src/monkeysphere-host
- − src/share/checkperms
- src/share/common
- src/share/keytrans
- − src/share/m/import_subkey
- src/share/m/ssh_proxycommand
- src/share/ma/setup
- src/share/ma/update_users
- src/share/mh/add_name
- src/share/mh/import_key
- src/share/mh/revoke_name
- tests/basic


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/compare/7fc9c0710377ca5b431f9c2ca30c8006f73aefe4...6220877e514df2db43da63de680ca781fb4a2536
