......@@ -74,11 +74,6 @@ install: all installman
install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere
install -m 0644 replaced/src/share/defaultenv $(DESTDIR)$(PREFIX)/share/monkeysphere
install -m 0755 src/share/checkperms $(DESTDIR)$(PREFIX)/share/monkeysphere
install -m 0755 src/share/keytrans $(DESTDIR)$(PREFIX)/share/monkeysphere
ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/pem2openpgp
ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2ssh
ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2pem
ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2spki
install -m 0755 src/agent-transfer/agent-transfer $(DESTDIR)$(PREFIX)/bin
install -m 0744 replaced/src/transitions/* $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
install -m 0644 src/transitions/README.txt $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
......@@ -97,15 +92,13 @@ installman: $(REPLACED_COMPRESSED_MANPAGES)
install replaced/man/man1/* $(DESTDIR)$(MANPREFIX)/man1
install replaced/man/man7/* $(DESTDIR)$(MANPREFIX)/man7
install replaced/man/man8/* $(DESTDIR)$(MANPREFIX)/man8
ln -sf openpgp2ssh.1.gz $(DESTDIR)$(MANPREFIX)/man1/openpgp2pem.1.gz
ln -sf openpgp2ssh.1.gz $(DESTDIR)$(MANPREFIX)/man1/openpgp2spki.1.gz
# this target depends on you having the monkeysphere-docs
# repo checked out as a peer of your monkeysphere repo.
releasenote:
../monkeysphere-docs/utils/build-releasenote
test: test-keytrans test-basic test-ed25519
test: test-basic test-ed25519
check: test
......@@ -115,7 +108,4 @@ test-basic: src/agent-transfer/agent-transfer
test-ed25519: src/agent-transfer/agent-transfer
MONKEYSPHERE_TEST_NO_EXAMINE=true MONKEYSPHERE_TEST_USE_ED25519=true ./tests/basic
test-keytrans: src/agent-transfer/agent-transfer
MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/keytrans
.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test check
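Review bot: The `.PHONY` line at the end of the third hunk (`@@ -115,7 +108,4 @@`) still omits `test-basic` and `test-ed25519`, the two targets that `test` now depends on after the second hunk's change; both only run `./tests/basic` and never create a file of their own name, so a stray file called `test-basic` or `test-ed25519` in the source tree would make `make test` report nothing to do without running the suite. Since the commit is already editing this part of the file, I would extend the declaration to `.PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test check test-basic test-ed25519`. Separately, the first hunk removes the `ln -sf` lines that created `bin/pem2openpgp`, `bin/openpgp2ssh`, `bin/openpgp2pem` and `bin/openpgp2spki`, but nothing in `install` removes those links, so an in-place upgrade over an older installation would presumably leave dangling symlinks to a `keytrans` that is no longer installed; if that matters for packaging, a short comment above `install:` noting that the links must be cleaned up by the packager would help.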
.\" -*- nroff -*-
.Dd $Mdocdate: January 18, 2013 $
.Dt OPENPGP2SSH 1
.Os
.Sh NAME
openpgp2ssh
.Nd translate OpenPGP keys to SSH keys
.Sh SYNOPSIS
.Nm openpgp2ssh < mykey.gpg
.Pp
.Nm gpg \-\-export $KEYID | openpgp2ssh $KEYID
.Pp
.Nm gpg \-\-export $KEYID | openpgp2pem $KEYID
.Pp
.Nm gpg \-\-export $KEYID | openpgp2spki $KEYID
.Pp
.Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID
.Sh DESCRIPTION
.Nm
takes an OpenPGP-formatted primary key and associated
subkeys on standard input, and spits out the requested equivalent
SSH-style (or PEM-encoded) key on standard output.
.Pp
If the data on standard input contains no subkeys, you can invoke
.Nm
without arguments. If the data on standard input contains multiple
keys (e.g. a primary key and associated subkeys), you must specify a
specific OpenPGP key identifier as the first argument to indicate
which key to export. The key ID is normally the 40 hex digit OpenPGP
fingerprint of the key or subkey desired, but
.Nm
will accept as few as the last 8 digits of the fingerprint as a key
ID.
.Pp
If the input contains an OpenPGP RSA public key, it will be converted
to the OpenSSH-style single-line keystring, prefixed with the key type
(`ssh\-rsa'). This format is suitable (with minor alterations) for
insertion into known_hosts files and authorized_keys files. If
invoked as `openpgp2pem', a PEM-encoded public key will be emitted
instead.
.Pp
If invoked as `openpgp2spki', a PEM-encoded subjectPublicKeyInfo (as
defined in the X.509 standard) will be emitted instead.
.Pp
If the input contains an OpenPGP RSA secret key, it will be converted
to the equivalent PEM-encoded private key.
.Pp
.Nm
is part of the
.Xr monkeysphere 7
framework for providing a PKI for SSH.
.Sh CAVEATS
The keys produced by this process are stripped of all identifying
information, including certifications, self-signatures, etc. This is
intentional, since ssh attaches no inherent significance to these
features.
.Pp
.Nm
will produce output for any requested RSA key. This means, among
other things, that it will happily export revoked keys, unverifiable
keys, expired keys, etc. Make sure you do your own key validation
before using this tool!
.Sh EXAMPLES
.Nm gpg \-\-export\-secret\-key $KEYID | openpgp2ssh $KEYID | ssh\-add \-c /dev/stdin
.Pp
This pushes the secret key into the active
.Xr ssh\-agent 1 .
Tools such as
.Xr ssh 1
which know how to talk to the
.Xr ssh\-agent 1
can now rely on the key.
.Sh AUTHOR
.Nm
and this man page were written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net>.
.Sh BUGS
.Nm
only works with RSA keys. DSA keys are the only other key type
available in both OpenPGP and SSH, but they are currently unsupported
by this utility.
.Pp
.Nm
only accepts raw OpenPGP packets on standard input. It does not
accept ASCII-armored input.
.Nm
Currently only exports into formats used by the OpenSSH.
It should support other key output formats, such as those used by
.Xr lsh 1
and
.Xr putty 1 .
.Pp
Secret key output is currently not passphrase-protected.
.Pp
.Nm
currently cannot handle passphrase-protected secret keys on input.
.Sh SEE ALSO
.Xr pem2openpgp 1 ,
.Xr monkeysphere 1 ,
.Xr monkeysphere 7 ,
.Xr ssh 1 ,
.Xr monkeysphere-authentication 8 ,
.Xr monkeysphere-host 8
.\" -*- nroff -*-
.Dd $Mdocdate: Jan 22, 2019 $
.Dt PEM2OPENPGP 1
.Os
.Sh NAME
pem2openpgp
.Nd translate PEM-encoded RSA keys to OpenPGP certificates
.Sh SYNOPSIS
.Nm pem2openpgp "$USERID" < mykey.pem | gpg \-\-import
.Pp
.Nm PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS)) PEM2OPENPGP_USAGE_FLAGS=authenticate,certify pem2openpgp "$USERID" <mykey.pem
.Sh DESCRIPTION
.Nm
is a low-level utility for transforming raw, PEM-encoded RSA secret
keys into OpenPGP-formatted certificates. The generated certificates
include the secret key material, so they should be handled carefully.
.Pp
It works as an element within a pipeline: feed it the raw key on
stdin, supply the desired User ID as a command line argument. Note
that you may need to quote the string to ensure that it is entirely in
a single argument.
.Pp
Other choices about how to generate the new OpenPGP certificate are
governed by environment variables.
.Sh ENVIRONMENT
The following environment variables influence the behavior of
.Nm :
.Pp
.ti 3
\fBPEM2OPENPGP_TIMESTAMP\fP controls the timestamp (measured in
seconds since the UNIX epoch) indicated as the creation time (a.k.a
"not valid before") of the generated certificate (self-signature) and
the key itself. By default,
.Nm
uses the current time.
.Pp
.ti 3
\fBPEM2OPENPGP_KEY_TIMESTAMP\fP controls the timestamp (measured in
seconds since the UNIX epoch) indicated as the creation time of just
the key itself (not the self-signature). By default,
.Nm
uses the value from PEM2OPENPGP_TIMESTAMP.
.Pp
.ti 3
\fBPEM2OPENPGP_USAGE_FLAGS\fP should contain a comma-separated list of
valid OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what
these mean). The available choices are: certify, sign, encrypt_comms,
encrypt_storage, encrypt (this means both encrypt_comms and
encrypt_storage), authenticate, split, shared. By default,
.Nm
only sets the certify flag.
.Pp
.ti 3
\fBPEM2OPENPGP_EXPIRATION\fP sets an expiration (measured in seconds
after the creation time of the key) in each self-signature packet. By
default, no expiration subpacket is included.
.Pp
.ti 3
\fBPEM2OPENPGP_NEWKEY\fP indicates that
.Nm
should ignore stdin, and instead generate a new key internally and
build the certificate based on this new key. Set this variable to the
number of bits for the new RSA key (e.g. 3072). By default (when this is
unset),
.Nm
will read the key from stdin.
.Sh AUTHOR
.Nm
and this man page were written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net>.
.Sh BUGS
Only handles RSA keys at the moment. It might be nice to handle DSA
keys as well.
.Pp
Currently only creates certificates with a single User ID. Should be
able to create certificates with multiple User IDs.
.Pp
Currently only accepts unencrypted RSA keys. It should be able to
deal with passphrase-locked key material.
.Pp
Currently outputs OpenPGP certificates with cleartext secret key
material. It would be good to be able to lock the output with a
passphrase.
.Pp
If you find other bugs, please report them at
https://labs.riseup.net/code/projects/show/monkeysphere
.Sh SEE ALSO
.Xr openpgp2ssh 1 ,
.Xr monkeysphere 1 ,
.Xr monkeysphere 7 ,
.Xr ssh 1 ,
.Xr monkeysphere\-host 8 ,
.Xr monkeysphere\-authentication 8
......@@ -82,8 +82,6 @@ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
.BR monkeysphere (1),
.BR monkeysphere\-host (8),
.BR monkeysphere\-authentication (8),
.BR openpgp2ssh (1),
.BR pem2openpgp (1),
.BR gpg (1),
.BR https://tools.ietf.org/html/rfc4880,
.BR ssh (1),
......@@ -255,7 +255,7 @@ echo "### configuring sshd..."
cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG"
# write the sshd_config
cat <<EOF >> "$SSHD_CONFIG"
HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_key
AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u
EOF
......@@ -275,8 +275,12 @@ fi
echo
echo "##################################################"
echo "### import host key..."
ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
if [ "$MONKEYSPHERE_TEST_USE_ED25519" = true ]; then
ssh-keygen -t ed25519 -N '' -f "$TEMPDIR"/ssh_host_key
else
ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_key
fi
monkeysphere-host import-key "$TEMPDIR"/ssh_host_key ssh://testhost.example
echo
echo "##################################################"
......@@ -377,7 +381,7 @@ monkeysphere-authentication update-users $(whoami)
echo
echo "##################################################"
echo "### testing monkeysphere keys-for-userid ..."
diff <( monkeysphere keys-for-userid ssh://testhost.example ) <( cut -f1,2 -d' ' < "$TEMPDIR"/ssh_host_rsa_key.pub )
diff <( monkeysphere keys-for-userid ssh://testhost.example ) <( cut -f1,2 -d' ' < "$TEMPDIR"/ssh_host_key.pub )
# connect to test sshd, using monkeysphere ssh-proxycommand to verify
# the identity before connection. This should work in both directions!
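Review bot: The new `if [ "$MONKEYSPHERE_TEST_USE_ED25519" = true ]` in the second hunk (`@@ -275,8 +275,12 @@`) treats every value other than the literal `true` as a request for an RSA host key, so a misspelled setting such as `MONKEYSPHERE_TEST_USE_ED25519=1` silently runs the RSA path while the caller believes the ed25519 key is being exercised, and the test output gives no hint which type was generated. The Makefile's `test-ed25519` target does pass `true`, but a stricter check here would keep the two test configurations from being confused. I would replace the `if`/`else` with a `case` that accepts only `true`/`false`, fails loudly on anything else, and logs the selected key type; the type-neutral `ssh_host_key` name introduced in the first and third hunks (the `HostKey` line and the `cut -f1,2` comparison) already works for either algorithm, so nothing else in the section needs to change.
```shell
echo "### import host key..."
case "${MONKEYSPHERE_TEST_USE_ED25519:-false}" in
    true)
        echo "### (generating an ed25519 host key)"
        ssh-keygen -t ed25519 -N '' -f "$TEMPDIR"/ssh_host_key
        ;;
    false)
        echo "### (generating a 3072-bit RSA host key)"
        ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_key
        ;;
    *)
        printf 'unexpected MONKEYSPHERE_TEST_USE_ED25519=%s (expected true or false)\n' \
            "$MONKEYSPHERE_TEST_USE_ED25519" >&2
        exit 1
        ;;
esac
# … unchanged: monkeysphere-host import-key …
```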
#!/usr/bin/env bash
# Tests to ensure that the monkeysphere is working
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Jameson Rollins <jrollins@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
#
# Copyright: 2008-2019
# License: GPL v3 or later
# these tests should all be able to run as a non-privileged user.
# all subcommands in this script should complete without failure:
set -e
# piped commands should return the code of the first non-zero return
set -o pipefail
declare -a child_procs=($(ps -o pid h --ppid $$))
if [ "${#child_procs[@]}" -gt 1 ]; then
printf 'found %d pre-existing child processes: %s\n' "${#child_procs[@]}" "${child_procs[*]}"
printf "spawning my own subprocess to avoid https://bugs.debian.org/920038...\n"
"$0" "$@"
exit
fi
# make sure the TESTDIR is an absolute path, not a relative one.
export TESTDIR=$(cd $(dirname "$0") && pwd)
source "$TESTDIR"/common
perl -MCrypt::OpenSSL::RSA -e 1 2>/dev/null || { echo "You must have the perl module Crypt::OpenSSL::RSA installed to run this test.
On debian-derived systems, you can set this up with:
apt-get install libcrypt-openssl-rsa-perl" ; exit 1; }
perl -MDigest::SHA -e 1 2>/dev/null || { echo "You must have the perl module Digest::SHA installed to run this test.
On debian-derived systems, you can set this up with:
apt-get install libdigest-sha1-perl" ; exit 1; }
######################################################################
### SETUP VARIABLES
## set up some variables to ensure that we're operating strictly in
## the tests, not system-wide:
mkdir -p "$TESTDIR"/tmp
TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/ms.XXX")
if [ -z "$MONKEYSPHERE_TEST_USE_SYSTEM" ] ; then
mkdir "$TEMPDIR"/bin
ln -s "$TESTDIR"/../src/share/keytrans "$TEMPDIR"/bin/openpgp2ssh
ln -s "$TESTDIR"/../src/share/keytrans "$TEMPDIR"/bin/pem2openpgp
ln -s "$TESTDIR"/../src/share/keytrans "$TEMPDIR"/bin/keytrans
# Use the local copy of executables first, instead of system ones.
# This should help us test without installing.
export PATH="$TEMPDIR"/bin:"$PATH"
else
export PATH=/usr/share/monkeysphere:"$PATH"
fi
## setup trap
trap failed_cleanup EXIT
######################################################################
### TEST KEYTRANS
echo "##################################################"
echo "### generating openpgp key..."
export GNUPGHOME="$TEMPDIR"
chmod 700 "$TEMPDIR"
# create the key with the same preferences that monkeysphere uses.
cat > "$TEMPDIR"/gpg.conf <<EOF
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 ZLIB BZIP2 ZIP AES256 AES192 AES CAST5 3DES
cert-digest-algo SHA256
list-options show-uid-validity,show-unusable-uids
fixed-list-mode
EOF
cat > "$TEMPDIR"/gpg-agent.conf <<EOF
pinentry-program $TESTDIR/phony-pinentry-nopass
EOF
# generate a key
gpg --batch --$(get_gpg_prng_arg) --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: testtest
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
%echo done
EOF
echo "##################################################"
echo "### retrieving key timestamp..."
timestamp=$(gpg --list-key --with-colons | \
grep ^pub: | cut -d: -f6)
echo "##################################################"
echo "### exporting key to ssh file..."
gpg --export-secret-keys | openpgp2ssh > \
"$TEMPDIR"/test.pem
gpg --export-secret-keys > "$TEMPDIR"/secret.key
PEM2OPENPGP_USAGE_FLAGS=sign,certify \
PEM2OPENPGP_TIMESTAMP="$timestamp" pem2openpgp testtest \
< "$TEMPDIR"/test.pem > "$TEMPDIR"/converted.secret.key
echo "##################################################"
echo "### reconvert key, and compare to key in gpg keyring..."
diff -u \
<(gpg --list-packets < "$TEMPDIR"/secret.key) \
<(gpg --list-packets < "$TEMPDIR"/converted.secret.key)
diff -u \
<(hd "$TEMPDIR"/secret.key) \
<(hd "$TEMPDIR"/converted.secret.key)
KEYFPR=$(gpg --fingerprint --with-colons --list-keys | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }')
KEYID=$(printf "%s" "$KEYFPR" | cut -b25-40)
echo "conversions look good!"
echo "Now working with key $KEYID at time $timestamp"
gpg --check-trustdb
gpg --list-keys
echo "##################################################"
echo "### test working with two primary keys ... "
ssh-keygen -m PEM -t rsa -b 3072 -N '' -f "$TEMPDIR"/newkey
PEM2OPENPGP_USAGE_FLAGS=authenticate,certify \
PEM2OPENPGP_TIMESTAMP="$(( $timestamp + 1 ))" pem2openpgp fubar \
< "$TEMPDIR"/newkey > "$TEMPDIR"/newkey.gpg
NEWKEYFPR=$(< "$TEMPDIR"/newkey.gpg gpg --with-colons --import-options import-show --dry-run --import | awk -F: '/^fpr:/{ print $10 }' )
NEWKEYID=$( printf "%s" "$NEWKEYFPR" | cut -b25-40)
< "$TEMPDIR"/newkey.gpg gpg --import
gpg --batch --no-tty --faked-system-time "$timestamp" --quick-add-uid "$KEYID" baz
cat >"$TEMPDIR"/expectedout <<EOF
pub:u:3072:1:$KEYID:$timestamp:::u:::scSC
uid:u::::$timestamp::8200BD0425CC70C7D698DF3FE412044EAAB83F94::testtest
sig:!::1:$KEYID:$timestamp::::testtest:13x::$KEYFPR:::8
uid:u::::$timestamp::EDDC32D783E7F4C7B6982D9AE5DC4A61000648BA::baz
sig:!::1:$KEYID:$timestamp::::testtest:13x::$KEYFPR:::8
pub:-:3072:1:$NEWKEYID:$(($timestamp + 1)):::-:::caCA
uid:-::::$(($timestamp + 1))::A0D708F51CC257DEFC01AEDE1E0A5F329DFD8F16::fubar
sig:!::1:$NEWKEYID:$(($timestamp + 1))::::fubar:13x::$NEWKEYFPR:::8
EOF
echo "test: diff expected gpg list output"
diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -vE '^(tru|fpr):' | cut -d: -f1-16 | sed 's/:*$//')
## FIXME: addtest: not testing subkeys at the moment.
trap - EXIT
echo "##################################################"
echo " Monkeysphere keytrans test completed successfully!"
echo "##################################################"
cleanup