On your desktop
Reference: https://demo.monkeysphere.info/
PGP Auth Keys
Your PGP key may not have the authentication subkey that Monkeysphere PGP authentication requires. If the following check reports that no authorization subkey is available, follow the steps in this section. Otherwise, skip to the "Export PGP certificate" section.
# Secret-key listings use "sec"/"ssb" records; field 12 of each record holds the capability letters, and "a" means authentication.
if [ "$(gpg --list-secret-keys --with-colons | grep -E '^(sec|ssb)' | cut -d: -f12 | awk '/a/' | wc -l)" -gt 0 ]; then
    echo "Yes, authorization keys are available."
else
    echo "No authorization keys are available, please create an authorization subkey."
fi
To add an authorization key to your PGP key, you need to edit your key:
gpg --expert --edit-key <key id>
GPG will ask you a number of questions; here's how to answer them, excluding the part after the #, which is a comment:
addkey
8        # RSA (set your own capabilities)
         # in the capability menu, toggle Sign (S) and Encrypt (E) off so that only Authenticate stays enabled, then Q to finish
4096     # bits
5y       # expires when your key expires, 5y?
Y        # Really create.
save
Export PGP certificate
Download the dependencies:
sudo apt-get install libcrypt-x509-perl
Download the latest version of msva-perl code to get the OPENPGP2X509 script:
git clone git://git.monkeysphere.info/msva-perl
Unfortunately the download process is not authenticated and the git repository does not contain signed commits, so use network perspectives to verify that you have the correct git repo: download it several times from different places, and a few times through different Tor exit nodes, and compare the results. In addition, you should check out the latest tag, which is OpenPGP signed, and verify it (the commands run inside the cloned directory):
(cd msva-perl && git tag --verify openpgp2x509-pkcs12 && git checkout openpgp2x509-pkcs12)
Export your PGP certificate as an X.509 certificate (the variable is set for this one command only; putting "export" in front of it would make the shell treat the script path as another variable name and produce an empty file):
OPENPGP2X509_EMIT_PKCS12=true msva-perl/openpgp2x509 'Marc Jones <mjones@softwarefreedom.org>' > ~/mjones.p12
If the produced p12 file is empty, check your keyring for an authentication subkey:
gpg --list-keys --with-colons AC9364C7
If none of the sub records carries ":a:" in its capability field, you don't have an authentication subkey. Add an authentication subkey and try again: http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
Then, send the (public) key to a keyserver so that the validation agent on the server can fetch it.
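The ":a:" check above, written out as reusable shell functions. This is an added example and not part of the original page or of the Monkeysphere project; the colon records embedded in it are constructed sample output in the format of gpg --with-colons (field 5 is the key id, field 12 the capability letters), so it runs without touching a real keyring. It reports every authentication-capable subkey rather than just the first one.

```shell
#!/bin/sh
# Added example (not from the original page): find authentication-capable
# subkeys in "gpg --with-colons" output. In that format field 1 is the record
# type (sec/ssb for secret keys, pub/sub for public keys), field 5 the key id
# and field 12 the capability letters; a lowercase "a" on a subkey record
# means that subkey can authenticate.

# Constructed sample: a primary key with one encryption (e) subkey and one
# authentication (a) subkey. Key ids are placeholders.
SAMPLE_WITH_AUTH='sec:u:4096:1:0000000000000001:1420070400:1577836800::u:::scESCA:::+::::
ssb:u:4096:1:0000000000000002:1420070400:1577836800:::::e::::
ssb:u:4096:1:0000000000000003:1420070400:1577836800:::::a::::'

# Constructed sample: the same key without an authentication subkey.
SAMPLE_WITHOUT_AUTH='sec:u:4096:1:0000000000000001:1420070400:1577836800::u:::scESC:::+::::
ssb:u:4096:1:0000000000000002:1420070400:1577836800:::::e::::'

# auth_subkeys: read colon records on stdin and print the key id of every
# subkey (ssb or sub record) whose own capabilities include "a".
auth_subkeys() {
    awk -F: '($1 == "ssb" || $1 == "sub") && index($12, "a") { print $5 }'
}

# count_auth_subkeys: number of authentication subkeys in the input.
count_auth_subkeys() {
    auth_subkeys | wc -l | tr -d ' '
}

# has_auth_subkey: exit 0 when at least one authentication subkey exists,
# so it can be used directly as the condition of an if statement.
has_auth_subkey() {
    [ "$(count_auth_subkeys)" -gt 0 ]
}

# Usage against the real keyring (not run here):
#   gpg --list-secret-keys --with-colons | has_auth_subkey && echo "authentication subkey present"
#   gpg --list-keys --with-colons AC9364C7 | auth_subkeys
```

Feeding `gpg --list-keys --with-colons <key id>` into `auth_subkeys` is the quickest way to answer the "is the produced p12 file empty because the subkey is missing?" question from the previous paragraph.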
Import your certificate into Iceweasel
Open Firefox
Navigate to: Preferences -> Advanced -> Certificates -> View Certificates -> Import
- Select the .p12 created using openpgp2x509
Unlock your Firefox security credentials
- Unlock the .p12 file
Configure mod_gnu_tls for your FreedomBox
reference: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2014-March/006260.html
Install Debian testing
# Add Debian unstable to your sources.list first
sudo apt-get install apache2 monkeysphere msva-perl
sudo apt-get install -t unstable libapache2-mod-gnutls
Import PGP keys
Import the PGP keys as the user that will run the Monkeysphere Validation Agent (msva.sh). Make sure you import the key of a user who has signed your gpg key and whom you are willing to trust ultimately. Keep in mind that you may not have signed your own key.
gpg --search-keys mjones@softwarefreedom.org
Trust the key
gpg --edit-key "Marc Jones" trust
Configure Apache2
Configure Apache to use the Monkeysphere validation agent:
echo 'export MONKEYSPHERE_VALIDATION_AGENT_SOCKET=http://127.0.0.1:5000'| sudo tee -a /etc/apache2/envvars
Configure SSL key for Apache
If you're running these steps on a FreedomBox, the snakeoil key has already been created for you (skip this next step).
Create a snakeoil key:
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
Create a script to display all of the Apache Variables to test the configuration:
sudo touch /usr/lib/cgi-bin/showenv.cgi
#!/bin/sh
echo "Content-type: text/plain"
echo
env
Create a new Apache site configuration file that uses mod_gnu_tls:
sudo touch /etc/apache2/sites-available/gnutls.conf
<IfModule mod_gnutls.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    GnuTLSEnable On
    GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    GnuTLSKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    GnuTLSPriorities NORMAL:!VERS-SSL3.0:!VERS-TLS1.0
    GnuTLSClientVerifyMethod msva
    GnuTLSClientVerify require
</VirtualHost>
</IfModule>
Enable mod_gnu_tls in Apache and configure the CGI test script to run:
# swap out multi-processing modules
sudo a2dismod mpm_event
sudo a2dismod mpm_worker
sudo a2enmod mpm_prefork
# swap out cgi modules
sudo a2dismod cgid
sudo a2enmod cgi
# swap out ssl modules
sudo a2dismod ssl
sudo a2enmod gnutls
# enable gnutls site
sudo a2ensite gnutls
sudo chmod +x /usr/lib/cgi-bin/showenv.cgi
sudo service apache2 restart
Configure Monkeysphere Validation Agent
Create a systemd unit in /etc/systemd/system/msva.service that will run the Monkeysphere validation agent with the appropriate environment variables:
[Service]
Environment="MSVA_ALLOWED_USERS=www-data"
Environment="MSVA_KEYSERVER=hkp://pool.sks-keyservers.net"
Environment="MSVA_LOG_LEVEL=debug"
Environment="MSVA_PORT=5000"
ExecStart=/usr/bin/msva-perl
User=wwwmsva
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=msva

[Install]
WantedBy=multi-user.target
#TODO: declare apache as a dependent?
Enable and start the unit.
sudo systemctl daemon-reload
sudo systemctl enable msva.service
sudo systemctl start msva.service
Test your configuration
Visit https://yourfreedombox.local/cgi-bin/showenv.cgi to test your configuration.
Look for SSL_CLIENT_VERIFY=SUCCESS. If SSL_CLIENT_VERIFY is not set to SUCCESS, you probably did not set the trust level for a key that signed your certificate to 'Ultimate'.
The variable SSL_CLIENT_S_AN0 should be set to a string containing "RFC822NAME:" concatenated with your email address.
ex: SSL_CLIENT_S_AN0=RFC822NAME:mjones@softwarefreedom.org
Configure mod_auth_env
mod_auth_env makes it possible to set the name of the authenticated remote user transparently, either from an internal environment variable that is available at the time of Apache's authentication verification step or from a literal string. It specifically ensures that GnuTLS is loaded first, so that the variables set by GnuTLS client certificate verification can be used to specify the Apache authenticated user.
You can download the code from Github (https://github.com/matujo/mod_auth_env).
git clone https://github.com/matujo/mod_auth_env.git
The source code is compiled and installed by apxs2 (from apache2-dev), like so:
sudo apxs2 -c -i mod_auth_env.c
You will need to configure apache to load the module. Create /etc/apache2/mods-available/auth_env.load
The contents of the auth_env.load file are:
LoadModule auth_env_module /usr/lib/apache2/modules/mod_auth_env.so
Enable the module
sudo a2enmod auth_env
Configure mod_auth_env to use a variable from mod_gnu_tls to specify the REMOTE USER:
<Location />
    AuthType Env
    AuthEnvUser SSL_CLIENT_S_AN0
    #AuthEnvUser Marc
    #AuthGroupFile /etc/apache2/groups
    Require group freedombox
    #Require valid-user
    Require user RFC822NAME:mjones@softwarefreedom.org
</Location>
Note that you can use groupfile authorization as well: uncomment the AuthGroupFile line above (Require group needs it) and create a groupfile called /etc/apache2/groups with the following contents:
freedombox: RFC822NAME:mjones@softwarefreedom.org RFC822NAME:myfriendsname@example.org
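The two checks the page describes, the showenv.cgi test (SSL_CLIENT_VERIFY and SSL_CLIENT_S_AN0) and the group lookup that "Require group" performs against the groupfile, written out as shell functions so a captured response can be checked offline. This is an added example, not code from the original page, mod_auth_env or mod_gnutls; the showenv responses and the groupfile it contains are constructed sample data using the page's example addresses, and the FAILED value for a non-validated client is an assumption about mod_gnutls's output format modelled on mod_ssl.

```shell
#!/bin/sh
# Added example (not from the original page): check a captured showenv.cgi
# response for the variables the page says to look for, then apply the same
# membership test that "Require group" with AuthGroupFile expresses.

# Constructed: the relevant lines of a successful showenv.cgi response.
ENV_OK='SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_S_AN0=RFC822NAME:mjones@softwarefreedom.org
SERVER_PROTOCOL=HTTP/1.1'

# Constructed: a response where the validation agent did not validate the
# certificate (typically the signing key is not trusted ultimately on the
# server). The value FAILED is assumed, modelled on mod_ssl.
ENV_FAILED='SSL_CLIENT_VERIFY=FAILED
SSL_CLIENT_S_AN0=RFC822NAME:stranger@example.net
SERVER_PROTOCOL=HTTP/1.1'

# Constructed groupfile in the "group: user user" format read by
# mod_authz_groupfile, using the page's example addresses.
GROUPFILE_SAMPLE='freedombox: RFC822NAME:mjones@softwarefreedom.org RFC822NAME:myfriendsname@example.org
admins: RFC822NAME:myfriendsname@example.org'

# env_value NAME: print the value of NAME from a showenv response on stdin.
env_value() {
    sed -n "s/^$1=//p"
}

# client_verified: exit 0 only when SSL_CLIENT_VERIFY=SUCCESS is present.
client_verified() {
    [ "$(env_value SSL_CLIENT_VERIFY)" = "SUCCESS" ]
}

# client_user: print the REMOTE_USER value that "AuthEnvUser SSL_CLIENT_S_AN0"
# would yield (the raw string), failing unless it is an RFC822NAME entry.
client_user() {
    user=$(env_value SSL_CLIENT_S_AN0)
    case "$user" in
        RFC822NAME:?*@?*) printf '%s\n' "$user" ;;
        *) return 1 ;;
    esac
}

# in_group GROUP USER: exit 0 when USER is listed under GROUP in the groupfile
# read from stdin (mirrors "Require group GROUP").
in_group() {
    awk -v grp="$1" -v usr="$2" '
        $1 == (grp ":") { for (i = 2; i <= NF; i++) if ($i == usr) found = 1 }
        END { exit found ? 0 : 1 }'
}

# authorize ENV GROUPFILE GROUP: the whole chain. Prints the authorized user
# and exits 0, or exits 1 with the reason on stderr.
authorize() {
    printf '%s\n' "$1" | client_verified || { echo "client certificate not verified" >&2; return 1; }
    user=$(printf '%s\n' "$1" | client_user) || { echo "no RFC822NAME subject alt name" >&2; return 1; }
    printf '%s\n' "$2" | in_group "$3" "$user" || { echo "$user not in group $3" >&2; return 1; }
    printf '%s\n' "$user"
}

# Usage with a live response (not run here), e.g. after saving the page:
#   authorize "$(cat showenv.txt)" "$(cat /etc/apache2/groups)" freedombox
```

The first failure reported by `authorize` tells you which half of the setup to look at: "client certificate not verified" points at the validation agent and the trust level of the signing key, while "not in group" points at the groupfile or the Require directives.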