On your desktop

Reference: https://demo.monkeysphere.info/

PGP Auth Keys

Your PGP key may not have the authorization subkey that's required for Monkeysphere PGP authentication. If the following code requests that you create an authorization subkey, follow the steps in this section. Otherwise, skip to the "Export PGP Certificate" section.

# Secret-key listings use "sec"/"ssb" records (not "pub"/"sub"); field 12 holds the capability letters and a lowercase "a" means the key can authenticate.
if [[ $(gpg --list-secret-keys --with-colons | egrep "^(sec|ssb)" | cut -d: -f12 | awk '/a/ { print $1 }' | wc -l) -gt 0 ]]; then echo "Yes, authorization keys are available."; else echo "No authorization keys are available, please create an authorization subkey."; fi

To add an authorization key to your PGP key, you need to edit your key:

gpg --expert --edit-key (key id)

GPG will ask you a number of questions; answer them as follows (type only the part before the #, the part after it is a comment):

8 # RSA (set your own capabilities)
(toggle the capabilities so that only Authenticate is enabled)
4096 # bits
(expires when your key expires, 5y?)
Y # Really create.

Export PGP certificate

Download the dependencies:

sudo apt-get install libcrypt-x509-perl

Download the latest version of msva-perl code to get the OPENPGP2X509 script:

git clone git://git.monkeysphere.info/msva-perl

/!\ Unfortunately the download is not authenticated and the git repository does not contain signed commits, so use network perspectives to check that you have the correct repository: clone it several times from different networks, including a few times through different Tor exit nodes, and compare the results. In addition, check out the latest tag, which is OpenPGP-signed, and verify it:

git tag --verify openpgp2x509-pkcs12 && git checkout openpgp2x509-pkcs12

Export your PGP certificate as a x509 certificate:

 export OPENPGP2X509_EMIT_PKCS12=true
 msva-perl/openpgp2x509 'Marc Jones <mjones@softwarefreedom.org>' > ~/mjones.p12

If the produced p12 file is empty, check your keyring for an authentication subkey:

gpg --list-keys --with-colons AC9364C7

If no subkey record carries "a" in its capability field (the 12th colon-separated field, so look for ":a:" near the end of the line), you don't have an authentication subkey. Add an authentication subkey and try again: http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html

Then, export the key to a keyserver.
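The two checks above (the one-liner under "PGP Auth Keys" and the ":a:" inspection here) both parse GnuPG's colon-separated listing. The following script is an added example, not from this page or from the Monkeysphere project: it factors that parsing into functions and runs them on constructed sample listings (fake key ids) so it works offline; the function names are my own. Pipe your own `gpg --list-secret-keys --with-colons` output into `auth_subkeys` to use it for real.

```shell
#!/bin/sh
# Added example (not from the wiki page): find the keys/subkeys that carry
# the authentication ("a") capability in GnuPG's colon-separated listing.
# Works on "gpg --list-keys --with-colons" (pub/sub records) as well as
# "gpg --list-secret-keys --with-colons" (sec/ssb records). Field 12 holds
# the capability letters; a lowercase "a" means that key can authenticate
# (an uppercase "A" on the primary only says that some subkey can).

# Print "<keyid> <capabilities>" for every key or subkey with auth capability.
auth_subkeys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
            if (index($12, "a") > 0) print $5, $12
        }'
}

# Number of such keys; prints 0 when there are none.
count_auth_subkeys() {
    auth_subkeys | wc -l | tr -d ' '
}

# Constructed sample listing (fake key ids) in the shape gpg prints for a
# primary key with signing, encryption and authentication subkeys.
SAMPLE_WITH_AUTH='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:1650000000::u:::scESCA::::::::::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000:1650000000:::::s::::::23:
sub:u:4096:1:0011223344556677:1500000000:1650000000:::::e::::::23:
sub:u:4096:1:8899AABBCCDDEEFF:1500000000:1650000000:::::a::::::23:'

# The same key without an authentication subkey (also constructed).
SAMPLE_WITHOUT_AUTH='pub:u:4096:1:0123456789ABCDEF:1500000000:1650000000::u:::scESC::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000:1650000000:::::s::::::23:
sub:u:4096:1:0011223344556677:1500000000:1650000000:::::e::::::23:'

# Report in the style of the page's one-liner, but for a given listing.
report() {
    n=$(printf '%s\n' "$1" | count_auth_subkeys)
    if [ "$n" -gt 0 ]; then
        echo "Yes, $n authentication subkey(s) available:"
        printf '%s\n' "$1" | auth_subkeys
    else
        echo "No authentication subkey; add one with gpg --expert --edit-key"
    fi
}

# Against your own keyring, run:  gpg --list-secret-keys --with-colons | auth_subkeys
report "$SAMPLE_WITH_AUTH"
report "$SAMPLE_WITHOUT_AUTH"
```

The awk filter matches on the record type rather than on a regex over the whole line, so a stray "a" in a user id or fingerprint cannot produce a false positive.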

Import your certificate into Iceweasel

  1. Open Firefox
  2. Navigate to: Preferences -> Advanced -> Certificates -> View Certificates -> Import
  3. Select the .p12 file created with openpgp2x509
  4. Unlock your Firefox security credentials
  5. Unlock the .p12 file

Configure mod_gnu_tls for your FreedomBox

reference: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2014-March/006260.html

Install Debian testing

 # Add Debian unstable to your sources.list first
 sudo apt-get install apache2 monkeysphere msva-perl
 sudo apt-get install -t unstable libapache2-mod-gnutls

Import PGP keys

Import the PGP keys as the user that will run the Monkeysphere Validation Agent (msva). Make sure you import the key of a user who has signed your GPG key and whom you are willing to trust ultimately. Keep in mind that you may not have signed your own key.

 gpg --search-keys mjones@softwarefreedom.org

Trust the key

 gpg --edit-key "Marc Jones"   # quote the user id; at the gpg> prompt use "trust" and choose ultimate

Configure Apache2

Configure Apache to use the Monkeysphere validation agent:

 echo 'export MONKEYSPHERE_VALIDATION_AGENT_SOCKET='| sudo tee -a  /etc/apache2/envvars

Configure SSL key for Apache

If you're running these steps on a FreedomBox, the snakeoil key has already been created for you (skip this next step).

Create a snakeoil key:

 sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Create a script to display all of the Apache Variables to test the configuration:

 sudo tee /usr/lib/cgi-bin/showenv.cgi > /dev/null <<'EOF'
 #!/bin/sh
 # CGI script: print a plain-text header, a blank line, then every environment variable
 echo "Content-type: text/plain"
 echo
 env
 EOF

Create a new Apache site configuration file that uses mod_gnu_tls:

 sudo touch /etc/apache2/sites-available/gnutls.conf

 <IfModule mod_gnutls.c>
 <VirtualHost _default_:443>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/
  <Directory />
   Options FollowSymLinks
   AllowOverride None
  </Directory>
  <Directory /var/www/>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Require all granted
  </Directory>
  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
   AllowOverride None
   Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
   Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  GnuTLSEnable On
  GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  GnuTLSKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  GnuTLSPriorities NORMAL:!VERS-SSL3.0:!VERS-TLS1.0
  GnuTLSClientVerifyMethod msva
  GnuTLSClientVerify require
 </VirtualHost>
 </IfModule>

Enable mod_gnu_tls in Apache and configure the CGI test script to run:

 # swap out multi-processing modules
 sudo a2dismod mpm_event
 sudo a2dismod mpm_worker
 sudo a2enmod mpm_prefork

 # swap out cgi modules
 sudo a2dismod cgid
 sudo a2enmod cgi

 # swap out ssl modules
 sudo a2dismod ssl
 sudo a2enmod gnutls

 # enable gnutls site
 sudo a2ensite gnutls

 sudo chmod +x /usr/lib/cgi-bin/showenv.cgi
 sudo service apache2 restart

Configure Monkeysphere Validation Agent

Create a systemd unit in /etc/systemd/system/msva.service that runs the Monkeysphere validation agent with the appropriate environment variables:

#TODO: declare apache as a dependent?

Enable and start the unit.

systemctl enable msva.service
systemctl start msva.service

Test your configuration

Visit https://yourfreedombox.local/cgi-bin/showenv.cgi to test your configuration.

Look for SSL_CLIENT_VERIFY=SUCCESS. If SSL_CLIENT_VERIFY is not set to SUCCESS, you probably did not set the trust level of a key that signed your certificate to 'Ultimate'.

The variable SSL_CLIENT_S_AN0 should be set to the string "RFC822NAME:" followed by your email address.

ex: SSL_CLIENT_S_AN0=RFC822NAME:mjones@softwarefreedom.org

Configure mod_auth_env

mod_auth_env lets you set the name of the authenticated remote user transparently, either from an internal environment variable that is available at the time of Apache's authentication step or from a literal string. It specifically ensures that GnuTLS is loaded first, so that the variables produced by GnuTLS client-certificate verification can be used to set the Apache authenticated user.

You can download the code from Github (https://github.com/matujo/mod_auth_env).

git clone https://github.com/matujo/mod_auth_env.git

The source code is compiled and installed by apxs2 (from apache2-dev), like so:

sudo apxs2 -c -i mod_auth_env.c

You will need to configure apache to load the module. Create /etc/apache2/mods-available/auth_env.load

The contents of the auth_env.load file are

LoadModule auth_env_module /usr/lib/apache2/modules/mod_auth_env.so

Enable the module

sudo a2enmod auth_env

Configure mod_auth_env to take REMOTE_USER from a variable set by mod_gnutls:

 <Location />
  AuthType Env
  AuthEnvUser SSL_CLIENT_S_AN0
  #AuthEnvUser Marc
  #AuthGroupFile /etc/apache2/groups
  #Require group freedombox
  #Require valid-user
  Require user RFC822NAME:mjones@softwarefreedom.org
 </Location>

Note that you can use groupfile authorization as well: uncomment the AuthGroupFile and Require group lines together (Require group only works when an AuthGroupFile is set).

Create a groupfile called /etc/apache2/groups

freedombox: RFC822NAME:mjones@softwarefreedom.org RFC822NAME:myfriendsname@example.org
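To see what the "Test your configuration" checks and the mod_auth_env/groupfile authorization above amount to, here is an added example that is not part of this page or of mod_auth_env: it reproduces, outside Apache, the decision the modules make, using a constructed showenv.cgi dump for a verified and an unverified client and a constructed copy of the groups file. The function names are my own, and the model is simplified (it checks one Require group rule, not Apache's full RequireAny/RequireAll evaluation).

```shell
#!/bin/sh
# Added example (not from the wiki page): replay the client-certificate
# checks that showenv.cgi exposes and that mod_auth_env plus a groupfile
# turn into an authorization decision.

# Constructed showenv.cgi output for a request whose client certificate
# was validated by the Monkeysphere validation agent.
SHOWENV_OK='SERVER_SOFTWARE=Apache/2.4
REQUEST_METHOD=GET
SSL_CLIENT_VERIFY=SUCCESS
SSL_CLIENT_S_AN0=RFC822NAME:mjones@softwarefreedom.org
REMOTE_USER=RFC822NAME:mjones@softwarefreedom.org'

# Constructed output for a request the agent did not validate, e.g. the key
# that signed the client's certificate was never set to ultimate trust.
SHOWENV_FAIL='SERVER_SOFTWARE=Apache/2.4
REQUEST_METHOD=GET
SSL_CLIENT_VERIFY=FAILED
SSL_CLIENT_S_AN0=RFC822NAME:stranger@example.net'

# Constructed copy of /etc/apache2/groups in AuthGroupFile format:
# "<group>: <user> <user> ...". Users are the RFC822NAME strings that
# mod_auth_env copies from SSL_CLIENT_S_AN0 into REMOTE_USER.
GROUPS_FILE='freedombox: RFC822NAME:mjones@softwarefreedom.org RFC822NAME:myfriendsname@example.org
admins: RFC822NAME:mjones@softwarefreedom.org'

# Value of one NAME=value line in a showenv dump (empty if absent).
env_value() {   # $1 = dump, $2 = variable name
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Succeeds only if mod_gnutls reported a verified client certificate.
client_verified() {   # $1 = dump
    [ "$(env_value "$1" SSL_CLIENT_VERIFY)" = "SUCCESS" ]
}

# The identity mod_auth_env would use as REMOTE_USER (AuthEnvUser SSL_CLIENT_S_AN0).
client_identity() {   # $1 = dump
    env_value "$1" SSL_CLIENT_S_AN0
}

# Succeeds if user $2 is a member of group $3 in groups file $1,
# mirroring "Require group <name>" with an AuthGroupFile.
in_group() {   # $1 = groups file contents, $2 = user, $3 = group
    printf '%s\n' "$1" | awk -v user="$2" -v group="$3" '
        $1 == (group ":") { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Full decision: prints "allow <identity>" or "deny <reason>" and sets the exit status accordingly.
authorize() {   # $1 = dump, $2 = groups file contents, $3 = required group
    if ! client_verified "$1"; then
        echo "deny client certificate not verified (check ultimate trust on the signing key)"
        return 1
    fi
    ident=$(client_identity "$1")
    case "$ident" in
        RFC822NAME:*) ;;
        *) echo "deny no RFC822NAME subject alternative name"; return 1 ;;
    esac
    if in_group "$2" "$ident" "$3"; then
        echo "allow $ident"
    else
        echo "deny $ident is not in group $3"
        return 1
    fi
}

authorize "$SHOWENV_OK" "$GROUPS_FILE" freedombox
authorize "$SHOWENV_FAIL" "$GROUPS_FILE" freedombox || :   # expected to be denied
```

The order of the checks matters: the identity is only trusted after SSL_CLIENT_VERIFY reports SUCCESS, which is exactly why the page tells you to set ultimate trust on a signing key before looking at SSL_CLIENT_S_AN0.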