Diffstat (limited to 'nixpkgs/pkgs/tools/security/monkeysphere')
3 files changed, 143 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/monkeysphere/default.nix b/nixpkgs/pkgs/tools/security/monkeysphere/default.nix
new file mode 100644
index 000000000000..bc267a9a7703
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/monkeysphere/default.nix
@@ -0,0 +1,103 @@
+{ lib, stdenv, fetchurl, makeWrapper
+, perl, libassuan, libgcrypt
+, perlPackages, lockfileProgs, gnupg, coreutils
+# For the tests:
+, openssh, which, socat, cpio, hexdump, procps, openssl
+}:
+
+let
+ # A patch is needed to run the tests inside the Nix sandbox:
+ # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+ # sshd: "User nixbld not allowed because shell /noshell does not exist"
+ opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+ patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+ });
+in stdenv.mkDerivation rec {
+ pname = "monkeysphere";
+ version = "0.44";
+
+ # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+ disallowedRequisites = [ opensshUnsafe ];
+
+ src = fetchurl {
+ url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
+ sha256 = "1ah7hy8r9gj96pni8azzjb85454qky5l17m3pqn37854l6grgika";
+ };
+
+ patches = [ ./monkeysphere.patch ];
+
+ postPatch = ''
+ sed -i "s,/usr/bin/env,${coreutils}/bin/env," src/share/ma/update_users
+ '';
+
+ nativeBuildInputs = [ makeWrapper ];
+ buildInputs = [ perl libassuan libgcrypt ]
+ ++ lib.optional doCheck
+ ([ gnupg opensshUnsafe which socat cpio hexdump procps lockfileProgs ] ++
+ (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
+
+ makeFlags = [
+ "PREFIX=/"
+ "DESTDIR=$(out)"
+ ];
+
+ # The tests should be run (and succeed) when making changes to this package
+ # but they aren't enabled by default because they "drain" entropy (GnuPG
+ # still uses /dev/random).
+ doCheck = false; + preCheck = lib.optionalString doCheck '' + patchShebangs tests/ + patchShebangs src/ + sed -i \ + -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \ + -e "s,/bin/true,${coreutils}/bin/true," \ + -e "s,/bin/false,${coreutils}/bin/false," \ + -e "s,openssl\ req,${openssl}/bin/openssl req," \ + tests/basic + sed -i "s/<(hd/<(hexdump/" tests/keytrans + ''; + + postFixup = + let wrapperArgs = runtimeDeps: + "--prefix PERL5LIB : " + + (with perlPackages; makePerlPath [ # Optional (only required for keytrans) + CryptOpenSSLRSA + CryptOpenSSLBignum + ]) + + lib.optionalString + (builtins.length runtimeDeps > 0) + " --prefix PATH : ${lib.makeBinPath runtimeDeps}"; + wrapMonkeysphere = runtimeDeps: program: + "wrapProgram $out/bin/${program} ${wrapperArgs runtimeDeps}\n"; + wrapPrograms = runtimeDeps: programs: lib.concatMapStrings + (wrapMonkeysphere runtimeDeps) + programs; + in wrapPrograms [ gnupg ] [ "monkeysphere-authentication" "monkeysphere-host" ] + + wrapPrograms [ gnupg lockfileProgs ] [ "monkeysphere" ] + + '' + # These 4 programs depend on the program name ($0): + for program in openpgp2pem openpgp2spki openpgp2ssh pem2openpgp; do + rm $out/bin/$program + ln -sf keytrans $out/share/monkeysphere/$program + makeWrapper $out/share/monkeysphere/$program $out/bin/$program \ + ${wrapperArgs [ ]} + done + ''; + + meta = with lib; { + homepage = "http://web.monkeysphere.info/"; + description = "Leverage the OpenPGP web of trust for SSH and TLS authentication"; + longDescription = '' + The Monkeysphere project's goal is to extend OpenPGP's web of + trust to new areas of the Internet to help us securely identify + servers we connect to, as well as each other while we work online. + The suite of Monkeysphere utilities provides a framework to + transparently leverage the web of trust for authentication of + TLS/SSL communications through the normal use of tools you are + familiar with, such as your web browser0 or secure shell. 
+ '';
+ license = licenses.gpl3Plus;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ primeos ];
+ };
+}
diff --git a/nixpkgs/pkgs/tools/security/monkeysphere/monkeysphere.patch b/nixpkgs/pkgs/tools/security/monkeysphere/monkeysphere.patch
new file mode 100644
index 000000000000..8cdd85017b93
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/monkeysphere/monkeysphere.patch
@@ -0,0 +1,23 @@
+diff --git a/Makefile b/Makefile
+--- a/Makefile
++++ b/Makefile
+@@ -52,7 +52,7 @@ clean:
+ replaced/%: %
+ mkdir -p $(dir $@)
+ sed < $< > $@ \
+- -e 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' \
++ -e 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' \
+ -e 's:__SYSCONFDIR_PREFIX__:$(ETCPREFIX):' \
+ -e 's:__SYSDATADIR_PREFIX__:$(LOCALSTATEDIR):'
+
+diff --git a/src/share/keytrans b/src/share/keytrans
+--- a/src/share/keytrans
++++ b/src/share/keytrans
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -T
++#!/usr/bin/perl
+
+ # keytrans: this is an RSA key translation utility; it is capable of
+ # transforming RSA keys (both public keys and secret keys) between
+--
+2.16.3
diff --git a/nixpkgs/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch b/nixpkgs/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
new file mode 100644
index 000000000000..2a9a1fc8dfa9
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
@@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
++++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+ #endif
+
+ pw = getpwnam(user);
++ if (pw != NULL) {
++ // This is only for testing purposes,
++ // DO NOT USE THIS PATCH IN PRODUCTION!
++ char *shell = "/bin/sh";
++ pw->pw_shell = shell;
++ }
+
+ #if defined(_AIX) && defined(HAVE_SETAUTHDB)
+ aix_restoreauthdb(); |
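Review bot: In buildInputs, `lib.optional doCheck ([ gnupg ... ] ++ (with perlPackages; [ ... ]))` passes a list to a function that wraps its argument in another list, so the result is a nested list that only works because the attribute is flattened when the derivation is serialised; the form meant for a list argument is `++ lib.optionals doCheck`. The `src` URL is plain `http://`; the pinned sha256 still guarantees the tarball's integrity, so this is a robustness point rather than a gap, but an https URL (if the archive serves TLS — not verifiable from here) would let a tampered download fail at transport level instead of at hash check. The `disallowedRequisites = [ opensshUnsafe ]` guard is the right way to keep the test-only sshd out of the closure and is worth keeping next to the `opensshUnsafe` definition as the comment already does.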
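Review bot: The keytrans hunk removes `-T` from the shebang, which switches off Perl taint checking in the tool that converts secret keys, and neither this patch nor default.nix records why. Presumably the reason is that perl ignores PERL5LIB when taint mode is on, so the `--prefix PERL5LIB :` wrapper built in postFixup would never find Crypt::OpenSSL::RSA — confirm. A one-line header in the patch file would make that intent reviewable, e.g. `# Drop -T: taint mode ignores PERL5LIB, which the Nix wrapper relies on to locate Crypt::OpenSSL::*`. If that is the cause, keeping `-T` and instead substituting the Perl library path into the script (a `use lib` line added in postPatch) would preserve the taint checks; that is a larger change and only worth doing if the tests still pass with it.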
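Review bot: The block added after `pw = getpwnam(user);` uses `//` comments and a throwaway `shell` local, whereas the surrounding auth.c is written in C89 style; `/* ... */` comments and a direct `pw->pw_shell = "/bin/sh";` would match the file and shorten the hunk. The override also applies to every user returned by getpwnam(), not only the sandbox build user that the comment in default.nix describes; since the patched sshd is confined to the check phase and listed in `disallowedRequisites`, that scope is acceptable, but a short header in the patch file stating "test-only; applied via opensshUnsafe, never installed" would stop a future reader from reusing it. getpwnamallow() starts and ends outside the hunk.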