Tool for authentication of Usenet control messages.
Original source: https://ftp.isc.org/pub/pgpcontrol/ and https://git.eyrie.org/?p=usenet/pgpcontrol.git
<HTML><!-- -*- sgml -*- -->
<HEAD>
<TITLE>Authentication of Usenet Group Changes</TITLE>
<LINK REV="made" HREF="mailto:newgroups-request@uunet.uu.net">
</HEAD>
<BODY>
<H1>Authentication of Usenet Group Changes</H1>
This document addresses a method for the authentication of the special types of Usenet articles that are used to maintain the namespace of Usenet groups. A basic familiarity with what the Usenet control message types "newgroup", "rmgroup" and "checkgroups" do is assumed; this is not a tutorial in namespace administration.
<P>
Usenet articles are notoriously easy to forge, and control messages are no exception. Since administrators often want to have their news systems automatically honor requests from some particular people to add or remove newsgroups, it is risky to trust the From: and Sender: headers to identify the real sender of a message, as has historically been done. Thus a system using Philip Zimmermann's <A HREF="#Getting PGP">Pretty Good Privacy</A>® (PGP®) was developed to provide a more secure means of authenticating the sender of a control message.
<P>
Unlike traditional PGP authentication of messages, which just verifies that the contents of the body of a message are unchanged from when it was digitally "signed", this system also needed to sign a few headers of the control message to verify the action to be taken and to guard against certain other pitfalls. Another goal was to make the signature as unobtrusive as possible and require minimal changes to existing software in order to work.
<P>
<H2>How to Verify Control Messages</H2>
Listed below are the steps you need to take to enable PGP authentication of control messages on your system.
<P> Here is the short and simple version for someone who feels confident hacking around the news system and doesn't like to read a lot: <P> <OL> <LI>Get and configure the software: <UL> <LI> <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify</A> <LI> <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/</A> </UL> <LI>Add <A HREF="#Keys">maintainers' PGP public keys</A> to the news system key ring. <LI>Enable verification through the news system authorization system. <DL> <DT>INN: <DD>Use the action <B>verify-<I>pgp_userid</I></B> (possibly appended <B>=<I>logfile</I></B>) in <I>control.ctl</I>. <DT>Other systems: <DD>Sorry, not implemented yet. </DL> <LI>Test <I>pgpverify</I>. If you have the news.announce.newgroups key in your key ring, run <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control</A> through <I>pgpverify</I> on stdin. It should spit out the string "news.announce.newgroups" on stdout. </OL> <P> Here is a more verbose version of the instructions: <P> <OL> <LI> Get the software. <P> There are two pieces of code that will need to be added to a news server to make use of this authentication system: a stand-alone script that verifies an article is what it says it is, and a patch to hook it into the news server's processing of control messages. <P> The stand-alone program, <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify</A>, is a <A HREF="#Getting Perl">Perl</A> script that should work with Perl version 4 and up. (I have not tested it with earlier versions.) It does not contain any code making it dependent on any particular news server software. 
<P>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/</A> has patches (currently "a patch" is more correct) for hooking the system into existing news server software. Choose the one for your system from the list below.
<P>
<UL>
<LI> <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/inn1.4sec/pgpcontrol.pch"> INN version 1.4sec</A>
</UL>
<P>
I regret that I do not have the time to develop more patches, but I will gladly add patches for other systems to this page as they are made available to me. I am particularly interested in getting patches for C News version CR.E and INN version unoff4.
<P>
<LI> Install it in your news system.
<P>
First you must ensure that the absolute paths to <I>perl</I> and to <I>pgp</I> are correct in the first few lines of the <I>pgpverify</I> program. No other configuration of options or pathnames should be needed.
<P>
Next, the following steps assume, solely for the sake of making it easy for me to write a simple recipe, that you have copied <I>pgpverify</I> and the patch for your system to your news server as <I>/tmp/pgpverify</I> and <I>/tmp/pgpcontrol.pch</I> respectively. I have tried to format this so that you should be able to cut and paste any of the lines in italics directly to your shell.
<P>
<UL>
<LI>If you are running INN:
<P>
<PRE>
cd to the executable program directory that has <I>ctlinnd</I>
<I>mv /tmp/pgpverify pgpverify</I>
cd to the root of your INN source tree
<I>cd site</I>
<I>patch &lt; /tmp/pgpcontrol.pch</I>
<I>make install</I>
</PRE>
<P>
<LI>If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for your system and makes it available to me for redistribution.
<P>
</UL>
<P>
<LI> Enable verification for the hierarchies that interest you.
<P>
To verify messages, you must have a <A HREF="#Keys">PGP public key for each signer</A> that you wish to trust.
It should be entered in a key ring that is accessible to the user-id that runs the news system by running <I>pgp -ka</I> on a file containing the key to add. For example, at a site that runs the news server software as <I>news</I>, the following command run by the <I>news</I> user-id should add the key bounded by BEGIN and END "PGP PUBLIC KEY BLOCK" lines in the file <I>/tmp/key</I> to the default key ring that would be used for authentication: <PRE> <I>pgp -ka /tmp/key</I> </PRE> <P> As a general policy rule, control message signers will not use their control message keys to introduce other keys, so when PGP asks you a question similar to, "Would you trust this user to act as an introducer and certify other people's public keys to you?" answer that you would not. <P> After you have added the appropriate key to your key ring, you need to tell the news software to validate the control messages received. As implemented, the system will perform the requested action if the message can be authenticated and it will mail the message to the news system administrator if it cannot. Clearly there are other possible actions that could be implemented, but I wanted to keep the patches minimal. Future releases of the server software will probably have increased flexibility. <P> <UL> <LI>If you are running INN: <P> Automatic processing of control messages is handled by <I>control.ctl</I>, which you edit in the same <I>site</I> subdirectory where you patched <I>parsecontrol</I>. <I>control.ctl</I> has several lines at the beginning of it that describe the format of the file, and there is an even longer <I>control.ctl(5)</I> manual page. To enable PGP verification in addition to the normal authorization done by <I>control.ctl</I>, use the action <B>verify-<I>pgp_userid</I></B> in the fourth field. 
<P>For example, if you trust tale@uunet.uu.net to manage groups in the "Big 8" hierarchies, you could have lines like these:
<P>
<PRE>
newgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
rmgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
checkgroups:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
</PRE>
<P>
Additionally, if you like the logging feature available with the action <B>doit=<I>logfile</I></B>, you can get the same logging by using <B>verify-<I>pgp_userid</I>=<I>logfile</I></B>.
<P>
<LI> If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for your system and makes it available to me for redistribution.
<P>
</UL>
<P>
<LI> Test the system.
<P>
Get <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control</A> and save it to a file on your system; <I>/tmp/sample.control</I> will be used for this example. You'll use it to make sure things will work as expected.
<P>
To verify the control message, you will need the <A HREF="#news.announce.newgroups">key for news.announce.newgroups</A> and authorization in your news system for tale@uunet.uu.net to automatically perform "newgroup". Go ahead and enable it for the test even if you don't want to really allow this, because it is easy enough to rescind after the test by editing the control message authorization file and removing the key with <I>pgp -kr news.announce.newgroups</I>.
<P>
You can check that the <I>pgpverify</I> part of the system will work properly simply by feeding it the sample control message on stdin:
<PRE>
pgpverify &lt; /tmp/sample.control
</PRE>
<P>
If it could run pgp and find the correct key in the default key ring, the string <B>news.announce.newgroups</B> should be printed. The exit status of the script, found in most shells with the command <I>echo $?</I> as the next command after <I>pgpverify</I>, should be 0 (zero).
<P>
If it doesn't work and you've tried and tried to figure out why, <A HREF="mailto:tale@uunet.uu.net (David C Lawrence)">email me</A> a complete description of the problem you are having and how you have tried to remedy it. At a bare minimum, your mail should include a copy of the message you are trying to verify, a typescript of the attempted execution, and the output of <I>pgp -kc</I> and <I>pgp -kvc news.announce.newgroups</I>.
<P>
When <I>pgpverify</I> passes its test, use the appropriate procedure below for your news server to verify the authorization system.
<P>
<UL>
<LI>If you are running INN:
<P>
First, cd to the directory where <I>parsecontrol</I> is installed. Then execute the following four lines, in order, as the user who owns the news system:
<PRE>
/bin/sh
PROG=newgroup
set -- tale@uunet.uu.net "" /tmp/sample.control
(. ./parsecontrol "$@"; echo $ACTION)
</PRE>
<P>
If the message verified correctly, the <I>echo</I> command should output <B>doit</B>; otherwise, verification failed and the output should be <B>mail</B>.
<P>
Edit <I>/tmp/sample.control</I> and change all occurrences of <B>newusers</B> to <B>newgroups</B>. Then repeat the <I>parsecontrol</I> and <I>echo</I> lines. This time verification should fail.
<P>
<LI>If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for your system and makes it available to me for redistribution.
</UL>
</OL>
<H2>Frequently Asked Questions</H2>
<OL>
<LI><H3>How come this presumably valid message doesn't check out with pgpverify?</H3>
<UL>
<LI>You don't have the correct key for the user that signed it in your key ring.
<LI>You cut-and-pasted the message in your window system, which converted the tab characters in the original message into spaces in the message you are trying to decode. Having this handled completely correctly by the signing/verifying code is harder than you might first think.
<LI>You are running <I>pgpverify</I> on a saved copy of the article that includes an extraneous trailing newline, such as might be inserted by saving the message from a mail handler or news reader, that was not present in the original message.
</UL>
</OL>
<HR><HR>
<H2><A NAME="Keys">List of PGP Public Keys for Newsgroup Administration</A></H2>
This is a list of keys known to be used for maintaining various parts of the newsgroup namespace. They are listed alphabetically by the hierarchies they are used for, along with the email address they are sent by (for use in <I>control.ctl</I>) and the group that people should follow if they are interested in tracking announcements about the hierarchy. The "Check also" references point to locations that should have identical public key blocks; it is best if you confirm the block listed here by checking against the others.
<P>
The existence of a key here only means that I, David Lawrence, trust the person who uses it to be a responsible maintainer of that particular hierarchy of groups. You are solely responsible for deciding whether you will use the keys here at your own site.
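The way the <I>control.ctl</I> authorization step and <I>pgpverify</I>'s result fit together, as an added Python model (not pgpcontrol's or INN's own code): it parses rules written in the page's <I>control.ctl</I> format, selects the rule for a control message, and treats a <B>verify-<I>pgp_userid</I></B> action as <B>doit</B> only when the key user id that <I>pgpverify</I> printed with exit status 0 is the one named in the rule. Last-match-wins rule selection, the simplified wildmat, the catch-all <I>all:*:*:mail</I> line and the log file path are assumptions of the example, not statements from the page.

```python
"""Model of the control.ctl authorization step combined with pgpverify's output.

Added illustration, not code from pgpcontrol or INN.  Assumed here (the page
does not state them): control.ctl matching is last-match-wins, and the from
and newsgroups fields are wildmat patterns with '*' wildcards and '|' alternation.
"""
import fnmatch
import re

# Constructed control.ctl text in the page's format, plus a catch-all default.
CONTROL_CTL = r"""
## message:from:newsgroups:action
all:*:*:mail
newgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups=/var/log/news/newgroup.log
rmgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
"""

def parse_control_ctl(text):
    """Join backslash-continued lines, drop comments, return 4-field rules."""
    joined = re.sub(r"\\\n", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(tuple(line.split(":", 3)))
    return rules

def wildmat(pattern, value):
    """Simplified wildmat: '|'-separated alternatives of shell-style globs."""
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))

def select_action(rules, msg_type, sender, group):
    """Pick the action for one control message; the last matching rule wins."""
    action = "mail"  # nothing matched: hand the message to the administrator
    for rtype, rfrom, rgroups, raction in rules:
        if rtype in (msg_type, "all") and wildmat(rfrom, sender) \
                and wildmat(rgroups, group):
            action = raction
    return action

def decide(action, pgpverify_output, pgpverify_status):
    """Resolve 'verify-<pgp_userid>[=<logfile>]' to doit or mail.

    pgpverify prints the user id of the key behind a good signature and exits
    0; that id must equal the one named in control.ctl.  The From: header on
    its own never authorizes the change.
    """
    if not action.startswith("verify-"):
        return action, None
    wanted, _, logfile = action[len("verify-"):].partition("=")
    ok = pgpverify_status == 0 and pgpverify_output.strip() == wanted
    return ("doit" if ok else "mail"), (logfile or None)
```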
<P> <A NAME="news.announce.newgroups"><HR></A> <H3>comp, humanities, misc, news, rec, sci, soc, talk</H3> Control message sender: <A HREF="mailto:newgroups-request@uunet.uu.net">tale@uunet.uu.net</A><BR> Administrative group: <A HREF="news:news.announce.newgroups">news.announce.newgroups</A><BR> Check also: <UL> <LI><A HREF="ftp://ftp.uu.net/usenet/news.announce.newgroups/PGP.PUBLICKEY"> ftp://ftp.uu.net/usenet/news.announce.newgroups/PGP.PUBLICKEY</A> <LI><A HREF="http://swissnet.ai.mit.edu:11371/pks/lookup?op=get&search=0xB88DA9C1"> pgp-public-keys-beta@pgp.ai.mit.edu</A> ("Subject: GET 0xB88DA9C1", empty body) </UL> <PRE> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.7 mQCNAjFsLmQAAAEEAKPbDQI6oDtYJYPvYxt7I4PMxThaq51Z/5kqfW7C3dMn6vPL d+UsXHfRzMaQXkLBR4nIaQj5OHVtbKCjVTVIMtgfgsPeh9GRSONW870S5HUTQcB7 eDhQqvvst1ZEowhTf/CX01chaxOfWq3ZPB09VVohQTmvRJn2BMJdOtO4janBAAUR tBduZXdzLmFubm91bmNlLm5ld2dyb3Vwc4kAlQIFEDF33BHCXTrTuI2pwQEBiJQD /1uiv20adyB2a3tzBYESEEhKtugAVHGRJQJE4Ar5PrcnovF3aNpLFumslIaAzCwP XlCANMjFHg140IB6SgJ8W8XH15u+1cMOmqTbk0wtmVgeLOLaSMgNWt65FV4AUn7e RZdhK8j/JKxE0a+6gKu4S0PiUDrvnCEWUPjlXiqsbnjR =E8K8 -----END PGP PUBLIC KEY BLOCK----- </PRE> <P> <A NAME="fr.announce.newgroups"><HR></A> <H3>fr</H3> Control message sender: <!-- {A HREF="mailto:newgroups-request@uunet.uu.net"}tale@uunet.uu.net{/A} -- --> <BR> Administrative group: <A HREF="news:fr.announce.newgroups">fr.announce.newgroups</A><BR> Check also: <UL> <LI><A HREF="http://swissnet.ai.mit.edu:11371/pks/lookup?op=get&search=0x382B64FD"> pgp-public-keys-beta@pgp.ai.mit.edu</A> ("Subject: GET 0x382B64FD", empty body) </UL> <PRE> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2i mQCNAzF41OMAAAEEAOnjgblNPQ+Xhnxw3K/EMz1vm2sfi2Ci/XG8HsWg2yc+hQla fMGQbQciSDFsBK0Kmy7gNvC9c7qAsQfeqpvQqJ+3hJiUvbQIi6bj2ZOSqE58Vh80 7Y+Fx71R/AKGZ88dGbysUg1r5770aw6JP1wn6Ve29PRTdS7yasmXGhU4K2T9AAUT tBVmci5hbm5vdW5jZS5uZXdncm91cHOJAJUDBRAxf8MhyZcaFTgrZP0BAZ0ZA/0S nxzmcN/yI858v+80ZpWaMkO/OtdF49gCfv/yv8xrRQfdGkjLFIl+Gry/H9236MZD 
rTSjb5R2PaicExO3b0tcRAAGOXyrRwc1squDdSvldko2ewQE9giZ4T1+fJRou1yO hbwPmaOBOt2EropUpvRPfKNeu/vjdKv1GEREkhIZTQ== =o/05 -----END PGP PUBLIC KEY BLOCK----- </PRE> <P> <HR> <H3>humanities</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>misc</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>news</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>rec</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>sci</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>soc</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR> <H3>talk</H3> See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry. <HR><HR> <H2><A NAME="Signing">Signing Control Messages</A></H2> If you are responsible for sending control messages about authorized changes to a newsgroup hierarchy, then <A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/signcontrol"> ftp://ftp.uu.net/networking/news/misc/pgpcontrol/signcontrol</A> will sign your control messages so that <I>pgpverify</I> can authenticate them. It is a Perl script that requires Perl version 5 or higher to work. It has several configuration parameters that should be reviewed before use. <P> When establishing a PGP key and control message sender, please use tokens that are not tied to a particular individual. This makes it easier to transfer the administrative responsibility when it finally comes time. (The all-too-common "tale@uunet.uu.net" sender is still used for control messages because of its legacy in the installed server base; I would prefer to use newgroups-request@uunet.uu.net.) Please also do not sign other keys with the key that is used for control messages. 
<P> If you will be using this script to sign control messages, please <A HREF="mailto:tale@uunet.uu.net (David C Lawrence)">let me know</A> the hierarchy that you are responsible for maintaining and the information that you would like to appear in the <A HREF="#Keys">List of PGP Public Keys for Newsgroup Administration</A>. <HR><HR> <H2><A NAME="Getting PGP">How to Get PGP</A></H2> Information about obtaining PGP can be found in the <A HREF="http://www.cis.ohio-state.edu/hypertext/faq/usenet/pgp-faq/where-is-PGP/faq.html"> Where to get the latest PGP FAQ</A> article, posted regularly in the <A HREF="news:alt.security.pgp">alt.security.pgp</A> newsgroup. <H2><A NAME="Getting Perl">How to Get Perl</A></H2> Information about obtaining Perl can be found in the <A HREF="http://www.cis.ohio-state.edu/hypertext/faq/usenet/perl-faq/part1/faq.html"> comp.lang.perl.* FAQ 1/5 - Availability</A> article, posted regularly in the <A HREF="news:comp.lang.perl.misc">comp.lang.perl.misc</A> newsgroup. <HR> Last modified: 25 April 1996 <ADDRESS> David C Lawrence<BR> <A HREF="mailto:tale@uunet.uu.net (David C Lawrence)"> tale@uunet.uu.net</A> </ADDRESS> </BODY> </HTML>