12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333 |
- @node Using GNUnet
- @chapter Using GNUnet
- This tutorial is supposed to give a first introduction for users
- trying to do something real with GNUnet. Installation and
- configuration are specifically outside of the scope of this tutorial.
- Instead, we start by briefly checking that the installation works, and
- then dive into uncomplicated, concrete practical things that can be done
- with the framework provided by GNUnet.
- In short, this chapter of the ``GNUnet Reference Documentation'' will
- show you how to use the various peer-to-peer applications of the
- GNUnet system.
- As GNUnet evolves, we will add new sections for the various
- applications that are being created.
- Comments on the content of this chapter, and extensions of it are
- always welcome.
- @menu
- * Start and stop GNUnet::
- * First steps - Using the GNU Name System::
- * First steps - Using GNUnet Conversation::
- * First steps - Using the GNUnet VPN::
- * File-sharing::
- * The GNU Name System::
- * reclaimID Identity Provider::
- * Using the Virtual Public Network::
- @end menu
- @node Start and stop GNUnet
- @section Start and stop GNUnet
- Prior to using any GNUnet-based application, one has to start a node:
- @example
- $ gnunet-arm -s -l gnunet.log
- @end example
- To stop GNUnet:
- @example
- $ gnunet-arm -e
- @end example
- @node First steps - Using the GNU Name System
- @section First steps - Using the GNU Name System
- @menu
- * Preliminaries::
- * Managing Egos::
- * The GNS Tab::
- * Creating a Record::
- * Resolving GNS records::
- * Integration with Browsers::
- * Creating a Business Card::
- * Be Social::
- * Backup of Identities and Egos::
- * Revocation::
- * What's Next?::
- @end menu
- @node Preliminaries
- @subsection Preliminaries
- ``.pin'' is a default zone which points to a zone managed by gnunet.org.
- Use @code{gnunet-config -s gns} to view the GNS configuration, including
- all configured zones that are operated by other users. The respective
- configuration entry names start with a ``.'', i.e. ``.pin''.
- You can configure any number of top-level domains, and point them to
- the respective zones of your friends! For this, simply obtain the
- respective public key (you will learn how below) and extend the
- configuration:
- @example
- $ gnunet-config -s gns -n .myfriend -V PUBLIC_KEY
- @end example
- @node Managing Egos
- @subsection Managing Egos
- In GNUnet, identity management is about managing egos. Egos can
- correspond to pseudonyms or real-world identities. If you value your
- privacy, you are encouraged to use separate egos for separate
- activities.
- Technically, an ego is first of all a public-private key pair, and
- thus egos also always correspond to a GNS zone. Egos are managed by
- the IDENTITY service. Note that this service has nothing to do with
- the peer identity. The IDENTITY service essentially stores the
- private keys under human-readable names, and keeps a mapping of which
- private key should be used for particular important system functions.
- The existing identities can be listed using the command
- @command{gnunet-identity -d}
- @example
- gnu - JTDVJC69NHU6GQS4B5721MV8VM7J6G2DVRGJV0ONIT6QH7OI6D50
- rules - GO0T87F9BPMF8NKD5A54L2AH1T0GRML539TPFSRMCEA98182QD30
- @end example
- @node The GNS Tab
- @subsection The GNS Tab
- Maintaing your zones is through the NAMESTORE service and is discussed
- here. You can manage your zone using @command{gnunet-identity} and
- @command{gnunet-namestore}, or most conveniently using
- @command{gnunet-namestore-gtk}.
- We will use the GTK+ interface in this introduction. Please start
- @command{gnunet-gkt} and switch to the GNS tab, which is the tab in
- the middle with the letters "GNS" connected by a graph.
- Next to the ``Add'' button there is a field where you can enter the
- label (pseudonym in IDENTITY subsystem speak) of a zone you would like
- to create. Pushing the ``Add'' button will create the zone.
- Afterwards, you can change the label in the combo box below at any
- time. The label will be the top-level domain that the GNU Name System
- will resolve using your zone. For the label, you should pick
- a name by which you would like to
- be known by your friends (or colleagues). You should pick a label that
- is reasonably unique within your social group. Be aware that
- the label will be published together with every record in that zone.
- Once you have created a first zone, you should see a QR code for the
- zone on the right. Next to it is a "Copy" button to copy the public
- key string to the clipboard. You can also save the QR code image to
- disk.
- Furthermore, you now can see the bottom part of the dialog. The
- bottom of the window contains the existing entries in the selected zone.
- @node Creating a Record
- @subsection Creating a Record
- We will begin by creating a simple record in your master zone.
- To do this, click on the text "<new name>" in the table. The field is
- editable, allowing you to enter a fresh label. Labels are restricted
- to 63 characters and must not contain dots. For now, simply enter
- "test", then press ENTER to confirm. This will create a new (empty)
- record group under the label "test". Now click on "<new record>" next
- to the new label "test". In the drop-down menu, select "A" and push
- ENTER to confirm. Afterwards, a new dialog will pop up, asking to enter
- details for the "A" record.
- "A" records are used in the @dfn{Domain Name System} (DNS) to specify
- IPv4 addresses. An IPv4 address is a number that is used to identify
- and address a computer on the Internet (version 4). Please enter
- "217.92.15.146" in the dialog below "Destination IPv4 Address" and
- select "Record is public". Do not change any of the other options.
- Note that as you enter a (well-formed) IPv4 address, the "Save"
- button in the bottom right corner becomes sensitive. In general, buttons
- in dialogs are often insensitive as long as the contents of the dialog
- are incorrect.
- Once finished, press the "Save" button. Back in the main dialog, select
- the tiny triangle left of the "test" label. By doing so, you get to see
- all of the records under "test". Note that you can right-click a record
- to edit it later.
- @node Resolving GNS records
- @subsection Resolving GNS records
- Next, you should try resolving your own GNS records. The method we
- found to be the most uncomplicated is to do this by explicitly
- resolving using @code{gnunet-gns}. For this exercise, we will assume
- that you used the string ``gnu'' for the pseudonym (or label) of your
- GNS zone. If you used something else, replace ``.gnu'' with your real
- pseudonym in the examples below.
- In the shell, type:
- @example
- $ gnunet-gns -u test.gnu # what follows is the reply
- test.gnu:
- Got `A' record: 217.92.15.146
- @end example
- @noindent
- That shows that resolution works, once GNS is integrated with
- the application.
- @node Integration with Browsers
- @subsection Integration with Browsers
- While we recommend integrating GNS using the NSS module in the
- GNU libc Name Service Switch, you can also integrate GNS
- directly with your browser via the @code{gnunet-gns-proxy}.
- This method can have the advantage that the proxy can validate
- TLS/X.509 records and thus strengthen web security; however, the proxy
- is still a bit brittle, so expect subtle failures. We have had reasonable
- success with Chromium, and various frustrations with Firefox in this area
- recently.
- The first step is to start the proxy. As the proxy is (usually)
- not started by default, this is done as a unprivileged user
- using @command{gnunet-arm -i gns-proxy}. Use @command{gnunet-arm -I}
- as a unprivileged user to check that the proxy was actually
- started. (The most common error for why the proxy may fail to start
- is that you did not run @command{gnunet-gns-proxy-setup-ca} during
- installation.) The proxy is a SOCKS5 proxy running (by default)
- on port 7777. Thus, you need to now configure your browser to use
- this proxy. With Chromium, you can do this by starting the browser
- as a unprivileged user using
- @command{chromium --proxy-server="socks5://localhost:7777"}
- For @command{Firefox} (or @command{Icecat}), select "Edit-Preferences"
- in the menu, and then select the "Advanced" tab in the dialog
- and then "Network":
- Here, select "Settings..." to open the proxy settings dialog.
- Select "Manual proxy configuration" and enter @code{localhost}
- with port 7777 under SOCKS Host. Furthermore, set the
- checkbox ``Proxy DNS when using SOCKS v5'' at the bottom of
- the dialog. Finally, push "OK".
- You must also go to about:config and change the
- @code{browser.fixup.alternate.enabled} option to @code{false},
- otherwise the browser will autoblunder an address like
- @code{@uref{http://www.gnu/, www.gnu}} to
- @code{@uref{http://www.gnu.com/, www.gnu.com}}. If you want
- to resolve @@ in your own TLDs, you must additionally
- set @code{browser.fixup.dns_first_use_for_single_words} to @code{true}.
- After configuring your browser, you might want to first confirm that it
- continues to work as before. (The proxy is still experimental and if you
- experience "odd" failures with some webpages, you might want to disable
- it again temporarily.) Next, test if things work by typing
- "@uref{http://test.gnu/}" into the URL bar of your browser.
- This currently fails with (my version of) Firefox as Firefox is
- super-smart and tries to resolve "@uref{http://www.test.gnu/}" instead of
- "@uref{test.gnu}". Chromium can be convinced to comply if you explicitly
- include the "http://" prefix --- otherwise a Google search might be
- attempted, which is not what you want. If successful, you should
- see a simple website.
- Note that while you can use GNS to access ordinary websites, this is
- more an experimental feature and not really our primary goal at this
- time. Still, it is a possible use-case and we welcome help with testing
- and development.
- @pindex gnunet-bcd
- @node Creating a Business Card
- @subsection Creating a Business Card
- @c FIXME: Which parts of texlive are needed? Some systems offer a modular
- @c texlive (smaller size).
- Before we can really use GNS, you should create a business card.
- Note that this requires having @command{LaTeX} installed on your system.
- If you are using a Debian GNU/Linux based operating system, the
- following command should install the required components.
- Keep in mind that this @b{requires 3GB} of downloaded data and possibly
- @b{even more} when unpacked. On a GNU Guix based system texlive 2017 has
- returns a DAG size of 5032.4 MiB.
- @b{We welcome any help in identifying the required components of the
- TexLive Distribution. This way we could just state the required components
- without pulling in the full distribution of TexLive.}
- @example
- apt-get install texlive-full
- @end example
- @noindent
- Start creating a business card by clicking the "Copy" button
- in @command{gnunet-namestore-gtk}. Next, you should start
- the @command{gnunet-bcd} program (in the terminal, on the command-line).
- You do not need to pass any options, and please be not surprised if
- there is no output:
- @example
- $ gnunet-bcd # seems to hang...
- @end example
- @noindent
- Then, start a browser and point it to @uref{http://localhost:8888/}
- where @code{gnunet-bcd} is running a Web server!
- First, you might want to fill in the "GNS Public Key" field by
- right-clicking and selecting "Paste", filling in the public key
- from the copy you made in @command{gnunet-namestore-gtk}.
- Then, fill in all of the other fields, including your @b{GNS NICKname}.
- Adding a GPG fingerprint is optional.
- Once finished, click "Submit Query".
- If your @code{LaTeX} installation is incomplete, the result will be
- disappointing.
- Otherwise, you should get a PDF containing fancy 5x2 double-sided
- translated business cards with a QR code containing your public key
- and a GNUnet logo.
- We'll explain how to use those a bit later.
- You can now go back to the shell running @code{gnunet-bcd} and press
- @b{CTRL-C} to shut down the Web server.
- @node Be Social
- @subsection Be Social
- Next, you should print out your business card and be social.
- Find a friend, help them install GNUnet and exchange business cards with
- them. Or, if you're a desperate loner, you might try the next step with
- your own card. Still, it'll be hard to have a conversation with
- yourself later, so it would be better if you could find a friend.
- You might also want a camera attached to your computer, so
- you might need a trip to the store together.
- Before we get started, we need to tell @code{gnunet-qr} which zone
- it should import new records into. For this, run:
- @pindex gnunet-identity
- @example
- $ gnunet-identity -s namestore -e NAME
- @end example
- where NAME is the name of the zone you want to import records
- into. In our running example, this would be ``gnu''.
- @pindex gnunet-qr
- Henceforth, for every business card you collect, simply run:
- @example
- $ gnunet-qr
- @end example
- @noindent
- to open a window showing whatever your camera points at.
- Hold up your friend's business card and tilt it until
- the QR code is recognized. At that point, the window should
- automatically close. At that point, your friend's NICKname and their
- public key should have been automatically imported into your zone.
- Assuming both of your peers are properly integrated in the
- GNUnet network at this time, you should thus be able to
- resolve your friends names. Suppose your friend's nickname
- is "Bob". Then, type
- @pindex gnunet-gns
- @example
- $ gnunet-gns -u test.bob.gnu
- @end example
- @noindent
- to check if your friend was as good at following instructions
- as you were.
- @node Backup of Identities and Egos
- @subsection Backup of Identities and Egos
- One should always backup their files, especially in these SSD days (our
- team has suffered 3 SSD crashes over a span of 2 weeks). Backing up peer
- identity and zones is achieved by copying the following files:
- The peer identity file can be found
- in @file{~/.local/share/gnunet/private_key.ecc}
- The private keys of your egos are stored in the
- directory @file{~/.local/share/gnunet/identity/egos/}.
- They are stored in files whose filenames correspond to the zones'
- ego names. These are probably the most important files you want
- to backup from a GNUnet installation.
- Note: All these files contain cryptographic keys and they are
- stored without any encryption. So it is advisable to backup
- encrypted copies of them.
- @node Revocation
- @subsection Revocation
- Now, in the situation of an attacker gaining access to the private key of
- one of your egos, the attacker can create records in the respective
- GNS zone
- and publish them as if you published them. Anyone resolving your
- domain will get these new records and when they verify they seem
- authentic because the attacker has signed them with your key.
- To address this potential security issue, you can pre-compute
- a revocation certificate corresponding to your ego. This certificate,
- when published on the P2P network, flags your private key as invalid,
- and all further resolutions or other checks involving the key will fail.
- @pindex gnunet-revocation
- A revocation certificate is thus a useful tool when things go out of
- control, but at the same time it should be stored securely.
- Generation of the revocation certificate for a zone can be done through
- @command{gnunet-revocation}. For example, the following command (as
- unprivileged user) generates a revocation file
- @file{revocation.dat} for the zone @code{zone1}:
- @command{gnunet-revocation -f revocation.dat -R zone1}
- The above command only pre-computes a revocation certificate. It does
- not revoke the given zone. Pre-computing a revocation certificate
- involves computing a proof-of-work and hence may take up to 4 to 5 days
- on a modern processor. Note that you can abort and resume the
- calculation at any time. Also, even if you did not finish the
- calculation, the resulting file will contain the signature, which is
- sufficient to complete the revocation process even without access to
- the private key. So instead of waiting for a few days, you can just
- abort with CTRL-C, backup the revocation certificate and run the
- calculation only if your key actually was compromised. This has the
- disadvantage of revocation taking longer after the incident, but
- the advantage of saving a significant amount of energy. So unless
- you believe that a key compromise will need a rapid response, we
- urge you to wait with generating the revocation certificate.
- Also, the calculation is deliberately expensive, to deter people from
- doing this just for fun (as the actual revocation operation is expensive
- for the network, not for the peer performing the revocation).
- @c FIXME: The Manual should give away the command using an example that is
- @c very likely to never exist.
- To avoid TL;DR ones from accidentally revocating their zones, we are not
- giving away the command, but it is uncomplicated: the actual revocation is
- performed by using the @command{-p} option of @command{gnunet-revocation}.
- @node What's Next?
- @subsection What's Next?
- This may seem not like much of an application yet, but you have
- just been one of the first to perform a decentralized secure name
- lookup (where nobody could have altered the value supplied by your
- friend) in a privacy-preserving manner (your query on the network
- and the corresponding response were always encrypted). So what
- can you really do with this? Well, to start with, you can publish your
- GnuPG fingerprint in GNS as a "CERT" record and replace the public
- web-of-trust with its complicated trust model with explicit names
- and privacy-preserving resolution. Also, you should read the next
- chapter of the tutorial and learn how to use GNS to have a
- private conversation with your friend. Finally, help us
- with the next GNUnet release for even more applications
- using this new public key infrastructure.
- @pindex gnunet-conservation-gtk
- @node First steps - Using GNUnet Conversation
- @section First steps - Using GNUnet Conversation
- First, you should launch the graphical user interface. You can do
- this from the command-line by typing
- @example
- $ gnunet-conversation-gtk
- @end example
- @menu
- * Testing your Audio Equipment::
- * GNS Zones::
- @end menu
- @node Testing your Audio Equipment
- @subsection Testing your Audio Equipment
- First, you should use @code{gnunet-conversation-test} to check that your
- microphone and speaker are working correctly. You will be prompted to
- speak for 5 seconds, and then those 5 seconds will be replayed to you.
- The network is not involved in this test. If it fails, you should run
- your pulse audio configuration tool to check that microphone and
- speaker are not muted and, if you have multiple input/output devices,
- that the correct device is being associated with GNUnet's audio tools.
- @node GNS Zones
- @subsection GNS Zones
- @code{gnunet-conversation} uses GNS for addressing. This means that
- you need to have a GNS zone created before using it. Information
- about how to create GNS zones can be found here.
- @menu
- * Picking an Identity::
- * Calling somebody::
- @end menu
- @node Picking an Identity
- @subsubsection Picking an Identity
- To make a call with @code{gnunet-conversation}, you first
- need to choose an identity. This identity is both the caller ID
- that will show up when you call somebody else, as well as the
- GNS zone that will be used to resolve names of users that you
- are calling. Run
- @pindex gnunet-conversation
- @example
- gnunet-conversation -e zone-name
- @end example
- @noindent
- to start the command-line tool. You will see a message saying
- that your phone is now "active on line 0". You can connect
- multiple phones on different lines at the same peer. For the
- first phone, the line zero is of course a fine choice.
- Next, you should type in @command{/help} for a list of
- available commands. We will explain the important ones
- during this tutorial. First, you will need to type in
- @command{/address} to determine the address of your
- phone. The result should look something like this:
- @example
- /address
- 0-PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
- @end example
- @noindent
- Here, the "0" is your phone line, and what follows
- after the hyphen is your peer's identity. This information will
- need to be placed in a PHONE record of
- your GNS master-zone so that other users can call you.
- Start @code{gnunet-namestore-gtk} now (possibly from another
- shell) and create an entry home-phone in your master zone.
- For the record type, select PHONE. You should then see the
- PHONE dialog:
- @image{images/gnunet-namestore-gtk-phone,5in,,Dialog to publish a PHONE record}
- Note: Do not choose the expiry time to be 'Never'. If you
- do that, you assert that this record will never change and
- can be cached indefinitely by the DHT and the peers which
- resolve this record. A reasonable period is 1 year.
- Enter your peer identity under Peer and leave the line
- at zero. Select the first option to make the record public.
- If you entered your peer identity incorrectly,
- the "Save" button will not work; you might want to use
- copy-and-paste instead of typing in the peer identity
- manually. Save the record.
- @node Calling somebody
- @subsubsection Calling somebody
- Now you can call a buddy. Obviously, your buddy will have to have GNUnet
- installed and must have performed the same steps. Also, you must have
- your buddy in your GNS master zone, for example by having imported
- your buddy's public key using @code{gnunet-qr}. Suppose your buddy
- is in your zone as @code{buddy.mytld} and they also created their
- phone using a label "home-phone". Then you can initiate a call using:
- @example
- /call home-phone.buddy.mytld
- @end example
- It may take some time for GNUnet to resolve the name and to establish
- a link. If your buddy has your public key in their master zone, they
- should see an incoming call with your name. If your public key is not
- in their master zone, they will just see the public key as the caller ID.
- Your buddy then can answer the call using the "/accept" command. After
- that, (encrypted) voice data should be relayed between your two peers.
- Either of you can end the call using @command{/cancel}. You can exit
- @code{gnunet-conversation} using @command{/quit}.
- @node First steps - Using the GNUnet VPN
- @section First steps - Using the GNUnet VPN
- @menu
- * VPN Preliminaries::
- * GNUnet-Exit configuration::
- * GNS configuration::
- * Accessing the service::
- * Using a Browser::
- @end menu
- @node VPN Preliminaries
- @subsection VPN Preliminaries
- To test the GNUnet VPN, we should first run a web server.
- The easiest way to do this is to just start @code{gnunet-bcd},
- which will run a webserver on port @code{8888} by default.
- Naturally, you can run some other HTTP server for our little tutorial.
- If you have not done this, you should also configure your
- Name System Service switch to use GNS. In your @code{/etc/nsswitch.conf}
- you should fine a line like this:
- @example
- hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
- @end example
- @noindent
- The exact details may differ a bit, which is fine. Add the text
- @code{gns [NOTFOUND=return]} after @code{files}:
- @example
- hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4
- @end example
- @c TODO: outdated section, we no longer install this as part of the
- @c TODO: standard installation procedure and should point out the manual
- @c TODO: steps required to make it useful.
- @noindent
- You might want to make sure that @code{/lib/libnss_gns.so.2} exists on
- your system, it should have been created during the installation.
- If not, re-run
- @example
- $ configure --with-nssdir=/lib
- $ cd src/gns/nss; sudo make install
- @end example
- @noindent
- to install the NSS plugins in the proper location.
- @node GNUnet-Exit configuration
- @subsection GNUnet-Exit configuration
- Stop your peer (as user @code{gnunet}, run @command{gnunet-arm -e}) and
- run @command{gnunet-setup}. In @command{gnunet-setup}, make sure to
- activate the @strong{EXIT} and @strong{GNS} services in the General tab.
- Then select the Exit tab. Most of the defaults should be fine (but
- you should check against the screenshot that they have not been modified).
- In the bottom area, enter @code{bcd} under Identifier and change the
- Destination to @code{169.254.86.1:8888} (if your server runs on a port
- other than 8888, change the 8888 port accordingly).
- Now exit @command{gnunet-setup} and restart your peer
- (@command{gnunet-arm -s}).
- @node GNS configuration
- @subsection GNS configuration
- Now, using your normal user (not the @code{gnunet} system user), run
- @command{gnunet-namestore-gtk}. Add a new label www in your
- master zone. For the record type, select @code{VPN}. You should then
- see the VPN dialog:
- @image{images/gnunet-namestore-gtk-vpn,5in,,Dialog to publish a VPN record}
- Under peer, you need to supply the peer identity of your own peer. You can
- obtain the respective string by running @command{gnunet-peerinfo -sq}
- as the @code{gnunet} user. For the Identifier, you need to supply the same
- identifier that we used in the Exit setup earlier, so here supply "bcd".
- If you want others to be able to use the service, you should probably make
- the record public. For non-public services, you should use a passphrase
- instead of the string "bcd". Save the record and
- exit @command{gnunet-namestore-gtk}.
- @node Accessing the service
- @subsection Accessing the service
- You should now be able to access your webserver. Type in:
- @example
- $ wget http://www.gnu/
- @end example
- @noindent
- The request will resolve to the VPN record, telling the GNS resolver
- to route it via the GNUnet VPN. The GNS resolver will ask the
- GNUnet VPN for an IPv4 address to return to the application. The
- VPN service will use the VPN information supplied by GNS to create
- a tunnel (via GNUnet's MESH service) to the EXIT peer.
- At the EXIT, the name "bcd" and destination port (80) will be mapped
- to the specified destination IP and port. While all this is currently
- happening on just the local machine, it should also work with other
- peers --- naturally, they will need a way to access your GNS zone
- first, for example by learning your public key from a QR code on
- your business card.
- @node Using a Browser
- @subsection Using a Browser
- Sadly, modern browsers tend to bypass the Name Services Switch and
- attempt DNS resolution directly. You can either run
- a @code{gnunet-dns2gns} DNS proxy, or point the browsers to an
- HTTP proxy. When we tried it, Iceweasel did not like to connect to
- the socks proxy for @code{.gnu} TLDs, even if we disabled its
- autoblunder of changing @code{.gnu} to ".gnu.com". Still,
- using the HTTP proxy with Chrome does work.
- @node File-sharing
- @section File-sharing
- This chapter documents the GNUnet file-sharing application. The original
- file-sharing implementation for GNUnet was designed to provide
- @strong{anonymous} file-sharing. However, over time, we have also added
- support for non-anonymous file-sharing (which can provide better
- performance). Anonymous and non-anonymous file-sharing are quite
- integrated in GNUnet and, except for routing, share most of the concepts
- and implementation. There are three primary file-sharing operations:
- publishing, searching and downloading. For each of these operations,
- the user specifies an @strong{anonymity level}. If both the publisher and
- the searcher/downloader specify "no anonymity", non-anonymous
- file-sharing is used. If either user specifies some desired degree
- of anonymity, anonymous file-sharing will be used.
- After a short introduction, we will first look at the various concepts
- in GNUnet's file-sharing implementation. Then, we will discuss
- specifics as to how they impact users that publish, search or download
- files.
- @menu
- * fs-Searching::
- * fs-Downloading::
- * fs-Publishing::
- * fs-Concepts::
- * Namespace Management::
- * File-Sharing URIs::
- * GTK User Interface::
- @end menu
- @node fs-Searching
- @subsection Searching
- The command @command{gnunet-search} can be used to search
- for content on GNUnet. The format is:
- @example
- $ gnunet-search [-t TIMEOUT] KEYWORD
- @end example
- @noindent
- The @command{-t} option specifies that the query should timeout after
- approximately TIMEOUT seconds. A value of zero (``0'') is interpreted
- as @emph{no timeout}, which is the default. In this case,
- @command{gnunet-search} will never terminate (unless you press
- @command{CTRL-C}).
- If multiple words are passed as keywords, they will all be
- considered optional. Prefix keywords with a "+" to make them mandatory.
- Note that searching using
- @example
- $ gnunet-search Das Kapital
- @end example
- @noindent
- is not the same as searching for
- @example
- $ gnunet-search "Das Kapital"
- @end example
- @noindent
- as the first will match files shared under the keywords
- "Das" or "Kapital" whereas the second will match files
- shared under the keyword "Das Kapital".
- Search results are printed by @command{gnunet-search} like this:
- @c it will be better the avoid the ellipsis altogether because I don't
- @c understand the explanation below that
- @c ng0: who is ``I'' and what was the complete sentence?
- @example
- #15:
- gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
- @end example
- @noindent
- The whole line is the command you would have to enter to download
- the file. The first argument passed to @code{-o} is the suggested
- filename (you may change it to whatever you like).
- It is followed by the key for decrypting the file, the query for
- searching the file, a checksum (in hexadecimal) finally the size of
- the file in bytes.
- @node fs-Downloading
- @subsection Downloading
- In order to download a file, you need the whole line returned by
- @command{gnunet-search}.
- You can then use the tool @command{gnunet-download} to obtain the file:
- @example
- $ gnunet-download -o <FILENAME> <GNUNET-URL>
- @end example
- @noindent
- FILENAME specifies the name of the file where GNUnet is supposed
- to write the result. Existing files are overwritten. If the
- existing file contains blocks that are identical to the
- desired download, those blocks will not be downloaded again
- (automatic resume).
- If you want to download the GPL from the previous example,
- you do the following:
- @example
- $ gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
- @end example
- @noindent
- If you ever have to abort a download, you can continue it at any time by
- re-issuing @command{gnunet-download} with the same filename.
- In that case, GNUnet will @strong{not} download blocks again that are
- already present.
- GNUnet's file-encoding mechanism will ensure file integrity, even if the
- existing file was not downloaded from GNUnet in the first place.
- You may want to use the @command{-V} switch to turn on verbose
- reporting. In this case, @command{gnunet-download} will print the
- current number of bytes downloaded whenever new data was received.
- @node fs-Publishing
- @subsection Publishing
- The command @command{gnunet-publish} can be used to add content
- to the network. The basic format of the command is
- @example
- $ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME
- @end example
- For example
- @example
- $ gnunet-publish -m "description:GNU License" -k gpl -k test -m "mimetype:text/plain" COPYING
- @end example
- @menu
- * Important command-line options::
- * Indexing vs. Inserting::
- @end menu
- @node Important command-line options
- @subsubsection Important command-line options
- The option @code{-k} is used to specify keywords for the file that
- should be inserted. You can supply any number of keywords,
- and each of the keywords will be sufficient to locate and
- retrieve the file. Please note that you must use the @code{-k} option
- more than once -- one for each expression you use as a keyword for
- the filename.
- The -m option is used to specify meta-data, such as descriptions.
- You can use -m multiple times. The TYPE passed must be from the
- list of meta-data types known to libextractor. You can obtain this
- list by running @command{extract -L}. Use quotes around the entire
- meta-data argument if the value contains spaces. The meta-data
- is displayed to other users when they select which files to
- download. The meta-data and the keywords are optional and
- may be inferred using @code{GNU libextractor}.
- @command{gnunet-publish} has a few additional options to handle
- namespaces and directories. Refer to the man-page for details:
- @example
- man gnunet-publish
- @end example
- @node Indexing vs. Inserting
- @subsubsection Indexing vs Inserting
- By default, GNUnet indexes a file instead of making a full copy.
- This is much more efficient, but requires the file to stay unaltered
- at the location where it was when it was indexed. If you intend to move,
- delete or alter a file, consider using the option @code{-n} which will
- force GNUnet to make a copy of the file in the database.
- Since it is much less efficient, this is strongly discouraged for large
- files. When GNUnet indexes a file (default), GNUnet does @strong{not}
- create an additional encrypted copy of the file but just computes a
- summary (or index) of the file. That summary is approximately two percent
- of the size of the original file and is stored in GNUnet's database.
- Whenever a request for a part of an indexed file reaches GNUnet,
- this part is encrypted on-demand and send out. This way, there is no
- need for an additional encrypted copy of the file to stay anywhere
- on the drive. This is different from other systems, such as Freenet,
- where each file that is put online must be in Freenet's database in
- encrypted format, doubling the space requirements if the user wants
- to preserve a directly accessible copy in plaintext.
- Thus indexing should be used for all files where the user will keep
- using this file (at the location given to gnunet-publish) and does
- not want to retrieve it back from GNUnet each time. If you want to
- remove a file that you have indexed from the local peer, use the tool
- @command{gnunet-unindex} to un-index the file.
- The option @code{-n} may be used if the user fears that the file might
- be found on their drive (assuming the computer comes under the control
- of an adversary). When used with the @code{-n} flag, the user has a
- much better chance of denying knowledge of the existence of the file,
- even if it is still (encrypted) on the drive and the adversary is
- able to crack the encryption (e.g. by guessing the keyword.
- @node fs-Concepts
- @subsection Concepts
- For better results with filesharing it is useful to understand the
- following concepts.
- In addition to anonymous routing GNUnet attempts to give users a better
- experience in searching for content. GNUnet uses cryptography to safely
- break content into smaller pieces that can be obtained from different
- sources without allowing participants to corrupt files. GNUnet makes it
- difficult for an adversary to send back bogus search results. GNUnet
- enables content providers to group related content and to establish a
- reputation. Furthermore, GNUnet allows updates to certain content to be
- made available. This section is supposed to introduce users to the
- concepts that are used to achieve these goals.
- @menu
- * Files::
- * Keywords::
- * Directories::
- * Egos and File-Sharing::
- * Namespaces::
- * Advertisements::
- * Anonymity level::
- * Content Priority::
- * Replication::
- @end menu
- @node Files
- @subsubsection Files
- A file in GNUnet is just a sequence of bytes. Any file-format is allowed
- and the maximum file size is theoretically @math{2^64 - 1} bytes, except
- that it would take an impractical amount of time to share such a file.
- GNUnet itself never interprets the contents of shared files, except when
- using GNU libextractor to obtain keywords.
- @node Keywords
- @subsubsection Keywords
- Keywords are the most simple mechanism to find files on GNUnet.
- Keywords are @strong{case-sensitive} and the search string
- must always match @strong{exactly} the keyword used by the
- person providing the file. Keywords are never transmitted in
- plaintext. The only way for an adversary to determine the keyword
- that you used to search is to guess it (which then allows the
- adversary to produce the same search request). Since providing
- keywords by hand for each shared file is tedious, GNUnet uses
- GNU libextractor to help automate this process. Starting a
- keyword search on a slow machine can take a little while since
- the keyword search involves computing a fresh RSA key to formulate the
- request.
- @node Directories
- @subsubsection Directories
- A directory in GNUnet is a list of file identifiers with meta data.
- The file identifiers provide sufficient information about the files
- to allow downloading the contents. Once a directory has been created,
- it cannot be changed since it is treated just like an ordinary file
- by the network. Small files (of a few kilobytes) can be inlined in
- the directory, so that a separate download becomes unnecessary.
- Directories are shared just like ordinary files. If you download a
- directory with @command{gnunet-download}, you can use
- @command{gnunet-directory} to list its contents. The canonical
- extension for GNUnet directories when stored as files in your
- local file-system is ".gnd". The contents of a directory are URIs and
- meta data.
- The URIs contain all the information required by
- @command{gnunet-download} to retrieve the file. The meta data
- typically includes the mime-type, description, a filename and
- other meta information, and possibly even the full original file
- (if it was small).
- @node Egos and File-Sharing
- @subsubsection Egos and File-Sharing
- When sharing files, it is sometimes desirable to build a reputation as
- a source for quality information. With egos, publishers can
- (cryptographically) sign files, thereby demonstrating that various
- files were published by the same entity. An ego thus allows users to
- link different publication events, thereby deliberately reducing
- anonymity to pseudonymity.
- Egos used in GNUnet's file-sharing for such pseudonymous publishing
- also correspond to the egos used to identify and sign zones in the
- GNU Name System. However, if the same ego is used for file-sharing
- and for a GNS zone, this will weaken the privacy assurances provided
- by the anonymous file-sharing protocol.
- Note that an ego is NOT bound to a GNUnet peer. There can be multiple
- egos for a single user, and users could (theoretically) share
- the private keys of an ego by copying the respective private keys.
- @node Namespaces
- @subsubsection Namespaces
- A namespace is a set of files that were signed by the same ego.
- Today, namespaces are implemented independently of GNS zones, but
- in the future we plan to merge the two such that a GNS zone can
- basically contain files using a file-sharing specific record type.
- Files (or directories) that have been signed and placed into a
- namespace can be updated. Updates are identified as authentic if the
- same secret key was used to sign the update.
- @node Advertisements
- @subsubsection Advertisements
- Advertisements are used to notify other users about the existence of a
- namespace. Advertisements are propagated using the normal keyword
- search. When an advertisement is received (in response to a search),
- the namespace is added to the list of namespaces available in the
- namespace-search dialogs of gnunet-fs-gtk and printed by
- @code{gnunet-identity}. Whenever a namespace is created, an
- appropriate advertisement can be generated. The default keyword for
- the advertising of namespaces is "namespace".
- @node Anonymity level
- @subsubsection Anonymity level
- The anonymity level determines how hard it should be for an adversary to
- determine the identity of the publisher or the searcher/downloader. An
- anonymity level of zero means that anonymity is not required. The default
- anonymity level of "1" means that anonymous routing is desired, but no
- particular amount of cover traffic is necessary. A powerful adversary
- might thus still be able to deduce the origin of the traffic using
- traffic analysis. Specifying higher anonymity levels increases the
- amount of cover traffic required.
- The specific numeric value (for anonymity levels above 1) is simple:
- Given an anonymity level L (above 1), each request FS makes on your
- behalf must be hidden in L-1 equivalent requests of cover traffic
- (traffic your peer routes for others) in the same time-period. The
- time-period is twice the average delay by which GNUnet artificially
- delays traffic.
- While higher anonymity levels may offer better privacy, they can also
- significantly hurt performance.
- @node Content Priority
- @subsubsection Content Priority
- Depending on the peer's configuration, GNUnet peers migrate content
- between peers. Content in this sense are individual blocks of a file,
- not necessarily entire files. When peers run out of space (due to
- local publishing operations or due to migration of content from other
- peers), blocks sometimes need to be discarded. GNUnet first always
- discards expired blocks (typically, blocks are published with an
- expiration of about two years in the future; this is another option).
- If there is still not enough space, GNUnet discards the blocks with the
- lowest priority. The priority of a block is decided by its popularity
- (in terms of requests from peers we trust) and, in case of blocks
- published locally, the base-priority that was specified by the user
- when the block was published initially.
- @node Replication
- @subsubsection Replication
- When peers migrate content to other systems, the replication level
- of a block is used to decide which blocks need to be migrated most
- urgently. GNUnet will always push the block with the highest
- replication level into the network, and then decrement the replication
- level by one. If all blocks reach replication level zero, the
- selection is simply random.
- @node Namespace Management
- @subsection Namespace Management
- The @code{gnunet-identity} tool can be used to create egos.
- By default, @code{gnunet-identity -D} simply
- lists all locally available egos.
- @menu
- * Creating Egos::
- * Deleting Egos::
- @end menu
- @node Creating Egos
- @subsubsection Creating Egos
- With the @command{-C NICK} option it can also be used to create a new
- ego. An ego is the virtual identity of the entity in control of a
- namespace or GNS zone. Anyone can create any number of egos. The
- provided NICK name automatically corresponds to a GNU Name System
- domain name. Thus, henceforth name resolution for any name ending in
- ``.NICK'' will use the NICK's zone. You should avoid using NICKs that
- collide with well-known DNS names.
- @node Deleting Egos
- @subsubsection Deleting Egos
- With the @command{-D NICK} option egos can be deleted. Once the ego
- has been deleted it is impossible to add content to the corresponding
- namespace or zone. However, the existing GNS zone data is currently
- not dropped. This may change in the future.
- Deleting the pseudonym does not make the namespace or any content in
- it unavailable.
- @node File-Sharing URIs
- @subsection File-Sharing URIs
- GNUnet (currently) uses four different types of URIs for
- file-sharing. They all begin with "gnunet://fs/".
- This section describes the four different URI types in detail.
- For FS URIs empty KEYWORDs are not allowed. Quotes are allowed to
- denote whitespace between words. Keywords must contain a balanced
- number of double quotes. Doubles quotes can not be used in the actual
- keywords. This means that the the string '""foo bar""' will be turned
- into two OR-ed keywords 'foo' and 'bar', not into '"foo bar"'.
- @menu
- * Encoding of hash values in URIs::
- * Content Hash Key (chk)::
- * Location identifiers (loc)::
- * Keyword queries (ksk)::
- * Namespace content (sks)::
- @end menu
- @node Encoding of hash values in URIs
- @subsubsection Encoding of hash values in URIs
- Most URIs include some hash values. Hashes are encoded using
- base32hex (RFC 2938).
- @cindex chk-uri
- @node Content Hash Key (chk)
- @subsubsection Content Hash Key (chk)
- A chk-URI is used to (uniquely) identify a file or directory
- and to allow peers to download the file. Files are stored in
- GNUnet as a tree of encrypted blocks.
- The chk-URI thus contains the information to download and decrypt
- those blocks. A chk-URI has the format
- "gnunet://fs/chk/KEYHASH.QUERYHASH.SIZE". Here, "SIZE"
- is the size of the file (which allows a peer to determine the
- shape of the tree), KEYHASH is the key used to decrypt the file
- (also the hash of the plaintext of the top block) and QUERYHASH
- is the query used to request the top-level block (also the hash
- of the encrypted block).
- @cindex loc-uri
- @node Location identifiers (loc)
- @subsubsection Location identifiers (loc)
- For non-anonymous file-sharing, loc-URIs are used to specify which
- peer is offering the data (in addition to specifying all of the
- data from a chk-URI). Location identifiers include a digital
- signature of the peer to affirm that the peer is truly the
- origin of the data. The format is
- "gnunet://fs/loc/KEYHASH.QUERYHASH.SIZE.PEER.SIG.EXPTIME".
- Here, "PEER" is the public key of the peer (in GNUnet format in
- base32hex), SIG is the RSA signature (in GNUnet format in
- base32hex) and EXPTIME specifies when the signature expires
- (in milliseconds after 1970).
- @cindex ksk-uri
- @node Keyword queries (ksk)
- @subsubsection Keyword queries (ksk)
- A keyword-URI is used to specify that the desired operation
- is the search using a particular keyword. The format is simply
- "gnunet://fs/ksk/KEYWORD". Non-ASCII characters can be specified
- using the typical URI-encoding (using hex values) from HTTP.
- "+" can be used to specify multiple keywords (which are then
- logically "OR"-ed in the search, results matching both keywords
- are given a higher rank): "gnunet://fs/ksk/KEYWORD1+KEYWORD2".
- ksk-URIs must not begin or end with the plus ('+') character.
- Furthermore they must not contain '++'.
- @cindex sks-uri
- @node Namespace content (sks)
- @subsubsection Namespace content (sks)
- @b{Please note that the text in this subsection is outdated and needs}
- @b{to be rewritten for version 0.10!}
- @b{This especially concerns the terminology of Pseudonym/Ego/Identity.}
- Namespaces are sets of files that have been approved by some (usually
- pseudonymous) user --- typically by that user publishing all of the
- files together. A file can be in many namespaces. A file is in a
- namespace if the owner of the ego (aka the namespace's private key)
- signs the CHK of the file cryptographically. An SKS-URI is used to
- search a namespace. The result is a block containing meta data,
- the CHK and the namespace owner's signature. The format of a sks-URI
- is "gnunet://fs/sks/NAMESPACE/IDENTIFIER". Here, "NAMESPACE"
- is the public key for the namespace. "IDENTIFIER" is a freely
- chosen keyword (or password!). A commonly used identifier is
- "root" which by convention refers to some kind of index or other
- entry point into the namespace.
- @node GTK User Interface
- @subsection GTK User Interface
- This chapter describes first steps for file-sharing with GNUnet.
- To start, you should launch @command{gnunet-fs-gtk}.
- As we want to be sure that the network contains the data that we are
- looking for for testing, we need to begin by publishing a file.
- @menu
- * gtk-Publishing::
- * gtk-Searching::
- * gtk-Downloading::
- @end menu
- @node gtk-Publishing
- @subsubsection Publishing
- To publish a file, select "File Sharing" in the menu bar just below the
- "Statistics" icon, and then select "Publish" from the menu.
- Afterwards, the following publishing dialog will appear:
- @image{images/gnunet-gtk-0-10-fs-publish,5in,,The gnunet-fs-gtk publishing dialog}
- In this dialog, select the "Add File" button. This will open a
- file selection dialog:
- @image{images/gnunet-gtk-0-10-fs-publish-select,5in,,Dialog to select the file to publish (looks may differ for other Gtk+ versions)}
- Now, you should select a file from your computer to be published on
- GNUnet. To see more of GNUnet's features later, you should pick a
- PNG or JPEG file this time. You can leave all of the other options
- in the dialog unchanged. Confirm your selection by pressing the "OK"
- button in the bottom right corner. Now, you will briefly see a
- "Messages..." dialog pop up, but most likely it will be too short for
- you to really read anything. That dialog is showing you progress
- information as GNUnet takes a first look at the selected file(s).
- For a normal image, this is virtually instant, but if you later
- import a larger directory you might be interested in the progress dialog
- and potential errors that might be encountered during processing.
- After the progress dialog automatically disappears, your file
- should now appear in the publishing dialog:
- @image{images/gnunet-gtk-0-10-fs-publish-with-file,5in,,Publishing dialog with file added}
- Now, select the file (by clicking on the file name) and then click
- the "Edit" button. This will open the editing dialog:
- @image{images/gnunet-gtk-0-10-fs-publish-editing,5in,,Editing meta data of a file to be published}
- In this dialog, you can see many details about your file. In the
- top left area, you can see meta data extracted about the file,
- such as the original filename, the mimetype and the size of the image.
- In the top right, you should see a preview for the image
- (if GNU libextractor was installed correctly with the
- respective plugins). Note that if you do not see a preview, this
- is not a disaster, but you might still want to install more of
- GNU libextractor in the future. In the bottom left, the dialog contains
- a list of keywords. These are the keywords under which the file will be
- made available. The initial list will be based on the extracted meta data.
- Additional publishing options are in the right bottom corner. We will
- now add an additional keyword to the list of keywords. This is done by
- entering the keyword above the keyword list between the label "Keyword"
- and the "Add keyword" button. Enter "test" and select "Add keyword".
- Note that the keyword will appear at the bottom of the existing keyword
- list, so you might have to scroll down to see it. Afterwards, push the
- "OK" button at the bottom right of the dialog.
- You should now be back at the "Publish content on GNUnet" dialog. Select
- "Execute" in the bottom right to close the dialog and publish your file
- on GNUnet! Afterwards, you should see the main dialog with a new area
- showing the list of published files (or ongoing publishing operations
- with progress indicators).
- @node gtk-Searching
- @subsubsection Searching
- Below the menu bar, there are four entry widges labeled "Namespace",
- "Keywords", "Anonymity" and "Mime-type" (from left to right). These
- widgets are used to control searching for files in GNUnet. Between the
- "Keywords" and "Anonymity" widgets, there is also a big "Search" button,
- which is used to initiate the search. We will ignore the "Namespace",
- "Anonymity" and "Mime-type" options in this tutorial, please leave them
- empty. Instead, simply enter "test" under "Keywords" and press "Search".
- Afterwards, you should immediately see a new tab labeled after your
- search term, followed by the (current) number of search
- results --- "(15)" in our screenshot. Note that your results may
- vary depending on what other users may have shared and how your
- peer is connected.
- You can now select one of the search results. Once you do this,
- additional information about the result should be displayed on the
- right. If available, a preview image should appear on the top right.
- Meta data describing the file will be listed at the bottom right.
- Once a file is selected, at the bottom of the search result list
- a little area for downloading appears.
- @node gtk-Downloading
- @subsubsection Downloading
- In the downloading area, you can select the target directory (default is
- "Downloads") and specify the desired filename (by default the filename it
- taken from the meta data of the published file). Additionally, you can
- specify if the download should be anonymous and (for directories) if
- the download should be recursive. In most cases, you can simply start
- the download with the "Download!" button.
- Once you selected download, the progress of the download will be
- displayed with the search result. You may need to resize the result
- list or scroll to the right. The "Status" column shows the current
- status of the download, and "Progress" how much has been completed.
- When you close the search tab (by clicking on the "X" button next to
- the "test" label), ongoing and completed downloads are not aborted
- but moved to a special "*" tab.
- You can remove completed downloads from the "*" tab by clicking the
- cleanup button next to the "*". You can also abort downloads by right
- clicking on the respective download and selecting "Abort download"
- from the menu.
- That's it, you now know the basics for file-sharing with GNUnet!
- @node The GNU Name System
- @section The GNU Name System
- The GNU Name System (GNS) is secure and decentralized naming system.
- It allows its users to register names as @dfn{top-level domains} (TLDs) and
- resolve other namespaces within their TLDs.
- GNS is designed to provide:
- @itemize @bullet
- @item Censorship resistance
- @item Query privacy
- @item Secure name resolution
- @item Compatibility with DNS
- @end itemize
- For the initial configuration and population of your
- GNS installation, please follow the GNS setup instructions.
- The remainder of this chapter will provide some background on GNS
- and then describe how to use GNS in more detail.
- Unlike DNS, GNS does not rely on central root zones or authorities.
- Instead any user administers their own root and can can create arbitrary
- name value mappings. Furthermore users can delegate resolution to other
- users' zones just like DNS NS records do. Zones are uniquely identified
- via public keys and resource records are signed using the corresponding
- public key. Delegation to another user's zone is done using special PKEY
- records and petnames. A petname is a name that can be freely chosen by
- the user. This results in non-unique name-value mappings as
- @code{@uref{http://www.bob.gnu/, www.bob.gnu}} to one user might be
- @code{@uref{http://www.friend.gnu/, www.friend.gnu}} for someone else.
- @menu
- * Creating a Zone::
- * Maintaining your own Zones::
- * Obtaining your Zone Key::
- * Adding Links to Other Zones::
- * Using Public Keys as Top Level Domains::
- * Resource Records in GNS::
- * Synchronizing with legacy DNS::
- * Migrating an existing DNS zone into GNS::
- @end menu
- @node Creating a Zone
- @subsection Creating a Zone
- To use GNS, you probably should create at least one zone of your own.
- You can create any number of zones using the gnunet-identity tool
- using:
- @example
- $ gnunet-identity -C "myzone"
- @end example
- Henceforth, on your system you control the TLD ``myzone''.
- All of your zones can be listed (displayed) using the
- @command{gnunet-identity} command line tool as well:
- @example
- $ gnunet-identity -d
- @end example
- @node Maintaining your own Zones
- @subsection Maintaining your own Zones
- @noindent
- Now you can add (or edit, or remove) records in your GNS zone using the
- @command{gnunet-namestore-gtk} GUI or using the @command{gnunet-namestore}
- command-line tool.
- In either case, your records will be stored in an SQL database under
- control of the @command{gnunet-service-namestore}.
- Note that if multiple users use one peer, the namestore database will
- include the combined records of all users.
- However, users will not be able to see each other's records
- if they are marked as private.
- To provide a short example for editing your own zone, suppose you
- have your own web server with the IP @code{1.2.3.4}. Then you can put an
- @code{A} record (@code{A} records in DNS are for IPv4 IP addresses)
- into your local zone ``myzone'' using the command:
- @example
- $ gnunet-namestore -z myzone -a -n www -t A -V 1.2.3.4 -e never
- @end example
- @noindent
- Afterwards, you will be able to access your webpage under "www.myzone"
- (assuming your webserver does not use virtual hosting, if it does,
- please read up on setting up the GNS proxy).
- Similar commands will work for other types of DNS and GNS records,
- the syntax largely depending on the type of the record.
- Naturally, most users may find editing the zones using the
- @command{gnunet-namestore-gtk} GUI to be easier.
- @node Obtaining your Zone Key
- @subsection Obtaining your Zone Key
- Each zone in GNS has a public-private key. Usually, gnunet-namestore and
- gnunet-setup will access your private key as necessary, so you do not
- have to worry about those. What is important is your public key
- (or rather, the hash of your public key), as you will likely want to
- give it to others so that they can securely link to you.
- You can usually get the hash of your public key using
- @example
- $ gnunet-identity -d $options | grep myzone | awk '@{print $3@}'
- @end example
- @noindent
- For example, the output might be something like:
- @example
- DC3SEECJORPHQNVRH965A6N74B1M37S721IG4RBQ15PJLLPJKUE0
- @end example
- @noindent
- Alternatively, you can obtain a QR code with your zone key AND your
- pseudonym from gnunet-namestore-gtk. The QR code is displayed in the
- main window and can be stored to disk using the ``Save as'' button
- next to the image.
- @node Adding Links to Other Zones
- @subsection Adding Links to Other Zones
- A central operation in GNS is the ability to securely delegate to
- other zones. Basically, by adding a delegation you make all of the
- names from the other zone available to yourself. This section
- describes how to create delegations.
- Suppose you have a friend who you call 'bob' who also uses GNS.
- You can then delegate resolution of names to Bob's zone by adding
- a PKEY record to their local zone:
- @example
- $ gnunet-namestore -a -n bob --type PKEY -V XXXX -e never -Z myzone
- @end example
- @noindent
- Note that ``XXXX'' in the command above must be replaced with the hash
- of Bob's public key (the output your friend obtained using the
- @command{gnunet-identity} command from the previous section and told
- you, for example by giving you a business card containing this
- information as a QR code).
- Assuming Bob has an ``A'' record for their website under the name of
- ``www'' in his zone, you can then access Bob's website under
- ``www.bob.myzone'' --- as well as any (public) GNS record that Bob has
- in their zone by replacing www with the respective name of the
- record in Bob's zone.
- @c themselves? themself?
- Furthermore, if Bob has themselves a (public) delegation to Carol's
- zone under "carol", you can access Carol's records under
- ``NAME.carol.bob.myzone'' (where ``NAME'' is the name of Carol's
- record you want to access).
- @node Using Public Keys as Top Level Domains
- @subsection Using Public Keys as Top Level Domains
- GNS also assumes responsibility for any name that uses in a
- well-formed public key for the TLD. Names ending this way are then
- resolved by querying the respective zone. Such public key TLDs are
- expected to be used under rare circumstances where globally unique
- names are required, and for integration with legacy systems.
- @node Resource Records in GNS
- @subsection Resource Records in GNS
- GNS supports the majority of the DNS records as defined in
- @uref{http://www.ietf.org/rfc/rfc1035.txt, RFC 1035}. Additionally,
- GNS defines some new record types the are unique to the GNS system.
- For example, GNS-specific resource records are used to give petnames
- for zone delegation, revoke zone keys and provide some compatibility
- features.
- For some DNS records, GNS does extended processing to increase their
- usefulness in GNS. In particular, GNS introduces special names
- referred to as "zone relative names". Zone relative names are allowed
- in some resource record types (for example, in NS and CNAME records)
- and can also be used in links on webpages. Zone relative names end
- in ".+" which indicates that the name needs to be resolved relative
- to the current authoritative zone. The extended processing of those
- names will expand the ".+" with the correct delegation chain to the
- authoritative zone (replacing ".+" with the name of the location
- where the name was encountered) and hence generate a
- valid GNS name.
- GNS currently supports the following record types:
- @menu
- * NICK::
- * PKEY::
- * BOX::
- * LEHO::
- * VPN::
- * A AAAA and TXT::
- * CNAME::
- * GNS2DNS::
- * SOA SRV PTR and MX::
- * PLACE::
- * PHONE::
- * ID ATTR::
- * ID TOKEN::
- * ID TOKEN METADATA::
- * CREDENTIAL::
- * POLICY::
- * ATTRIBUTE::
- * ABE KEY::
- * ABE MASTER::
- * RECLAIM OIDC CLIENT::
- * RECLAIM OIDC REDIRECT::
- @end menu
- @node NICK
- @subsubsection NICK
- A NICK record is used to give a zone a name. With a NICK record, you
- can essentially specify how you would like to be called. GNS expects
- this record under the empty label ``@@'' in the zone's database
- (NAMESTORE); however, it will then automatically be copied into each
- record set, so that clients never need to do a separate lookup to
- discover the NICK record. Also, users do not usually have to worry
- about setting the NICK record: it is automatically set to the local
- name of the TLD.
- @b{Example}@
- @example
- Name: @@; RRType: NICK; Value: bob
- @end example
- @noindent
- This record in Bob's zone will tell other users that this zone wants
- to be referred to as 'bob'. Note that nobody is obliged to call Bob's
- zone 'bob' in their own zones. It can be seen as a
- recommendation ("Please call this zone 'bob'").
- @node PKEY
- @subsubsection PKEY
- PKEY records are used to add delegation to other users' zones and
- give those zones a petname.
- @b{Example}@
- Let Bob's zone be identified by the hash "ABC012". Bob is your friend
- so you want to give them the petname "friend". Then you add the
- following record to your zone:
- @example
- Name: friend; RRType: PKEY; Value: ABC012;
- @end example
- @noindent
- This will allow you to resolve records in bob's zone
- under "*.friend.gnu".
- @node BOX
- @subsubsection BOX
- BOX records are there to integrate information from TLSA or
- SRV records under the main label. In DNS, TLSA and SRV records
- use special names of the form @code{_port._proto.(label.)*tld} to
- indicate the port number and protocol (i.e. tcp or udp) for which
- the TLSA or SRV record is valid. This causes various problems, and
- is elegantly solved in GNS by integrating the protocol and port
- numbers together with the respective value into a "BOX" record.
- Note that in the GUI, you do not get to edit BOX records directly
- right now --- the GUI will provide the illusion of directly
- editing the TLSA and SRV records, even though they internally
- are BOXed up.
- @node LEHO
- @subsubsection LEHO
- The LEgacy HOstname of a server. Some webservers expect a specific
- hostname to provide a service (virtiual hosting). Also SSL
- certificates usually contain DNS names. To provide the expected
- legacy DNS name for a server, the LEHO record can be used.
- To mitigate the just mentioned issues the GNS proxy has to be used.
- The GNS proxy will use the LEHO information to apply the necessary
- transformations.
- @node VPN
- @subsubsection VPN
- GNS allows easy access to services provided by the GNUnet Virtual Public
- Network. When the GNS resolver encounters a VPN record it will contact
- the VPN service to try and allocate an IPv4/v6 address (if the queries
- record type is an IP address) that can be used to contact the service.
- @b{Example}@
- I want to provide access to the VPN service "web.gnu." on port 80 on peer
- ABC012:@
- Name: www; RRType: VPN; Value: 80 ABC012 web.gnu.
- The peer ABC012 is configured to provide an exit point for the service
- "web.gnu." on port 80 to it's server running locally on port 8080 by
- having the following lines in the @file{gnunet.conf} configuration file:
- @example
- [web.gnunet.]
- TCP_REDIRECTS = 80:localhost4:8080
- @end example
- @node A AAAA and TXT
- @subsubsection A AAAA and TXT
- Those records work in exactly the same fashion as in traditional DNS.
- @node CNAME
- @subsubsection CNAME
- As specified in RFC 1035 whenever a CNAME is encountered the query
- needs to be restarted with the specified name. In GNS a CNAME
- can either be:
- @itemize @bullet
- @item A zone relative name,
- @item A zkey name or
- @item A DNS name (in which case resolution will continue outside
- of GNS with the systems DNS resolver)
- @end itemize
- @node GNS2DNS
- @subsubsection GNS2DNS
- GNS can delegate authority to a legacy DNS zone. For this, the
- name of the DNS nameserver and the name of the DNS zone are
- specified in a GNS2DNS record.
- @b{Example}
- @example
- Name: pet; RRType: GNS2DNS; Value: gnunet.org@@a.ns.joker.com
- @end example
- @noindent
- Any query to @code{pet.gnu} will then be delegated to the DNS server at
- @code{a.ns.joker.com}. For example,
- @code{@uref{http://www.pet.gnu/, www.pet.gnu}} will result in a DNS query
- for @code{@uref{http://www.gnunet.org/, www.gnunet.org}} to the server
- at @code{a.ns.joker.com}. Delegation to DNS via NS records in GNS can
- be useful if you do not want to start resolution in the DNS root zone
- (due to issues such as censorship or availability).
- Note that you would typically want to use a relative name for the
- nameserver, i.e.
- @example
- Name: pet; RRType: GNS2DNS; Value: gnunet.org@@ns-joker.+@
- Name: ns-joker; RRType: A; Value: 184.172.157.218
- @end example
- @noindent
- This way, you can avoid involving the DNS hierarchy in the resolution of
- @code{a.ns.joker.com}. In the example above, the problem may not be
- obvious as the nameserver for "gnunet.org" is in the ".com" zone.
- However, imagine the nameserver was "ns.gnunet.org". In this case,
- delegating to "ns.gnunet.org" would mean that despite using GNS,
- censorship in the DNS ".org" zone would still be effective.
- @node SOA SRV PTR and MX
- @subsubsection SOA SRV PTR and MX
- The domain names in those records can, again, be either
- @itemize @bullet
- @item A zone relative name,
- @item A zkey name or
- @item A DNS name
- @end itemize
- The resolver will expand the zone relative name if possible.
- Note that when using MX records within GNS, the target mail
- server might still refuse to accept e-mails to the resulting
- domain as the name might not match. GNS-enabled mail clients
- should use the ZKEY zone as the destination hostname and
- GNS-enabled mail servers should be configured to accept
- e-mails to the ZKEY-zones of all local users.
- To add a SOA record via the gnunet-namestore command line
- tool use the following syntax for the value option. Choose
- the other options according to your preference, however in
- this example we will use a relative expiry, add the record
- under the label @ and add the records to the zone bar
- which already exists:
- @example
- $ gnunet-namestore -a -n @ -t SOA -z bar -e 3600s -V \
- > "rname=$PRIMARY_NS \
- > mname=$CONTACT_MAIL \
- > $SERIAL,$REFRESH,$RETRY,$EXPIRY,$MINIMUM_TTL"
- @end example
- The above command filled in with values looks like this:
- @example
- $ gnunet-namestore -a -n @ -t SOA -z bar -e 3600s -V \
- > "rname=ns1.bar \
- > mname=root.bar \
- > 2019081701,3600,1800,86400,7200"
- @end example
- MX records use a similar syntax which is outlined in the
- example below. $SERVER is a domain name as mentioned above.
- @example
- $ gnunet-namestore -a -n mail -t MX -z bar -e 3600s -V \
- > "$PRIORITY,$SERVER"
- @end example
- With the values substituted this is an example of a working
- command:
- @example
- $ gnunet-namestore -a -n mail -t MX -z bar -e 3600s -V \
- > "10,mail.bar"
- @end example
- @node PLACE
- @subsubsection PLACE
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for a social place.
- @node PHONE
- @subsubsection PHONE
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for a phone (of CONVERSATION).
- @node ID ATTR
- @subsubsection ID ATTR
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for identity attributes (of IDENTITY).
- @node ID TOKEN
- @subsubsection ID TOKEN
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for an identity token (of IDENTITY-TOKEN).
- @node ID TOKEN METADATA
- @subsubsection ID TOKEN METADATA
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for the private metadata of an identity token (of IDENTITY-TOKEN).
- @node CREDENTIAL
- @subsubsection CREDENTIAL
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for credential.
- @node POLICY
- @subsubsection POLICY
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for policies.
- @node ATTRIBUTE
- @subsubsection ATTRIBUTE
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for reverse lookups.
- @node ABE KEY
- @subsubsection ABE KEY
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for ABE records.
- @node ABE MASTER
- @subsubsection ABE MASTER
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for ABE master keys.
- @node RECLAIM OIDC CLIENT
- @subsubsection RECLAIM OIDC CLIENT
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for reclaim OIDC clients.
- @node RECLAIM OIDC REDIRECT
- @subsubsection RECLAIM OIDC REDIRECT
- @c TODO describe record type and give an example of how and
- @c when to use it
- Record type for reclaim OIDC redirect URIs.
- @node Synchronizing with legacy DNS
- @subsection Synchronizing with legacy DNS
- If you want to support GNS but the master database for a zone
- is only available and maintained in DNS, GNUnet includes the
- @command{gnunet-zoneimport} tool to monitor a DNS zone and
- automatically import records into GNS. Today, the tool does
- not yet support DNS AF(X)R, as we initially used it on the
- ``.fr'' zone which does not allow us to perform a DNS zone
- transfer. Instead, @command{gnunet-zoneimport} reads a list
- of DNS domain names from @code{stdin}, issues DNS queries for
- each, converts the obtained records (if possible) and stores
- the result in the namestore.
- @image{images/gns,6in,, picture of DNS-GNS data flow}
- The zonemaster service then takes the records from the namestore,
- publishes them into the DHT which makes the result available to the
- GNS resolver. In the GNS configuration, non-local zones can be
- configured to be intercepted by specifying ``.tld = PUBLICKEY'' in the
- configuration file in the ``[gns]'' section.
- Note that the namestore by default also populates the namecache.
- This pre-population is cryptographically expensive. Thus, on
- systems that only serve to import a large (millions of records)
- DNS zone and that do not have a local gns service in use, it
- is thus advisable to disable the namecache by setting the
- option ``DISABLE'' to ``YES'' in section ``[namecache]''.
- @node Migrating an existing DNS zone into GNS
- @subsection Migrating an existing DNS zone into GNS
- Ascension is a tool to migrate existing DNS zones into GNS.
- @xref{Migrating existing DNS zones into GNS}, for installation instructions and
- further information about Ascension.
- Compared to the gnunet-zoneimport tool it strictly uses AXFR or IXFR depending
- on whether or not there exists a SOA record for the zone. If that is the case it
- will take the serial as a reference point and request the zone. The server will
- either answer the IXFR request with a correct incremental zone or with the
- entire zone, which depends on the server configuration.
- After installing the tool according to the README file you have the following
- options:
- @example
- Ascension
- Usage:
- ascension <domain> [-d] [-p] [-s] [--minimum-ttl=<ttl>] \
- [--dry-run]
- ascension <domain> <port> [-d] [-p] [-s] \
- [--minimum-ttl=<ttl>] [--dry-run]
- ascension <domain> -n <transferns> [-d] [-p] \
- [-s] [--minimum-ttl=<ttl>] [--dry-run]
- ascension <domain> -n <transferns> <port> [-d] \
- [-p] [-s] [--minimum-ttl=<ttl>] [--dry-run]
- ascension -p | --public
- ascension -d | --debug
- ascension -s | --standalone
- ascension -h | --help
- ascension -v | --version
- Options:
- <domain> Domain to migrate
- <port> Port for zone transfer
- <transferns> DNS Server that does the zone transfer
- --minimum-ttl=<ttl> Minimum TTL for records to migrate \
- [default: 3600]
- --dry-run Only try if a zone transfer is allowed
- -p --public Make records public on the DHT
- -s --standalone Run ascension once
- -d --debug Enable debugging
- -h --help Show this screen.
- -v --version Show version.
- @end example
- Before you can migrate any zone though, you need to start a local GNUnet peer:
- @example
- $ gnunet-arm -s
- @end example
- To migrate the Syrian top level domain - one of the few top level domains that
- support zone transfers - into GNS use the following command:
- @example
- $ ascension sy. -n ns1.tld.sy. -p
- @end example
- The -p flag will tell GNS to put these records on the DHT so that other users
- may resolve these records by using the public key of the zone.
- Once the zone is migrated, Ascension will output a message telling you, that it
- will refresh the zone after the time has elapsed. You can resolve the names in
- the zone directly using GNS or if you want to use it with your browser, check
- out the GNS manual section. @ref{Configuring the GNU Name System}. To resolve
- the records from another system you need the respective zones PKEY. To get the
- zones public key, you can run the following command:
- @example
- $ gnunet-identity -dqe sy
- @end example
- Where "sy" is the name of the zone you want to migrate.
- You can share the PKEY of the zone with your friends. They can then resolve
- records in the zone by doing a lookup replacing the zone label with your PKEY:
- @example
- $ gnunet-gns -t SOA -u "$PKEY"
- @end example
- The program will continue to run as a daemon and update once the refresh time
- specified in the zones SOA record has elapsed.
- DNSCurve style records are supported in the latest release and they are added
- as a PKEY record to be referred to the respective GNS public key. Key
- distribution is still a problem but provided someone else has a public key
- under a given label it can be looked up.
- There is an unofficial Debian package called python3-ascension that adds a
- system user ascension and runs a GNUnet peer in the background.
- Ascension-bind is also an unofficial Debian package that on installation checks
- for running DNS zones and whether or not they are transferable using DNS zone
- transfer (AXFR). It asks the administrator which zones to migrate into GNS and
- installs a systemd unit file to keep the zone up to date. If you want to
- migrate different zones you might want to check the unit file from the package
- as a guide.
- @node reclaimID Identity Provider
- @section reclaimID Identity Provider
- The reclaimID Identity Provider (IdP) is a decentralized IdP service.
- It allows its users to manage and authorize third parties to access
- their identity attributes such as email or shipping addresses.
- It basically mimics the concepts of centralized IdPs, such as those
- offered by Google or Facebook.
- Like other IdPs, reclaimID features an (optional) OpenID-Connect
- 1.0-compliant protocol layer that can be used for websites to
- integrate reclaimID as an Identity Provider with little effort.
- @menu
- * Managing Attributes::
- * Sharing Attributes with Third Parties::
- * Revoking Authorizations of Third Parties::
- * OpenID Connect::
- @end menu
- @node Managing Attributes
- @subsection Managing Attributes
- Before adding attributes to an identity, you must first create an ego:
- @example
- $ gnunet-identity -C "user"
- @end example
- Henceforth, you can manage a new user profile of the user ``user''.
- To add an email address to your user profile, simply use the @command{gnunet-reclaim} command line tool::
- @example
- $ gnunet-reclaim -e "user" -a "email" -V "username@@example.gnunet"
- @end example
- All of your attributes can be listed using the @command{gnunet-reclaim}
- command line tool as well:
- @example
- $ gnunet-reclaim -e "user" -D
- @end example
- Currently, and by default, attribute values are interpreted as plain text.
- In the future there might be more value types such as X.509 certificate credentials.
- @node Sharing Attributes with Third Parties
- @subsection Sharing Attributes with Third Parties
- If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute:
- @example
- $ gnunet-reclaim -e "user" -r "PKEY" -i "attribute1,attribute2,..."
- @end example
- Where "PKEY" is the public key of the third party and "attribute1,attribute2,..." is a comma-separated list of attribute names, such as "email,name,...", that you want to share.
- The command will return a "ticket" string.
- You must give this "ticket" to the requesting third party.
- The third party can then retrieve your shared identity attributes using:
- @example
- $ gnunet-reclaim -e "friend" -C "ticket"
- @end example
- Where "friend" is the name for "user" that the requesting party is using.
- This will retrieve and list the shared identity attributes.
- The above command will also work if the user is currently offline since the attributes are retrieved from GNS.
- Further, the "ticket" can be re-used later to retrieve up-to-date attributes in case "friend" has changed the value(s). For instance, because his email address changed.
- To list all given authorizations (tickets) you can execute:
- @example
- $ gnunet-reclaim -e "friend" -T (TODO there is only a C and REST API for this at this time)
- @end example
- @node Revoking Authorizations of Third Parties
- @subsection Revoking Authorizations of Third Parties
- If you want to revoke the access of a third party to your attributes you can execute:
- @example
- $ gnunet-reclaim -e "user" -R "ticket"
- @end example
- This will prevent the third party from accessing the attribute in the future.
- Please note that if the third party has previously accessed the attribute, there is not way in which the system could have prevented the thiry party from storing the data.
- As such, only access to updated data in the future can be revoked.
- This behaviour is _exactly the same_ as with other IdPs.
- @node OpenID Connect
- @subsection OpenID Connect
- There is an OpenID Connect API for use with reclaimID.
- However, its use is quite complicated to setup.
- As a proof-of-concept, you can look at https://gitlab.com/reclaimid.
- In the PoC and by convention for reclaimID, the OpenID Connect Endpoints are
- found at:
- @example
- http://api.reclaim/openid/authorize
- http://api.reclaim/openid/token
- http://api.reclaim/openid/userinfo
- http://api.reclaim/openid/login
- @end example
- The token endpoint is protected using HTTP basic authentication.
- You can authenticate using any username and the password configured under:
- @example
- $ gnunet-config -s reclaim-rest-plugin -o PSW
- @end example
- The authorize endpoint is protected using a Cookie which can be obtained through
- a request against the login endpoint.
- This flow is meant to be used in the context of the OpenID Connect authorization
- flow to collect user consent interactively.
- Without a Cookie, the authorize endpoint redirects to a URI configured under:
- @example
- $ gnunet-config -s reclaim-rest-plugin -o ADDRESS
- @end example
- Our PoC includes a user interface (https://gitlab.com/reclaimid) which
- integrates this process is an OpenID Connect compatible fashion.
- The token endpoint is protected using OAuth2 and expects the grant
- which is retrieved from the authorization endpoint according to the standard.
- The userinfo endpoint is protected using OAuth2 and expects a bearer access
- token which is retrieved from a token request.
- In order to create and register a client you need to execute the following
- steps:
- @example
- $ gnunet-identity -C <client_name>
- $ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_REDIRECT -V <redirect_uri> -e 1d -p
- $ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p
- @end example
- The client_id will be the public key of the client.
- As a redirect URI, you may use any globally unique DNS or GNS URI.
- The client description will be displayed to the user on authorization.
- Any website or relying party must use the endpoint
- https://api.reclaim/openid/authorize in its authorization redirects, e.g.
- @example
- <a href="https://api.reclaim/openid/authorize?client_id=<PKEY>\
- &scope=email\
- &redirect_uri=<redirect_uri>\
- &nonce=<random>">Login</a>
- @end example
- This will direct the user's browser onto his local reclaimID instance.
- After giving consent, you will be provided with the OpenID Connect authorization
- code according to the specifications at your provided redirect URI.
- The example code for the PoC website can be found at https://gitlab.com/reclaimid/demo.
- @node Using the Virtual Public Network
- @section Using the Virtual Public Network
- @menu
- * Setting up an Exit node::
- * Fedora and the Firewall::
- * Setting up VPN node for protocol translation and tunneling::
- @end menu
- Using the GNUnet Virtual Public Network (VPN) application you can
- tunnel IP traffic over GNUnet. Moreover, the VPN comes
- with built-in protocol translation and DNS-ALG support, enabling
- IPv4-to-IPv6 protocol translation (in both directions).
- This chapter documents how to use the GNUnet VPN.
- The first thing to note about the GNUnet VPN is that it is a public
- network. All participating peers can participate and there is no
- secret key to control access. So unlike common virtual private
- networks, the GNUnet VPN is not useful as a means to provide a
- "private" network abstraction over the Internet. The GNUnet VPN
- is a virtual network in the sense that it is an overlay over the
- Internet, using its own routing mechanisms and can also use an
- internal addressing scheme. The GNUnet VPN is an Internet
- underlay --- TCP/IP applications run on top of it.
- The VPN is currently only supported on GNU/Linux systems.
- Support for operating systems that support TUN (such as FreeBSD)
- should be easy to add (or might not even require any coding at
- all --- we just did not test this so far). Support for other
- operating systems would require re-writing the code to create virtual
- network interfaces and to intercept DNS requests.
- The VPN does not provide good anonymity. While requests are routed
- over the GNUnet network, other peers can directly see the source
- and destination of each (encapsulated) IP packet. Finally, if you
- use the VPN to access Internet services, the peer sending the
- request to the Internet will be able to observe and even alter
- the IP traffic. We will discuss additional security implications
- of using the VPN later in this chapter.
- @node Setting up an Exit node
- @subsection Setting up an Exit node
- Any useful operation with the VPN requires the existence of an exit
- node in the GNUnet Peer-to-Peer network. Exit functionality can only
- be enabled on peers that have regular Internet access. If you want
- to play around with the VPN or support the network, we encourage
- you to setup exit nodes. This chapter documents how to setup an
- exit node.
- There are four types of exit functions an exit node can provide,
- and using the GNUnet VPN to access the Internet will only work
- nicely if the first three types are provided somewhere in
- the network. The four exit functions are:
- @itemize @bullet
- @item DNS: allow other peers to use your DNS resolver
- @item IPv4: allow other peers to access your IPv4 Internet connection
- @item IPv6: allow other peers to access your IPv6 Internet connection
- @item Local service: allow other peers to access a specific TCP or
- UDP service your peer is providing
- @end itemize
- By enabling "exit" in gnunet-setup and checking the respective boxes
- in the "exit" tab, you can easily choose which of the above exit
- functions you want to support.
- Note, however, that by supporting the first three functions you will
- allow arbitrary other GNUnet users to access the Internet via your
- system. This is somewhat similar to running a Tor exit node. The
- Torproject has a nice article about what to consider if you want
- to do this here. We believe that generally running a DNS exit node
- is completely harmless.
- The exit node configuration does currently not allow you to restrict the
- Internet traffic that leaves your system. In particular, you cannot
- exclude SMTP traffic (or block port 25) or limit to HTTP traffic using
- the GNUnet configuration. However, you can use your host firewall to
- restrict outbound connections from the virtual tunnel interface. This
- is highly recommended. In the future, we plan to offer a wider range
- of configuration options for exit nodes.
- Note that by running an exit node GNUnet will configure your kernel
- to perform IP-forwarding (for IPv6) and NAT (for IPv4) so that the
- traffic from the virtual interface can be routed to the Internet.
- In order to provide an IPv6-exit, you need to have a subnet routed
- to your host's external network interface and assign a subrange of
- that subnet to the GNUnet exit's TUN interface.
- When running a local service, you should make sure that the local
- service is (also) bound to the IP address of your EXIT interface
- (i.e. 169.254.86.1). It will NOT work if your local service is
- just bound to loopback. You may also want to create a "VPN" record
- in your zone of the GNU Name System to make it easy for others to
- access your service via a name instead of just the full service
- descriptor. Note that the identifier you assign the service can
- serve as a passphrase or shared secret, clients connecting to the
- service must somehow learn the service's name. VPN records in the
- GNU Name System can make this easier.
- @node Fedora and the Firewall
- @subsection Fedora and the Firewall
- When using an exit node on Fedora 15, the standard firewall can
- create trouble even when not really exiting the local system!
- For IPv4, the standard rules seem fine. However, for IPv6 the
- standard rules prohibit traffic from the network range of the
- virtual interface created by the exit daemon to the local IPv6
- address of the same interface (which is essentially loopback
- traffic, so you might suspect that a standard firewall would
- leave this traffic alone). However, as somehow for IPv6 the
- traffic is not recognized as originating from the local
- system (and as the connection is not already "established"),
- the firewall drops the traffic. You should still get ICMPv6
- packets back, but that's obviously not very useful.
- Possible ways to fix this include disabling the firewall (do you
- have a good reason for having it on?) or disabling the firewall
- at least for the GNUnet exit interface (or the respective
- IPv4/IPv6 address range). The best way to diagnose these kinds
- of problems in general involves setting the firewall to REJECT
- instead of DROP and to watch the traffic using wireshark
- (or tcpdump) to see if ICMP messages are generated when running
- some tests that should work.
- @node Setting up VPN node for protocol translation and tunneling
- @subsection Setting up VPN node for protocol translation and tunneling
- The GNUnet VPN/PT subsystem enables you to tunnel IP traffic over the
- VPN to an exit node, from where it can then be forwarded to the
- Internet. This section documents how to setup VPN/PT on a node.
- Note that you can enable both the VPN and an exit on the same peer.
- In this case, IP traffic from your system may enter your peer's VPN
- and leave your peer's exit. This can be useful as a means to do
- protocol translation. For example, you might have an application that
- supports only IPv4 but needs to access an IPv6-only site. In this case,
- GNUnet would perform 4to6 protocol translation between the VPN (IPv4)
- and the Exit (IPv6). Similarly, 6to4 protocol translation is also
- possible. However, the primary use for GNUnet would be to access
- an Internet service running with an IP version that is not supported
- by your ISP. In this case, your IP traffic would be routed via GNUnet
- to a peer that has access to the Internet with the desired IP version.
- Setting up an entry node into the GNUnet VPN primarily requires you
- to enable the "VPN/PT" option in "gnunet-setup". This will launch the
- "gnunet-service-vpn", "gnunet-service-dns" and "gnunet-daemon-pt"
- processes. The "gnunet-service-vpn" will create a virtual interface
- which will be used as the target for your IP traffic that enters the
- VPN. Additionally, a second virtual interface will be created by
- the "gnunet-service-dns" for your DNS traffic. You will then need to
- specify which traffic you want to tunnel over GNUnet. If your ISP only
- provides you with IPv4 or IPv6-access, you may choose to tunnel the
- other IP protocol over the GNUnet VPN. If you do not have an ISP
- (and are connected to other GNUnet peers via WLAN), you can also
- choose to tunnel all IP traffic over GNUnet. This might also provide
- you with some anonymity. After you enable the respective options
- and restart your peer, your Internet traffic should be tunneled
- over the GNUnet VPN.
- The GNUnet VPN uses DNS-ALG to hijack your IP traffic. Whenever an
- application resolves a hostname (i.e. 'gnunet.org'), the
- "gnunet-daemon-pt" will instruct the "gnunet-service-dns" to intercept
- the request (possibly route it over GNUnet as well) and replace the
- normal answer with an IP in the range of the VPN's interface.
- "gnunet-daemon-pt" will then tell "gnunet-service-vpn" to forward all
- traffic it receives on the TUN interface via the VPN to the original
- destination.
- For applications that do not use DNS, you can also manually create
- such a mapping using the gnunet-vpn command-line tool. Here, you
- specify the desired address family of the result (i.e. "-4"), and the
- intended target IP on the Internet ("-i 131.159.74.67") and
- "gnunet-vpn" will tell you which IP address in the range of your
- VPN tunnel was mapped.
- @command{gnunet-vpn} can also be used to access "internal" services
- offered by GNUnet nodes. So if you happen to know a peer and a
- service offered by that peer, you can create an IP tunnel to
- that peer by specifying the peer's identity, service name and
- protocol (--tcp or --udp) and you will again receive an IP address
- that will terminate at the respective peer's service.
|