1 .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
5 monkeysphere-host \- Monkeysphere host admin tool.
9 .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
11 .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
15 \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
16 for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
17 added to the authorized_keys and known_hosts files used by OpenSSH for
18 connection authentication.
20 \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
24 \fBmonkeysphere-host\fP takes various subcommands:
26 .B import-key FILE [NAME[:PORT]]
27 Import a pem-encoded ssh secret host key from file FILE. If FILE
28 is '-', then the key will be imported from stdin. NAME[:PORT] is used
29 to specify the hostname (and port) used in the user ID of the new
30 OpenPGP key. If NAME is not specified, then the system
31 fully-qualified domain name will be used (ie. `hostname -f'). If PORT
32 is not specified, the no port is added to the user ID, which means
33 port 22 is assumed. `i' may be used in place of `import-key'.
36 Output information about host's OpenPGP and SSH keys. `s' may be used
37 in place of `show-key'.
39 .B extend-key [EXPIRE]
40 Extend the validity of the OpenPGP key for the host until EXPIRE from
41 the present. If EXPIRE is not specified, then the user will be
42 prompted for the extension term. Expiration is specified as with
45 0 = key does not expire
46 <n> = key expires in n days
47 <n>w = key expires in n weeks
48 <n>m = key expires in n months
49 <n>y = key expires in n years
51 `e' may be used in place of `extend-key'.
53 .B add-hostname HOSTNAME
54 Add a hostname user ID to the server host key. `n+' may be used in
55 place of `add-hostname'.
57 .B revoke-hostname HOSTNAME
58 Revoke a hostname user ID from the server host key. `n-' may be used
59 in place of `revoke-hostname'.
61 .B add-revoker KEYID|FILE
62 Add a revoker to the host's OpenPGP key. The key ID will be loaded
63 from the keyserver. A file may be loaded instead of pulling the key
64 from the keyserver by specifying the path to the file as the argument,
65 or by specifying `-` to load from stdin. `r+' may be be used in place
69 Generate (with the option to publish) a revocation certificate for the
70 host's OpenPGP key. If such a certificate is published, your host key
71 will be permanently revoked. This subcommand will ask you a series of
72 questions, and then generate a key revocation certificate, sending it
73 to stdout. If you explicitly tell it to publish the revocation
74 certificate immediately, it will send it to the public keyservers.
78 Publish the host's OpenPGP key to the keyserver. `p' may be used in
79 place of `publish-key'.
82 Output a brief usage summary. `h' or `?' may be used in place of
92 Review the state of the monkeysphere server host key and report on
93 suggested changes. Among other checks, this includes making sure
94 there is a valid host key, that the key is published, that the sshd
95 configuration points to the right place, etc. `d' may be used in
96 place of `diagnostics'.
98 .SH SETUP HOST AUTHENTICATION
100 To enable host verification via the monkeysphere, the host's key must
101 be published to the Web of Trust. This is not done by default. To
102 publish the host key to the keyservers, run the following command:
104 $ monkeysphere-host publish-key
106 In order for users logging into the system to be able to identify the
107 host via the monkeysphere, at least one person (e.g. a server admin)
108 will need to sign the host's key. This is done using standard OpenPGP
109 keysigning techniques, usually: pull the key from the keyserver,
110 verify and sign the key, and then re-publish the signature. Once an
111 admin's signature is published, users logging into the host can use it
112 to validate the host's key.
116 The following environment variables will override those specified in
117 the config file (defaults in parentheses):
119 MONKEYSPHERE_LOG_LEVEL
120 Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
121 increasing order of verbosity.
123 MONKEYSPHERE_KEYSERVER
124 OpenPGP keyserver to use (pool.sks-keyservers.net).
127 If set to `false', never prompt the user for confirmation. (true)
133 /etc/monkeysphere/monkeysphere-host.conf
134 System monkeysphere-host config file.
136 /var/lib/monkeysphere/host/ssh_host_rsa_key
137 Copy of the host's private key in ssh format, suitable for use by
143 Jameson Rollins <jrollins@fifthhorseman.net>,
144 Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
145 Matthew Goins <mjgoins@openflows.com>
149 .BR monkeysphere (1),
150 .BR monkeysphere-authentication (8),
151 .BR monkeysphere (7),