added to the authorized_keys and known_hosts files used by OpenSSH for
connection authentication.
-\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility.
+\fBmonkeysphere\-host\fP is a Monkeysphere server admin utility for
+managing the host's OpenPGP host key.
.SH SUBCOMMANDS
\fBmonkeysphere\-host\fP takes various subcommands:
.TP
.B import\-key FILE NAME[:PORT]
-Import a pem-encoded ssh secret host key from file FILE. If FILE
-is `\-', then the key will be imported from stdin. NAME[:PORT] is used
-to specify the fully-qualified hostname (and port) used in the user ID
-of the new OpenPGP key. If PORT is not specified, the no port is
-added to the user ID, which means port 22 is assumed. `i' may be used
-in place of `import\-key'.
+Import a pem-encoded ssh secret host key from file FILE. If FILE is
+`\-', then the key will be imported from stdin. Only RSA keys are
+supported at the moment. NAME[:PORT] is used to specify the
+fully-qualified hostname (and port) used in the user ID of the new
+OpenPGP key. If PORT is not specified, then no port is added to the
+user ID, which means port 22 is assumed. `i' may be used in place of
+`import\-key'.
.TP
.B show\-key
Output information about host's OpenPGP and SSH keys. `s' may be used
used in place of `publish-key'. Note that there is no way to remove a
key from the public keyservers once it is published!
.TP
+.B version
+Show the monkeysphere version number. `v' may be used in place of
+`version'.
+.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
-.TP
-.B version
-show version number
Other commands:
.B diagnostics
Review the state of the monkeysphere server host key and report on
suggested changes. Among other checks, this includes making sure
-there is a valid host key, that the key is published, that the sshd
+there is a valid host key, that the key is not expired, that the sshd
configuration points to the right place, etc. `d' may be used in
place of `diagnostics'.
.SH SETUP HOST AUTHENTICATION
-To enable host verification via the monkeysphere, the host's key must
-be published to the Web of Trust. This is not done by default. To
-publish the host key to the keyservers, run the following command:
+To enable host verification via the monkeysphere, an OpenPGP key must
+be made out of the host's ssh key, and the key must be published to
+the Web of Trust. This is not done by default. The first step is to
+import the host's ssh key into a monkeysphere-style OpenPGP key. This
+is done with the import\-key command. When importing a key, you must
+specify the path to the host's ssh RSA key to import, and a hostname
+to use as the key's user ID:
+
+# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org
+
+On most systems, the ssh host RSA key is stored at
+/etc/ssh/ssh_host_rsa_key.
+
+Once the host key has been imported, it must be published to the Web
+of Trust so that users can retrieve the key when sshing to the host.
+The host key is published to the keyserver with the publish\-key
+command:
$ monkeysphere\-host publish\-key
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host's key. This is done using standard OpenPGP
keysigning techniques, usually: pull the key from the keyserver,
-verify and sign the key, and then re-publish the signature. Once an
-admin's signature is published, users logging into the host can use it
-to validate the host's key.
+verify and sign the key, and then re-publish the signature. Please
+see http://web.monkeysphere.info/signing-host-keys/ for more
+information. Once an admin's signature is published, users logging
+into the host can use it to validate the host's key without having to
+manually check the host key's fingerprint.
.SH ENVIRONMENT
the config file (defaults in parentheses):
.TP
MONKEYSPHERE_LOG_LEVEL
-Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
-increasing order of verbosity.
+Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity. (INFO)
.TP
MONKEYSPHERE_KEYSERVER
-OpenPGP keyserver to use (pool.sks\-keyservers.net).
+OpenPGP keyserver to use. (pool.sks\-keyservers.net)
.TP
MONKEYSPHERE_PROMPT
If set to `false', never prompt the user for confirmation. (true)
-
.SH FILES
.TP
/etc/monkeysphere/monkeysphere\-host.conf
-System monkeysphere-host config file.
+System monkeysphere\-host config file.
.TP
/var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg
A world-readable copy of the host's public key in OpenPGP format,
.SH AUTHOR
-Written by:
+This man page was written by:
Jameson Rollins <jrollins@fifthhorseman.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1),
-.BR sshd (8),
-
+.BR sshd (8)
projects / monkeysphere.git / blobdiff