X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Findex.mdwn;h=853c75b88635417c07fb33a3dc7d3a25f3f291bc;hb=5001c4b2f12540425be9e74c84beba3096981b21;hp=f7f9c06ab4fd5197319979ead4d82ab36faeeec9;hpb=95fd733cb4c029b4221c162a38bb30eb1413b569;p=monkeysphere.git diff --git a/website/index.mdwn b/website/index.mdwn index f7f9c06..853c75b 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -1,50 +1,81 @@ -Monkeysphere is a framework to leverage the OpenPGP web of trust for -OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added -to the authorized\_keys and known\_hosts files used by OpenSSH for -connection authentication. +The Monkeysphere project's goal is to extend the web of trust model +and other features of OpenPGP to other areas of the Internet to help +us securely identify each other while we work online. + +Specifically, monkeysphere is a framework to leverage the OpenPGP +web of trust for OpenSSH authentication. In other words, it allows +you to use your OpenPGP keys when using secure shell to both identify +yourself and the servers you administer or connect to. OpenPGP keys +are tracked via GnuPG, and managed in the `known_hosts` and +`authorized_keys` files used by OpenSSH for connection authentication. [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] ## Conceptual overview ## -[OpenSSH](http://openssh.com/) provides a functional way for -management of explicit RSA and DSA keys (without any type of [Public -Key Infrastructure -(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure)). The -basic idea of this project is to create a framework that uses +Everyone who has used secure shell is familiar with the prompt given +the first time you log in to a new server, asking if you want to trust +the server's key by verifying the key fingerprint. Unfortunately, +unless you have access to the server's key fingerprint through a +secure out-of-band channel, there is no way to verify that the +fingerprint you are presented with is in fact that of the server your +really trying to connect to. + +Many users also take advantage of OpenSSH's ability to use RSA or DSA +keys for authenticating to a server (known as +"`PubkeyAuthentication`"), rather than relying on a password exchange. +But again, the public part of the key needs to be transmitted to the +server through a secure out-of-band channel (usually via a separate +password-based SSH connection) in order for this type of +authentication to work + +[OpenSSH](http://openssh.com/) currently provides a functional way to +managing the RSA and DSA keys required for these interactions through +the `known_hosts` and `authorized_keys` files. However, it lacks +any type of [Public Key Infrastructure +(PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that +can verify that the keys being used really are the one required or +expected. + +The basic idea of the Monkeysphere is to create a framework that uses [GnuPG](http://www.gnupg.org/)'s keyring manipulation capabilities and -public keyservers to generate files that OpenSSH will accept and -handle as intended. This offers users of OpenSSH an effective PKI, +public keyserver communication to manage the keys that OpenSSH uses +for connection authentication. + +The Monkeysphere therefore provides an effective PKI for OpenSSH, including the possibility for key transitions, transitive identifications, revocations, and expirations. It also actively invites broader participation in the [OpenPGP](http://en.wikipedia.org/wiki/Openpgp) [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). +## Technical details ## + Under the Monkeysphere, both parties to an OpenSSH connection (client -and server) have a responsibility to explicitly designate who they -trust to certify the identity of the other party. This trust -designation is explicitly indicated with traditional GPG keyring trust -model. No modification is made to the SSH protocol on the wire (it -continues to use raw RSA public keys), and it should work with -unpatched OpenSSH software. - -Monkeysphere does not modify ssh in any way, and ssh can be used "out -of the box". Monkeysphere is a set of tools that manages keys in the -known\_hosts and authorized\_keys files that ssh uses for connection -authentication. +and server) explicitly designate who they trust to certify the +identity of the other party. These trust designations are explicitly +indicated with traditional GPG keyring trust models. Monkeysphere +then manages the keys in the `known_hosts` and `authorized_keys` +files directly, in such a way that is completely transparent to SSH. +No modification is made to the SSH protocol on the wire (it continues +to use raw RSA public keys), and no modification is needed to the +OpenSSH software. + +To emphasize: *no modifications to SSH are required to use the +Monkeysphere*. OpenSSH can be used as is; completely unpatched and +"out of the box". ## Philosophy ## Humans (and [monkeys](http://www.scottmccloud.com/comics/mi/mi-17/mi-17.html)) -have innate capacity to keep track of the identity of a finite number -of people. After our social sphere exceeds several dozen or several -hundred (depending on the individual), our ability to remember and -distinguish people begins to break down. In other words, at a certain -point, we can't know for sure that the person we ran into in the -produce aisle really is the same person who we met at the party last -week. +have the innate capacity to keep track of the identities of only a +finite number of people. After our social sphere exceeds several dozen +or several hundred (depending on the individual), our ability to +remember and distinguish people begins to break down. In other words, +at a certain point, we can't know for sure that the person we ran into +in the produce aisle really is the same person who we met at the party +last week. For most of us, this limitation has not posed much of a problem in our daily, off-line lives. With the Internet, however, we have an ability @@ -57,7 +88,7 @@ Fortunately, with online communications we have easy access to tools that can help us navigate these problems. [OpenPGP](http://en.wikipedia.org/wiki/Openpgp) (a cryptographic protocol commonly used for sending signed and encrypted email -messagess) is one such tool. In its simplest form, it allows us to +messages) is one such tool. In its simplest form, it allows us to sign our communication in such a way that the recipient can verify the sender. @@ -66,7 +97,8 @@ the [web of trust](http://en.wikipedia.org/wiki/Web_of_trust). The web of trust allows people who have never met in person to communicate with a reasonable degree of certainty that they are who they say they are. It works like this: Person A trusts Person B. Person B verifies -Person C's identity. Then, Person A can verify Person C's identity. +Person C's identity. Then, Person A can verify Person C's identity +because of their trust of Person B. The Monkeyshpere's broader goals are to extend the use of OpenPGP from email communications to other activities, such as: @@ -78,11 +110,9 @@ email communications to other activities, such as: * [OpenSSH](http://openssh.com/) * [GnuPG](http://www.gnupg.org/) +* [Secure Shell Authentication Protocol RFC 4252](http://tools.ietf.org/html/rfc4252) * [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880) -* [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/) - ---- This wiki is powered by [ikiwiki](http://ikiwiki.info). -