1 .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
5 monkeysphere-host \- Monkeysphere host admin tool.
9 .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
11 .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
15 \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
16 for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
17 added to the authorized_keys and known_hosts files used by OpenSSH for
18 connection authentication.
20 \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
24 \fBmonkeysphere-host\fP takes various subcommands:
27 Output information about host's OpenPGP and SSH keys. `s' may be used
28 in place of `show-key'.
31 Extend the validity of the OpenPGP key for the host until EXPIRE from
32 the present. If EXPIRE is not specified, then the user will be
33 prompted for the extension term. Expiration is specified like GnuPG
36 0 = key does not expire
37 <n> = key expires in n days
38 <n>w = key expires in n weeks
39 <n>m = key expires in n months
40 <n>y = key expires in n years
42 `e' may be used in place of `extend-key'.
44 .B add-hostname HOSTNAME
45 Add a hostname user ID to the server host key. `n+' may be used in
46 place of `add-hostname'.
48 .B revoke-hostname HOSTNAME
49 Revoke a hostname user ID from the server host key. `n-' may be used
50 in place of `revoke-hostname'.
52 .B add-revoker FINGERPRINT
53 Add a revoker to the host's OpenPGP key. `o' may be be used in place
57 Revoke the host's OpenPGP key. `r' may be used in place of
61 Publish the host's OpenPGP key to the keyserver. `p' may be used in
62 place of `publish-key'.
64 .B import-key [NAME[:PORT]]
65 Import a pem-encoded ssh secret host key, from stdin. NAME[:PORT] is
66 used to specify the hostname (and port) used in the user ID of the new
67 OpenPGP key. If NAME is not specified, then the system
68 fully-qualified domain name will be used (ie. `hostname -f'). If PORT
69 is not specified, the no port is added to the user ID, which means
70 port 22 is assumed. `i' may be used in place of `import-key'.
73 Review the state of the monkeysphere server host key and report on
74 suggested changes. Among other checks, this includes making sure
75 there is a valid host key, that the key is published, that the sshd
76 configuration points to the right place, etc. `d' may be used in
77 place of `diagnostics'.
80 Output a brief usage summary. `h' or `?' may be used in place of
86 .SH SETUP HOST AUTHENTICATION
88 To enable host verification via the monkeysphere, the host's key must
89 be published to the Web of Trust. This is not done by default. To
90 publish the host key to the keyservers, run the following command:
92 $ monkeysphere-host publish-key
94 In order for users logging into the system to be able to identify the
95 host via the monkeysphere, at least one person (e.g. a server admin)
96 will need to sign the host's key. This is done using standard OpenPGP
97 keysigning techniques, usually: pull the key from the keyserver,
98 verify and sign the key, and then re-publish the signature. Once an
99 admin's signature is published, users logging into the host can use it
100 to validate the host's key.
104 The following environment variables will override those specified in
105 the config file (defaults in parentheses):
107 MONKEYSPHERE_LOG_LEVEL
108 Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
109 increasing order of verbosity.
111 MONKEYSPHERE_KEYSERVER
112 OpenPGP keyserver to use (pool.sks-keyservers.net).
117 /etc/monkeysphere/monkeysphere-host.conf
118 System monkeysphere-host config file.
120 /var/lib/monkeysphere/host/ssh_host_rsa_key
121 Copy of the host's private key in ssh format, suitable for use by
127 Jameson Rollins <jrollins@fifthhorseman.net>,
128 Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
129 Matthew Goins <mjgoins@openflows.com>
133 .BR monkeysphere (1),
134 .BR monkeysphere-authentication (8),
135 .BR monkeysphere (7),
projects / monkeysphere.git / blob