.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" .SH NAME monkeysphere-host \- Monkeysphere host admin tool. .SH SYNOPSIS .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP] .br .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP] .SH DESCRIPTION \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility. .SH SUBCOMMANDS \fBmonkeysphere-host\fP takes various subcommands: .TP .B show-key Output information about host's OpenPGP and SSH keys. `s' may be used in place of `show-key'. .TP .B extend-key EXPIRE Extend the validity of the OpenPGP key for the host until EXPIRE from the present. If EXPIRE is not specified, then the user will be prompted for the extension term. Expiration is specified like GnuPG does: .nf 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years .fi `e' may be used in place of `extend-key'. .TP .B add-hostname HOSTNAME Add a hostname user ID to the server host key. `n+' may be used in place of `add-hostname'. .TP .B revoke-hostname HOSTNAME Revoke a hostname user ID from the server host key. `n-' may be used in place of `revoke-hostname'. .TP .B add-revoker FINGERPRINT Add a revoker to the host's OpenPGP key. `o' may be be used in place of `add-revoker'. .TP .B revoke-key Revoke the host's OpenPGP key. `r' may be used in place of `revoke-key'. .TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in place of `publish-key'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. .TP .B version show version number .SH "EXPERT" SUBCOMMANDS Some commands are very unlikely to be needed by most administrators. These commands must prefaced by the word `expert'. .TP .B gen-key [HOSTNAME] Generate a OpenPGP key for the host. If HOSTNAME is not specified, then the system fully-qualified domain name will be user. An alternate key bit length can be specified with the `-l' or `--length' option (default 2048). An expiration length can be specified with the `-e' or `--expire' option (prompt otherwise). The expiration format is the same as that of \fBextend-key\fP, below. `g' may be used in place of `gen-key'. .TP .B import-key FIXME: import-key (i) import existing ssh key to gpg --hostname (-h) NAME[:PORT] hostname for key user ID --keyfile (-f) FILE key file to import --expire (-e) EXPIRE date to expire .TP .B diagnostics Review the state of the monkeysphere server host key and report on suggested changes. Among other checks, this includes making sure there is a valid host key, that the key is published, that the sshd configuration points to the right place, etc. `d' may be used in place of `diagnostics'. .SH SETUP HOST AUTHENTICATION To enable host verification via the monkeysphere, the host's key must be published to the Web of Trust. This is not done by default. To publish the host key to the keyservers, run the following command: $ monkeysphere-host publish-key You must also modify the sshd_config on the server to tell sshd where the new server host key is located: HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) will need to sign the host's key. This is done using standard OpenPGP keysigning techniques, usually: pull the key from the keyserver, verify and sign the key, and then re-publish the signature. Once an admin's signature is published, users logging into the host can use it to validate the host's key. .SH ENVIRONMENT The following environment variables will override those specified in the config file (defaults in parentheses): .TP MONKEYSPHERE_LOG_LEVEL Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in increasing order of verbosity. .TP MONKEYSPHERE_KEYSERVER OpenPGP keyserver to use (pool.sks-keyservers.net). .SH FILES .TP /etc/monkeysphere/monkeysphere-host.conf System monkeysphere-host config file. .TP /var/lib/monkeysphere/host/ssh_host_rsa_key Copy of the host's private key in ssh format, suitable for use by sshd. .SH AUTHOR Written by: Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins .SH SEE ALSO .BR monkeysphere (1), .BR monkeysphere-authentication (8), .BR monkeysphere (7), .BR gpg (1), .BR ssh (1)