Provided by: monkeysphere_0.22-1_i386


       monkeysphere-server - Monkeysphere server admin user interface


       monkeysphere-server subcommand [args]


       Monkeysphere  is  a  framework to leverage the OpenPGP web of trust for
       OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and  added
       to  the  authorized_keys  and  known_hosts  files  used  by OpenSSH for
       connection authentication.

       monkeysphere-server is the Monkeysphere server admin utility.


       monkeysphere-server takes various subcommands:

       update-users [ACCOUNT]...
              Rebuild the monkeysphere-controlled authorized_keys files.   For
               each specified account, the user IDs listed in the account’s
              authorized_user_ids file are processed.  For each user  ID,  gpg
              will   be  queried  for  keys  associated  with  that  user  ID,
              optionally querying a keyserver.  If an acceptable key is  found
              (see  KEY ACCEPTABILITY in monkeysphere(7)), the key is added to
              the account’s monkeysphere-controlled authorized_keys file.   If
              the   RAW_AUTHORIZED_KEYS  variable  is  set,  then  a  separate
              authorized_keys  file  (usually  ~USER/.ssh/authorized_keys)  is
              appended  to  the  monkeysphere-controlled authorized_keys file.
              If no accounts are specified, then all accounts  on  the  system
              are processed.  ‘u’ may be used in place of ‘update-users’.

       gen-key [HOSTNAME]
               Generate an OpenPGP key for the host.  If HOSTNAME is not
               specified, then the system fully-qualified domain name will be
               used.  An alternate key bit length can be specified with the
              ‘-l’ or ‘--length’ option (default 2048).  An expiration  length
              can  be  specified  with  the  ‘-e’ or ‘--expire’ option (prompt
              otherwise).  The expiration  format  is  the  same  as  that  of
              extend-key,  below.   A key revoker fingerprint can be specified
              with the ‘-r’ or ‘--revoker’ option.  ‘g’ may be used  in  place
              of ‘gen-key’.

       extend-key EXPIRE
              Extend the validity of the OpenPGP key for the host until EXPIRE
              from the present.  If EXPIRE is not  specified,  then  the  user
              will   be  prompted  for  the  extension  term.   Expiration  is
              specified like GnuPG does:
                       0 = key does not expire
                    <n>  = key expires in n days
                    <n>w = key expires in n weeks
                    <n>m = key expires in n months
                    <n>y = key expires in n years
              ‘e’ may be used in place of ‘extend-key’.

       add-hostname HOSTNAME
              Add a hostname user ID to the server host key.  ‘n+’ may be used
              in place of ‘add-hostname’.

       revoke-hostname HOSTNAME
              Revoke a hostname user ID from the server host key.  ‘n-’ may be
              used in place of ‘revoke-hostname’.

       show-key
               Output gpg information about the host’s OpenPGP key.  ‘s’ may be
               used in place of ‘show-key’.

       publish-key
               Publish the host’s OpenPGP key to the keyserver.  ‘p’ may be
               used in place of ‘publish-key’.

       diagnostics
               Review the state of the server with respect to the MonkeySphere
               in general and report on suggested changes.  Among other checks,
               this includes making sure there is a valid host key, that the
               key is published, that the sshd configuration points to the
               right place, and that there are at least some valid identity
               certifiers.  ‘d’ may be used in place of ‘diagnostics’.

       add-identity-certifier KEYID
              Instruct  system  to  trust user identity certifications made by
              KEYID.  Using the  ‘-n’  or  ‘--domain’  option  allows  you  to
              indicate   that   you   only  trust  the  given  KEYID  to  make
              identifications within a specific domain (e.g. "trust  KEYID  to
              certify  user  identities  within  the domain").  A
              certifier  trust  level  can  be  specified  with  the  ‘-t’  or
              ‘--trust’  option  (possible  values  are  ‘marginal’ and ‘full’
              (default is ‘full’)).  A certifier trust depth can be  specified
              with  the  ‘-d’ or ‘--depth’ option (default is 1).  ‘c+’ may be
              used in place of ‘add-identity-certifier’.

       remove-identity-certifier KEYID
              Instruct system to ignore user identity certifications  made  by
              KEYID.    ‘c-’   may  be  used  in  place  of  ‘remove-identity-

       list-identity-certifiers
               List key IDs trusted by the system to certify user identities.
               ‘c’ may be used in place of ‘list-identity-certifiers’.

              Execute a gpg command on the gnupg-authentication keyring as the
              monkeysphere user.  This takes a single  command  (multiple  gpg
              arguments need to be quoted).  Use this command with caution, as
              modifying the gnupg-authentication keyring can affect  ssh  user

       help   Output  a  brief usage summary.  ‘h’ or ‘?’ may be used in place
              of ‘help’.


       In order to start using the monkeysphere, you must  first  generate  an
       OpenPGP  key for the server and convert that key to an ssh key that can
       be used by ssh for host authentication.  This can be done with the gen-
       key subcommand:

       $ monkeysphere-server gen-key

       To enable host verification via the monkeysphere, you must then publish
       the host’s key to the Web of Trust using  the  publish-key  command  to
       push  the  key to a keyserver.  You must also modify the sshd_config on
       the server to tell sshd where the new server host key is located:

       HostKey /var/lib/monkeysphere/ssh_host_rsa_key

       In order for users logging into the system to be able to  identify  the
       host  via  the  monkeysphere, at least one person (e.g. a server admin)
       will need to sign the host’s key.  This is done using standard  OpenPGP
       keysigning techniques, usually: pull the key from the keyserver, verify
       and sign the key, and then re-publish the signature.  Once  an  admin’s
       signature  is  published,  users  logging  into  the host can use it to
       validate the host’s key.

       If  the  server  will   also   handle   user   authentication   through
       monkeysphere-generated  authorized_keys  files, the server must be told
       which keys will act as identity certifiers.  This is done with the add-
       identity-certifier command:

       $ monkeysphere-server add-identity-certifier KEYID

       where   KEYID  is  the  key  ID  of  the  server  admin,  or  whoever’s
       certifications should be acceptable to the system for the  purposes  of
       authenticating  remote  users.  You can run this command multiple times
       to indicate that multiple certifiers are trusted.  You may also specify
       a  filename  instead of a key ID, as long as the file contains a single
       OpenPGP public  key.   Certifiers  can  be  removed  with  the  remove-
       identity-certifier   command,   and   listed  with  the  list-identity-
       certifiers command.

       Remote users will then be granted access to a local  account  based  on
       the appropriately-signed and valid keys associated with user IDs listed
       in  that  account’s  authorized_user_ids   file.    By   default,   the
       authorized_user_ids       file       for       an       account      is
       ~/.monkeysphere/authorized_user_ids.   This  can  be  changed  in   the
       monkeysphere-server.conf file.

       The update-users command can then be used to generate authorized_keys
       files for local accounts based on the authorized user IDs listed in the
       account’s authorized_user_ids file:

       $ monkeysphere-server update-users USER

       Not specifying USER will cause all accounts on the system to be updated.
       sshd can then use these monkeysphere-generated authorized_keys files to
       grant  access  to  user  accounts for remote users.  You must also tell
       sshd to look at the  monkeysphere-generated  authorized_keys  file  for
       user authentication by setting the following in the sshd_config:

       AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u

       It is recommended to add "monkeysphere-server update-users" to a system
       crontab, so that user keys are kept up-to-date, and key revocations and
       expirations can be processed in a timely manner.
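       As an added example (not part of monkeysphere or this man page), a small
       POSIX sh check in the spirit of the diagnostics subcommand: it reads an
       sshd_config and confirms that the two settings required above are present.
       The sample sshd_config it writes is constructed for illustration only, and
       the parser assumes the "Keyword value" form of sshd_config lines (the
       rarer "Keyword=value" form is not handled).

```shell
# Added example, not part of monkeysphere: verify that an sshd_config carries the
# two settings the setup text asks for (HostKey and AuthorizedKeysFile).
MS_HOSTKEY=/var/lib/monkeysphere/ssh_host_rsa_key
MS_AUTHKEYS='/var/lib/monkeysphere/authorized_keys/%u'

# Print the value of every line setting KEYWORD in CONFIG, one value per line.
# Keywords are case-insensitive; comment and blank lines are skipped.
sshd_values() {
    config=$1
    keyword=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$keyword" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
            print v
        }' "$config"
}

# Return 0 when CONFIG points sshd at the monkeysphere host key and
# authorized_keys files, 1 otherwise; each problem is reported on stderr.
check_sshd_config() {
    config=$1
    status=0
    # HostKey may appear several times; the monkeysphere key must be one of them.
    if ! sshd_values "$config" HostKey | grep -qxF "$MS_HOSTKEY"; then
        echo "$config: no 'HostKey $MS_HOSTKEY' line" >&2
        status=1
    fi
    # Only the first AuthorizedKeysFile line counts, and it may list several files.
    files=$(sshd_values "$config" AuthorizedKeysFile | head -n 1)
    case " $files " in
        *" $MS_AUTHKEYS "*) ;;
        *) echo "$config: AuthorizedKeysFile does not include $MS_AUTHKEYS" >&2
           status=1 ;;
    esac
    return $status
}

# Constructed sample configuration (not a real system file) for a stand-alone run.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config as it looks before the monkeysphere setup steps
HostKey /etc/ssh/ssh_host_rsa_key
AuthorizedKeysFile .ssh/authorized_keys
EOF
if check_sshd_config "$SAMPLE_CFG"; then echo "sshd_config is monkeysphere-ready"
else echo "sshd_config still needs the changes reported above"; fi
rm -f "$SAMPLE_CFG"
```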


       The  following  environment  variables will override those specified in
       the   monkeysphere-server.conf   configuration   file   (defaults    in

              User to control authentication keychain (monkeysphere).

              Set  the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE,
              DEBUG, in increasing order of verbosity.

              OpenPGP keyserver to use (

              Path       to        user        authorized_user_ids        file

              Path  to user-controlled authorized_keys file.  ‘-’ means not to
              add user-controlled file (%h/.ssh/authorized_keys).


              System monkeysphere-server config file.

              System-wide monkeysphere config file.

              Monkeysphere host GNUPG home gpg.conf

              Monkeysphere authentication GNUPG home gpg.conf

              Monkeysphere-generated user authorized_keys files.

              Copy of the host’s private key in ssh format, suitable  for  use
              by sshd.

              Monkeysphere host GNUPG home directory.

              Monkeysphere authentication GNUPG home directory.


       Written  by  Jameson  Rollins <>, Daniel Kahn
       Gillmor <>


       monkeysphere(1), monkeysphere(7), gpg(1), ssh(1)