Provided by: monkeysphere_0.26-1_all


       monkeysphere - ssh authentication framework using OpenPGP Web of Trust


       Monkeysphere  is  a  framework to leverage the OpenPGP Web of Trust for
       ssh authentication.  OpenPGP keys are tracked via GnuPG, and  added  to
       the  authorized_keys  and  known_hosts files used by ssh for connection


       Each host that uses the Monkeysphere to authenticate its  remote  users
       needs  some way to determine that those users are who they claim to be.
       SSH permits key-based authentication,  but  we  want  instead  to  bind
       authenticators  to  human-comprehensible  user identities.  This switch
       from raw keys to User IDs makes it possible for administrators  to  see
       intuitively who has access to an account, and it also enables end users
       to transition keys (and revoke compromised ones)  automatically  across
       all  Monkeysphere-enabled  hosts.  The User IDs and certifications that
       the Monkeysphere relies on are found in the OpenPGP Web of Trust.

       However, in order to establish this binding, each host must know  whose
       certifications  to  trust.   Someone  who  a host trusts to certify User
       Identities is called an Identity Certifier.  A host must have at  least
       one  Identity  Certifier  in order to bind User IDs to keys.  Commonly,
       every ID Certifier would be trusted by the host to fully  identify  any
       User  ID,  but  more  nuanced  approaches  are  possible  as well.  For
       example, a given host could specify a dozen ID certifiers,  but  assign
       them  all  "marginal"  trust.   Then any given User ID would need to be
       certified in the OpenPGP Web of  Trust  by  at  least  three  of  those

       It  is  also  possible  to  limit  the  scope  of  trust for a given ID
       Certifier to a particular domain.  That is, a host can be configured to
       fully  (or  marginally)  trust a particular ID Certifier only when they
       certify identities  within,  say,  (based  on  the  e-mail
       address in the User ID).


       During   known_host   and  authorized_keys  updates,  the  monkeysphere
       commands work from a set of user IDs to determine acceptable  keys  for
       ssh  authentication.   OpenPGP  keys  are  considered acceptable if the
       following criteria are met:

              The key must have the ‘authentication’ (‘a’) usage flag set.

              The key itself must be valid, i.e. it must be  well-formed,  not
              expired, and not revoked.

              The  relevant  user  ID  must  be  signed  by a trusted identity
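       The acceptance criteria above, combined with the full/marginal and
       domain-scoped Identity Certifier trust described earlier, written out as
       an added illustration.  This is a constructed model, not code from the
       monkeysphere package; the Certifier, Certification and Key types and the
       fingerprints used in comments are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

MARGINALS_NEEDED = 3  # the man page's example: three marginal certifiers


@dataclass
class Certifier:
    fingerprint: str            # hypothetical: the certifier's OpenPGP key fingerprint
    trust: str                  # "full" or "marginal"
    domain: str | None = None   # optional scope: only User IDs in this e-mail domain


@dataclass
class Certification:
    certifier_fpr: str  # who signed
    uid: str            # which User ID on the key was certified


@dataclass
class Key:
    fingerprint: str
    usage_flags: str    # e.g. "a" or "sca"; must contain "a" (authentication)
    expires: datetime | None
    revoked: bool
    certifications: list[Certification] = field(default_factory=list)


def uid_domain(uid: str) -> str | None:
    """'Alice <alice@example.org>' -> 'example.org'; None if no address."""
    if "<" in uid and "@" in uid:
        return uid.rsplit("@", 1)[1].rstrip(">").lower()
    return None


def uid_is_certified(key: Key, uid: str, certifiers: list[Certifier]) -> bool:
    """One fully trusted certifier suffices; otherwise MARGINALS_NEEDED marginals."""
    by_fpr = {c.fingerprint: c for c in certifiers}
    marginal = 0
    for cert in key.certifications:
        c = by_fpr.get(cert.certifier_fpr)
        if cert.uid != uid or c is None:
            continue  # wrong User ID, or signer is not an Identity Certifier
        if c.domain and uid_domain(uid) != c.domain.lower():
            continue  # certifier's trust does not extend to this domain
        if c.trust == "full":
            return True
        if c.trust == "marginal":
            marginal += 1
    return marginal >= MARGINALS_NEEDED


def key_acceptable(key: Key, uid: str, certifiers: list[Certifier], now: datetime) -> bool:
    """The three man-page criteria: usage flag, key validity, certified User ID."""
    if "a" not in key.usage_flags:
        return False
    if key.revoked or (key.expires is not None and key.expires <= now):
        return False
    return uid_is_certified(key, uid, certifiers)
```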


       The OpenPGP keys for hosts have associated user IDs that  use  the  ssh
       URI specification for the host, i.e. ‘ssh://host.full.domain[:port]’.


       Written  by:  Jameson Rollins <>, Daniel Kahn
       Gillmor <>


       monkeysphere(1), monkeysphere-host(8), monkeysphere-authentication(8),
       openpgp2ssh(1), pem2openpgp(1), gpg(1), ssh(1),