Provided by: monkeysphere_0.26-1_all
monkeysphere-host - Monkeysphere host admin tool.
monkeysphere-host subcommand [args]
Monkeysphere is a framework to leverage the OpenPGP web of trust for
OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added
to the authorized_keys and known_hosts files used by OpenSSH for
monkeysphere-host is a Monkeysphere server admin utility for managing
the host’s OpenPGP host key.
monkeysphere-host takes various subcommands:
import-key FILE NAME[:PORT]
Import a pem-encoded ssh secret host key from file FILE. If
FILE is ‘-’, then the key will be imported from stdin. Only RSA
keys are supported at the moment. NAME[:PORT] is used to
specify the fully-qualified hostname (and port) used in the user
ID of the new OpenPGP key. If PORT is not specified, then no
port is added to the user ID, which means port 22 is assumed.
‘i’ may be used in place of ‘import-key’.
Output information about host’s OpenPGP and SSH keys. ‘s’ may
be used in place of ‘show-key’.
Extend the validity of the OpenPGP key for the host until EXPIRE
from the present. If EXPIRE is not specified, then the user
will be prompted for the extension term. Expiration is
specified as with GnuPG (measured from today’s date):
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
‘e’ may be used in place of ‘set-expire’.
Add a hostname user ID to the server host key. ‘n+’ may be used
in place of ‘add-hostname’.
Revoke a hostname user ID from the server host key. ‘n-’ may be
used in place of ‘revoke-hostname’.
Add a revoker to the host’s OpenPGP key. The key ID will be
loaded from the keyserver. A file may be loaded instead of
pulling the key from the keyserver by specifying the path to the
file as the argument, or by specifying ‘-’ to load from stdin.
‘r+’ may be be used in place of ‘add-revoker’.
Generate (with the option to publish) a revocation certificate
for the host’s OpenPGP key. If such a certificate is published,
your host key will be permanently revoked. This subcommand will
ask you a series of questions, and then generate a key
revocation certificate, sending it to stdout. If you explicitly
tell it to publish the revocation certificate immediately, it
will send it to the public keyservers. USE WITH CAUTION!
Publish the host’s OpenPGP key to the public keyservers. ‘p’
may be used in place of ‘publish-key’. Note that there is no
way to remove a key from the public keyservers once it is
Show the monkeysphere version number. ‘v’ may be used in place
help Output a brief usage summary. ‘h’ or ‘?’ may be used in place
Review the state of the monkeysphere server host key and report
on suggested changes. Among other checks, this includes making
sure there is a valid host key, that the key is not expired,
that the sshd configuration points to the right place, etc. ‘d’
may be used in place of ‘diagnostics’.
SETUP HOST AUTHENTICATION
To enable host verification via the monkeysphere, an OpenPGP key must
be made out of the host’s ssh key, and the key must be published to the
Web of Trust. This is not done by default. The first step is to
import the host’s ssh key into a monkeysphere-style OpenPGP key. This
is done with the import-key command. When importing a key, you must
specify the path to the host’s ssh RSA key to import, and a hostname to
use as the key’s user ID:
# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key
On most systems, the ssh host RSA key is stored at
Once the host key has been imported, it must be published to the Web of
Trust so that users can retrieve the key when sshing to the host. The
host key is published to the keyserver with the publish-key command:
$ monkeysphere-host publish-key
In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host’s key. This is done using standard OpenPGP
keysigning techniques, usually: pull the key from the keyserver, verify
and sign the key, and then re-publish the signature. Please see
http://web.monkeysphere.info/signing-host-keys/ for more information.
Once an admin’s signature is published, users logging into the host can
use it to validate the host’s key without having to manually check the
host key’s fingerprint.
The following environment variables will override those specified in
the config file (defaults in parentheses):
Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
in increasing order of verbosity. (INFO)
OpenPGP keyserver to use. (pool.sks-keyservers.net)
If set to ‘false’, never prompt the user for confirmation.
System monkeysphere-host config file.
A world-readable copy of the host’s public key in OpenPGP
format, including all relevant self-signatures.
This man page was written by: Jameson Rollins
<firstname.lastname@example.org>, Daniel Kahn Gillmor
<email@example.com>, Matthew Goins <firstname.lastname@example.org>
monkeysphere(1), monkeysphere-authentication(8), monkeysphere(7),
gpg(1), ssh(1), sshd(8)