NAME
       monkeysphere-host - Monkeysphere host admin tool.

SYNOPSIS
       monkeysphere-host subcommand [args]


DESCRIPTION
       Monkeysphere is a framework to leverage the OpenPGP web of trust for
       OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and added
       to the authorized_keys and known_hosts files used by OpenSSH for
       connection authentication.

       monkeysphere-host is a Monkeysphere server admin utility for managing
       the host’s OpenPGP host key.


SUBCOMMANDS
       monkeysphere-host takes various subcommands:

       import-key FILE NAME[:PORT]
              Import a PEM-encoded ssh secret host key from file FILE.  If
              FILE is ‘-’, then the key will be imported from stdin.  Only RSA
              keys are supported at the moment.  NAME[:PORT] is used to
              specify the fully-qualified hostname (and port) used in the user
              ID of the new OpenPGP key.  If PORT is not specified, then no
              port is added to the user ID, which means port 22 is assumed.
              ‘i’ may be used in place of ‘import-key’.

       show-key
              Output information about the host’s OpenPGP and SSH keys.  ‘s’
              may be used in place of ‘show-key’.

       set-expire [EXPIRE]
              Extend the validity of the OpenPGP key for the host until EXPIRE
              from the present.  If EXPIRE is not specified, then the user
              will be prompted for the extension term.  Expiration is
              specified as with GnuPG (measured from today’s date):
                       0 = key does not expire
                    <n>  = key expires in n days
                    <n>w = key expires in n weeks
                    <n>m = key expires in n months
                    <n>y = key expires in n years
              ‘e’ may be used in place of ‘set-expire’.

       add-hostname HOSTNAME
              Add a hostname user ID to the server host key.  ‘n+’ may be used
              in place of ‘add-hostname’.

       revoke-hostname HOSTNAME
              Revoke a hostname user ID from the server host key.  ‘n-’ may be
              used in place of ‘revoke-hostname’.

       add-revoker KEYID|FILE
              Add a revoker to the host’s OpenPGP key.  The key ID will be
              loaded from the keyserver.  A file may be loaded instead of
              pulling the key from the keyserver by specifying the path to the
              file as the argument, or by specifying ‘-’ to load from stdin.
              ‘r+’ may be used in place of ‘add-revoker’.

              Generate (with the option to publish) a revocation certificate
              for the host’s OpenPGP key.  If such a certificate is published,
              your host key will be permanently revoked.  This subcommand will
              ask you a series of questions, and then generate a key
              revocation certificate, sending it to stdout.  If you explicitly
              tell it to publish the revocation certificate immediately, it
              will send it to the public keyservers.  USE WITH CAUTION!

       publish-key
              Publish the host’s OpenPGP key to the public keyservers.  ‘p’
              may be used in place of ‘publish-key’.  Note that there is no
              way to remove a key from the public keyservers once it is

       version
              Show the monkeysphere version number.  ‘v’ may be used in place
              of ‘version’.

       help   Output a brief usage summary.  ‘h’ or ‘?’ may be used in place
              of ‘help’.

              Other commands:

       diagnostics
              Review the state of the monkeysphere server host key and report
              on suggested changes.  Among other checks, this includes making
              sure there is a valid host key, that the key is not expired,
              that the sshd configuration points to the right place, etc.  ‘d’
              may be used in place of ‘diagnostics’.
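       The expiration syntax accepted by set-expire (0, <n>, <n>w, <n>m,
       <n>y), parsed by a small POSIX shell helper.  This is an added example
       and not part of monkeysphere; it assumes GnuPG’s own multipliers of 7,
       30 and 365 days per week, month and year, and the function names are
       mine.

```shell
# expire_to_days SPEC: convert a GnuPG-style expiration spec into a number
# of days, echoed on stdout.  Prints nothing and returns 1 on a malformed
# spec.  Multipliers follow GnuPG (7 days/week, 30 days/month, 365 days/year).
expire_to_days() {
    spec=$1
    case "$spec" in
        0)              echo 0; return 0 ;;   # key never expires
        ''|*[!0-9wmy]*) return 1 ;;           # empty, or characters outside the syntax
    esac
    n=${spec%[wmy]}                 # numeric part (unit letter stripped, if any)
    unit=${spec#"$n"}               # the unit letter that was stripped, or empty
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # rejects "w", "3w2", "2m1y"
    case "$unit" in
        '') echo $((n)) ;;          # bare number: days
        w)  echo $((n * 7)) ;;
        m)  echo $((n * 30)) ;;
        y)  echo $((n * 365)) ;;
        *)  return 1 ;;
    esac
}

# expire_at NOW SPEC: given the current time as seconds since the epoch and
# an expiration spec, echo the expiration instant as epoch seconds, or the
# word "never" for a spec of 0.  Returns 1 on a malformed spec.
expire_at() {
    days=$(expire_to_days "$2") || return 1
    if [ "$days" -eq 0 ]; then
        echo never
    else
        echo $(($1 + days * 86400))
    fi
}

# Example: check how long "6m" keeps the host key valid from right now.
# expire_at "$(date +%s)" 6m
```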


SETUP HOST VERIFICATION
       To enable host verification via the monkeysphere, an OpenPGP key must
       be made out of the host’s ssh key, and the key must be published to the
       Web of Trust.  This is not done by default.  The first step is to
       import the host’s ssh key into a monkeysphere-style OpenPGP key.  This
       is done with the import-key command.  When importing a key, you must
       specify the path to the host’s ssh RSA key to import, and a hostname to
       use as the key’s user ID (host.example.org below is a placeholder):

       # monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key host.example.org

       On most systems, the ssh host RSA key is stored at
       /etc/ssh/ssh_host_rsa_key.

       Once the host key has been imported, it must be published to the Web of
       Trust so that users can retrieve the key when sshing to the host.  The
       host key is published to the keyserver with the publish-key command:

       # monkeysphere-host publish-key

       In order for users logging into the system to be able to identify the
       host via the monkeysphere, at least one person (e.g. a server admin)
       will need to sign the host’s key.  This is done using standard OpenPGP
       keysigning techniques, usually: pull the key from the keyserver, verify
       and sign the key, and then re-publish the signature.  Please see for
       more information.  Once an admin’s signature is published, users
       logging into the host can use it to validate the host’s key without
       having to manually check the host key’s fingerprint.
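       A pre-flight script for the procedure above, added here as an example
       rather than taken from monkeysphere: it checks that the file really is
       a PEM-encoded RSA key (the only kind import-key accepts) and that
       NAME[:PORT] is well formed before running the import-key and
       publish-key steps.  The function names are mine, and dropping an
       explicit ‘:22’ so the user ID matches the no-port default is this
       script’s choice, not documented monkeysphere behaviour.

```shell
# check_host_key FILE: succeed only if FILE is a readable PEM-encoded RSA
# private key.  Keys in OpenSSH's own container format (what newer ssh-keygen
# writes by default) are not PEM RSA and are reported as such.
check_host_key() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----') return 0 ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            echo "$1 is in OpenSSH key format, not PEM RSA" >&2; return 1 ;;
        *)  echo "$1 does not look like a PEM RSA private key" >&2; return 1 ;;
    esac
}

# check_name_port NAME[:PORT]: validate the user-ID argument and echo it in
# normalised form.  Port 22 is implied when no port is given, so an explicit
# ":22" is dropped here (an assumption about the desired form of the user ID).
check_name_port() {
    name=${1%%:*}
    port=${1#"$name"}; port=${port#:}
    case "$name" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) echo "bad hostname: $1" >&2; return 1 ;;
    esac
    case "$port" in
        '') ;;
        *[!0-9]*) echo "bad port: $1" >&2; return 1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "bad port: $1" >&2; return 1; } ;;
    esac
    if [ -z "$port" ] || [ "$port" -eq 22 ]; then
        echo "$name"
    else
        echo "$name:$port"
    fi
}

# setup_host_key FILE NAME[:PORT]: run the checks, then the two steps.
# Must be run as root, like the monkeysphere-host commands themselves.
setup_host_key() {
    check_host_key "$1" || return 1
    target=$(check_name_port "$2") || return 1
    monkeysphere-host import-key "$1" "$target" || return 1
    monkeysphere-host publish-key
}

# Usage: sh this-script.sh /etc/ssh/ssh_host_rsa_key host.example.org
if [ "$#" -eq 2 ]; then setup_host_key "$1" "$2"; fi
```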


ENVIRONMENT
       The following environment variables will override those specified in
       the config file (defaults in parentheses):

              Set the log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
              in increasing order of verbosity. (INFO)

              OpenPGP keyserver to use. (

              If set to ‘false’, never prompt the user for confirmation.


FILES
              System monkeysphere-host config file.

              A world-readable copy of the host’s public key in OpenPGP
              format, including all relevant self-signatures.


AUTHOR
       This man page was written by: Jameson Rollins <>, Daniel Kahn Gillmor
       <>, Matthew Goins <>


SEE ALSO
       monkeysphere(1), monkeysphere-authentication(8), monkeysphere(7),
       gpg(1), ssh(1), sshd(8)