Provided by: monkeysphere_0.28-1_all bug


       monkeysphere - ssh authentication framework using OpenPGP Web of Trust


       Monkeysphere  is  a  framework to leverage the OpenPGP web of trust for
       OpenSSH and TLS key-based authentication.  OpenPGP keys are tracked via
       GnuPG,  and  added to the authorized_keys and known_hosts files used by
       OpenSSH for connection authentication.  Monkeysphere can also  be  used
       by a validation agent to validate TLS connections (e.g. https).


       Each  host  that uses the Monkeysphere to authenticate its remote users
       needs some way to determine that those users are who they claim to  be.
       SSH  permits  key-based  authentication,  but  we  want instead to bind
       authenticators to human-comprehensible user  identities.   This  switch
       from  raw  keys to User IDs makes it possible for administrators to see
       intuitively who has access to an account, and it also enables end users
       to  transition  keys (and revoke compromised ones) automatically across
       all Monkeysphere-enabled hosts.  The User IDs and  certifications  that
       the Monkeysphere relies on are found in the OpenPGP Web of Trust.

       However,  in order to establish this binding, each host must know whose
       cerifications to trust.  Someone who a  host  trusts  to  certify  User
       Identities  is called an Identity Certifier.  A host must have at least
       one Identity Certifier in order to bind User IDs  to  keys.   Commonly,
       every  ID  Certifier would be trusted by the host to fully identify any
       User ID, but  more  nuanced  approaches  are  possible  as  well.   For
       example,  a  given host could specify a dozen ID certifiers, but assign
       them all "marginal" trust.  Then any given User ID  would  need  to  be
       certified  in  the  OpenPGP  Web  of  Trust  by at least three of those

       It is also possible to  limit  the  scope  of  trust  for  a  given  ID
       Certifier to a particular domain.  That is, a host can be configured to
       fully (or marginally) trust a particular ID Certifier  only  when  they
       certify  identities  within,  say,  (based  on  the e-mail
       address in the User ID).


       The monkeysphere commands work from a set  of  user  IDs  to  determine
       acceptable  keys  for  ssh  and  TLS  authentication.  OpenPGP keys are
       considered acceptable if the following criteria are met:

              The key must have the ‘authentication’ (‘a’) usage flag set.

              The key itself must be valid, i.e. it must be  well-formed,  not
              expired, and not revoked.

              The  relevant  user  ID  must  be  signed  by a trusted identity


       The OpenPGP keys for hosts have  associated  ‘service  names‘  (OpenPGP
       user  IDs)  that are based on URI specifications for the service.  Some

       ssh:   ssh://[:port]



       Written by: Jameson Rollins <>,  Daniel  Kahn
       Gillmor <>


       monkeysphere(1),  monkeysphere-host(8), monkeysphere-authentication(8),
       openpgp2ssh(1),                 pem2openpgp(1),                 gpg(1),,                             ssh(1),