MONKEYSPHERE-HOST(8) | System Commands | MONKEYSPHERE-HOST(8) |
monkeysphere-host - Monkeysphere host key administration tool.
monkeysphere-host subcommand [args]
Monkeysphere is a framework to leverage the OpenPGP web of trust for SSH and TLS key-based authentication.
monkeysphere-host stores and manages OpenPGP certificates for various services offered by the host.
Most subcommands take a KEYID argument, which identifies (by OpenPGP key ID (e.g. 0xDEADBEEF) or full OpenPGP fingerprint) which certificate is to be operated upon. If only one certificate is currently managed by monkeysphere-host, the KEYID argument may be omitted, and monkeysphere-host will operate on it.
monkeysphere-host takes various subcommands:
`e' may be used in place of `set-expire'.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
To enable users to verify your SSH host's key via the monkeysphere, an OpenPGP certificate must be made out of the host's RSA ssh key, and the certificate must be published to the Web of Trust. Certificate publication is not done by default. The first step is to import the host's ssh key into a monkeysphere-style OpenPGP certificate. This is done with the import-key command. For example:
# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://host.example.org
On most systems, sshd's RSA secret key is stored at /etc/ssh/ssh_host_rsa_key.
See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES for how to make sure your users can verify the ssh service offered by your host once the key is imported into monkeysphere-host.
You can set up your HTTPS-capable web server so that your users can verify it via the monkeysphere, without changing your server's software at all. You just need access to a (PEM-encoded) version of the server's RSA secret key (most secret keys are already stored PEM-encoded). The first step is to import the web server's key into a monkeysphere-style OpenPGP certificate. This is done with the import-key command. For example:
# monkeysphere-host import-key /etc/ssl/private/host.example.net-key.pem https://host.example.net
If you don't know where the web server's key is stored on your machine, consult the configuration files for your web server. Debian-based systems using the `ssl-cert' packages often have a default self-signed certificate stored in `/etc/ssl/private/ssl-cert-snakeoil.key' ; if you're using that key, your users are getting browser warnings about it. You can keep using the same key, but help them use the OpenPGP WoT to verify that it does belong to your web server by using something like:
# monkeysphere-host import-key /etc/ssl/private/ssl-cert-snakeoil.key https://$(hostname --fqdn)
If you offer multiple HTTPS websites using the same secret key, you should add the additional website names with the `add-servicename' subcommand.
See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES (the next section) for how to make sure your users can verify the https service offered by your host once the key is imported and any extra site names have been added. Note that you can add or remove additional servicenames at any time, but you'll need to certify any new ones separately.
Once the host key has been imported, the corresponding certificate must be published to the Web of Trust so that users can retrieve the cert when connecting to the host. The host certificates are published to the keyserver with the publish-key command:
$ monkeysphere-host publish-key --all
In order for users accessing the system to be able to identify the host's service via the monkeysphere, at least one person (e.g. a server admin) will need to sign the host's certificate. This is done using standard OpenPGP keysigning techniques. Usually: pull the host's OpenPGP certificate from the keyserver, verify and sign it, and then re-publish your signature. More than one person can certify any certificate. Please see https://web.monkeysphere.info/doc/host-keys/ for more information and details. Once an admin's signature is published, users accessing the host can use the certificate to validate the host's key without having to manually check the host key's fingerprint (in the case of ssh) or without seeing a nasty "security warning" in their browsers (in the case of https).
Note that monkeysphere-host currently caches a copy of all imported secret keys (stored in OpenPGP form for future manipulation) in /var/lib/monkeysphere/host/. Cleartext backups of files in this directory could expose secret key material if not handled sensitively.
The following environment variables will override those specified in the config file (defaults in parentheses):
This man page was written by: Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com>
monkeysphere(1), monkeysphere(7), gpg(1), monkeysphere-authentication(8), ssh(1), sshd(8)
January 2010 | monkeysphere |