diff options
author | Matthew James Goins <mjgoins@openflows.com> | 2010-03-20 15:07:30 -0400 |
---|---|---|
committer | Matthew James Goins <mjgoins@openflows.com> | 2010-03-20 15:07:30 -0400 |
commit | 2f9fe93b98ed32b662212899db6ba2174c1138d3 (patch) | |
tree | 099a0b3224b666bfc1289462f1a6d01a24763102 /website/signing-host-keys.mdwn | |
parent | 072e05ac7a9872edc3a3e18e103bbba2706254bf (diff) |
Removed docs and website. They will now reside (for my repo) at git://lair.fifthhorseman.net/~mjgoins/monkeysphere.info/
Diffstat (limited to 'website/signing-host-keys.mdwn')
-rw-r--r-- | website/signing-host-keys.mdwn | 127 |
1 files changed, 0 insertions, 127 deletions
diff --git a/website/signing-host-keys.mdwn b/website/signing-host-keys.mdwn deleted file mode 100644 index 1eb61a0..0000000 --- a/website/signing-host-keys.mdwn +++ /dev/null @@ -1,127 +0,0 @@ -# Signing a host's SSH key using OpenPGP # - -This page is meant to address the issue of signing OpenPGP-based SSH -host keys. Machines are not people, so the circumstances under which -one should sign a host key are different from those under which one -should sign another person's key. - -# Why are signatures on an SSH host key important? # - -In order for users to validate a host (an SSH server) in a -monkeysphere-enabled network, the host key must have *full* calculated -validity from the perspective of the connecting user. If the user has -not themselves signed the server's key, then the server's key can only -be valid if other people that the user trusts have signed the key. - -If only one person has signed the server's key, then the user must -fully trust the single person who has signed the host key. Full trust -should be granted sparingly and with consideration, though, so unless -the user knows the server admin very well, they will in general not -have full trust of this person. - -However, full trust of the host key can also be achieved if the -server key has been signed by three or more people that the user has - *marginal* trust of. In other words, three or more *marginally* -trusted signatures equals one *fully* trusted signature. It is much -more common for users to have marginal trust of other users in the Web -of Trust. For this reason, it is advisable to have as many people -sign the server key as possible. - -## What information should you have before signing a host key? ## - -Before signing the key of a person, you want to do two things: - -1. verify the identity of the person. -2. verify that the person is actually in control of the key that you -are signing. - -For a server, you want to do basically the same thing: - -1. verify the identity of the server. -2. verify that the server is actually in control of the key that you -are signing. - -However, verifying these things for a server is less intuitive than it -is for a human. - -Verifying that the host is in control of the key is, in principle, -straightforward. If you are logged on to the machine in question, -then you can check directly that the key exists on the system. - -What is not so straightforward is what exactly it means to "verify the -identity" of a remote server on the internet? The identity in this -case is the fully qualified domain name (FQDN) of the host. Verifying -this identity amounts to being sure that the host in question really -is located at that FQDN. - -## Signing the host key ## - -If you are the person (or persons) that actually setup the server and -configured Monkeysphere and ssh on the server, then you should sign -the host key as part of that process. When the server is first set -up, the administrators who set it up are the only ones who can -actually vouch for the server key, so their signatures are necessary -to get things going. Their signatures are also necessary so that they -can validate the host key themselves and log into the server via -monkeysphere-enabled ssh in the future. - -If you did not set up the server initially, you do not have an -accumulated full trust of the person(s) who did, and you do not -necessarily have console access to the server directly, it's hard to -confidently verify the server identity and key ownership. You would -like to be able to walk up to the server, log in at the console, and -get the fingerprint of the ssh host key directly. But this is usually -impossible. - -However, it is still possible to verify the server identity *and* -server ownership of the key, even in this case. - -## Remotely verifying host identity and key possession ## - -It is in fact possible to verify the identity and key ownership of a -server in one fell swoop with monkeysphere-enabled ssh. Here is the -procedure: - -> **Attempt to make a monkeysphere-enabled ssh connection to the host in -question. Monkeysphere will check that the ssh host key offered by the -host matches the OpenPGP key with the correct host FQDN user ID. If -the ssh host key and the OpenPGP key with the correct user ID match, -then you will have effectively:** - ->**1. verified the host identity, because you actually connected to the -host in question, which you know because you:** - ->**2. verified the host is in control of the key, because the ssh host -key offered by the host matches the OpenPGP key with correct host FQDN -user ID.** - -Here is an example: - - servo:~ 0$ ssh zimmermann.mayfirst.org - -------------------- Monkeysphere warning ------------------- - Monkeysphere found OpenPGP keys for this hostname, but none had full validity. - An OpenPGP key matching the ssh key offered by the host was found: - - pub 2048R/860E8F9C 2008-10-29 [expires: 2009-02-26] - uid [marginal] ssh://zimmermann.mayfirst.org - sig! 76CC057D 2008-11-15 Jamie McClelland <jamie@mayfirst.org> - sig!3 860E8F9C 2008-10-29 ssh://zimmermann.mayfirst.org - sig! D21739E9 2008-10-29 Daniel Kahn Gillmor <dkg@fifthhorseman.net> - sig! 1CF2D62A 2008-11-16 Micah Anderson <micah@riseup.net> - - RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e. - -------------------- ssh continues below -------------------- - The authenticity of host 'zimmermann.mayfirst.org (<no hostip for proxy command>)' can't be established. - RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e. - No matching host key fingerprint found in DNS. - Are you sure you want to continue connecting (yes/no)? no - Host key verification failed. - servo:~ 255$ - -I have attempted to connect to the host zimmermann.mayfirst.org. -zimmermann's host key has only *marginal* validity for the FQDN user -ID in question, so I am not able to connect. However, the -Monkeysphere has checked that the ssh host key actually does match the -OpenPGP key with the correct user ID `ssh://zimmermann.mayfirst.org`. -I have therefore verified the identity of zimmermann, and verified -that zimmermann is in possession of the key in question. |