diff options
-rw-r--r-- | COPYING | 2 | ||||
-rw-r--r-- | website/doc.mdwn | 4 | ||||
-rw-r--r-- | website/getting-started-admin.mdwn | 100 | ||||
-rw-r--r-- | website/index.mdwn | 9 | ||||
-rw-r--r-- | website/news/Monkeysphere-in-Debian.mdwn | 15 |
5 files changed, 96 insertions, 34 deletions
@@ -2,7 +2,7 @@ Monkeysphere is a system to use the OpenPGP web-of-trust to authenticate and encrypt ssh connections. It is free software, developed by: - Jameson Rollins <jrollins@fifthhorseman.net> + Jameson Graef Rollins <jrollins@finestructure.net> Daniel Kahn Gillmor <dkg@fifthhorseman.net> Jamie McClelland <jamie@mayfirst.org> Micah Anderson <micah@riseup.net> diff --git a/website/doc.mdwn b/website/doc.mdwn index cd7bc76..28db2ef 100644 --- a/website/doc.mdwn +++ b/website/doc.mdwn @@ -19,10 +19,12 @@ ## References ## - * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH) + * [OpenSSH](http://openssh.com/) + * [GnuPG](http://www.gnupg.org/) * [OpenPGP (RFC 4880)](http://tools.ietf.org/html/rfc4880) * [Secure Shell Authentication Protocol (RFC 4252)](http://tools.ietf.org/html/rfc4252) * [URI scheme for SSH, RFC draft](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/) + * [Initial Monkeysphere specifications at CMRG](http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH) ## Other ## diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn index 1c373ac..5c7203d 100644 --- a/website/getting-started-admin.mdwn +++ b/website/getting-started-admin.mdwn @@ -2,60 +2,106 @@ Monkeysphere Server Administrator README ======================================== As the administrator of an SSH server, you can take advantage of the -monkeysphere in two ways: you can publish the host key of your machine -so that your users can have it automatically verified, and you can set -up your machine to automatically identify connecting users by their -presence in the OpenPGP web of trust. +monkeysphere in two ways: +1. you can publish the host key of your machine so that your users can +have it automatically verified, and + +2. you can set up your machine to automatically identify connecting +users by their presence in the OpenPGP web of trust. + +These things are not mutually required, and it is in fact possible to +do one without the other. However, it is highly recommend that you at +least do the first. Even if you decide that you do not want to use +the monkeysphere to authenticate users to your system, you should at +least the host key into the Web of Trust so that your users can be +sure they're connecting to the correct machine. + + +Monkeysphere for host verification +================================== Server host key publication --------------------------- -To generate and publish a server host key: + +To begin, you must first generate a server host key: # monkeysphere-server gen-key - # monkeysphere-server publish-key This will generate the key for server with the service URI -(`ssh://server.example.net`). The server admin should now sign the -server key so that people in the admin's web of trust can identify the -server without manual host key checking: +(`ssh://server.example.net`). Output the new key information with the +'show-key' command: + + # monkeysphere-server show-key + +Once the key has been generated, it needs to be publish to the Web of +Trust: + + # monkeysphere-server publish-key + +The server admin should now sign the server key so that people in the +admin's web of trust can identify the server without manual host key +checking. On your (the admin's) local machine retrieve the host key: $ gpg --search '=ssh://server.example.net' + +Now sign the server key: + $ gpg --sign-key '=ssh://server.example.net' +Make sure you compare the fingerprint of the retrieved with the one +output with the 'show-key' command above, to verify you are signing +the correct key. Finally, publish your signatures back to the +keyservers: + + $ gpg --send-key '=ssh://server.example.net' Update OpenSSH configuration files ---------------------------------- To use the newly-generated host key for ssh connections, put the -following line in `/etc/ssh/sshd_config` (be sure to remove references -to any other keys): +following line in `/etc/ssh/sshd_config` (be sure to comment out or +remove any other HostKey references): HostKey /var/lib/monkeysphere/ssh_host_rsa_key -FIXME: should we just suggest symlinks in the filesystem here instead? +FIXME: What about DSA host keys? The SSH RFC seems to require +implementations support DSA, though OpenSSH will work without a DSA +host key. -FIXME: What about DSA host keys? The SSH RFC seems to require implementations support DSA, though OpenSSH will work without a DSA host key. -To enable users to use the monkeysphere to authenticate using the -OpenPGP web of trust, add this line to `/etc/ssh/sshd_config` (again, -making sure that no other AuthorizedKeysFile directive exists): +Monkeysphere for user authentication +==================================== - AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u +A host can maintain ssh `authorized_keys` files automatically for its +users with the Monkeysphere. These `authorized_keys` files can then +be used to enable users to use the monkeysphere to authenticate to +your machine using the OpenPGP web of trust. + +Before this can happen, the host must first have a host key to use for +user key verification. If you have not already generated a host key +(as in the host verification instructions above), generate one now: + + # monkeysphere-server gen-key -And then read the section below about how to ensure these files are -maintained. You'll need to restart `sshd` to have your changes take -effect. As with any change to `sshd_config`, be sure to retain an -existing session to the machine while you test your changes so you -don't get locked out. +Update OpenSSH configuration files +---------------------------------- + +SSH must be configured to point to the monkeysphere generated +`authorized_keys` file. Add this line to `/etc/ssh/sshd_config` +(again, making sure that no other AuthorizedKeysFile directive is left +uncommented): + AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u + +You'll need to restart `sshd` to have your changes take effect. As +with any change to `sshd_config`, be sure to retain an existing +session to the machine while you test your changes so you don't get +locked out. Monkeysphere authorized_keys maintenance ---------------------------------------- -A host can maintain ssh authorized_keys files automatically for its -users with the Monkeysphere. - For each user account on the server, the userids of people authorized to log into that account would be placed in: @@ -72,12 +118,12 @@ If the admin's OpenPGP keyid is `$GPGID`, then on the server run: # monkeysphere-server add-identity-certifier $GPGID -To update the monkeysphere authorized_keys file for user "bob" using +To update the monkeysphere `authorized_keys` file for user "bob" using the current set of identity certifiers, run: # monkeysphere-server update-users bob -To update the monkeysphere authorized_keys file for all users on the +To update the monkeysphere `authorized_keys` file for all users on the the system, run the same command with no arguments: # monkeysphere-server update-users diff --git a/website/index.mdwn b/website/index.mdwn index 2e756ae..4abeea0 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -69,12 +69,11 @@ To emphasize: ***no modifications to SSH are required to use the Monkeysphere***. OpenSSH can be used as is; completely unpatched and "out of the box". -## Links ## +## License ## -* [OpenSSH](http://openssh.com/) -* [GnuPG](http://www.gnupg.org/) -* [Secure Shell Authentication Protocol RFC 4252](http://tools.ietf.org/html/rfc4252) -* [OpenPGP RFC 4880](http://tools.ietf.org/html/rfc4880) +All Monkeysphere software is copyright, 2007, by [the +authors](community), and released under [GPL, version 3 or +later](http://www.gnu.org/licenses/gpl-3.0.html). ---- diff --git a/website/news/Monkeysphere-in-Debian.mdwn b/website/news/Monkeysphere-in-Debian.mdwn new file mode 100644 index 0000000..acba904 --- /dev/null +++ b/website/news/Monkeysphere-in-Debian.mdwn @@ -0,0 +1,15 @@ +[[meta title="Monkeysphere now in Debian!"]] + +[The Monkeysphere has made it into +Debian!](http://packages.debian.org/sid/monkeysphere) + +It is in Debian unstable (sid) now, which means it won't make it into +the next unstable release (lenny), but hopefully will be in the stable +release after that (squeeze). + +Congratulations to all the work by all the [monkeysphere +developers](/community), and to Micah Anderson for being our Debian +sponsor. + +Please feel free to start submitting bug reports to the [Debian +BTS](http://bugs.debian.org/monkeysphere). |