Diffstat (limited to 'man/man8/monkeysphere-host.8')
-rw-r--r-- | man/man8/monkeysphere-host.8 | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 new file mode 100644 index 0000000..fd676a4 --- /dev/null +++ b/man/man8/monkeysphere-host.8 
@@ -0,0 +1,149 @@ +.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" + +.SH NAME + +monkeysphere-host \- Monkeysphere host admin tool. + +.SH SYNOPSIS + +.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP] +.br +.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP] + +.SH DESCRIPTION + +\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust +for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and +added to the authorized_keys and known_hosts files used by OpenSSH for +connection authentication. + +\fBmonkeysphere-host\fP is a Monkeysphere server admin utility. + +.SH SUBCOMMANDS + +\fBmonkeysphere-host\fP takes various subcommands: +.TP +.B extend-key EXPIRE +Extend the validity of the OpenPGP key for the host until EXPIRE from +the present. If EXPIRE is not specified, then the user will be +prompted for the extension term. Expiration is specified like GnuPG +does: +.nf + 0 = key does not expire + <n> = key expires in n days + <n>w = key expires in n weeks + <n>m = key expires in n months + <n>y = key expires in n years +.fi +`e' may be used in place of `extend-key'. + +.TP +.B add-hostname HOSTNAME +Add a hostname user ID to the server host key. `n+' may be used in +place of `add-hostname'. +.TP +.B revoke-hostname HOSTNAME +Revoke a hostname user ID from the server host key. `n-' may be used +in place of `revoke-hostname'. +.TP +.B add-revoker FINGERPRINT + +.TP +.B show-key +Output gpg information about host's OpenPGP key. `s' may be used in +place of `show-key'. +.TP +.B publish-key +Publish the host's OpenPGP key to the keyserver. `p' may be used in +place of `publish-key'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.TP +.B version +show version number +.SH "EXPERT" SUBCOMMANDS +Some commands are very unlikely to be needed by most administrators. +These commands must follow the word `expert'. 
+.TP +.B gen-key [HOSTNAME] +Generate a OpenPGP key for the host. If HOSTNAME is not specified, +then the system fully-qualified domain name will be user. An +alternate key bit length can be specified with the `-l' or `--length' +option (default 2048). An expiration length can be specified with the +`-e' or `--expire' option (prompt otherwise). The expiration format +is the same as that of \fBextend-key\fP, below. A key revoker +fingerprint can be specified with the `-r' or `--revoker' option. `g' +may be used in place of `gen-key'. + +.TP +.B diagnostics +Review the state of the server with respect to the MonkeySphere in +general and report on suggested changes. Among other checks, this +includes making sure there is a valid host key, that the key is +published, that the sshd configuration points to the right place, and +that there are at least some valid identity certifiers. `d' may be +used in place of `diagnostics'. +.TP +.B import-key +FIXME: + import-key (i) import existing ssh key to gpg + --hostname (-h) NAME[:PORT] hostname for key user ID + --keyfile (-f) FILE key file to import + --expire (-e) EXPIRE date to expire + +.SH SETUP + +In order to start using the monkeysphere, you must first generate an +OpenPGP key for the server and convert that key to an ssh key that can +be used by ssh for host authentication. This can be done with the +\fBgen-key\fP subcommand: + +$ monkeysphere-server gen-key + +To enable host verification via the monkeysphere, you must then +publish the host's key to the Web of Trust using the \fBpublish-key\fP +command to push the key to a keyserver. You must also modify the +sshd_config on the server to tell sshd where the new server host key +is located: + +HostKey /var/lib/monkeysphere/ssh_host_rsa_key + +In order for users logging into the system to be able to identify the +host via the monkeysphere, at least one person (e.g. a server admin) +will need to sign the host's key. 
This is done using standard OpenPGP +keysigning techniques, usually: pul the key from the keyserver, verify +and sign the key, and then re-publish the signature. Once an admin's +signature is published, users logging into the host can use it to +validate the host's key. + +.TP +MONKEYSPHERE_LOG_LEVEL +Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. +.TP +MONKEYSPHERE_KEYSERVER +OpenPGP keyserver to use (subkeys.pgp.net). + +.SH FILES +.TP +/etc/monkeysphere/monkeysphere-host.conf +System monkeysphere-host config file. +.TP +/var/lib/monkeysphere/ssh_host_rsa_key +Copy of the host's private key in ssh format, suitable for use by +sshd. + +.SH AUTHOR + +Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn +Gillmor <dkg@fifthhorseman.net> + +.SH SEE ALSO + +.BR monkeysphere (1), +.BR monkeysphere-authentication (8), +.BR monkeysphere (7), +.BR gpg (1), +.BR ssh (1) |
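Review bot: the SETUP section's worked example (`$ monkeysphere-server gen-key`) contradicts the rest of this page, which documents `monkeysphere-host` and lists `gen-key` only under the EXPERT subcommands, so the example should read `$ monkeysphere-host expert gen-key`; the `.TH MONKEYSPHERE-SERVER` title line has the same mismatch and should name MONKEYSPHERE-HOST. Several entries are also incomplete for a new man page: `add-revoker FINGERPRINT` has no description at all, `import-key` is a `FIXME:` dump of help output rather than prose, and the `gen-key` text says the expiration format is that of `extend-key` "below" when `extend-key` is documented above it. The `MONKEYSPHERE_LOG_LEVEL` and `MONKEYSPHERE_KEYSERVER` `.TP` entries have no `.SH ENVIRONMENT` header, so they render as part of SETUP; add the header before them. Minor wording: "Generate a OpenPGP key" should be "an OpenPGP key", "will be user" should be "will be used", and "pul the key" should be "pull the key". Since FILES describes `/var/lib/monkeysphere/ssh_host_rsa_key` as a copy of the host's private key that sshd reads via `HostKey`, it would help administrators to state there who is expected to own that file and what permissions it should carry.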