diff options
Diffstat (limited to 'man')
| -rw-r--r-- | man/man1/monkeysphere-ssh-proxycommand.1 | 53 | ||||
| -rw-r--r-- | man/man1/monkeysphere.1 | 94 | ||||
| -rw-r--r-- | man/man1/openpgp2ssh.1 | 91 | ||||
| -rw-r--r-- | man/man8/monkeysphere-server.8 | 102 |
4 files changed, 340 insertions, 0 deletions
diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 new file mode 100644 index 0000000..c4196f2 --- /dev/null +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -0,0 +1,53 @@ +.TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands" + +.SH NAME + +monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script + +.SH DESCRIPTION + +\fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used +to trigger a monkeysphere update of the known_hosts file for the hosts +that are being connected to. It is meant to be run as an ssh +ProxyCommand. This can either be done by specifying the proxy command +on the command line: + +.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ... + +or by adding the following line to your ~/.ssh/config script: + +.B ProxyCommand monkeysphere-ssh-proxycommand %h %p + +The script can easily be incorporated into other ProxyCommand scripts +by calling it with the "--no-connect" option, ie: + +.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT" + +This will run everything but will not exec netcat to make the tcp +connection to the host. + +.SH KEYSERVER CHECKING + +The proxy command has a fairly nuanced policy for when keyservers are +queried when processing host. If the host userID is not found in +either the user's keyring or in the known_hosts file, then the +keyserver is queried for the host userID. If the host userID is found +in the user's keyring, then the keyserver is not checked. This is +because... If the host userID is not found in the user's keyring, but +the host is listed in the known_hosts file, then defered check is +scheduled. + +.SH ENVIRONMENT VARIABLES + +.TP +KEYSERVER The keyserver to query. + +.SH AUTHOR + +Written by Jameson Rollins <jrollins@fifthhorseman.net> + +.SH SEE ALSO + +.BR monkeypshere (1), +.BR ssh (1), +.BR gpg (1) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 new file mode 100644 index 0000000..30e35bb --- /dev/null +++ b/man/man1/monkeysphere.1 @@ -0,0 +1,94 @@ +.TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" + +.SH NAME + +monkeysphere \- MonkeySphere client user interface + +.SH SYNOPSIS + +.B monkeysphere \fIcommand\fP [\fIargs\fP] + +.SH DESCRIPTION + +MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh +authentication and encryption. OpenPGP keys are tracked via GnuPG, +and added to the ssh authorized_keys and known_hosts files to be used +for authentication of ssh connections. + +\fBmonkeysphere\fP is the MonkeySphere client utility. + +.SH SUBCOMMANDS + +\fBmonkeysphere\fP takes various subcommands: +.TP +.B update-known_hosts [HOST]... +Update the known_hosts file. For each specified host, gpg will be +queried for a key associated with the host URI (see HOST URIs), +querying a keyserver if specified. If a key is found, it will be +converted to an ssh key, and any matching ssh keys will be removed +from the user's known_hosts file. If the found key is acceptable (see +KEY ACCEPTABILITY), then the key will be updated and re-added to the +known_hosts file. If no gpg key is found for the host, then nothing +is done. If no hosts are specified, all hosts listed in the +known_hosts file will be processed. `k' may be used in place of +`update-known_hosts'. +.TP +.B update-authorized_keys +Update the monkeysphere authorized_keys file. For each user ID in the +user's authorized_user_ids file, gpg will be queried for keys +associated with that user ID, querying a keyserver if specified. If a +key is found, it will be converted to an ssh key, and any matching ssh +keys will be removed from the user's authorized_keys file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the key will be +updated and re-added to the authorized_keys file. If no gpg key is +found for the user ID, then nothing is done. `a' may be used in place +of `update-authorized_keys'. +.TP +.B gen-subkey KEYID +Generate an `a` capable subkey. For the primary key with the +specified key ID, generate a subkey with "authentication" capability +that can be used for MonkeySphere transactions. `g' may be used in +place of `gen-subkey'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. + +.SH HOST URIs + +Host OpenPGP keys have associated user IDs that use the ssh URI +specification for the host, ie. "ssh://host.full.domain". + +.SH KEY ACCEPTABILITY + +GPG keys are considered acceptable if the following criteria are met: +.TP +.B capability +The key must have the "authentication" ("a") usage flag set. +.TP +.B validity +The key must be "fully" valid, and must not be expired or revoked. + +.SH FILES + +.TP +~/.config/monkeysphere/monkeysphere.conf +User monkeysphere config file. +.TP +/etc/monkeysphere/monkeysphere.conf +System-wide monkeysphere config file. +.TP +~/.config/monkeysphere/authorized_user_ids +OpenPGP user IDs associated with keys that will be checked for +addition to the authorized_keys file. + +.SH AUTHOR + +Written by Jameson Rollins <jrollins@fifthhorseman.net> + +.SH SEE ALSO + +.BR monkeysphere-ssh-proxycommand (1), +.BR monkeysphere-server (8), +.BR ssh (1), +.BR gpg (1) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 new file mode 100644 index 0000000..bea1da5 --- /dev/null +++ b/man/man1/openpgp2ssh.1 @@ -0,0 +1,91 @@ +.\" -*- nroff -*- +.Dd $Mdocdate: June 11, 2008 $ +.Dt OPENPGP2SSH 1 +.Os +.Sh NAME +openpgp2ssh +.Nd translate OpenPGP keys to SSH keys +.Sh SYNOPSIS +.Nm openpgp2ssh < mykey.gpg +.Pp +.Nm gpg --export $KEYID | openpgp2ssh $KEYID +.Pp +.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID +.Sh DESCRIPTION +.Nm +takes an OpenPGP-formatted primary key and associated +subkeys on standard input, and spits out the requested equivalent +SSH-style key on standard output. +.Pp +If the data on standard input contains no subkeys, you can invoke +.Nm +without arguments. If the data on standard input contains +multiple keys (e.g. a primary key and associated subkeys), you must +specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or +fingerprint as the first argument to indicate which key to export. +The keyid must be exactly 16 hex characters. +.Pp +If the input contains an OpenPGP RSA or DSA public key, it will be +converted to the OpenSSH-style single-line keystring, prefixed with +the key type. This format is suitable (with minor alterations) for +insertion into known_hosts files and authorized_keys files. +.Pp +If the input contains an OpenPGP RSA or DSA secret key, it will be +converted to the equivalent PEM-encoded private key. +.Pp +.Nm +is part of the +.Xr monkeysphere 1 +framework for providing a PKI for SSH. +.Sh CAVEATS +The keys produced by this process are stripped of all identifying +information, including certifications, self-signatures, etc. This is +intentional, since ssh attaches no inherent significance to these +features. +.Pp +.Nm +only works with RSA or DSA keys, because those are the +only ones which work with ssh. +.Pp +Assuming a valid key type, though, +.Nm +will produce output for +any requested key. This means, among other things, that it will +happily export revoked keys, unverifiable keys, expired keys, etc. +Make sure you do your own key validation before using this tool! +.Sh EXAMPLES +.Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin +.Pp +This pushes the secret key into the active +.Xr ssh-agent 1 . +Tools such as +.Xr ssh 1 +which know how to talk to the +.Xr ssh-agent 1 +can now rely on the key. +.Sh AUTHOR +.Nm +and this man page were written by Daniel Kahn Gillmor +<dkg@fifthhorseman.net>. +.Sh BUGS +.Nm +Currently only exports into formats used by the OpenSSH. +It should support other key output formats, such as those used by +lsh(1) and putty(1). +.Pp +Secret key output is currently not passphrase-protected. +.Pp +.Nm +currently cannot handle passphrase-protected secret keys on input. +.Pp +It would be nice to be able to use keyids shorter or longer than 16 +hex characters. +.Pp +.Nm +only acts on keys associated with the first primary key +passed in. If you send it more than one primary key, it will silently +ignore later ones. +.Sh SEE ALSO +.Xr monkeysphere 1 , +.Xr ssh 1 , +.Xr monkeysphere-server 8 diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 new file mode 100644 index 0000000..2b5af5e --- /dev/null +++ b/man/man8/monkeysphere-server.8 @@ -0,0 +1,102 @@ +.TH MONKEYSPHERE-SERVER "1" "June 2008" "monkeysphere 0.1" "User Commands" + +.SH NAME + +monkeysphere-server \- monkeysphere server admin user interface + +.SH SYNOPSIS + +.B monkeysphere-server \fIcommand\fP [\fIargs\fP] + +.SH DESCRIPTION + +\fBMonkeySphere\fP is a system to leverage the OpenPGP Web of Trust +for ssh authentication and encryption. OpenPGP keys are tracked via +GnuPG, and added to the ssh authorized_keys and known_hosts files to +be used for authentication of ssh connections. + +\fBmonkeysphere-server\fP is the MonkeySphere server admin utility. + +.SH SUBCOMMANDS + +\fBmonkeysphere-server\fP takes various subcommands: +.TP +.B update-users [USER]... +Update the admin-controlled authorized_keys files for user. For each +user specified, user ID's listed in the user's authorized_user_ids +file are processed, and the user's authorized_keys file in +/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' +for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is +set, then a user-controlled authorized_keys file (usually +~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k' +may be used in place of `update-known_hosts'. +.TP +.B gen-key +Generate a gpg key for the host. `g' may be used in place of +`gen-key'. +.TP +.B show-fingerprint +Show the fingerprint for the host's OpenPGP key. `f' may be used in place of +`show-fingerprint'. +.TP +.B publish-key +Publish the host's gpg key to the keyserver. `p' may be used in place +of `publish-key'. +.TP +.B trust-keys KEYID... +Mark key specified with key IDs with full owner trust. `t' may be used +in place of `trust-keys'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. + +.SH SETUP + +In order to start using the monkeysphere, there are a couple of things +you need to do first. The first is to generate an OpenPGP key for the +server and convert that key to an ssh key that can be used by ssh for +host authentication. To do this, run the "gen-key" subcommand. Once +that is done, publish the key to a keyserver with "publish-key" +subcommand. Finally, you need to modify the sshd_config to tell sshd +where the new server host key: + +HostKey /etc/monkeysphere/ssh_host_rsa_key + +If the server will also handle user authentication through +monkeysphere-generated authorized_keys files, set the following: + +AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u + +Once those changes are made, restart the ssh server. + +.SH FILES + +.TP +/etc/monkeysphere/monkeysphere-server.conf +System monkeysphere-server config file. +.TP +/etc/monkeysphere/monkeysphere.conf +System-wide monkeysphere config file. +.TP +/etc/monkeysphere/gnupg +Monkeysphere GNUPG home directory. +.TP +/etc/monkeysphere/ssh_host_rsa_key +Copy of the host's private key in ssh format, suitable for use by sshd. +.TP +/etc/monkeysphere/authorized_user_ids/USER +Server maintained authorized_user_ids files for users. +.TP +/var/cache/monkeysphere/authorized_keys/USER +User authorized_keys file. + +.SH AUTHOR + +Written by Jameson Rollins <jrollins@fifthhorseman.net> + +.SH SEE ALSO + +.BR monkeysphere (1), +.BR gpg (1), +.BR ssh (1) |