.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"

.SH NAME

monkeysphere-host \- Monkeysphere host admin tool.

.SH SYNOPSIS

.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
.br
.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]

.SH DESCRIPTION

\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
for OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and
added to the authorized_keys and known_hosts files used by OpenSSH for
connection authentication.

\fBmonkeysphere-host\fP is a Monkeysphere server admin utility.

.SH SUBCOMMANDS

\fBmonkeysphere-host\fP takes various subcommands:
.TP
.B import-key FILE [NAME[:PORT]]
Import a pem-encoded ssh secret host key from file FILE.  If FILE
is '-', then the key will be imported from stdin.  NAME[:PORT] is used
to specify the hostname (and port) used in the user ID of the new
OpenPGP key.  If NAME is not specified, then the system
fully-qualified domain name will be used (ie. `hostname -f').  If PORT
is not specified, the no port is added to the user ID, which means
port 22 is assumed.  `i' may be used in place of `import-key'.
.TP
.B show-key
Output information about host's OpenPGP and SSH keys.  `s' may be used
in place of `show-key'.
.TP
.B extend-key [EXPIRE]
Extend the validity of the OpenPGP key for the host until EXPIRE from
the present.  If EXPIRE is not specified, then the user will be
prompted for the extension term.  Expiration is specified as with
GnuPG:
.nf
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
.fi
`e' may be used in place of `extend-key'.
.TP
.B add-hostname HOSTNAME
Add a hostname user ID to the server host key.  `n+' may be used in
place of `add-hostname'.
.TP
.B revoke-hostname HOSTNAME
Revoke a hostname user ID from the server host key.  `n-' may be used
in place of `revoke-hostname'.
.TP
.B add-revoker KEYID|FILE
Add a revoker to the host's OpenPGP key.  The key ID will be loaded
from the keyserver.  A file may be loaded instead of pulling the key
from the keyserver by specifying the path to the file as the argument,
or by specifying `-` to load from stdin.  `r+' may be be used in place
of `add-revoker'.
.TP
.B revoke-key
Generate (with the option to publish) a revocation certificate for the
host's OpenPGP key.  If such a certificate is published, your host key
will be permanently revoked.  This subcommand will ask you a series of
questions, and then generate a key revocation certificate, sending it
to stdout.  If you explicitly tell it to publish the revocation
certificate immediately, it will send it to the public keyservers.
USE WITH CAUTION!
.TP
.B publish-key
Publish the host's OpenPGP key to the keyserver.  `p' may be used in
place of `publish-key'.
.TP
.B help
Output a brief usage summary.  `h' or `?' may be used in place of
`help'.
.TP
.B version
show version number


Other commands:
.TP
.B diagnostics
Review the state of the monkeysphere server host key and report on
suggested changes.  Among other checks, this includes making sure
there is a valid host key, that the key is published, that the sshd
configuration points to the right place, etc.  `d' may be used in
place of `diagnostics'.

.SH SETUP HOST AUTHENTICATION

To enable host verification via the monkeysphere, the host's key must
be published to the Web of Trust.  This is not done by default.  To
publish the host key to the keyservers, run the following command:

$ monkeysphere-host publish-key

In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host's key.  This is done using standard OpenPGP
keysigning techniques, usually: pull the key from the keyserver,
verify and sign the key, and then re-publish the signature.  Once an
admin's signature is published, users logging into the host can use it
to validate the host's key.

.SH ENVIRONMENT

The following environment variables will override those specified in
the config file (defaults in parentheses):
.TP
MONKEYSPHERE_LOG_LEVEL
Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
increasing order of verbosity.
.TP
MONKEYSPHERE_KEYSERVER
OpenPGP keyserver to use (pool.sks-keyservers.net).
.TP
MONKEYSPHERE_PROMPT
If set to `false', never prompt the user for confirmation. (true)


.SH FILES

.TP
/etc/monkeysphere/monkeysphere-host.conf
System monkeysphere-host config file.
.TP
/var/lib/monkeysphere/host/ssh_host_rsa_key
Copy of the host's private key in ssh format, suitable for use by
sshd.

.SH AUTHOR

Written by:
Jameson Rollins <jrollins@fifthhorseman.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>

.SH SEE ALSO

.BR monkeysphere (1),
.BR monkeysphere-authentication (8),
.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1)