.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"

.SH NAME

monkeysphere-host \- Monkeysphere host admin tool.

.SH SYNOPSIS

.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
.br
.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]

.SH DESCRIPTION

\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
for OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and
added to the authorized_keys and known_hosts files used by OpenSSH for
connection authentication.

\fBmonkeysphere-host\fP is a Monkeysphere server admin utility.

.SH SUBCOMMANDS

\fBmonkeysphere-host\fP takes various subcommands:
.TP
.B extend-key EXPIRE
Extend the validity of the OpenPGP key for the host until EXPIRE from
the present.  If EXPIRE is not specified, then the user will be
prompted for the extension term.  Expiration is specified like GnuPG
does:
.nf
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
.fi
`e' may be used in place of `extend-key'.

.TP
.B add-hostname HOSTNAME
Add a hostname user ID to the server host key.  `n+' may be used in
place of `add-hostname'.
.TP
.B revoke-hostname HOSTNAME
Revoke a hostname user ID from the server host key.  `n-' may be used
in place of `revoke-hostname'.
.TP
.B add-revoker FINGERPRINT

.TP
.B show-key
Output gpg information about host's OpenPGP key.  `s' may be used in
place of `show-key'.
.TP
.B publish-key
Publish the host's OpenPGP key to the keyserver.  `p' may be used in
place of `publish-key'.
.TP
.B help
Output a brief usage summary.  `h' or `?' may be used in place of
`help'.
.TP
.B version
show version number
.SH "EXPERT" SUBCOMMANDS
Some commands are very unlikely to be needed by most administrators.
These commands must follow the word `expert'.
.TP
.B gen-key [HOSTNAME]
Generate a OpenPGP key for the host.  If HOSTNAME is not specified,
then the system fully-qualified domain name will be user.  An
alternate key bit length can be specified with the `-l' or `--length'
option (default 2048).  An expiration length can be specified with the
`-e' or `--expire' option (prompt otherwise).  The expiration format
is the same as that of \fBextend-key\fP, below.  A key revoker
fingerprint can be specified with the `-r' or `--revoker' option.  `g'
may be used in place of `gen-key'.

.TP
.B diagnostics
Review the state of the server with respect to the MonkeySphere in
general and report on suggested changes.  Among other checks, this
includes making sure there is a valid host key, that the key is
published, that the sshd configuration points to the right place, and
that there are at least some valid identity certifiers.  `d' may be
used in place of `diagnostics'.
.TP
.B import-key
FIXME:
  import-key (i)                     import existing ssh key to gpg
   --hostname (-h) NAME[:PORT]         hostname for key user ID
   --keyfile (-f) FILE                 key file to import
   --expire (-e) EXPIRE                date to expire

.SH SETUP

In order to start using the monkeysphere, you must first generate an
OpenPGP key for the server and convert that key to an ssh key that can
be used by ssh for host authentication.  This can be done with the
\fBgen-key\fP subcommand:

$ monkeysphere-server gen-key

To enable host verification via the monkeysphere, you must then
publish the host's key to the Web of Trust using the \fBpublish-key\fP
command to push the key to a keyserver.  You must also modify the
sshd_config on the server to tell sshd where the new server host key
is located:

HostKey /var/lib/monkeysphere/ssh_host_rsa_key

In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host's key.  This is done using standard OpenPGP
keysigning techniques, usually: pul the key from the keyserver, verify
and sign the key, and then re-publish the signature.  Once an admin's
signature is published, users logging into the host can use it to
validate the host's key.

.TP
MONKEYSPHERE_LOG_LEVEL
Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
increasing order of verbosity.
.TP
MONKEYSPHERE_KEYSERVER
OpenPGP keyserver to use (subkeys.pgp.net).

.SH FILES
.TP
/etc/monkeysphere/monkeysphere-host.conf
System monkeysphere-host config file.
.TP
/var/lib/monkeysphere/ssh_host_rsa_key
Copy of the host's private key in ssh format, suitable for use by
sshd.

.SH AUTHOR

Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
Gillmor <dkg@fifthhorseman.net>

.SH SEE ALSO

.BR monkeysphere (1),
.BR monkeysphere-authentication (8),
.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1)