path: root/doc/MonkeySpec
blob: 66f44b05b8b08361392663b3e1e17cd5dbca6d27 (plain)
THE MONKEYSPHERE
================
Monkeysphere is an authentication layer that allows the sysadmin to
perform authorization on OpenPGP user identities instead of on raw
keys. It also allows end users to authenticate/identify the ssh server
they are connecting to by checking the sysadmin's certification.

* GENERAL GOAL - use the OpenPGP web of trust to authenticate people
  for SSH
* SPECIFIC GOAL - allow OpenSSH to tie into the OpenPGP web of trust
  without modifying the OpenPGP spec, gpg or OpenSSH
* DESIGN GOALS - authentication, using the existing generic OpenSSH
  client; the admin can make it the default, although the end user
  should decide whether or not to use monkeysphere
* DESIGN GOAL - use of monkeysphere should not radically change the
  connecting-to-server experience

The host identity piece of monkeysphere could be used without buying
into the user authentication component.

USE CASE
========
Dramatis Personae: http://en.wikipedia.org/wiki/Alice_and_Bob
Backstory: http://www.conceptlabs.co.uk/alicebob.html

Bob wants to sign on to the computer "mangabey.example.org" via the
monkeysphere framework. He doesn't yet have access to the machine,
but he knows Alice, who is the admin of mangabey. Alice and Bob,
being the conscientious netizens that they are, have already published
their personal gpg keys to the web of trust, and being good friends,
have both signed each other's keys and marked each other's keys with
"full" ownertrust.

When Alice set up mangabey initially, she published an OpenPGP key for
the machine with the special userid of "ssh://mangabey.example.org".
She also signed mangabey's OpenPGP key and published this
certification to commonly-used keyservers. Alice also configured
mangabey to treat her own key with full ownertrust, so that it knows
how to identify connecting users.

Now, Alice creates a user account "bob" on mangabey, and puts Bob's
userid ("Bob <bob@example.org>") in the authorized_user_ids file for
user bob on mangabey. The monkeysphere automatically (via cron or
inotify hook) takes each userid in bob's authorized_user_ids file, and
looks on a keyserver to find all public keys associated with that user
ID, with the goal of populating the authorized_keys file for
bob@mangabey.

In particular: for each key found, the server evaluates the calculated
validity of the specified user ID based on the ownertrust rules it has
configured ("trust alice's certifications fully", in this example).
For each key for which the user ID in question is fully-valid, it
extracts all DSA- or RSA-based primary or secondary keys (subkeys)
marked with the authentication usage flag, and converts these OpenPGP
public keys into ssh public keys. These keys are automatically placed
into the authorized_keys file for bob.

Bob now attempts to connect, by firing up a terminal and invoking:
"ssh bob@mangabey.example.org". Bob's monkeysphere-enabled ssh client
notices that mangabey.example.org isn't already available in bob's
known_hosts file, and fetches the host key for mangabey from the
public keyservers, with the goal of populating Bob's local known_hosts
file.

In particular: the monkeysphere queries its configured keyservers to
find all public keys with User ID ssh://mangabey.example.org. For
each public key found, it checks the relevant User ID's validity,
converts any authentication-capable OpenPGP public keys into ssh
public keys if the User ID validity is acceptable, and finally inserts
those keys into Bob's known_hosts file.

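The step both sides of the use case share, once gpg has decided the User
ID is valid, is "find the authentication-capable RSA/DSA (sub)keys and
turn them into ssh public keys". The following is an added example of
that step in Python, written for this page; it is not monkeysphere's own
code. It walks an OpenPGP public key block packet by packet (RFC 4880
old- and new-format headers), reads the key-flags subpacket of the
signature that follows each key or subkey, and emits an OpenSSH key line
for those flagged for authentication. It deliberately does NOT compute
User ID validity or verify signatures: that is gpg's job via ownertrust
and the web of trust, and the example assumes that check has already
passed. The key block at the bottom is constructed for the example with
toy numbers (not real keys) and signature packets that carry key flags
but are not cryptographically valid.

```python
import base64
import struct

TAG_SIG, TAG_PUBKEY, TAG_USERID, TAG_SUBKEY = 2, 6, 13, 14  # RFC 4880 sec. 4.3
RSA_ALGS, DSA_ALG = {1, 2, 3}, 17                           # RFC 4880 sec. 9.1
SUBPKT_KEY_FLAGS, KEYFLAG_AUTH = 27, 0x20                   # RFC 4880 sec. 5.2.3.21

def read_mpi(buf, pos):  # OpenPGP MPI: 2-byte bit count, then big-endian magnitude
    end = pos + 2 + (struct.unpack(">H", buf[pos:pos + 2])[0] + 7) // 8
    return int.from_bytes(buf[pos + 2:end], "big"), end

def read_len(buf, pos):  # new-format packet / subpacket length; no partial bodies
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):  # yield (tag, body) per packet, old- or new-format header
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                  # new-format header
            tag = ctb & 0x3F
            length, pos = read_len(data, pos + 1)
        else:                                           # old-format header
            tag = (ctb >> 2) & 0x0F
            n = {0: 1, 1: 2, 2: 4}[ctb & 0x03]          # KeyError: indeterminate length
            length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
            pos += 1 + n
        yield tag, data[pos:pos + length]
        pos += length

def parse_key(body):  # (algorithm, [mpis]) for a v4 RSA/DSA public (sub)key, else None
    alg = body[5]                                       # version(1) ctime(4) alg(1)
    count = 2 if alg in RSA_ALGS else 4 if alg == DSA_ALG else 0
    if body[0] != 4 or not count:
        return None
    mpis, pos = [], 6
    for _ in range(count):
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    return alg, mpis

def key_flags(sig):  # key-flags byte from a v4 signature's hashed subpackets, else 0
    if sig[0] != 4:
        return 0
    pos, end = 6, 6 + struct.unpack(">H", sig[4:6])[0]
    while pos < end:
        length, pos = read_len(sig, pos)                # length counts the type byte
        if sig[pos] & 0x7F == SUBPKT_KEY_FLAGS:
            return sig[pos + 1]
        pos += length
    return 0

def ssh_string(b):
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n):  # RFC 4251 mpint: leading 0x00 when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def to_ssh_line(alg, mpis):  # OpenPGP RSA MPIs are (n, e); ssh-rsa wants (e, n)
    if alg in RSA_ALGS:
        n, e = mpis
        blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
        return "ssh-rsa " + base64.b64encode(blob).decode()
    blob = ssh_string(b"ssh-dss") + b"".join(ssh_mpint(x) for x in mpis)  # p q g y
    return "ssh-dss " + base64.b64encode(blob).decode()

def authentication_keys(keyring):
    """One ssh line per RSA/DSA (sub)key whose self-signature or subkey-binding
    signature carries the authentication flag; sign/encrypt-only keys are skipped."""
    lines, current = [], None
    for tag, body in parse_packets(keyring):
        if tag in (TAG_PUBKEY, TAG_SUBKEY):
            current = parse_key(body)
        elif tag == TAG_SIG and current and key_flags(body) & KEYFLAG_AUTH:
            lines.append(to_ssh_line(*current))
            current = None
    return lines

# Constructed sample key block: toy numbers, not real keys; signatures NOT valid.
def packet(tag, body):  # new-format header with a 1-byte length (bodies < 192)
    return bytes([0xC0 | tag, len(body)]) + body
def mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
def key_packet(tag, alg, mpis):
    return packet(tag, b"\x04\x00\x00\x00\x00" + bytes([alg]) + b"".join(map(mpi, mpis)))
def sig_packet(flags):  # v4 sig: one hashed key-flags subpacket, dummy hash prefix and MPI
    hashed = bytes([2, SUBPKT_KEY_FLAGS, flags])
    return packet(TAG_SIG, b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed))
                  + hashed + b"\x00\x00\x00\x00" + mpi(1))

E, N1, N2 = 65537, 0xC0FFEE0DDBA5EBA11, 0xDEADBEEFCAFEF00D          # toy RSA
P, Q, G, Y = 0xFFFFFFFFFFFFFFC5, 0xFFFFFFFB, 2, 0x1234567890ABCDEF  # toy DSA
SAMPLE_KEYRING = (key_packet(TAG_PUBKEY, 1, [N1, E])
                  + packet(TAG_USERID, b"Bob <bob@example.org>") + sig_packet(0x23)   # cert|sign|auth
                  + key_packet(TAG_SUBKEY, DSA_ALG, [P, Q, G, Y]) + sig_packet(0x02)  # sign only
                  + key_packet(TAG_SUBKEY, 1, [N2, E]) + sig_packet(0x20))            # auth only
```

Running authentication_keys(SAMPLE_KEYRING) yields two "ssh-rsa ..." lines
(the primary key and the auth-only subkey); the sign-only DSA subkey is
dropped, which is exactly the filtering the server applies before writing
bob's authorized_keys. The same lines serve the client side: prefixed with
the host name ("mangabey.example.org ssh-rsa AAAA...") they are valid
known_hosts entries. Note the MPI order swap for RSA (OpenPGP stores n then
e, ssh-rsa wants e then n); getting it backwards produces a line sshd will
parse but never match.
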
On Bob's side, since mangabey's key had "full" validity (it was signed
by Alice, whom he fully trusts), Bob's ssh client deems mangabey
"known" and no further host key checking is required.

On mangabey's side, since Bob's key has "full" validity (it had been
signed by Alice, mangabey's trusted administrator), Bob is
authenticated and therefore authorized to log into his account.