- The Monkeysphere uses the OpenPGP web of trust to provide a
- distributed Public Key Infrastructure (PKI) for users and
- administrators of ssh. This talk is about why the Monkeysphere is
- useful, how it works, and how you can use it to ease your workload and
- automatically fully authenticate people and servers.
- The Secure Shell protocol has offered public-key-based mutual
- authentication since its inception, but popular implementations offer
- no formalized public key infrastructure. This means there is no
- straightforward, computable method to signal re-keying events, key
- revocations, or even basic key-to-identity binding (e.g. "host
- foo.example.org has key X"). As a result, dealing with host keys is
- usually a manual process with the possibility of tedium, room for
- error, difficulty of maintenance, or users and administrators simply
- ignoring or skipping baseline cryptographic precautions.
- The OpenPGP specification offers a robust public key infrastructure
- that has traditionally only been used for e-mail and for encrypted
- storage. By its nature, the OpenPGP Web of Trust (WoT) is a
- distributed system, with no intrinsic chokepoints or global
- authorities. And the global key distribution network provides
- commonly-held, public infrastructure for rapid distribution of key
- changes, revocations, and identity binding.
- The Monkeysphere mixes the two to provide new functionality for ssh
- (key revocation, key expiry, re-keying, fewer unintelligible prompts,
- semantic authorization, etc) while taking advantage of existing but
- often-unused functionality in OpenPGP. Additionally, the Monkeysphere
- implementation does not require any patches to OpenSSH on the client
- or server, but takes advantage of existing hooks, which makes it easy
- to adopt.
- Specifically, the Monkeysphere allows users to automatically validate
- ssh host keys through the Web of Trust, and it allows servers to
- identify authorized users through the Web of Trust. Users decide
- which certifications in the Web of Trust they put stock in (so they
- are not spoofed by spurious certifications of host keys). Server
- administrators decide whose certifications the server should put stock
- in (so that the server is not spoofed by spurious certifications of
- user keys).
- This presentation will go over how the Monkeysphere works; how you can
- use it to increase the security of servers you maintain; how you can
- use it to increase the security of accounts you connect to with ssh;
- and we'll discuss future possibilities lurking in the ideas of the
- Monkeysphere.
- Monkeysphere is currently available in the main Debian repository and
- as a port in FreeBSD. A Slackbuild is available for Slackware, and
- Monkeysphere itself should work on any POSIX-ish system with the
- appropriate dependencies available.
- The Monkeysphere project began to coalesce in early 2008, and remains
- an ongoing collaboration of many people, including:
- * Micah Anderson
- * Mike Castleman
- * Daniel Kahn Gillmor
- * Ross Glover
- * Matthew James Goins
- * Greg Lyle
- * Jamie McClelland
- * Jameson Graef Rollins
- The project's main web site is http://web.monkeysphere.info/
|
