summaryrefslogtreecommitdiff
path: root/man/man7/monkeysphere.7
blob: 4d1deca4d7d2c0706cbf87759eb54a319f776379 (plain) 
    

  1. .TH MONKEYSPHERE "7" "March 2010" "monkeysphere" "System Frameworks"
    2. 

  2. 

  3. .SH NAME
    4. 

  4. 

  5. monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust
    6. 

  6. 

  7. .SH DESCRIPTION
    8. 

  8. 

  9. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
    10. 

  10. for OpenSSH and TLS key-based authentication.  OpenPGP keys are
    11. 

  11. tracked via GnuPG, and added to the authorized_keys and known_hosts
    12. 

  12. files used by OpenSSH for connection authentication.  Monkeysphere can
    13. 

  13. also be used by a validation agent to validate TLS connections
    14. 

  14. (e.g. https).
    15. 

  15. 

  16. .SH IDENTITY CERTIFIERS
    17. 

  17. 

  18. Each host that uses the \fBMonkeysphere\fP to authenticate its remote
    19. 

  19. users needs some way to determine that those users are who they claim
    20. 

  20. to be.  SSH permits key-based authentication, but we want instead to
    21. 

  21. bind authenticators to human-comprehensible user identities.  This
    22. 

  22. switch from raw keys to User IDs makes it possible for administrators
    23. 

  23. to see intuitively who has access to an account, and it also enables
    24. 

  24. end users to transition keys (and revoke compromised ones)
    25. 

  25. automatically across all \fBMonkeysphere\fP-enabled hosts.  The User
    26. 

  26. IDs and certifications that the \fBMonkeysphere\fP relies on are found
    27. 

  27. in the OpenPGP Web of Trust.
    28. 

  28. 

  29. However, in order to establish this binding, each host must know whose
    30. 

  30. cerifications to trust.  Someone who a host trusts to certify User
    31. 

  31. Identities is called an Identity Certifier.  A host must have at least
    32. 

  32. one Identity Certifier in order to bind User IDs to keys.  Commonly,
    33. 

  33. every ID Certifier would be trusted by the host to fully identify any
    34. 

  34. User ID, but more nuanced approaches are possible as well.  For
    35. 

  35. example, a given host could specify a dozen ID certifiers, but assign
    36. 

  36. them all "marginal" trust.  Then any given User ID would need to be
    37. 

  37. certified in the OpenPGP Web of Trust by at least three of those
    38. 

  38. certifiers. 
    39. 

  39. 

  40. It is also possible to limit the scope of trust for a given ID
    41. 

  41. Certifier to a particular domain.  That is, a host can be configured
    42. 

  42. to fully (or marginally) trust a particular ID Certifier only when
    43. 

  43. they certify identities within, say, example.org (based on the e-mail
    44. 

  44. address in the User ID).
    45. 

  45. 

  46. .SH KEY ACCEPTABILITY
    47. 

  47. 

  48. The monkeysphere commands work from a set of user IDs to determine
    49. 

  49. acceptable keys for ssh and TLS authentication.  OpenPGP keys are
    50. 

  50. considered acceptable if the following criteria are met:
    51. 

  51. .TP
    52. 

  52. .B capability
    53. 

  53. The key must have the `authentication' (`a') usage flag set.
    54. 

  54. .TP
    55. 

  55. .B validity
    56. 

  56. The key itself must be valid, i.e. it must be well-formed, not
    57. 

  57. expired, and not revoked.
    58. 

  58. .TP
    59. 

  59. .B certification
    60. 

  60. The relevant user ID must be signed by a trusted identity certifier.
    61. 

  61. 

  62. .SH HOST IDENTIFICATION
    63. 

  63. 

  64. The OpenPGP keys for hosts have associated `service names` (OpenPGP
    65. 

  65. user IDs) that are based on URI specifications for the service.  Some
    66. 

  66. examples:
    67. 

  67. .TP
    68. 

  68. .B ssh:
    69. 

  69. ssh://host.example.com[:port]
    70. 

  70. .TP
    71. 

  71. .B https:
    72. 

  72. https://host.example.com[:port]
    73. 

  73. 

  74. .SH AUTHOR
    75. 

  75. 

  76. Written by:
    77. 

  77. Jameson Rollins <jrollins@finestructure.net>,
    78. 

  78. Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    79. 

  79. 

  80. .SH SEE ALSO
    81. 

  81. 

  82. .BR monkeysphere (1),
    83. 

  83. .BR monkeysphere\-host (8),
    84. 

  84. .BR monkeysphere\-authentication (8),
    85. 

  85. .BR openpgp2ssh (1),
    86. 

  86. .BR pem2openpgp (1),
    87. 

  87. .BR gpg (1),
    88. 

  88. .BR http://tools.ietf.org/html/rfc4880,
    89. 

  89. .BR ssh (1),
    90. 

  90. .BR http://tools.ietf.org/wg/secsh/draft\-ietf\-secsh\-scp\-sftp\-ssh\-uri/
    91.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-25 07:11:47 +0000