summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: 78b6b4a375afdaf680b5ab8b5e9a745e75c32d38 (plain) 
    

  1. .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
    2. 

  2. 

  3. .SH NAME
    4. 

  4. 

  5. monkeysphere-host \- Monkeysphere host admin tool.
    6. 

  6. 

  7. .SH SYNOPSIS
    8. 

  8. 

  9. .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
    10. 

  10. .br
    11. 

  11. .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
    12. 

  12. 

  13. .SH DESCRIPTION
    14. 

  14. 

  15. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
    16. 

  16. for OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and
    17. 

  17. added to the authorized_keys and known_hosts files used by OpenSSH for
    18. 

  18. connection authentication.
    19. 

  19. 

  20. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
    21. 

  21. 

  22. .SH SUBCOMMANDS
    23. 

  23. 

  24. \fBmonkeysphere-host\fP takes various subcommands:
    25. 

  25. .TP
    26. 

  26. .B show-key
    27. 

  27. Output information about host's OpenPGP and SSH keys.  `s' may be used
    28. 

  28. in place of `show-key'.
    29. 

  29. .TP
    30. 

  30. .B extend-key EXPIRE
    31. 

  31. Extend the validity of the OpenPGP key for the host until EXPIRE from
    32. 

  32. the present.  If EXPIRE is not specified, then the user will be
    33. 

  33. prompted for the extension term.  Expiration is specified like GnuPG
    34. 

  34. does:
    35. 

  35. .nf
    36. 

  36.          0 = key does not expire
    37. 

  37.       <n>  = key expires in n days
    38. 

  38.       <n>w = key expires in n weeks
    39. 

  39.       <n>m = key expires in n months
    40. 

  40.       <n>y = key expires in n years
    41. 

  41. .fi
    42. 

  42. `e' may be used in place of `extend-key'.
    43. 

  43. .TP
    44. 

  44. .B add-hostname HOSTNAME
    45. 

  45. Add a hostname user ID to the server host key.  `n+' may be used in
    46. 

  46. place of `add-hostname'.
    47. 

  47. .TP
    48. 

  48. .B revoke-hostname HOSTNAME
    49. 

  49. Revoke a hostname user ID from the server host key.  `n-' may be used
    50. 

  50. in place of `revoke-hostname'.
    51. 

  51. .TP
    52. 

  52. .B add-revoker FINGERPRINT
    53. 

  53. Add a revoker to the host's OpenPGP key.  `o' may be be used in place
    54. 

  54. of `add-revoker'.
    55. 

  55. .TP
    56. 

  56. .B revoke-key
    57. 

  57. Revoke the host's OpenPGP key.  `r' may be used in place of
    58. 

  58. `revoke-key'.
    59. 

  59. .TP
    60. 

  60. .B publish-key
    61. 

  61. Publish the host's OpenPGP key to the keyserver.  `p' may be used in
    62. 

  62. place of `publish-key'.
    63. 

  63. .TP
    64. 

  64. .B help
    65. 

  65. Output a brief usage summary.  `h' or `?' may be used in place of
    66. 

  66. `help'.
    67. 

  67. .TP
    68. 

  68. .B version
    69. 

  69. show version number
    70. 

  70. 

  71. .SH "EXPERT" SUBCOMMANDS
    72. 

  72. 

  73. Some commands are very unlikely to be needed by most administrators.
    74. 

  74. These commands must prefaced by the word `expert'.
    75. 

  75. .TP
    76. 

  76. .B gen-key [HOSTNAME]
    77. 

  77. Generate a OpenPGP key for the host.  If HOSTNAME is not specified,
    78. 

  78. then the system fully-qualified domain name will be user.  An
    79. 

  79. alternate key bit length can be specified with the `-l' or `--length'
    80. 

  80. option (default 2048).  An expiration length can be specified with the
    81. 

  81. `-e' or `--expire' option (prompt otherwise).  The expiration format
    82. 

  82. is the same as that of \fBextend-key\fP, below.  `g' may be used in
    83. 

  83. place of `gen-key'.
    84. 

  84. .TP
    85. 

  85. .B import-key
    86. 

  86. FIXME:
    87. 

  87.   import-key (i)                     import existing ssh key to gpg
    88. 

  88.    --hostname (-h) NAME[:PORT]         hostname for key user ID
    89. 

  89.    --keyfile (-f) FILE                 key file to import
    90. 

  90.    --expire (-e) EXPIRE                date to expire
    91. 

  91. .TP
    92. 

  92. .B diagnostics
    93. 

  93. Review the state of the monkeysphere server host key and report on
    94. 

  94. suggested changes.  Among other checks, this includes making sure
    95. 

  95. there is a valid host key, that the key is published, that the sshd
    96. 

  96. configuration points to the right place, etc.  `d' may be used in
    97. 

  97. place of `diagnostics'.
    98. 

  98. 

  99. .SH SETUP HOST AUTHENTICATION
    100. 

  100. 

  101. To enable host verification via the monkeysphere, the host's key must
    102. 

  102. be published to the Web of Trust.  This is not done by default.  To
    103. 

  103. publish the host key to the keyservers, run the following command:
    104. 

  104. 

  105. $ monkeysphere-host publish-key
    106. 

  106. 

  107. You must also modify the sshd_config on the server to tell sshd where
    108. 

  108. the new server host key is located:
    109. 

  109. 

  110. HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key
    111. 

  111. 

  112. In order for users logging into the system to be able to identify the
    113. 

  113. host via the monkeysphere, at least one person (e.g. a server admin)
    114. 

  114. will need to sign the host's key.  This is done using standard OpenPGP
    115. 

  115. keysigning techniques, usually: pull the key from the keyserver,
    116. 

  116. verify and sign the key, and then re-publish the signature.  Once an
    117. 

  117. admin's signature is published, users logging into the host can use it
    118. 

  118. to validate the host's key.
    119. 

  119. 

  120. .SH ENVIRONMENT
    121. 

  121. 

  122. The following environment variables will override those specified in
    123. 

  123. the config file (defaults in parentheses):
    124. 

  124. .TP
    125. 

  125. MONKEYSPHERE_LOG_LEVEL
    126. 

  126. Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
    127. 

  127. increasing order of verbosity.
    128. 

  128. .TP
    129. 

  129. MONKEYSPHERE_KEYSERVER
    130. 

  130. OpenPGP keyserver to use (pool.sks-keyservers.net).
    131. 

  131. 

  132. .SH FILES
    133. 

  133. 

  134. .TP
    135. 

  135. /etc/monkeysphere/monkeysphere-host.conf
    136. 

  136. System monkeysphere-host config file.
    137. 

  137. .TP
    138. 

  138. /var/lib/monkeysphere/host/ssh_host_rsa_key
    139. 

  139. Copy of the host's private key in ssh format, suitable for use by
    140. 

  140. sshd.
    141. 

  141. 

  142. .SH AUTHOR
    143. 

  143. 

  144. Written by:
    145. 

  145. Jameson Rollins <jrollins@fifthhorseman.net>,
    146. 

  146. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
    147. 

  147. Matthew Goins <mjgoins@openflows.com>
    148. 

  148. 

  149. .SH SEE ALSO
    150. 

  150. 

  151. .BR monkeysphere (1),
    152. 

  152. .BR monkeysphere-authentication (8),
    153. 

  153. .BR monkeysphere (7),
    154. 

  154. .BR gpg (1),
    155. 

  155. .BR ssh (1)
    156.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-24 12:52:39 +0000