summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: c457711e831fc6a562ad626ccd99b36f4b311ea6 (plain)
  1. .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
  2. .SH NAME
  3. monkeysphere-host \- Monkeysphere host admin tool.
  4. .SH SYNOPSIS
  5. .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
  6. .SH DESCRIPTION
  7. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
  8. for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
  9. added to the authorized_keys and known_hosts files used by OpenSSH for
  10. connection authentication.
  11. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
  12. .SH SUBCOMMANDS
  13. \fBmonkeysphere-host\fP takes various subcommands:
  14. .TP
  15. .B import-key FILE NAME[:PORT]
  16. Import a pem-encoded ssh secret host key from file FILE. If FILE
  17. is '-', then the key will be imported from stdin. NAME[:PORT] is used
  18. to specify the fully-qualified hostname (and port) used in the user ID
  19. of the new OpenPGP key. If PORT is not specified, the no port is
  20. added to the user ID, which means port 22 is assumed. `i' may be used
  21. in place of `import-key'.
  22. .TP
  23. .B show-key
  24. Output information about host's OpenPGP and SSH keys. `s' may be used
  25. in place of `show-key'.
  26. .TP
  27. .B extend-key [EXPIRE]
  28. Extend the validity of the OpenPGP key for the host until EXPIRE from
  29. the present. If EXPIRE is not specified, then the user will be
  30. prompted for the extension term. Expiration is specified as with
  31. GnuPG:
  32. .nf
  33. 0 = key does not expire
  34. <n> = key expires in n days
  35. <n>w = key expires in n weeks
  36. <n>m = key expires in n months
  37. <n>y = key expires in n years
  38. .fi
  39. `e' may be used in place of `extend-key'.
  40. .TP
  41. .B add-hostname HOSTNAME
  42. Add a hostname user ID to the server host key. `n+' may be used in
  43. place of `add-hostname'.
  44. .TP
  45. .B revoke-hostname HOSTNAME
  46. Revoke a hostname user ID from the server host key. `n-' may be used
  47. in place of `revoke-hostname'.
  48. .TP
  49. .B add-revoker KEYID|FILE
  50. Add a revoker to the host's OpenPGP key. The key ID will be loaded
  51. from the keyserver. A file may be loaded instead of pulling the key
  52. from the keyserver by specifying the path to the file as the argument,
  53. or by specifying `-` to load from stdin. `r+' may be be used in place
  54. of `add-revoker'.
  55. .TP
  56. .B revoke-key
  57. Generate (with the option to publish) a revocation certificate for the
  58. host's OpenPGP key. If such a certificate is published, your host key
  59. will be permanently revoked. This subcommand will ask you a series of
  60. questions, and then generate a key revocation certificate, sending it
  61. to stdout. If you explicitly tell it to publish the revocation
  62. certificate immediately, it will send it to the public keyservers.
  63. USE WITH CAUTION!
  64. .TP
  65. .B publish-key
  66. Publish the host's OpenPGP key to the keyserver. `p' may be used in
  67. place of `publish-key'.
  68. .TP
  69. .B help
  70. Output a brief usage summary. `h' or `?' may be used in place of
  71. `help'.
  72. .TP
  73. .B version
  74. show version number
  75. Other commands:
  76. .TP
  77. .B diagnostics
  78. Review the state of the monkeysphere server host key and report on
  79. suggested changes. Among other checks, this includes making sure
  80. there is a valid host key, that the key is published, that the sshd
  81. configuration points to the right place, etc. `d' may be used in
  82. place of `diagnostics'.
  83. .SH SETUP HOST AUTHENTICATION
  84. To enable host verification via the monkeysphere, the host's key must
  85. be published to the Web of Trust. This is not done by default. To
  86. publish the host key to the keyservers, run the following command:
  87. $ monkeysphere-host publish-key
  88. In order for users logging into the system to be able to identify the
  89. host via the monkeysphere, at least one person (e.g. a server admin)
  90. will need to sign the host's key. This is done using standard OpenPGP
  91. keysigning techniques, usually: pull the key from the keyserver,
  92. verify and sign the key, and then re-publish the signature. Once an
  93. admin's signature is published, users logging into the host can use it
  94. to validate the host's key.
  95. .SH ENVIRONMENT
  96. The following environment variables will override those specified in
  97. the config file (defaults in parentheses):
  98. .TP
  99. MONKEYSPHERE_LOG_LEVEL
  100. Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
  101. increasing order of verbosity.
  102. .TP
  103. MONKEYSPHERE_KEYSERVER
  104. OpenPGP keyserver to use (pool.sks-keyservers.net).
  105. .TP
  106. MONKEYSPHERE_PROMPT
  107. If set to `false', never prompt the user for confirmation. (true)
  108. .SH FILES
  109. .TP
  110. /etc/monkeysphere/monkeysphere-host.conf
  111. System monkeysphere-host config file.
  112. .TP
  113. /var/lib/monkeysphere/host/ssh_host_rsa_key
  114. Copy of the host's private key in ssh format, suitable for use by
  115. sshd.
  116. .SH AUTHOR
  117. Written by:
  118. Jameson Rollins <jrollins@fifthhorseman.net>,
  119. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
  120. Matthew Goins <mjgoins@openflows.com>
  121. .SH SEE ALSO
  122. .BR monkeysphere (1),
  123. .BR monkeysphere-authentication (8),
  124. .BR monkeysphere (7),
  125. .BR gpg (1),
  126. .BR ssh (1)