summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: 330b6107a20a28c2b4c2ce355039e62b90fa8a41 (plain) 
    

  1. .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
    2. 

  2. 

  3. .SH NAME
    4. 

  4. 

  5. monkeysphere-host \- Monkeysphere host admin tool.
    6. 

  6. 

  7. .SH SYNOPSIS
    8. 

  8. 

  9. .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
    10. 

  10. .br
    11. 

  11. .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
    12. 

  12. 

  13. .SH DESCRIPTION
    14. 

  14. 

  15. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
    16. 

  16. for OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and
    17. 

  17. added to the authorized_keys and known_hosts files used by OpenSSH for
    18. 

  18. connection authentication.
    19. 

  19. 

  20. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
    21. 

  21. 

  22. .SH SUBCOMMANDS
    23. 

  23. 

  24. \fBmonkeysphere-host\fP takes various subcommands:
    25. 

  25. .TP
    26. 

  26. .B import-key [NAME[:PORT]]
    27. 

  27. Import a pem-encoded ssh secret host key, from stdin.  NAME[:PORT] is
    28. 

  28. used to specify the hostname (and port) used in the user ID of the new
    29. 

  29. OpenPGP key.  If NAME is not specified, then the system
    30. 

  30. fully-qualified domain name will be used (ie. `hostname -f').  If PORT
    31. 

  31. is not specified, the no port is added to the user ID, which means
    32. 

  32. port 22 is assumed.  `i' may be used in place of `import-key'.
    33. 

  33. .TP
    34. 

  34. .B show-key
    35. 

  35. Output information about host's OpenPGP and SSH keys.  `s' may be used
    36. 

  36. in place of `show-key'.
    37. 

  37. .TP
    38. 

  38. .B extend-key EXPIRE
    39. 

  39. Extend the validity of the OpenPGP key for the host until EXPIRE from
    40. 

  40. the present.  If EXPIRE is not specified, then the user will be
    41. 

  41. prompted for the extension term.  Expiration is specified like GnuPG
    42. 

  42. does:
    43. 

  43. .nf
    44. 

  44.          0 = key does not expire
    45. 

  45.       <n>  = key expires in n days
    46. 

  46.       <n>w = key expires in n weeks
    47. 

  47.       <n>m = key expires in n months
    48. 

  48.       <n>y = key expires in n years
    49. 

  49. .fi
    50. 

  50. `e' may be used in place of `extend-key'.
    51. 

  51. .TP
    52. 

  52. .B add-hostname HOSTNAME
    53. 

  53. Add a hostname user ID to the server host key.  `n+' may be used in
    54. 

  54. place of `add-hostname'.
    55. 

  55. .TP
    56. 

  56. .B revoke-hostname HOSTNAME
    57. 

  57. Revoke a hostname user ID from the server host key.  `n-' may be used
    58. 

  58. in place of `revoke-hostname'.
    59. 

  59. .TP
    60. 

  60. .B add-revoker FINGERPRINT
    61. 

  61. Add a revoker to the host's OpenPGP key.  `o' may be be used in place
    62. 

  62. of `add-revoker'.
    63. 

  63. .TP
    64. 

  64. .B revoke-key
    65. 

  65. Revoke the host's OpenPGP key.  `r' may be used in place of
    66. 

  66. `revoke-key'.
    67. 

  67. .TP
    68. 

  68. .B publish-key
    69. 

  69. Publish the host's OpenPGP key to the keyserver.  `p' may be used in
    70. 

  70. place of `publish-key'.
    71. 

  71. .TP
    72. 

  72. .B help
    73. 

  73. Output a brief usage summary.  `h' or `?' may be used in place of
    74. 

  74. `help'.
    75. 

  75. .TP
    76. 

  76. .B version
    77. 

  77. show version number
    78. 

  78. 

  79. 

  80. Other commands:
    81. 

  81. .TP
    82. 

  82. .B diagnostics
    83. 

  83. Review the state of the monkeysphere server host key and report on
    84. 

  84. suggested changes.  Among other checks, this includes making sure
    85. 

  85. there is a valid host key, that the key is published, that the sshd
    86. 

  86. configuration points to the right place, etc.  `d' may be used in
    87. 

  87. place of `diagnostics'.
    88. 

  88. 

  89. .SH SETUP HOST AUTHENTICATION
    90. 

  90. 

  91. To enable host verification via the monkeysphere, the host's key must
    92. 

  92. be published to the Web of Trust.  This is not done by default.  To
    93. 

  93. publish the host key to the keyservers, run the following command:
    94. 

  94. 

  95. $ monkeysphere-host publish-key
    96. 

  96. 

  97. In order for users logging into the system to be able to identify the
    98. 

  98. host via the monkeysphere, at least one person (e.g. a server admin)
    99. 

  99. will need to sign the host's key.  This is done using standard OpenPGP
    100. 

  100. keysigning techniques, usually: pull the key from the keyserver,
    101. 

  101. verify and sign the key, and then re-publish the signature.  Once an
    102. 

  102. admin's signature is published, users logging into the host can use it
    103. 

  103. to validate the host's key.
    104. 

  104. 

  105. .SH ENVIRONMENT
    106. 

  106. 

  107. The following environment variables will override those specified in
    108. 

  108. the config file (defaults in parentheses):
    109. 

  109. .TP
    110. 

  110. MONKEYSPHERE_LOG_LEVEL
    111. 

  111. Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
    112. 

  112. increasing order of verbosity.
    113. 

  113. .TP
    114. 

  114. MONKEYSPHERE_KEYSERVER
    115. 

  115. OpenPGP keyserver to use (pool.sks-keyservers.net).
    116. 

  116. 

  117. .SH FILES
    118. 

  118. 

  119. .TP
    120. 

  120. /etc/monkeysphere/monkeysphere-host.conf
    121. 

  121. System monkeysphere-host config file.
    122. 

  122. .TP
    123. 

  123. /var/lib/monkeysphere/host/ssh_host_rsa_key
    124. 

  124. Copy of the host's private key in ssh format, suitable for use by
    125. 

  125. sshd.
    126. 

  126. 

  127. .SH AUTHOR
    128. 

  128. 

  129. Written by:
    130. 

  130. Jameson Rollins <jrollins@fifthhorseman.net>,
    131. 

  131. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
    132. 

  132. Matthew Goins <mjgoins@openflows.com>
    133. 

  133. 

  134. .SH SEE ALSO
    135. 

  135. 

  136. .BR monkeysphere (1),
    137. 

  137. .BR monkeysphere-authentication (8),
    138. 

  138. .BR monkeysphere (7),
    139. 

  139. .BR gpg (1),
    140. 

  140. .BR ssh (1)
    141.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-23 19:13:02 +0000