summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: 3e01105b660a03fb0e434276b74cd212ad1679d0 (plain)
  1. .TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands"
  2. .SH NAME
  3. monkeysphere\-host - Monkeysphere host admin tool.
  4. .SH SYNOPSIS
  5. .B monkeysphere\-host \fIsubcommand\fP [\fIargs\fP]
  6. .SH DESCRIPTION
  7. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
  8. for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
  9. added to the authorized_keys and known_hosts files used by OpenSSH for
  10. connection authentication.
  11. \fBmonkeysphere\-host\fP is a Monkeysphere server admin utility for
  12. managing the host's OpenPGP host key.
  13. .SH SUBCOMMANDS
  14. \fBmonkeysphere\-host\fP takes various subcommands:
  15. .TP
  16. .B import\-key FILE NAME[:PORT]
  17. Import a pem-encoded ssh secret host key from file FILE. If FILE is
  18. `\-', then the key will be imported from stdin. Only RSA keys are
  19. supported at the moment. NAME[:PORT] is used to specify the
  20. fully-qualified hostname (and port) used in the user ID of the new
  21. OpenPGP key. If PORT is not specified, the no port is added to the
  22. user ID, which means port 22 is assumed. `i' may be used in place of
  23. `import\-key'.
  24. .TP
  25. .B show\-key
  26. Output information about host's OpenPGP and SSH keys. `s' may be used
  27. in place of `show\-key'.
  28. .TP
  29. .B set\-expire [EXPIRE]
  30. Extend the validity of the OpenPGP key for the host until EXPIRE from
  31. the present. If EXPIRE is not specified, then the user will be
  32. prompted for the extension term. Expiration is specified as with
  33. GnuPG (measured from today's date):
  34. .nf
  35. 0 = key does not expire
  36. <n> = key expires in n days
  37. <n>w = key expires in n weeks
  38. <n>m = key expires in n months
  39. <n>y = key expires in n years
  40. .fi
  41. `e' may be used in place of `set\-expire'.
  42. .TP
  43. .B add\-hostname HOSTNAME
  44. Add a hostname user ID to the server host key. `n+' may be used in
  45. place of `add\-hostname'.
  46. .TP
  47. .B revoke\-hostname HOSTNAME
  48. Revoke a hostname user ID from the server host key. `n\-' may be used
  49. in place of `revoke\-hostname'.
  50. .TP
  51. .B add\-revoker KEYID|FILE
  52. Add a revoker to the host's OpenPGP key. The key ID will be loaded
  53. from the keyserver. A file may be loaded instead of pulling the key
  54. from the keyserver by specifying the path to the file as the argument,
  55. or by specifying `\-' to load from stdin. `r+' may be be used in place
  56. of `add-revoker'.
  57. .TP
  58. .B revoke\-key
  59. Generate (with the option to publish) a revocation certificate for the
  60. host's OpenPGP key. If such a certificate is published, your host key
  61. will be permanently revoked. This subcommand will ask you a series of
  62. questions, and then generate a key revocation certificate, sending it
  63. to stdout. If you explicitly tell it to publish the revocation
  64. certificate immediately, it will send it to the public keyservers.
  65. USE WITH CAUTION!
  66. .TP
  67. .B publish\-key
  68. Publish the host's OpenPGP key to the public keyservers. `p' may be
  69. used in place of `publish-key'. Note that there is no way to remove a
  70. key from the public keyservers once it is published!
  71. .TP
  72. .B help
  73. Output a brief usage summary. `h' or `?' may be used in place of
  74. `help'.
  75. .TP
  76. .B version
  77. show version number
  78. Other commands:
  79. .TP
  80. .B diagnostics
  81. Review the state of the monkeysphere server host key and report on
  82. suggested changes. Among other checks, this includes making sure
  83. there is a valid host key, that the key is not expired, that the sshd
  84. configuration points to the right place, etc. `d' may be used in
  85. place of `diagnostics'.
  86. .SH SETUP HOST AUTHENTICATION
  87. To enable host verification via the monkeysphere, an OpenPGP key must
  88. be made out of the host's ssh key, and the key must be published to
  89. the Web of Trust. This is not done by default. The first step is to
  90. import the host's ssh key into a monkeysphere-style OpenPGP key. This
  91. is done with the import\-key command. When importing a key, you must
  92. specify the path to the host's ssh RSA key to import, and a hostname
  93. to use as the key's user ID:
  94. # monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key host.example.org
  95. On most systems, the ssh host RSA key is stored at
  96. /etc/ssh/ssh_host_rsa_key.
  97. Once the host key has been imported, it must be published to the Web
  98. of Trust so that users can retrieve the key when sshing to the host.
  99. The host key is published to the keyserver with the publish\-key
  100. command:
  101. $ monkeysphere\-host publish\-key
  102. In order for users logging into the system to be able to identify the
  103. host via the monkeysphere, at least one person (e.g. a server admin)
  104. will need to sign the host's key. This is done using standard OpenPGP
  105. keysigning techniques, usually: pull the key from the keyserver,
  106. verify and sign the key, and then re-publish the signature. Please
  107. see http://web.monkeysphere.info/signing-host-keys/ for more
  108. information. Once an admin's signature is published, users logging
  109. into the host can use it to validate the host's key without having to
  110. manually check the host key's fingerprint.
  111. .SH ENVIRONMENT
  112. The following environment variables will override those specified in
  113. the config file (defaults in parentheses):
  114. .TP
  115. MONKEYSPHERE_LOG_LEVEL
  116. Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
  117. increasing order of verbosity. (INFO)
  118. .TP
  119. MONKEYSPHERE_KEYSERVER
  120. OpenPGP keyserver to use. (pool.sks\-keyservers.net)
  121. .TP
  122. MONKEYSPHERE_PROMPT
  123. If set to `false', never prompt the user for confirmation. (true)
  124. .SH FILES
  125. .TP
  126. /etc/monkeysphere/monkeysphere\-host.conf
  127. System monkeysphere\-host config file.
  128. .TP
  129. /var/lib/monkeysphere/host/ssh_host_rsa_key.pub.gpg
  130. A world-readable copy of the host's public key in OpenPGP format,
  131. including all relevant self-signatures.
  132. .SH AUTHOR
  133. This man page was written by:
  134. Jameson Rollins <jrollins@fifthhorseman.net>,
  135. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
  136. Matthew Goins <mjgoins@openflows.com>
  137. .SH SEE ALSO
  138. .BR monkeysphere (1),
  139. .BR monkeysphere\-authentication (8),
  140. .BR monkeysphere (7),
  141. .BR gpg (1),
  142. .BR ssh (1),
  143. .BR sshd (8)