summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: c457711e831fc6a562ad626ccd99b36f4b311ea6 (plain) 
    

  1. .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
    2. 

  2. 

  3. .SH NAME
    4. 

  4. 

  5. monkeysphere-host \- Monkeysphere host admin tool.
    6. 

  6. 

  7. .SH SYNOPSIS
    8. 

  8. 

  9. .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
    10. 

  10. 

  11. .SH DESCRIPTION
    12. 

  12. 

  13. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
    14. 

  14. for OpenSSH authentication.  OpenPGP keys are tracked via GnuPG, and
    15. 

  15. added to the authorized_keys and known_hosts files used by OpenSSH for
    16. 

  16. connection authentication.
    17. 

  17. 

  18. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
    19. 

  19. 

  20. .SH SUBCOMMANDS
    21. 

  21. 

  22. \fBmonkeysphere-host\fP takes various subcommands:
    23. 

  23. .TP
    24. 

  24. .B import-key FILE NAME[:PORT]
    25. 

  25. Import a pem-encoded ssh secret host key from file FILE.  If FILE
    26. 

  26. is '-', then the key will be imported from stdin.  NAME[:PORT] is used
    27. 

  27. to specify the fully-qualified hostname (and port) used in the user ID
    28. 

  28. of the new OpenPGP key.  If PORT is not specified, the no port is
    29. 

  29. added to the user ID, which means port 22 is assumed.  `i' may be used
    30. 

  30. in place of `import-key'.
    31. 

  31. .TP
    32. 

  32. .B show-key
    33. 

  33. Output information about host's OpenPGP and SSH keys.  `s' may be used
    34. 

  34. in place of `show-key'.
    35. 

  35. .TP
    36. 

  36. .B extend-key [EXPIRE]
    37. 

  37. Extend the validity of the OpenPGP key for the host until EXPIRE from
    38. 

  38. the present.  If EXPIRE is not specified, then the user will be
    39. 

  39. prompted for the extension term.  Expiration is specified as with
    40. 

  40. GnuPG:
    41. 

  41. .nf
    42. 

  42.          0 = key does not expire
    43. 

  43.       <n>  = key expires in n days
    44. 

  44.       <n>w = key expires in n weeks
    45. 

  45.       <n>m = key expires in n months
    46. 

  46.       <n>y = key expires in n years
    47. 

  47. .fi
    48. 

  48. `e' may be used in place of `extend-key'.
    49. 

  49. .TP
    50. 

  50. .B add-hostname HOSTNAME
    51. 

  51. Add a hostname user ID to the server host key.  `n+' may be used in
    52. 

  52. place of `add-hostname'.
    53. 

  53. .TP
    54. 

  54. .B revoke-hostname HOSTNAME
    55. 

  55. Revoke a hostname user ID from the server host key.  `n-' may be used
    56. 

  56. in place of `revoke-hostname'.
    57. 

  57. .TP
    58. 

  58. .B add-revoker KEYID|FILE
    59. 

  59. Add a revoker to the host's OpenPGP key.  The key ID will be loaded
    60. 

  60. from the keyserver.  A file may be loaded instead of pulling the key
    61. 

  61. from the keyserver by specifying the path to the file as the argument,
    62. 

  62. or by specifying `-` to load from stdin.  `r+' may be be used in place
    63. 

  63. of `add-revoker'.
    64. 

  64. .TP
    65. 

  65. .B revoke-key
    66. 

  66. Generate (with the option to publish) a revocation certificate for the
    67. 

  67. host's OpenPGP key.  If such a certificate is published, your host key
    68. 

  68. will be permanently revoked.  This subcommand will ask you a series of
    69. 

  69. questions, and then generate a key revocation certificate, sending it
    70. 

  70. to stdout.  If you explicitly tell it to publish the revocation
    71. 

  71. certificate immediately, it will send it to the public keyservers.
    72. 

  72. USE WITH CAUTION!
    73. 

  73. .TP
    74. 

  74. .B publish-key
    75. 

  75. Publish the host's OpenPGP key to the keyserver.  `p' may be used in
    76. 

  76. place of `publish-key'.
    77. 

  77. .TP
    78. 

  78. .B help
    79. 

  79. Output a brief usage summary.  `h' or `?' may be used in place of
    80. 

  80. `help'.
    81. 

  81. .TP
    82. 

  82. .B version
    83. 

  83. show version number
    84. 

  84. 

  85. 

  86. Other commands:
    87. 

  87. .TP
    88. 

  88. .B diagnostics
    89. 

  89. Review the state of the monkeysphere server host key and report on
    90. 

  90. suggested changes.  Among other checks, this includes making sure
    91. 

  91. there is a valid host key, that the key is published, that the sshd
    92. 

  92. configuration points to the right place, etc.  `d' may be used in
    93. 

  93. place of `diagnostics'.
    94. 

  94. 

  95. .SH SETUP HOST AUTHENTICATION
    96. 

  96. 

  97. To enable host verification via the monkeysphere, the host's key must
    98. 

  98. be published to the Web of Trust.  This is not done by default.  To
    99. 

  99. publish the host key to the keyservers, run the following command:
    100. 

  100. 

  101. $ monkeysphere-host publish-key
    102. 

  102. 

  103. In order for users logging into the system to be able to identify the
    104. 

  104. host via the monkeysphere, at least one person (e.g. a server admin)
    105. 

  105. will need to sign the host's key.  This is done using standard OpenPGP
    106. 

  106. keysigning techniques, usually: pull the key from the keyserver,
    107. 

  107. verify and sign the key, and then re-publish the signature.  Once an
    108. 

  108. admin's signature is published, users logging into the host can use it
    109. 

  109. to validate the host's key.
    110. 

  110. 

  111. .SH ENVIRONMENT
    112. 

  112. 

  113. The following environment variables will override those specified in
    114. 

  114. the config file (defaults in parentheses):
    115. 

  115. .TP
    116. 

  116. MONKEYSPHERE_LOG_LEVEL
    117. 

  117. Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
    118. 

  118. increasing order of verbosity.
    119. 

  119. .TP
    120. 

  120. MONKEYSPHERE_KEYSERVER
    121. 

  121. OpenPGP keyserver to use (pool.sks-keyservers.net).
    122. 

  122. .TP
    123. 

  123. MONKEYSPHERE_PROMPT
    124. 

  124. If set to `false', never prompt the user for confirmation. (true)
    125. 

  125. 

  126. 

  127. .SH FILES
    128. 

  128. 

  129. .TP
    130. 

  130. /etc/monkeysphere/monkeysphere-host.conf
    131. 

  131. System monkeysphere-host config file.
    132. 

  132. .TP
    133. 

  133. /var/lib/monkeysphere/host/ssh_host_rsa_key
    134. 

  134. Copy of the host's private key in ssh format, suitable for use by
    135. 

  135. sshd.
    136. 

  136. 

  137. .SH AUTHOR
    138. 

  138. 

  139. Written by:
    140. 

  140. Jameson Rollins <jrollins@fifthhorseman.net>,
    141. 

  141. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
    142. 

  142. Matthew Goins <mjgoins@openflows.com>
    143. 

  143. 

  144. .SH SEE ALSO
    145. 

  145. 

  146. .BR monkeysphere (1),
    147. 

  147. .BR monkeysphere-authentication (8),
    148. 

  148. .BR monkeysphere (7),
    149. 

  149. .BR gpg (1),
    150. 

  150. .BR ssh (1)
    151.
generated by cgit v1.2.3 (git 2.46.0) at 2024-11-05 02:53:45 +0000