summaryrefslogtreecommitdiff
path: root/man/man8/monkeysphere-host.8
blob: 2b7180759c187e744bb6108bbdf2f045080ea85b (plain)
  1. .TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
  2. .SH NAME
  3. monkeysphere-host \- Monkeysphere host admin tool.
  4. .SH SYNOPSIS
  5. .B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
  6. .br
  7. .B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
  8. .SH DESCRIPTION
  9. \fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
  10. for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
  11. added to the authorized_keys and known_hosts files used by OpenSSH for
  12. connection authentication.
  13. \fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
  14. .SH SUBCOMMANDS
  15. \fBmonkeysphere-host\fP takes various subcommands:
  16. .TP
  17. .B import-key FILE [NAME[:PORT]]
  18. Import a pem-encoded ssh secret host key from file FILE. If FILE
  19. is '-', then the key will be imported from stdin. NAME[:PORT] is used
  20. to specify the hostname (and port) used in the user ID of the new
  21. OpenPGP key. If NAME is not specified, then the system
  22. fully-qualified domain name will be used (ie. `hostname -f'). If PORT
  23. is not specified, the no port is added to the user ID, which means
  24. port 22 is assumed. `i' may be used in place of `import-key'.
  25. .TP
  26. .B show-key
  27. Output information about host's OpenPGP and SSH keys. `s' may be used
  28. in place of `show-key'.
  29. .TP
  30. .B extend-key [EXPIRE]
  31. Extend the validity of the OpenPGP key for the host until EXPIRE from
  32. the present. If EXPIRE is not specified, then the user will be
  33. prompted for the extension term. Expiration is specified as with
  34. GnuPG:
  35. .nf
  36. 0 = key does not expire
  37. <n> = key expires in n days
  38. <n>w = key expires in n weeks
  39. <n>m = key expires in n months
  40. <n>y = key expires in n years
  41. .fi
  42. `e' may be used in place of `extend-key'.
  43. .TP
  44. .B add-hostname HOSTNAME
  45. Add a hostname user ID to the server host key. `n+' may be used in
  46. place of `add-hostname'.
  47. .TP
  48. .B revoke-hostname HOSTNAME
  49. Revoke a hostname user ID from the server host key. `n-' may be used
  50. in place of `revoke-hostname'.
  51. .TP
  52. .B add-revoker KEYID|FILE
  53. Add a revoker to the host's OpenPGP key. The key ID will be loaded
  54. from the keyserver. A file may be loaded instead of pulling the key
  55. from the keyserver by specifying the path to the file as the argument,
  56. or by specifying `-` to load from stdin. `o' may be be used in place
  57. of `add-revoker'.
  58. .TP
  59. .B revoke-key
  60. Revoke the host's OpenPGP key. `r' may be used in place of
  61. `revoke-key'.
  62. .TP
  63. .B publish-key
  64. Publish the host's OpenPGP key to the keyserver. `p' may be used in
  65. place of `publish-key'.
  66. .TP
  67. .B help
  68. Output a brief usage summary. `h' or `?' may be used in place of
  69. `help'.
  70. .TP
  71. .B version
  72. show version number
  73. Other commands:
  74. .TP
  75. .B diagnostics
  76. Review the state of the monkeysphere server host key and report on
  77. suggested changes. Among other checks, this includes making sure
  78. there is a valid host key, that the key is published, that the sshd
  79. configuration points to the right place, etc. `d' may be used in
  80. place of `diagnostics'.
  81. .SH SETUP HOST AUTHENTICATION
  82. To enable host verification via the monkeysphere, the host's key must
  83. be published to the Web of Trust. This is not done by default. To
  84. publish the host key to the keyservers, run the following command:
  85. $ monkeysphere-host publish-key
  86. In order for users logging into the system to be able to identify the
  87. host via the monkeysphere, at least one person (e.g. a server admin)
  88. will need to sign the host's key. This is done using standard OpenPGP
  89. keysigning techniques, usually: pull the key from the keyserver,
  90. verify and sign the key, and then re-publish the signature. Once an
  91. admin's signature is published, users logging into the host can use it
  92. to validate the host's key.
  93. .SH ENVIRONMENT
  94. The following environment variables will override those specified in
  95. the config file (defaults in parentheses):
  96. .TP
  97. MONKEYSPHERE_LOG_LEVEL
  98. Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
  99. increasing order of verbosity.
  100. .TP
  101. MONKEYSPHERE_KEYSERVER
  102. OpenPGP keyserver to use (pool.sks-keyservers.net).
  103. .TP
  104. MONKEYSPHERE_PROMPT
  105. If set to `false', never prompt the user for confirmation. (true)
  106. .SH FILES
  107. .TP
  108. /etc/monkeysphere/monkeysphere-host.conf
  109. System monkeysphere-host config file.
  110. .TP
  111. /var/lib/monkeysphere/host/ssh_host_rsa_key
  112. Copy of the host's private key in ssh format, suitable for use by
  113. sshd.
  114. .SH AUTHOR
  115. Written by:
  116. Jameson Rollins <jrollins@fifthhorseman.net>,
  117. Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
  118. Matthew Goins <mjgoins@openflows.com>
  119. .SH SEE ALSO
  120. .BR monkeysphere (1),
  121. .BR monkeysphere-authentication (8),
  122. .BR monkeysphere (7),
  123. .BR gpg (1),
  124. .BR ssh (1)