[[meta title="Advanced usage of the Monkeysphere"]]
Advanced usage of the monkeysphere
Keeping your known_hosts file in sync with your keyring
If you want to keep your keyring updated without attempting
connections to a remote host, you want to make sure that OpenSSH can
still see the most recent trusted information about who the various
hosts are. You might also want to check on hosts that were not
originally in the Monkeysphere, to see if their host key is now
published.
You can do this kind of independent update with the
update-known_hosts command:
$ monkeysphere update-known_hosts
This command will check to see if there is an OpenPGP key for each
(non-hashed) host listed in the known_hosts file, and then add the
key for that host to the known_hosts file if one is found. This
command could be added to a crontab, if desired.
Establishing trust
The Monkeysphere is predicated on the idea that users and
administrators know each other (or know people who know each other,
etc). It uses the Web of Trust to explicitly represent those links.
If you haven't used the Web of Trust explicitly, you will need to
establish an acceptable trust path to the admin(s) of the
monkeysphere-enabled servers that you will be connecting to. You need
to do this because the admin is certifying the host, and you need a
mechanism to validate that certification. The only way to do that is
by indicating who you trust to certify hosts. This is a two step
process: first you must sign the key, and then you have to indicate a
trust level. If you do not indicate that you trust the administrator
to certify host keys, then the monkeysphere will show you her
certification on every connection, but will not treat it as an
automatic verification.
The process of signing another key is outside the scope of this
document, however the gnupg
README
details the signing process and you can find good documentation
online detailing this
process.
If you have signed your admins' key, you need to denote some kind of
trust to that key. To do this you should edit the key and use the
'trust' command. For the Monkeysphere to trust the assertions that are
made about a host, you need full calculated validity to the host
certifiers. This can be done either by giving full trust to one
host-certifying key, or by giving marginal trust to three different
host-certifiers. In the following we demonstrate how to add full trust
validity to a host-certifying key:
$ gpg --edit-key 'Jane Admin'
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
trust: unknown validity: full
sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
[ full ] (1). Jane Admin <jane_admin@example.net>
Command> trust
pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
trust: unknown validity: full
sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
[ full ] (1). Jane Admin <jane_admin@example.net>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 4
pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
trust: full validity: full
sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
[ full ] (1). Jane Admin <jane_admin@example.net>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> save
Key not changed so no update needed.
$
Note: Due to a limitation with gnupg, it is not currently possible to
limit the domain scope properly, which means that if you fully trust
an admin, you'll trust all their certifications.
Because the Monkeysphere currently relies on GPG's definition of the
OpenPGP web of trust, it is important to understand how GPG
calculates User ID validity for a key.
Miscellaneous
Users can also maintain their own ~/.ssh/authorized_keys files with
the Monkeysphere directly. This is primarily useful for accounts on
hosts that are not already systematically using the Monkeysphere for
user authentication. If you're not sure whether this is the case for
your host, ask your system administrator.
If you want to do this as a regular user, use the
update-authorized_keys command:
$ monkeysphere update-authorized_keys
This command will take all the user IDs listed in the
~/.monkeysphere/authorized_user_ids file and check to see if
there are acceptable keys for those user IDs available. If so, they
will be added to the ~/.ssh/authorized_keys file.
You must have indicated reasonable ownertrust in some key for this
account, or no keys will be found with trusted certification paths.
If you find this useful, you might want to place this command in your
crontab so that revocations and rekeyings can take place
automatically.
