1MONKEYSPHERE-AUTHENTICATION(8) System Commands MONKEYSPHERE-AUTHENTICATION(8)
2
6 monkeysphere-authentication - Monkeysphere authentication admin tool.
7
10 monkeysphere-authentication subcommand [args]
11
14 Monkeysphere is a framework to leverage the OpenPGP Web of Trust (WoT)
15 for key-based authentication. OpenPGP keys are tracked via GnuPG, and
16 added to the authorized_keys files used by OpenSSH for connection
17 authentication.
18 monkeysphere-authentication is a Monkeysphere server admin utility for
20 configuring and managing SSH user authentication through the WoT.
21
24 monkeysphere-authentication takes various subcommands:
25 update-users [USER]...
27 Rebuild the monkeysphere-controlled authorized_keys files. For
28 each specified account, the user ID's listed in the account's
29 authorized_user_ids file are processed. For each user ID, gpg
30 will be queried for keys associated with that user ID, option‐
31 ally querying a keyserver. If an acceptable key is found (see
32 KEY ACCEPTABILITY in monkeysphere(7)), the key is added to the
33 account's monkeysphere-controlled authorized_keys file. If the
34 RAW_AUTHORIZED_KEYS variable is set, then a separate autho‐
35 rized_keys file (usually ~USER/.ssh/authorized_keys) is appended
36 to the monkeysphere-controlled authorized_keys file. If no
37 accounts are specified, then all accounts on the system are pro‐
38 cessed. `u' may be used in place of `update-users'.
39 keys-for-user USER
41 Output to stdout authorized_keys lines for USER. This command
42 behaves exactly like update-users (above), except that the
43 resulting authorized_keys lines are output to stdout, instead of
44 being written to the monkeysphere-controlled authorized_keys
45 file.
46 refresh-keys
48 Refresh all keys in the monkeysphere-authentication keyring. If
49 no accounts are specified, then all accounts on the system are
50 processed. `r' may be used in place of `refresh-keys'.
51 add-id-certifier KEYID|FILE
53 Instruct system to trust user identity certifications made by
54 KEYID. The key ID will be loaded from the keyserver. A file
55 may be loaded instead of pulling the key from the keyserver by
56 specifying the path to the file as the argument, or by specify‐
57 ing `-' to load from stdin. Using the `-n' or `--domain' option
58 allows you to indicate that you only trust the given KEYID to
59 make identifications within a specific domain (e.g. "trust KEYID
60 to certify user identities within the @example.org domain"). A
61 certifier trust level can be specified with the `-t' or
62 `--trust' option (possible values are `marginal' and `full'
63 (default is `full')). A certifier trust depth can be specified
64 with the `-d' or `--depth' option (default is 1). `c+' may be
65 used in place of `add-id-certifier'.
66 remove-id-certifier KEYID
68 Instruct system to ignore user identity certifications made by
69 KEYID. `c-' may be used in place of `remove-id-certifier'.
70 list-id-certifiers
72 List key IDs trusted by the system to certify user identities.
73 `c' may be used in place of `list-id-certifiers'.
74 version
76 Show the monkeysphere version number. `v' may be used in place
77 of `version'.
78 help Output a brief usage summary. `h' or `?' may be used in place
80 of `help'.
81 Other commands:
84 setup Setup the server in preparation for Monkeysphere user authenti‐
86 cation. This command is idempotent and run automatically by the
87 other commands, and should therefore not usually need to be run
88 manually. `s' may be used in place of `setup'.
89 diagnostics
91 Review the state of the server with respect to authentication.
92 `d' may be used in place of `diagnostics'.
93 gpg-cmd
95 Execute a gpg command, as the monkeysphere user, on the monkey‐
96 sphere authentication `sphere' keyring. This takes a single
97 argument (i.e. multiple gpg arguments need to be quoted all
98 together). Use this command with caution, as modifying the
99 authentication sphere keyring can affect ssh user authentica‐
100 tion.
101
104 If the server will handle user authentication through monkeysphere-gen‐
105 erated authorized_keys files, the server must be told which keys will
106 act as identity certifiers. This is done with the add-id-certifier
107 command:
108 # monkeysphere-authentication add-id-certifier KEYID
110 where KEYID is the key ID of the server admin, or whoever's certifica‐
112 tions should be acceptable to the system for the purposes of authenti‐
113 cating remote users. You can run this command multiple times to indi‐
114 cate that multiple certifiers are trusted. You may also specify a
115 filename instead of a key ID, as long as the file contains a single
116 OpenPGP public key. Certifiers can be removed with the remove-id-cer‐
117 tifier command, and listed with the list-id-certifiers command.
118 A remote user will be granted access to a local account based on the
120 appropriately-signed and valid keys associated with user IDs listed in
121 that account's authorized_user_ids file. By default, the autho‐
122 rized_user_ids file for an account is ~/.monkeysphere/autho‐
123 rized_user_ids. This can be changed in the monkeysphere-authentica‐
124 tion.conf file.
125 The update-users command is used to generate authorized_keys files for
127 a local account based on the user IDs listed in the account's autho‐
128 rized_user_ids file:
129 # monkeysphere-authentication update-users USER
131 Not specifying USER will cause all accounts on the system to updated.
133 The ssh server can use these monkeysphere-generated authorized_keys
134 files to grant access to user accounts for remote users. In order for
135 sshd to look at the monkeysphere-generated authorized_keys file for
136 user authentication, the AuthorizedKeysFile parameter must be set in
137 the sshd_config to point to the monkeysphere-generated authorized_keys
138 files:
139 AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
141 It is recommended to add "monkeysphere-authentication update-users" to
143 a system crontab, so that user keys are kept up-to-date, and key revo‐
144 cations and expirations can be processed in a timely manner.
145
148 The following environment variables will override those specified in
149 the config file (defaults in parentheses):
150 MONKEYSPHERE_MONKEYSPHERE_USER
152 User to control authentication keychain. (monkeysphere)
153 MONKEYSPHERE_LOG_LEVEL
155 Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
156 in increasing order of verbosity. (INFO)
157 MONKEYSPHERE_KEYSERVER
159 OpenPGP keyserver to use. (pool.sks-keyservers.net)
160 MONKEYSPHERE_CHECK_KEYSERVER
162 Whether or not to check the keyserver when making gpg queries.
163 (true)
164 MONKEYSPHERE_AUTHORIZED_USER_IDS
166 Path to user's authorized_user_ids file. %h gets replaced with
167 the user's homedir, %u with the username. (%h/.monkey‐
168 sphere/authorized_user_ids)
169 MONKEYSPHERE_RAW_AUTHORIZED_KEYS
171 Path to regular ssh-style authorized_keys file to append to mon‐
172 keysphere-generated authorized_keys. `none' means not to add
173 any raw authorized_keys file. %h gets replaced with the user's
174 homedir, %u with the username. (%h/.ssh/authorized_keys)
175 MONKEYSPHERE_PROMPT
177 If set to `false', never prompt the user for confirmation.
178 (true)
179 MONKEYSPHERE_STRICT_MODES
181 If set to `false', ignore too-loose permissions on known_hosts,
182 authorized_keys, and authorized_user_ids files. NOTE: setting
183 this to false may expose users to abuse by other users on the
184 system. (true)
185
188 /etc/monkeysphere/monkeysphere-authentication.conf
189 System monkeysphere-authentication config file.
190 /etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt or
192 /etc/monkeysphere/monkeysphere-x509-anchors.crt
193 If monkeysphere-authentication is configured to query an hkps
194 keyserver, it will use X.509 Certificate Authority certificates
195 in this file to validate any X.509 certificates used by the key‐
196 server. If the monkeysphere-authentication-x509 file is
197 present, the monkeysphere-x509 file will be ignored.
198 /var/lib/monkeysphere/authorized_keys/USER
200 Monkeysphere-controlled user authorized_keys files.
201 ~/.monkeysphere/authorized_user_ids
203 A list of OpenPGP user IDs, one per line. OpenPGP keys with an
204 exactly-matching User ID (calculated valid by the designated
205 identity certifiers), will have any valid authorization-capable
206 keys or subkeys added to the given user's authorized_keys file.
207 Any line with initial whitespace will be interpreted as ssh
208 authorized_keys options applicable to the preceding User ID.
209
212 This man page was written by: Jameson Rollins <jrollins@finestruc‐
213 ture.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Matthew Goins
214 <mjgoins@openflows.com>
215
218 monkeysphere(1), monkeysphere-host(8), monkeysphere(7), gpg(1), ssh(1),
219 sshd(8), sshd_config(5)
220monkeysphere July 3, 2010 MONKEYSPHERE-AUTHENTICATION(8)