MONKEYSPHERE-AUTHENTICATION(8)  System Commands MONKEYSPHERE-AUTHENTICATION(8)


NAME

       monkeysphere-authentication - Monkeysphere authentication admin tool.


SYNOPSIS

       monkeysphere-authentication subcommand [args]


DESCRIPTION

       Monkeysphere is a framework to leverage the OpenPGP Web of Trust (WoT)
       for key-based authentication.  OpenPGP keys are tracked via GnuPG, and
       added to the authorized_keys files used by OpenSSH for connection
       authentication.

       monkeysphere-authentication is a Monkeysphere server admin utility for
       configuring and managing SSH user authentication through the WoT.


SUBCOMMANDS

       monkeysphere-authentication takes various subcommands:

       update-users [USER]...
              Rebuild the monkeysphere-controlled authorized_keys files.  For
              each specified account, the user IDs listed in the account's
              authorized_user_ids file are processed.  For each user ID, gpg
              will be queried for keys associated with that user ID,
              optionally querying a keyserver.  If an acceptable key is found
              (see KEY ACCEPTABILITY in monkeysphere(7)), the key is added to
              the account's monkeysphere-controlled authorized_keys file.  If
              the RAW_AUTHORIZED_KEYS variable is set, then a separate
              authorized_keys file (usually ~USER/.ssh/authorized_keys) is
              appended to the monkeysphere-controlled authorized_keys file.
              If no accounts are specified, then all accounts on the system
              are processed.  `u' may be used in place of `update-users'.

       keys-for-user USER
              Output to stdout authorized_keys lines for USER.  This command
              behaves exactly like update-users (above), except that the
              resulting authorized_keys lines are written to stdout instead
              of to the monkeysphere-controlled authorized_keys file.

       refresh-keys
              Refresh all keys in the monkeysphere-authentication keyring by
              re-fetching them from the configured keyserver, so that new
              certifications, revocations and expirations become visible to
              update-users.  This command takes no account arguments.  `r'
              may be used in place of `refresh-keys'.

       add-id-certifier KEYID|FILE
              Instruct the system to trust user identity certifications made
              by KEYID.  The key will be fetched from the keyserver.  A file
              may be loaded instead of pulling the key from the keyserver by
              specifying the path to the file as the argument, or by
              specifying `-' to load from stdin.  Using the `-n' or
              `--domain' option allows you to indicate that you only trust
              the given KEYID to make identifications within a specific
              domain (e.g. "trust KEYID to certify user identities within
              the @example.org domain").  A certifier trust level can be
              specified with the `-t' or `--trust' option; possible values
              are `marginal' and `full' (default `full').  A certifier trust
              depth can be specified with the `-d' or `--depth' option
              (default 1).  `c+' may be used in place of `add-id-certifier'.

       remove-id-certifier KEYID
              Instruct the system to ignore user identity certifications
              made by KEYID.  `c-' may be used in place of
              `remove-id-certifier'.

       list-id-certifiers
              List key IDs trusted by the system to certify user identities.
              `c' may be used in place of `list-id-certifiers'.

       version
              Show the monkeysphere version number.  `v' may be used in place
              of `version'.

       help   Output a brief usage summary.  `h' or `?' may be used in place
              of `help'.

       Other commands:

       setup  Set up the server in preparation for Monkeysphere user
              authentication.  This command is idempotent and is run
              automatically by the other commands, and should therefore not
              usually need to be run manually.  `s' may be used in place of
              `setup'.

       diagnostics
              Review the state of the server with respect to authentication.
              `d' may be used in place of `diagnostics'.

       gpg-cmd
              Execute a gpg command, as the monkeysphere user, on the
              monkeysphere authentication `sphere' keyring.  This takes a
              single argument (i.e. multiple gpg arguments need to be quoted
              all together).  Use this command with caution, as modifying
              the authentication sphere keyring can affect ssh user
              authentication.


SETUP USER AUTHENTICATION

       If the server will handle user authentication through
       monkeysphere-generated authorized_keys files, the server must be told
       which keys will act as identity certifiers.  This is done with the
       add-id-certifier command:

       # monkeysphere-authentication add-id-certifier KEYID

       where KEYID is the key ID of the server admin, or whoever's
       certifications should be acceptable to the system for the purposes of
       authenticating remote users.  You can run this command multiple times
       to indicate that multiple certifiers are trusted.  You may also
       specify a filename instead of a key ID, as long as the file contains
       a single OpenPGP public key.  Certifiers can be removed with the
       remove-id-certifier command, and listed with the list-id-certifiers
       command.

       A remote user will be granted access to a local account based on the
       appropriately-signed and valid keys associated with user IDs listed
       in that account's authorized_user_ids file.  By default, the
       authorized_user_ids file for an account is
       ~/.monkeysphere/authorized_user_ids.  This can be changed in the
       monkeysphere-authentication.conf file.

       The update-users command is used to generate authorized_keys files
       for a local account based on the user IDs listed in the account's
       authorized_user_ids file:

       # monkeysphere-authentication update-users USER

       Not specifying USER will cause all accounts on the system to be
       updated.  To see what would be installed for an account without
       writing anything, use keys-for-user USER, which prints the same
       lines to stdout.  The ssh server can use these monkeysphere-generated
       authorized_keys files to grant access to user accounts for remote
       users.  In order for sshd to look at the monkeysphere-generated
       authorized_keys file for user authentication, the AuthorizedKeysFile
       parameter must be set in the sshd_config to point to the
       monkeysphere-generated authorized_keys files:

       AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u

       Note that with this setting sshd no longer reads ~/.ssh/authorized_keys
       itself; that file is only honoured because update-users appends it
       (the RAW_AUTHORIZED_KEYS default), so it is only as current as the
       last update-users run.

       It is recommended to add "monkeysphere-authentication update-users"
       to a system crontab, so that user keys are kept up-to-date, and key
       revocations and expirations can be processed in a timely manner.  The
       interval between runs bounds how long a revoked or expired key stays
       accepted by sshd.


ENVIRONMENT

       The following environment variables will override those specified in
       the config file (defaults in parentheses):

       MONKEYSPHERE_MONKEYSPHERE_USER
              User to control authentication keychain. (monkeysphere)

       MONKEYSPHERE_LOG_LEVEL
              Set the log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
              in increasing order of verbosity. (INFO)

       MONKEYSPHERE_KEYSERVER
              OpenPGP keyserver to use. (pool.sks-keyservers.net)

       MONKEYSPHERE_CHECK_KEYSERVER
              Whether or not to check the keyserver when making gpg queries.
              (true)

       MONKEYSPHERE_AUTHORIZED_USER_IDS
              Path to user's authorized_user_ids file.  %h gets replaced with
              the user's homedir, %u with the username.
              (%h/.monkeysphere/authorized_user_ids)

       MONKEYSPHERE_RAW_AUTHORIZED_KEYS
              Path to regular ssh-style authorized_keys file to append to
              monkeysphere-generated authorized_keys.  `none' means not to
              add any raw authorized_keys file.  %h gets replaced with the
              user's homedir, %u with the username. (%h/.ssh/authorized_keys)

       MONKEYSPHERE_PROMPT
              If set to `false', never prompt the user for confirmation.
              (true)

       MONKEYSPHERE_STRICT_MODES
              If set to `false', ignore too-loose permissions on known_hosts,
              authorized_keys, and authorized_user_ids files.  NOTE: setting
              this to false may expose users to abuse by other users on the
              system. (true)


FILES

       /etc/monkeysphere/monkeysphere-authentication.conf
              System monkeysphere-authentication config file.

       /etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt or
       /etc/monkeysphere/monkeysphere-x509-anchors.crt
              If monkeysphere-authentication is configured to query an hkps
              keyserver, it will use X.509 Certificate Authority certificates
              in this file to validate any X.509 certificates used by the
              keyserver.  If the monkeysphere-authentication-x509 file is
              present, the monkeysphere-x509 file will be ignored.

       /var/lib/monkeysphere/authorized_keys/USER
              Monkeysphere-controlled user authorized_keys files.

       ~/.monkeysphere/authorized_user_ids
              A list of OpenPGP user IDs, one per line.  OpenPGP keys with an
              exactly-matching User ID (calculated valid by the designated
              identity certifiers) will have any valid authorization-capable
              keys or subkeys added to the given user's authorized_keys file.
              Any line with initial whitespace will be interpreted as ssh
              authorized_keys options applicable to the preceding User ID.


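EXAMPLE

       The following is an added illustration, not monkeysphere's own code.
       It models what update-users assembles for one account: it parses the
       authorized_user_ids format described under FILES (one OpenPGP user ID
       per line, whitespace-led lines holding ssh authorized_keys options for
       the preceding user ID), looks each user ID up, prepends the options to
       each acceptable key, and appends a raw authorized_keys file as the
       RAW_AUTHORIZED_KEYS setting does.  The gpg / Web of Trust query is
       replaced by a constructed table (ACCEPTABLE_KEYS), the sample files and
       key material are made up, and the STRICT_MODES check is modelled on
       sshd's StrictModes rather than copied from monkeysphere; how several
       option lines for one user ID are merged is also an assumption.

```python
"""Model of what `monkeysphere-authentication update-users` assembles for
one account.  Added illustration; not monkeysphere's own code.
"""
import os
import stat

# Constructed stand-in for the gpg query.  monkeysphere asks GnuPG for keys
# bound to the user ID and keeps only those the configured identity
# certifiers make valid (KEY ACCEPTABILITY in monkeysphere(7)).  Here the
# value is the list of ssh-formatted authentication-capable keys that
# survived that check; an empty list means "no acceptable key".
ACCEPTABLE_KEYS = {
    "Alice Example <alice@example.org>": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...ALICE alice-openpgp-auth-subkey",
    ],
    "Bob Example <bob@example.org>": [],   # e.g. certifier signature missing
}

# Constructed sample inputs (made up for this illustration).
SAMPLE_AUTHORIZED_USER_IDS = """\
Alice Example <alice@example.org>
    no-port-forwarding,no-X11-forwarding
Bob Example <bob@example.org>
"""
SAMPLE_RAW_AUTHORIZED_KEYS = """\
# legacy key the user keeps in ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...LEGACY legacy-laptop
"""


def parse_authorized_user_ids(text):
    """Return [(user_id, options), ...]; options is None when absent."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue                            # blank lines carry nothing
        if raw[0] in " \t":
            if not entries:
                raise ValueError("options line precedes any user ID")
            uid, opts = entries[-1]
            # Assumption: several option lines for one user ID are joined
            # with ','; the man page only says they apply to the preceding ID.
            extra = raw.strip()
            entries[-1] = (uid, extra if opts is None else opts + "," + extra)
        else:
            entries.append((raw.strip(), None))
    return entries


def authorized_keys_lines(entries, lookup=ACCEPTABLE_KEYS):
    """Lines update-users would install for the parsed entries.

    Options, when present, are prepended so the line reads
    "options keytype base64 comment", the sshd authorized_keys syntax
    (assumption about where monkeysphere places the options)."""
    lines = []
    for uid, opts in entries:
        for key in lookup.get(uid, []):
            lines.append(f"{opts} {key}" if opts else key)
    return lines


def assemble(authorized_user_ids_text, raw_authorized_keys_text=None):
    """Full file: WoT-derived lines first, then the raw file appended
    (non-blank lines) unless RAW_AUTHORIZED_KEYS is `none' (pass None)."""
    lines = authorized_keys_lines(parse_authorized_user_ids(authorized_user_ids_text))
    if raw_authorized_keys_text is not None:
        lines.extend(l for l in raw_authorized_keys_text.splitlines() if l.strip())
    return lines


def strict_modes_ok(file_mode, dir_mode, owner_uid, caller_uid):
    """Permission rule in the spirit of STRICT_MODES (assumption: modelled
    on sshd's StrictModes, not monkeysphere's exact checks).  A file or
    directory writable by group/other would let another local user add
    user IDs or keys, so reject that, and require the file to be owned by
    the account itself or root."""
    others_write = stat.S_IWGRP | stat.S_IWOTH
    if (file_mode & others_write) or (dir_mode & others_write):
        return False
    return owner_uid in (0, caller_uid)


def strict_modes_ok_path(path):
    """Apply strict_modes_ok to a real file on disk."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return strict_modes_ok(stat.S_IMODE(st.st_mode), stat.S_IMODE(parent.st_mode),
                           st.st_uid, os.getuid())


if __name__ == "__main__":
    for line in assemble(SAMPLE_AUTHORIZED_USER_IDS, SAMPLE_RAW_AUTHORIZED_KEYS):
        print(line)
```

       Run stand-alone it prints the assembled authorized_keys lines for the
       sample account: Alice's key carries the options from the indented
       line, Bob contributes nothing because no acceptable key was found for
       his user ID, and the raw file's lines follow.  Passing None as the
       second argument models RAW_AUTHORIZED_KEYS=none.
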
AUTHOR

       This man page was written by: Jameson Rollins
       <jrollins@finestructure.net>, Daniel Kahn Gillmor
       <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com>


SEE ALSO

       monkeysphere(1), monkeysphere-host(8), monkeysphere(7), gpg(1), ssh(1),
       sshd(8), sshd_config(5)


monkeysphere                     July 3, 2010   MONKEYSPHERE-AUTHENTICATION(8)