MONKEYSPHERE-AUTHENTICATION(8)    System Commands    MONKEYSPHERE-AUTHENTICATION(8)

NAME
       monkeysphere-authentication - Monkeysphere authentication admin tool.

SYNOPSIS
       monkeysphere-authentication subcommand [args]

DESCRIPTION
       Monkeysphere is a framework to leverage the OpenPGP Web of Trust (WoT)
       for key-based authentication.  OpenPGP keys are tracked via GnuPG, and
       added to the authorized_keys files used by OpenSSH for connection
       authentication.

       monkeysphere-authentication is a Monkeysphere server admin utility for
       configuring and managing SSH user authentication through the WoT.

SUBCOMMANDS
       monkeysphere-authentication takes various subcommands:

       update-users [USER]...
              Rebuild the monkeysphere-controlled authorized_keys files.  For
              each specified account, the user IDs listed in the account's
              authorized_user_ids file are processed.  For each user ID, gpg
              will be queried for keys associated with that user ID,
              optionally querying a keyserver.  If an acceptable key is found
              (see KEY ACCEPTABILITY in monkeysphere(7)), the key is added to
              the account's monkeysphere-controlled authorized_keys file.  If
              the RAW_AUTHORIZED_KEYS variable is set, then a separate
              authorized_keys file (usually ~USER/.ssh/authorized_keys) is
              appended to the monkeysphere-controlled authorized_keys file.
              If no accounts are specified, then all accounts on the system
              are processed.  `u' may be used in place of `update-users'.

       keys-for-user USER
              Output to stdout authorized_keys lines for USER.  This command
              behaves exactly like update-users (above), except that the
              resulting authorized_keys lines are output to stdout, instead
              of being written to the monkeysphere-controlled authorized_keys
              file.

       refresh-keys
              Refresh all keys in the monkeysphere-authentication keyring.
              If no accounts are specified, then all accounts on the system
              are processed.  `r' may be used in place of `refresh-keys'.

       add-id-certifier KEYID|FILE
              Instruct the system to trust user identity certifications made
              by KEYID.  The key ID will be loaded from the keyserver.  A
              file may be loaded instead of pulling the key from the
              keyserver by specifying the path to the file as the argument,
              or by specifying `-' to load from stdin.  Using the `-n' or
              `--domain' option allows you to indicate that you only trust
              the given KEYID to make identifications within a specific
              domain (e.g. "trust KEYID to certify user identities within
              the @example.org domain").  A certifier trust level can be
              specified with the `-t' or `--trust' option (possible values
              are `marginal' and `full'; default is `full').  A certifier
              trust depth can be specified with the `-d' or `--depth' option
              (default is 1).  `c+' may be used in place of
              `add-id-certifier'.

       remove-id-certifier KEYID
              Instruct the system to ignore user identity certifications made
              by KEYID.  `c-' may be used in place of `remove-id-certifier'.

       list-id-certifiers
              List key IDs trusted by the system to certify user identities.
              `c' may be used in place of `list-id-certifiers'.

       version
              Show the monkeysphere version number.  `v' may be used in place
              of `version'.

       help   Output a brief usage summary.  `h' or `?' may be used in place
              of `help'.

       Other commands:

       setup  Set up the server in preparation for Monkeysphere user
              authentication.  This command is idempotent and is run
              automatically by the other commands, and should therefore not
              usually need to be run manually.  `s' may be used in place of
              `setup'.

       diagnostics
              Review the state of the server with respect to authentication.
              `d' may be used in place of `diagnostics'.

       gpg-cmd
              Execute a gpg command, as the monkeysphere user, on the
              monkeysphere authentication `sphere' keyring.  As of
              monkeysphere 0.36, this takes its arguments separately, not as
              a single string.  Use this command with caution, as modifying
              the authentication sphere keyring can affect ssh user
              authentication.

SETUP USER AUTHENTICATION
       If the server will handle user authentication through
       monkeysphere-generated authorized_keys files, the server must be told
       which keys will act as identity certifiers.  This is done with the
       add-id-certifier command:

              # monkeysphere-authentication add-id-certifier KEYID

       where KEYID is the key ID of the server admin, or whoever's
       certifications should be acceptable to the system for the purposes of
       authenticating remote users.  You can run this command multiple times
       to indicate that multiple certifiers are trusted.  You may also
       specify a filename instead of a key ID, as long as the file contains a
       single OpenPGP public key.  Certifiers can be removed with the
       remove-id-certifier command, and listed with the list-id-certifiers
       command.

       A remote user will be granted access to a local account based on the
       appropriately-signed and valid keys associated with user IDs listed in
       that account's authorized_user_ids file.  By default, the
       authorized_user_ids file for an account is
       ~/.monkeysphere/authorized_user_ids.  This can be changed in the
       monkeysphere-authentication.conf file.

       The update-users command is used to generate authorized_keys files for
       a local account based on the user IDs listed in the account's
       authorized_user_ids file:

              # monkeysphere-authentication update-users USER

       Not specifying USER will cause all accounts on the system to be
       updated.  The ssh server can use these monkeysphere-generated
       authorized_keys files to grant access to user accounts for remote
       users.  In order for sshd to look at the monkeysphere-generated
       authorized_keys file for user authentication, the AuthorizedKeysFile
       parameter must be set in the sshd_config to point to the
       monkeysphere-generated authorized_keys files:

              AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u

       It is recommended to add "monkeysphere-authentication update-users" to
       a system crontab, so that user keys are kept up-to-date, and key
       revocations and expirations can be processed in a timely manner.

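       The sshd_config requirement above, as an added example that is not
       part of monkeysphere: a POSIX shell check that reports whether the
       global AuthorizedKeysFile directive of a given sshd_config lists the
       monkeysphere-generated path.  It assumes the default path from this
       page and inspects only directives before the first Match block, since
       sshd honours the first occurrence of a keyword.

```shell
#!/bin/sh
# Added example, not monkeysphere code: does sshd consult the
# monkeysphere-generated authorized_keys files?
# Assumptions: MS_AUTHKEYS is the default path given in this man page, and
# only the global section (before the first Match block) is inspected.
MS_AUTHKEYS='/var/lib/monkeysphere/authorized_keys/%u'

# Print the effective global AuthorizedKeysFile value (sshd uses the first
# occurrence of a keyword), or print nothing if the directive is absent.
global_authorized_keys_file() {
    awk '
        tolower($1) == "match" { exit }          # per-user overrides start here
        tolower($1) == "authorizedkeysfile" {    # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Return 0 if one of the listed files is the monkeysphere path, else 1.
sshd_uses_monkeysphere() {
    for f in $(global_authorized_keys_file "$1"); do
        [ "$f" = "$MS_AUTHKEYS" ] && return 0
    done
    return 1
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    if sshd_uses_monkeysphere "$1"; then
        echo "ok: sshd consults $MS_AUTHKEYS"
    else
        echo "warning: AuthorizedKeysFile does not include $MS_AUTHKEYS" >&2
        exit 1
    fi
fi
```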

ENVIRONMENT
       The following environment variables will override those specified in
       the config file (defaults in parentheses):

       MONKEYSPHERE_MONKEYSPHERE_USER
              User to control authentication keychain.  (monkeysphere)

       MONKEYSPHERE_LOG_LEVEL
              Set the log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
              in increasing order of verbosity.  (INFO)

       MONKEYSPHERE_KEYSERVER
              OpenPGP keyserver to use.  (pool.sks-keyservers.net)

       MONKEYSPHERE_CHECK_KEYSERVER
              Whether or not to check the keyserver when making gpg queries.
              (true)

       MONKEYSPHERE_AUTHORIZED_USER_IDS
              Path to user's authorized_user_ids file.  %h gets replaced with
              the user's homedir, %u with the username.
              (%h/.monkeysphere/authorized_user_ids)

       MONKEYSPHERE_RAW_AUTHORIZED_KEYS
              Path to regular ssh-style authorized_keys file to append to
              monkeysphere-generated authorized_keys.  `none' means not to
              add any raw authorized_keys file.  %h gets replaced with the
              user's homedir, %u with the username.  (%h/.ssh/authorized_keys)

       MONKEYSPHERE_PROMPT
              If set to `false', never prompt the user for confirmation.
              (true)

       MONKEYSPHERE_STRICT_MODES
              If set to `false', ignore too-loose permissions on known_hosts,
              authorized_keys, and authorized_user_ids files.  NOTE: setting
              this to false may expose users to abuse by other users on the
              system.  (true)

FILES
       /etc/monkeysphere/monkeysphere-authentication.conf
              System monkeysphere-authentication config file.

       /etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt or
       /etc/monkeysphere/monkeysphere-x509-anchors.crt
              If monkeysphere-authentication is configured to query an hkps
              keyserver, it will use the PEM-encoded X.509 Certificate
              Authority certificates in this file to validate any X.509
              certificates used by the keyserver.  If the
              monkeysphere-authentication-x509 file is present, the
              monkeysphere-x509 file will be ignored.

       /var/lib/monkeysphere/authorized_keys/USER
              Monkeysphere-controlled user authorized_keys files.

       ~/.monkeysphere/authorized_user_ids
              A list of OpenPGP user IDs, one per line.  OpenPGP keys with an
              exactly-matching User ID (calculated valid by the designated
              identity certifiers) will have any valid authorization-capable
              keys or subkeys added to the given user's authorized_keys file.
              Any line with initial whitespace will be interpreted as ssh
              authorized_keys options applicable to the preceding User ID.

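       The authorized_user_ids format described above, as an added example
       that is not part of monkeysphere: a POSIX shell wrapper around awk
       that turns such a file into one tab-separated record per user ID,
       attaching each indented line to the preceding User ID as its ssh
       authorized_keys options.  It assumes that several option lines for
       one User ID are joined with commas and that an indented line before
       any User ID is an error; neither behaviour is stated on this page.

```shell
#!/bin/sh
# Added example, not monkeysphere code: parse an authorized_user_ids file
# into "USERID<TAB>OPTIONS" records.  Rule from this man page: a line with
# initial whitespace holds ssh authorized_keys options for the preceding
# User ID.  Assumptions (not stated on the page): blank lines are skipped,
# several option lines are joined with commas, and an option line before
# any User ID is an error (non-zero exit status).
parse_authorized_user_ids() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (uid != "") { print uid "\t" opts; uid = ""; opts = "" }
        }
        /^[ \t]*$/ { next }                         # blank line
        /^[ \t]/ {                                  # options for preceding UID
            if (uid == "") {
                print "error: line " NR ": options before any user ID" > "/dev/stderr"
                bad = 1; next
            }
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            opts = (opts == "") ? $0 : opts "," $0  # assumption: comma-joined
            next
        }
        { flush(); uid = $0; sub(/[ \t]+$/, "", uid) }   # a new User ID
        END { flush(); exit bad }
    ' "$1"
}

# Usage: sh parse_uids.sh ~alice/.monkeysphere/authorized_user_ids
[ -n "$1" ] && parse_authorized_user_ids "$1"
```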
AUTHOR
       This man page was written by: Jameson Rollins
       <jrollins@finestructure.net>, Daniel Kahn Gillmor
       <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com>

SEE ALSO
       monkeysphere(1), monkeysphere-host(8), monkeysphere(7), gpg(1), ssh(1),
       sshd(8), sshd_config(5)



monkeysphere                     March 13, 2013    MONKEYSPHERE-AUTHENTICATION(8)