MONKEYSPHERE-AUTHENTICATION(8)  System Commands MONKEYSPHERE-AUTHENTICATION(8)

NAME

       monkeysphere-authentication - Monkeysphere authentication admin tool.

SYNOPSIS

       monkeysphere-authentication subcommand [args]

DESCRIPTION

       Monkeysphere is a framework to leverage the OpenPGP Web of Trust (WoT)
       for key-based authentication.  OpenPGP keys are tracked via GnuPG, and
       added to the authorized_keys files used by OpenSSH for connection
       authentication.

       monkeysphere-authentication is a Monkeysphere server admin utility for
       configuring and managing SSH user authentication through the WoT.

SUBCOMMANDS

       monkeysphere-authentication takes various subcommands:

       update-users [USER]...
              Rebuild the monkeysphere-controlled authorized_keys files.  For
              each specified account, the user IDs listed in the account's
              authorized_user_ids file are processed.  For each user ID, gpg
              will be queried for keys associated with that user ID,
              optionally querying a keyserver.  If an acceptable key is found
              (see KEY ACCEPTABILITY in monkeysphere(7)), the key is added to
              the account's monkeysphere-controlled authorized_keys file.  If
              the RAW_AUTHORIZED_KEYS variable is set, then a separate
              authorized_keys file (usually ~USER/.ssh/authorized_keys) is
              appended to the monkeysphere-controlled authorized_keys file.
              If no accounts are specified, then all accounts on the system
              are processed.  `u' may be used in place of `update-users'.

       keys-for-user USER
              Output to stdout authorized_keys lines for USER.  This command
              behaves exactly like update-users (above), except that the
              resulting authorized_keys lines are output to stdout, instead of
              being written to the monkeysphere-controlled authorized_keys
              file.

       refresh-keys
              Refresh all keys in the monkeysphere-authentication keyring.  If
              no accounts are specified, then all accounts on the system are
              processed.  `r' may be used in place of `refresh-keys'.

       add-id-certifier KEYID|FILE
              Instruct the system to trust user identity certifications made
              by KEYID.  The key ID will be loaded from the keyserver.  A file
              may be loaded instead of pulling the key from the keyserver by
              specifying the path to the file as the argument, or by
              specifying `-' to load from stdin.  Using the `-n' or `--domain'
              option allows you to indicate that you only trust the given
              KEYID to make identifications within a specific domain (e.g.
              "trust KEYID to certify user identities within the @example.org
              domain").  A certifier trust level can be specified with the
              `-t' or `--trust' option (possible values are `marginal' and
              `full'; the default is `full').  A certifier trust depth can be
              specified with the `-d' or `--depth' option (default is 1).
              `c+' may be used in place of `add-id-certifier'.

       remove-id-certifier KEYID
              Instruct the system to ignore user identity certifications made
              by KEYID.  `c-' may be used in place of `remove-id-certifier'.

       list-id-certifiers
              List key IDs trusted by the system to certify user identities.
              `c' may be used in place of `list-id-certifiers'.

       version
              Show the monkeysphere version number.  `v' may be used in place
              of `version'.

       help   Output a brief usage summary.  `h' or `?' may be used in place
              of `help'.


              Other commands:

       setup  Set up the server in preparation for Monkeysphere user
              authentication.  This command is idempotent and run
              automatically by the other commands, and should therefore not
              usually need to be run manually.  `s' may be used in place of
              `setup'.

       diagnostics
              Review the state of the server with respect to authentication.
              `d' may be used in place of `diagnostics'.

       gpg-cmd
              Execute a gpg command, as the monkeysphere user, on the
              monkeysphere authentication `sphere' keyring.  As of
              monkeysphere 0.36, this takes its arguments separately, not as
              a single string.  Use this command with caution, as modifying
              the authentication sphere keyring can affect ssh user
              authentication.

SETUP USER AUTHENTICATION

       If the server will handle user authentication through
       monkeysphere-generated authorized_keys files, the server must be told
       which keys will act as identity certifiers.  This is done with the
       add-id-certifier command:

       # monkeysphere-authentication add-id-certifier KEYID

       where KEYID is the key ID of the server admin, or whoever's
       certifications should be acceptable to the system for the purposes of
       authenticating remote users.  You can run this command multiple times
       to indicate that multiple certifiers are trusted.  You may also
       specify a filename instead of a key ID, as long as the file contains a
       single OpenPGP public key.  Certifiers can be removed with the
       remove-id-certifier command, and listed with the list-id-certifiers
       command.

       A remote user will be granted access to a local account based on the
       appropriately-signed and valid keys associated with user IDs listed in
       that account's authorized_user_ids file.  By default, the
       authorized_user_ids file for an account is
       ~/.monkeysphere/authorized_user_ids.  This can be changed in the
       monkeysphere-authentication.conf file.

       The update-users command is used to generate authorized_keys files for
       a local account based on the user IDs listed in the account's
       authorized_user_ids file:

       # monkeysphere-authentication update-users USER

       Not specifying USER will cause all accounts on the system to be
       updated.  The ssh server can use these monkeysphere-generated
       authorized_keys files to grant access to user accounts for remote
       users.  In order for sshd to look at the monkeysphere-generated
       authorized_keys file for user authentication, the AuthorizedKeysFile
       parameter must be set in the sshd_config to point to the
       monkeysphere-generated authorized_keys files:

       AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u

       It is recommended to add "monkeysphere-authentication update-users" to
       a system crontab, so that user keys are kept up-to-date, and key
       revocations and expirations can be processed in a timely manner.

ENVIRONMENT

       The following environment variables will override those specified in
       the config file (defaults in parentheses):

       MONKEYSPHERE_MONKEYSPHERE_USER
              User to control authentication keychain. (monkeysphere)

       MONKEYSPHERE_LOG_LEVEL
              Set the log level.  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG,
              in increasing order of verbosity. (INFO)

       MONKEYSPHERE_KEYSERVER
              OpenPGP keyserver to use. (pool.sks-keyservers.net)

       MONKEYSPHERE_CHECK_KEYSERVER
              Whether or not to check the keyserver when making gpg queries.
              (true)

       MONKEYSPHERE_AUTHORIZED_USER_IDS
              Path to user's authorized_user_ids file.  %h gets replaced with
              the user's homedir, %u with the username.
              (%h/.monkeysphere/authorized_user_ids)

       MONKEYSPHERE_RAW_AUTHORIZED_KEYS
              Path to regular ssh-style authorized_keys file to append to
              monkeysphere-generated authorized_keys.  `none' means not to add
              any raw authorized_keys file.  %h gets replaced with the user's
              homedir, %u with the username. (%h/.ssh/authorized_keys)

       MONKEYSPHERE_PROMPT
              If set to `false', never prompt the user for confirmation.
              (true)

       MONKEYSPHERE_STRICT_MODES
              If set to `false', ignore too-loose permissions on known_hosts,
              authorized_keys, and authorized_user_ids files.  NOTE: setting
              this to false may expose users to abuse by other users on the
              system. (true)

FILES

       /etc/monkeysphere/monkeysphere-authentication.conf
              System monkeysphere-authentication config file.

       /etc/monkeysphere/monkeysphere-authentication-x509-anchors.crt or
       /etc/monkeysphere/monkeysphere-x509-anchors.crt
              If monkeysphere-authentication is configured to query an hkps
              keyserver, it will use the PEM-encoded X.509 Certificate
              Authority certificates in this file to validate any X.509
              certificates used by the keyserver.  If the
              monkeysphere-authentication-x509 file is present, the
              monkeysphere-x509 file will be ignored.

       /var/lib/monkeysphere/authorized_keys/USER
              Monkeysphere-controlled user authorized_keys files.

       ~/.monkeysphere/authorized_user_ids
              A list of OpenPGP user IDs, one per line.  OpenPGP keys with an
              exactly-matching User ID (calculated valid by the designated
              identity certifiers) will have any valid authentication-capable
              keys or subkeys added to the given user's authorized_keys file.
              Any line with initial whitespace will be interpreted as ssh
              authorized_keys options applicable to the preceding User ID.
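       The following is an added example and not monkeysphere's own code: a
       POSIX sh pre-flight review that ties the SETUP USER AUTHENTICATION
       procedure to this file format, expanding the %h/%u path template from
       ENVIRONMENT, refusing a group- or world-writable file in the spirit of
       STRICT_MODES, and listing each user ID with the options that will
       attach to its keys.  The function names, the simplified permission
       test (the tool's own check may differ) and the sample file contents
       are constructed for this example.

```shell
#!/bin/sh
# Added example, not monkeysphere's own code: review an account's
# authorized_user_ids file before running update-users on it.
# Expand the %h (home directory) and %u (username) tokens of an
# AUTHORIZED_USER_IDS-style path template (see ENVIRONMENT).
expand_path() {                       # $1 template, $2 username, $3 homedir
    printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%h|$3|g"
}
# Simplified stand-in for the STRICT_MODES check (assumption: the tool's
# own test may differ): reject a group- or world-writable file.
strict_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w*) return 1 ;;   # group (col 6) or other (col 9) write bit
    esac
    return 0
}

# Print one "USERID<TAB>OPTIONS" line per user ID.  A line with leading
# whitespace holds ssh authorized_keys options for the preceding user ID;
# several such lines are joined with commas, as authorized_keys expects.
parse_authorized_user_ids() {
    awk '
        /^[ \t]*$/ { next }                      # blank line: ignore
        /^[ \t]/ {                               # option line
            sub(/^[ \t]+/, "")
            opts = (opts == "") ? $0 : opts "," $0
            next
        }
        {                                        # new user ID: flush the previous one
            if (uid != "") print uid "\t" opts
            uid = $0; opts = ""
        }
        END { if (uid != "") print uid "\t" opts }
    ' "$1"
}

# Constructed sample standing in for ~alice/.monkeysphere/authorized_user_ids.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Alice Example <alice@example.org>
    no-port-forwarding
    from="192.0.2.0/24"
Bob Example <bob@example.org>
EOF
chmod 0600 "$SAMPLE"
echo "would read: $(expand_path '%h/.monkeysphere/authorized_user_ids' alice /home/alice)"
strict_mode_ok "$SAMPLE" && parse_authorized_user_ids "$SAMPLE"
```

       Run it as the account owner or root; a file that fails the permission
       test is reported before any user ID is listed, which is the condition
       update-users refuses under STRICT_MODES.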

AUTHOR

       This man page was written by: Jameson Rollins
       <jrollins@finestructure.net>, Daniel Kahn Gillmor
       <dkg@fifthhorseman.net>, Matthew Goins <mjgoins@openflows.com>

SEE ALSO

       monkeysphere(1), monkeysphere-host(8), monkeysphere(7), gpg(1), ssh(1),
       sshd(8), sshd_config(5)



monkeysphere                    March 13, 2013  MONKEYSPHERE-AUTHENTICATION(8)