
monkeysphere(7) [debian man page]

MONKEYSPHERE(7) 						 System Frameworks						   MONKEYSPHERE(7)

NAME
       monkeysphere - ssh and TLS authentication framework using OpenPGP Web of
       Trust

DESCRIPTION
       Monkeysphere is a framework to leverage the OpenPGP web of trust for
       OpenSSH and TLS key-based authentication. OpenPGP keys are tracked via
       GnuPG, and added to the authorized_keys and known_hosts files used by
       OpenSSH for connection authentication. Monkeysphere can also be used by
       a validation agent to validate TLS connections (e.g. https).

IDENTITY CERTIFIERS
       Each host that uses the Monkeysphere to authenticate its remote users
       needs some way to determine that those users are who they claim to be.
       SSH permits key-based authentication, but we want instead to bind
       authenticators to human-comprehensible user identities. This switch from
       raw keys to User IDs makes it possible for administrators to see
       intuitively who has access to an account, and it also enables end users
       to transition keys (and revoke compromised ones) automatically across
       all Monkeysphere-enabled hosts. The User IDs and certifications that the
       Monkeysphere relies on are found in the OpenPGP Web of Trust.

       However, in order to establish this binding, each host must know whose
       certifications to trust. Someone who a host trusts to certify User
       Identities is called an Identity Certifier. A host must have at least
       one Identity Certifier in order to bind User IDs to keys.

       Commonly, every ID Certifier would be trusted by the host to fully
       identify any User ID, but more nuanced approaches are possible as well.
       For example, a given host could specify a dozen ID certifiers, but
       assign them all "marginal" trust. Then any given User ID would need to
       be certified in the OpenPGP Web of Trust by at least three of those
       certifiers.

       It is also possible to limit the scope of trust for a given ID
       Certifier to a particular domain. That is, a host can be configured to
       fully (or marginally) trust a particular ID Certifier only when they
       certify identities within, say, example.org (based on the e-mail
       address in the User ID).

KEY ACCEPTABILITY
       The monkeysphere commands work from a set of user IDs to determine
       acceptable keys for ssh and TLS authentication. OpenPGP keys are
       considered acceptable if the following criteria are met:

       capability
              The key must have the `authentication' (`a') usage flag set.

       validity
              The key itself must be valid, i.e. it must be well-formed, not
              expired, and not revoked.

       certification
              The relevant user ID must be signed by a trusted identity
              certifier.

HOST IDENTIFICATION
       The OpenPGP keys for hosts have associated `service names' (OpenPGP
       user IDs) that are based on URI specifications for the service. Some
       examples:

              ssh:    ssh://host.example.com[:port]
              https:  https://host.example.com[:port]

AUTHOR
       Written by: Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn
       Gillmor <dkg@fifthhorseman.net>

SEE ALSO
       monkeysphere(1), monkeysphere-host(8), monkeysphere-authentication(8),
       openpgp2ssh(1), pem2openpgp(1), gpg(1),
       http://tools.ietf.org/html/rfc4880, ssh(1),
       http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/

monkeysphere				    March 2010				   MONKEYSPHERE(7)
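The IDENTITY CERTIFIERS, KEY ACCEPTABILITY and HOST IDENTIFICATION sections above describe a policy in prose; the following Python model is an added example, not Monkeysphere's own code, showing how those rules combine: a key is accepted only with the `a` flag, unexpired and unrevoked, and with its User ID certified by one fully trusted certifier or by three marginal ones, where a certifier scoped to a domain only counts for User IDs in that domain. The `service_name` helpers show the `ssh://host[:port]` and `https://host[:port]` User ID form for host keys. All fingerprints, User IDs and dates are constructed; the three-marginal threshold is the figure the page uses as its example.

```python
"""Model of the monkeysphere(7) key-acceptability, identity-certifier and
service-name rules.  Added illustration, not Monkeysphere's own code: the
fingerprints, certifier names, User IDs and dates below are constructed, and
the three-marginal-certifier threshold is the example figure the man page
gives."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Set
from urllib.parse import urlparse

MARGINALS_NEEDED = 3  # "at least three of those certifiers" in the page's example


@dataclass
class Certifier:
    fingerprint: str                # fingerprint of the certifying key (constructed)
    trust: str                      # "full" or "marginal"
    domain: Optional[str] = None    # if set, trusted only for User IDs in this e-mail domain


@dataclass
class Key:
    fingerprint: str
    flags: FrozenSet[str]           # OpenPGP usage flags, e.g. {"a", "s"}
    expires: Optional[datetime]
    revoked: bool
    # User ID -> fingerprints of the keys that have signed (certified) that User ID
    certifications: Dict[str, Set[str]] = field(default_factory=dict)


def user_id_domain(user_id: str) -> Optional[str]:
    """Domain of the e-mail address in a 'Name <user@domain>' User ID, or None."""
    start, end = user_id.find("<"), user_id.rfind(">")
    if start == -1 or end == -1 or "@" not in user_id[start:end]:
        return None
    return user_id[start + 1:end].rpartition("@")[2].lower()


def certifier_applies(cert: Certifier, user_id: str) -> bool:
    """A domain-scoped certifier only counts for User IDs inside that domain."""
    return cert.domain is None or user_id_domain(user_id) == cert.domain.lower()


def user_id_certified(key: Key, user_id: str, certifiers) -> bool:
    """One fully trusted certifier, or MARGINALS_NEEDED marginal ones, binds the User ID."""
    signers = key.certifications.get(user_id, set())
    full = marginal = 0
    for cert in certifiers:
        if cert.fingerprint in signers and certifier_applies(cert, user_id):
            if cert.trust == "full":
                full += 1
            elif cert.trust == "marginal":
                marginal += 1
    return full >= 1 or marginal >= MARGINALS_NEEDED


def key_acceptable(key: Key, user_id: str, certifiers, now: datetime):
    """Apply the three criteria (capability, validity, certification).
    Returns (accepted, list of reasons for rejection)."""
    reasons = []
    if "a" not in key.flags:
        reasons.append("capability: authentication (a) usage flag not set")
    if key.revoked:
        reasons.append("validity: key is revoked")
    if key.expires is not None and key.expires <= now:
        reasons.append("validity: key has expired")
    if not user_id_certified(key, user_id, certifiers):
        reasons.append("certification: User ID not certified by trusted identity certifier(s)")
    return (not reasons, reasons)


def service_name(scheme: str, host: str, port: Optional[int] = None) -> str:
    """Host-key User ID of the form ssh://host[:port] or https://host[:port]."""
    if scheme not in ("ssh", "https"):
        raise ValueError("unsupported service scheme: " + scheme)
    return f"{scheme}://{host}" + (f":{port}" if port is not None else "")


def parse_service_name(name: str):
    """Split a service name back into (scheme, host, port-or-None)."""
    parts = urlparse(name)
    if parts.scheme not in ("ssh", "https") or not parts.hostname:
        raise ValueError("not a monkeysphere service name: " + name)
    return (parts.scheme, parts.hostname, parts.port)


# --- constructed sample data -------------------------------------------------
NOW = datetime(2010, 3, 1, tzinfo=timezone.utc)
CERTIFIERS = [
    Certifier("FULL-CERTIFIER-FPR", "full", domain="example.org"),
    Certifier("MARGINAL-1-FPR", "marginal"),
    Certifier("MARGINAL-2-FPR", "marginal"),
    Certifier("MARGINAL-3-FPR", "marginal"),
]
ALICE = Key("ALICE-FPR", frozenset({"a", "s"}), datetime(2012, 1, 1, tzinfo=timezone.utc), False,
            {"Alice <alice@example.org>": {"FULL-CERTIFIER-FPR"},
             "Alice <alice@example.net>": {"FULL-CERTIFIER-FPR"}})   # outside the certifier's domain
BOB = Key("BOB-FPR", frozenset({"a"}), None, False,
          {"Bob <bob@example.com>": {"MARGINAL-1-FPR", "MARGINAL-2-FPR"}})  # only two marginals
CAROL = Key("CAROL-FPR", frozenset({"s", "e"}), None, True,
            {"Carol <carol@example.org>": {"FULL-CERTIFIER-FPR"}})  # certified, but no 'a' flag and revoked

if __name__ == "__main__":
    for key, uid in ((ALICE, "Alice <alice@example.org>"), (ALICE, "Alice <alice@example.net>"),
                     (BOB, "Bob <bob@example.com>"), (CAROL, "Carol <carol@example.org>")):
        print(uid, key_acceptable(key, uid, CERTIFIERS, NOW))
    print(service_name("ssh", "host.example.com", 2222), parse_service_name("https://host.example.com"))
```

Running the block shows Alice accepted only under her example.org User ID, Bob rejected until a third marginal certifier signs him, and Carol rejected for two independent reasons even though her User ID is properly certified; collecting every failing criterion rather than stopping at the first is what makes such a check useful in an audit log.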


ssh-keysign(1M)                                                                                                                    ssh-keysign(1M)

NAME
       ssh-keysign - ssh helper program for host-based authentication

SYNOPSIS
       ssh-keysign

DESCRIPTION
       ssh-keysign is used by ssh(1) to access the local host keys and
       generate the digital signature required during host-based
       authentication with SSH protocol version 2. This signature is of data
       that includes, among other items, the name of the client host and the
       name of the client user.

       ssh-keysign is disabled by default and can be enabled only in the
       global client configuration file /etc/ssh/ssh_config by setting
       HostbasedAuthentication to yes.

       ssh-keysign is not intended to be invoked by the user, but from ssh.
       See ssh(1) and sshd(1M) for more information about host-based
       authentication.

       /etc/ssh/ssh_config
              Controls whether ssh-keysign is enabled.

       /etc/ssh/ssh_host_dsa_key
       /etc/ssh/ssh_host_rsa_key
              These files contain the private parts of the host keys used to
              generate the digital signature. They should be owned by root,
              readable only by root, and not accessible to others. Because
              they are readable only by root, ssh-keysign must be set-uid
              root if host-based authentication is used.

       ssh-keysign will not sign host-based authentication data under the
       following conditions:

       o  If the HostbasedAuthentication client configuration parameter is
          not set to yes in /etc/ssh/ssh_config. This setting cannot be
          overridden in users' ~/.ssh/ssh_config files.

       o  If the client hostname and username in /etc/ssh/ssh_config do not
          match the canonical hostname of the client where ssh-keysign is
          invoked and the name of the user invoking ssh-keysign.

       In spite of ssh-keysign's restrictions on the contents of the
       host-based authentication data, there remains the ability of users to
       use it as an avenue for obtaining the client's private host keys. For
       this reason host-based authentication is turned off by default.
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWsshu                     |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       ssh(1), sshd(1M), ssh_config(4), attributes(5)

AUTHORS
       Markus Friedl, markus@openbsd.org

HISTORY
       ssh-keysign first appeared in Ox 3.2.

                                   9 Jun 2004                      ssh-keysign(1M)
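The two refusal conditions and the file-ownership requirements in the ssh-keysign(1M) DESCRIPTION above can be turned into a small audit check. The Python below is an added example, not OpenSSH or Solaris code: it models when ssh-keysign signs (global HostbasedAuthentication yes, with the user's own ssh_config deliberately ignored, and the client host and user in the data matching the canonical hostname and the invoking user) and checks that the private host keys are root-owned with no group or other bits and that the ssh-keysign binary is set-uid root. The configuration texts, host names, user names and mode values are constructed; as a labelled simplification, Host/Match blocks are not evaluated and the first HostbasedAuthentication value found wins.

```python
"""Model of when ssh-keysign(1M) will sign host-based authentication data,
plus the host-key file and set-uid checks the man page calls for.  Added
illustration, not OpenSSH or Solaris code: config texts, names and stat values
are constructed.  Simplification (assumption): Host/Match blocks in ssh_config
are not evaluated; the first HostbasedAuthentication value found wins."""
import re
import stat
from typing import Tuple


def hostbased_enabled(global_ssh_config: str) -> bool:
    """True only if /etc/ssh/ssh_config sets HostbasedAuthentication yes.
    With the keyword absent, the default is off."""
    for raw in global_ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"(?i)HostbasedAuthentication\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False


def keysign_would_sign(global_ssh_config: str, user_ssh_config: str,
                       request_host: str, request_user: str,
                       canonical_hostname: str, invoking_user: str) -> Tuple[bool, str]:
    """Decide whether ssh-keysign signs.  user_ssh_config is accepted only to
    make the point that it is ignored: ~/.ssh/ssh_config cannot override the
    global setting."""
    del user_ssh_config
    if not hostbased_enabled(global_ssh_config):
        return (False, "HostbasedAuthentication is not 'yes' in /etc/ssh/ssh_config")
    if request_host != canonical_hostname:
        return (False, "client hostname in the data to sign is not this host's canonical name")
    if request_user != invoking_user:
        return (False, "client username in the data to sign is not the invoking user")
    return (True, "signing host-based authentication data")


def host_key_file_ok(owner_uid: int, mode: int) -> bool:
    """Private host keys: owned by root, no group or other permission bits."""
    return owner_uid == 0 and (stat.S_IMODE(mode) & 0o077) == 0


def keysign_binary_ok(owner_uid: int, mode: int) -> bool:
    """ssh-keysign must be set-uid root to read root-only host keys."""
    return owner_uid == 0 and bool(stat.S_IMODE(mode) & stat.S_ISUID)


# --- constructed sample inputs ----------------------------------------------
GLOBAL_CONFIG_ON = "Host *\n    HostbasedAuthentication yes   # enabled by the administrator\n"
GLOBAL_CONFIG_DEFAULT = "# /etc/ssh/ssh_config leaving the keyword at its default\nHost *\n    ForwardX11 no\n"
USER_CONFIG_TRYING = "HostbasedAuthentication yes\n"   # in ~/.ssh/ssh_config; has no effect

if __name__ == "__main__":
    print(keysign_would_sign(GLOBAL_CONFIG_DEFAULT, USER_CONFIG_TRYING,
                             "client.example.com", "alice", "client.example.com", "alice"))
    print(keysign_would_sign(GLOBAL_CONFIG_ON, "",
                             "client.example.com", "alice", "client.example.com", "alice"))
    # st_mode values as os.stat() would report them for a regular file
    print(host_key_file_ok(0, 0o100600), host_key_file_ok(0, 0o100644))
    print(keysign_binary_ok(0, 0o104711))
```

On a real host the uid and mode arguments come from `os.stat()` of `/etc/ssh/ssh_host_*_key` and of the ssh-keysign binary; the model keeps them as plain integers so it runs offline. A host key that fails `host_key_file_ok` is the condition the page warns about, since world-readable keys make ssh-keysign's restrictions moot.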