--- /dev/null
+It's a good idea to periodically replace old [[PGP]] encryption keys
+to minimize the amount of data exposed by cracking the old key.
+
+ $ gpg --edit-key F15F5BE8
+ ...
+ pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2011-08-08 usage: SC
+ trust: ultimate validity: ultimate
+ sub 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E
+ sub 2048g/4DA3FC0B created: 2009-07-26 expired: 2010-08-08 usage: E
+ sub 1024D/EB357E60 created: 2009-07-26 expired: 2010-08-08 usage: S
+ [ultimate] (1). William Trevor King <wking@drexel.edu>
+ [ultimate] (2) William Trevor King <tvrkng@gmail.com>
+
+The usage characters are:
+
+* e = encrypt/decrypt
+* s = sign
+* c = certify (sign another key)
+* a = authenticate (e.g. log in to SSH with a PGP key)
+
+See `doc/DETAILS` in the GnuPG source directory for details on the
+output format (and the related colon listing format).
+
+Note that my encryption keys have expired. This makes it hard for
+people to send me encrypted mail. Create a new encryption key with
+
+ gpg> addkey
+
+Answering the prompts as you see fit (I usually pick Elgamal for
+encryption). You can also add signing keys with `addkey` (I usually
+pick RSA for signing, since DSA keys are limited to 1024 bits, see
+[ssh-keygen(1)][keygen]).
+
+There doesn't seem to be much to [differentiate Elgamml vs. RSA for
+encryption][diff]. I pick Elgamal for encryption since I've already
+picked RSA for signing, and this spreads my eggs across more baskets.
+
+Several `gpg` operations require a particular subkey to be selected.
+Use `key` to select subkeys by index (marked with a `*`):
+
+ gpg> key 1
+
+ pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2012-05-24 usage: SC
+ trust: ultimate validity: ultimate
+ sub* 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E
+ sub 2048g/4DA3FC0B created: 2009-07-26 expired: 2010-08-08 usage: E
+ sub 1024D/EB357E60 created: 2009-07-26 expired: 2010-08-08 usage: S
+ sub 2048g/3FB721E8 created: 2011-05-25 expires: 2012-05-24 usage: E
+ sub 2048R/9CADC4D9 created: 2011-05-25 expires: 2012-05-24 usage: S
+ [ultimate] (1). William Trevor King <wking@drexel.edu>
+ [ultimate] (2) William Trevor King <tvrkng@gmail.com>
+
+If you get confused, there's also a `help` command.
+
+Save and quit when you're done:
+
+ gpg> save
+
+Once you've got your key all fixed up, upload the new version to your
+chosen keyserver:
+
+ $ gpg --send-keys F15F5BE8
+
+You probably also want to post your new key somewhere on your website:
+
+ $ gpg --export --armor -o ~/.gnupg/pubkey.txt F15F5BE8
+ $ scp ~/.gnupg/pubkey.txt you@somewhere:public_html/pubkey.txt
+
+Checking signatures
+-------------------
+
+Here are some quick notes on checking signatures:
+
+ $ gpg --check-sigs F15F5BE8
+
+will list the status of signatures for which you have the signing key
+in your keyring. However, if you are missing one of the signing keys,
+you may get a message like
+
+ 10 signatures not checked due to missing keys
+
+If you run
+
+ $ gpg --list-sigs F15F5BE8
+
+you'll see all the signatures, and you can use the usual `gpg --recv-key
+KEYID` to check out the ones you don't have.
+
+[keygen]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1
+[diff]: http://www.samsimpson.com/static/pgpfaq#SubRSADH
+
+[[!tag tags/fun]]
+[[!tag tags/linux]]
the WoT, rather than by getting fingerprints directly from the server
admin (or however it is that you currently decide to accept SSH keys.
You don't just accept them without checking, do you? :p). The
-Monkeysphere [README][] has details on common tasks.
+[Monkeysphere docs][docs] have details on common tasks.
-I've added a Monkeysphere ebuild to my [[Gentoo overlay]], as it is
-not currently in the base tree.
+Maintaining a client SSH key
+----------------------------
+
+You can generate a new SSH key attached to your PGP key with
+
+ $ monkeysphere gen-subkey
+
+Which adds a new RSA subkey to your `gpg` keyring. The new key is set
+to never expire, so you may want to set an expiration date by hand
+(See [[GnuPG maintenance]]).
+
+You can export your new public key in the usual OpenSSH format with
+
+ $ monkeysphere keys-for-userid "Jane Doe <jdoe@example.com>"
+ ssh-rsa ...==
+
+You can then use this public key in the usual way (see my [[SSH]]
+post), if you don't want to use Monkeysphere to manage your
+`~/.ssh/authorized-keys` file automatically.
+
+You can add the private part of your RSA key to your `ssh-agent` with
+
+ $ monkeysphere subkey-to-ssh-agent
+
+If you're running an OpenSSH version >=5.7p1 and <5.9, you may be bit
+by [this OpenSSH regression][fifo]. If you are affected by this bug
+but don't want to recompile a patched OpenSSH, you can work around the
+problem with [[these changes|fifo.patch]] to the current Monkeysphere
+source (the patch also removes the passphrase prompt, so you should
+only use the patch if you're using GnuPGv2+, which uses `pinentry` for
+out-of-band passphrase entry).
+
+You can list the current SSH keys in your agent with `ssh-add -l`.
+
+You can get the OpenSSH fingerprint for a key with
+
+ $ monkeysphere sshfprs-for-userid "Jane Doe <jdoe@example.com>"
+ 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef
+
+By default, `monkeysphere` will fetch that key from a keyserver if you
+do not already have it in your keyring (see
+`MONKEYSPHERE_CHECK_KEYSERVER` in `monkeyserver(1)`).
+
+Maintaining a host SSH key
+--------------------------
+
+Import a SSH key with
+
+ $ monkeysphere-host import-key /path/to/secret/key ssh://server.example.net
+ ms: host key imported:
+ pub 2048R/01234567 2011-05-28
+ uid ssh://server.example.net
+ OpenPGP fingerprint: 0123456789ABCDF0123456789ABCDF0123456789
+ ssh fingerprint: 2048 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF (RSA)
+
+Show known keys with
+
+ $ monkeysphere-host show-keys
+
+If you don't want to publish this key on a public keyserver, you can
+export it using the usual
+
+ $ GNUPGHOME=/var/lib/monkeysphere/host/ gpg --no-permission-warning --armor --export 01234567
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ ...
+ -----END PGP PUBLIC KEY BLOCK-----
+
+where `/var/lib/monkeysphere/host/` is the location in which
+`monkeysphere-host` keeps its keyrings and `--no-permission-warning`
+ignores the group read/write/execute permissions I'd set there so I
+could run `monkeysphere-host` as my usual user.
+
+Once you've created the host key, you'll need to sign it. Import the
+key as your usual user and run
+
+ $ gpg --sign-key '=ssh://server.example.net'
+
+You can list current signatures on the key with
+
+ $ gpg --check-sigs '=ssh://server.example.net'
+
+Now post that signed key somewhere (e.g. a keyserver). You should
+also probably import the signature into the `monkeysphere-host`
+keyring:
+
+ $ gpg --armor --export '=ssh://server.example.net' \
+ | GNUPGHOME=/var/lib/monkeysphere/host/ gpg --no-permission-warning --import
+
+Checking a host SSH key
+-----------------------
+
+Once you have a signed host key on your keyring, you can check the
+fingerprints with the same command you use check user fingerprints:
+
+ $ monkeysphere sshfprs-for-userid 'ssh://server.example.net'
+
+You can add `known_hosts` entries for any host in your keyring with
+
+ $ monkeysphere update-known_hosts 'server.example.net'
+
+and update any hosts in your `known_hosts` file that monkeysphere
+already knows about with
+
+ $ MONKEYSPHERE_CHECK_KEYSERVER=false monkeysphere update-known_hosts
+
+Without the `MONKEYSPHERE_CHECK_KEYSERVER=false`, `monkeysphere` will
+search the keyserver for current keys which may be useful when you
+don't yet have a key for that server, or if you're worried the key you
+have may be out of date (expired, revoked, etc.).
+
+Validating HTTPS connections
+----------------------------
+
+The OpenPGP side of this is similar to the SSH protocol, with public
+keys for `https://server.example.net` etc. stored in your keyring. As
+far as I can tell, there is currently no way to print the key
+fingerprint for a given host (analagous to `sshfprs-for-userid`), but
+there's a neat little server `msva-perl` that checks your trust in a
+particular (*context*, *peer*, *PKC type*, *peer type*, *PKC data*)
+tuple (e.g. (`https`, `server.example.net`, `x509pem`, `server`,
+`cert.pem`)), which you can do by hand (via `msva-query-agent`).
+There's also a XUL extension (works in Firefox and related tools) that
+uses the `msva` server to validate HTTPS connections automatically.
+Nice.
+
+Packages
+--------
+
+I've added `app-crypt/monkeysphere`, `app-crypt/msva-perl`, and
+`virtual/monkeysphere-validation-agent` ebuilds to my [[Gentoo
+overlay]], as they are not currently in the base tree.
[Monkeysphere]: http://web.monkeysphere.info/
-[README]: http://web.monkeysphere.info/why/#index2h2
+[docs]: http://web.monkeysphere.info/doc/
+[fifo]: https://bugzilla.mindrot.org/show_bug.cgi?id=1869
--- /dev/null
+diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent
+index 4bd2234..ad4b85b 100644
+--- a/src/share/m/subkey_to_ssh_agent
++++ b/src/share/m/subkey_to_ssh_agent
+@@ -105,14 +105,12 @@ You might want to run 'monkeysphere gen-subkey'."
+ (cd "$workingdir" && ssh-add -d "$kname") || keysuccess="$?"
+ else
+ # we're adding the subkey:
+- mkfifo "$workingdir/$kname"
+- gpg_user --passphrase-fd 3 3<"$workingdir/passphrase" \
++ #mkfifo "$workingdir/$kname"
++ gpg_user \
+ --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
+- --export-secret-subkeys --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
+- (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" </dev/null )&
+-
+- passphrase_prompt "Enter passphrase for key $kname: " "$workingdir/passphrase"
+- wait %2 || keysuccess="$?"
++ --export-secret-subkeys --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
++ cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" </dev/null
++ keysuccess="$?"
+ fi
+
+ rm -f "$workingdir/$kname"