Add Monkeysphere and GnuPG maintenance posts.

[blog.git] / posts / Monkeysphere.mdwn

[Monkeysphere][] is a project to verify identities of sites using the
[[PGP]] web of trust.  For example, you can verifiy [[SSH]] keys using
the WoT, rather than by getting fingerprints directly from the server
admin (or however it is that you currently decide to accept SSH keys.
You don't just accept them without checking, do you? :p).  The
[Monkeysphere docs][docs] have details on common tasks.

Maintaining a client SSH key
----------------------------

You can generate a new SSH key attached to your PGP key with

    $ monkeysphere gen-subkey

Which adds a new RSA subkey to your `gpg` keyring.  The new key is set
to never expire, so you may want to set an expiration date by hand
(See [[GnuPG maintenance]]).

You can export your new public key in the usual OpenSSH format with

    $ monkeysphere keys-for-userid "Jane Doe <jdoe@example.com>"
    ssh-rsa ...==

You can then use this public key in the usual way (see my [[SSH]]
post), if you don't want to use Monkeysphere to manage your
`~/.ssh/authorized-keys` file automatically.

You can add the private part of your RSA key to your `ssh-agent` with

    $ monkeysphere subkey-to-ssh-agent

If you're running an OpenSSH version >=5.7p1 and <5.9, you may be bit
by [this OpenSSH regression][fifo].  If you are affected by this bug
but don't want to recompile a patched OpenSSH, you can work around the
problem with [[these changes|fifo.patch]] to the current Monkeysphere
source (the patch also removes the passphrase prompt, so you should
only use the patch if you're using GnuPGv2+, which uses `pinentry` for
out-of-band passphrase entry).

You can list the current SSH keys in your agent with `ssh-add -l`.

You can get the OpenSSH fingerprint for a key with

    $ monkeysphere sshfprs-for-userid "Jane Doe <jdoe@example.com>"
    01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef

By default, `monkeysphere` will fetch that key from a keyserver if you
do not already have it in your keyring (see
`MONKEYSPHERE_CHECK_KEYSERVER` in `monkeyserver(1)`).

Maintaining a host SSH key
--------------------------

Import a SSH key with

    $ monkeysphere-host import-key /path/to/secret/key ssh://server.example.net
                ms: host key imported:
    pub   2048R/01234567 2011-05-28
    uid                  ssh://server.example.net
    OpenPGP fingerprint: 0123456789ABCDF0123456789ABCDF0123456789
    ssh fingerprint: 2048 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF (RSA)

Show known keys with

    $ monkeysphere-host show-keys

If you don't want to publish this key on a public keyserver, you can
export it using the usual

    $ GNUPGHOME=/var/lib/monkeysphere/host/ gpg --no-permission-warning --armor --export 01234567
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    ...
    -----END PGP PUBLIC KEY BLOCK-----

where `/var/lib/monkeysphere/host/` is the location in which
`monkeysphere-host` keeps its keyrings and `--no-permission-warning`
ignores the group read/write/execute permissions I'd set there so I
could run `monkeysphere-host` as my usual user.

Once you've created the host key, you'll need to sign it.  Import the
key as your usual user and run

    $ gpg --sign-key '=ssh://server.example.net'

You can list current signatures on the key with

    $ gpg --check-sigs '=ssh://server.example.net'

Now post that signed key somewhere (e.g. a keyserver).  You should
also probably import the signature into the `monkeysphere-host`
keyring:

    $ gpg --armor --export '=ssh://server.example.net' \
      | GNUPGHOME=/var/lib/monkeysphere/host/ gpg --no-permission-warning --import

Checking a host SSH key
-----------------------

Once you have a signed host key on your keyring, you can check the
fingerprints with the same command you use check user fingerprints:

    $ monkeysphere sshfprs-for-userid 'ssh://server.example.net'

You can add `known_hosts` entries for any host in your keyring with

    $ monkeysphere update-known_hosts 'server.example.net'

and update any hosts in your `known_hosts` file that monkeysphere
already knows about with

    $ MONKEYSPHERE_CHECK_KEYSERVER=false monkeysphere update-known_hosts

Without the `MONKEYSPHERE_CHECK_KEYSERVER=false`, `monkeysphere` will
search the keyserver for current keys which may be useful when you
don't yet have a key for that server, or if you're worried the key you
have may be out of date (expired, revoked, etc.).

Validating HTTPS connections
----------------------------

The OpenPGP side of this is similar to the SSH protocol, with public
keys for `https://server.example.net` etc. stored in your keyring.  As
far as I can tell, there is currently no way to print the key
fingerprint for a given host (analagous to `sshfprs-for-userid`), but
there's a neat little server `msva-perl` that checks your trust in a
particular (*context*, *peer*, *PKC type*, *peer type*, *PKC data*)
tuple (e.g. (`https`, `server.example.net`, `x509pem`, `server`,
`cert.pem`)), which you can do by hand (via `msva-query-agent`).
There's also a XUL extension (works in Firefox and related tools) that
uses the `msva` server to validate HTTPS connections automatically.
Nice.

Packages
--------

I've added `app-crypt/monkeysphere`, `app-crypt/msva-perl`, and
`virtual/monkeysphere-validation-agent` ebuilds to my [[Gentoo
overlay]], as they are not currently in the base tree.

[Monkeysphere]: http://web.monkeysphere.info/
[docs]: http://web.monkeysphere.info/doc/
[fifo]: https://bugzilla.mindrot.org/show_bug.cgi?id=1869