Publishing host service keys with the Monkeysphere (monkeysphere-host)

One of the most important functions of the Monkeysphere is to let server administrators give their users a way to verify server host/service identities via the OpenPGP Web of Trust (WoT). Since the Monkeysphere project currently provides clients for ssh and https host/service authentication, this page describes how to publish ssh and https host/service keys.

The first step is to import your host RSA key into an OpenPGP certificate. This is done with the monkeysphere-host 'import-key' subcommand. You must provide the path to the RSA key file (or '-' for stdin) and a user ID for the new OpenPGP certificate that corresponds to the service URI for your service.

For instance, for ssh, the command might look something like this:

# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://server.example.net

This will generate an OpenPGP certificate for the server based on the ssh host RSA key, where the primary user ID for this certificate is the ssh service URI for the host (e.g. ssh://server.example.net). Remember that the name you provide here should probably be a fully qualified domain name for the host in order for your users to find it.

For https, you would provide the RSA key used for your site's existing X.509 certificate, if you have one, or you can use the 'snakeoil' cert provided with many distributions:

# monkeysphere-host import-key /etc/ssl/private/ssl-cert-snakeoil.key https://server.example.net

Now you can display information about the host's certificates with the 'show-key' command:

# monkeysphere-host show-key

Once a host key certificate has been generated, you'll probably want to publish it to the public keyservers which distribute the Web of Trust:

# monkeysphere-host publish-key

However, anyone could publish a simple self-signed certificate to the WoT with any name attached, including your server's. Your users should be able to tell that someone they know and trust with the machine (e.g. you, the administrators) has verified that this particular key is indeed the correct key. So your next step is to sign the host's key with your own OpenPGP key and publish that signature.

On your (the admin's) local machine, retrieve the host key (it may take several minutes for the key to propagate across the keyserver network) and sign it:

$ gpg --search '=ssh://server.example.net'
$ gpg --sign-key '=ssh://server.example.net'

Make sure you compare the fingerprint of the retrieved certificate with the output from the 'show-key' command above!

Next, find out the Key ID of the host key, which is a hexadecimal string like "ABCDEF19":

$ gpg --list-keys '=ssh://server.example.net'

which will output something like:

pub   2048R/ABCDEF19 2009-05-07
uid       [  full  ] ssh://server.example.net

Finally, publish your signatures back to the keyservers, so that your users can automatically verify your machine when they connect:

$ gpg --send-key ABCDEF19
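
The fingerprint comparison called for before signing can be scripted. The following is an added example, not part of Monkeysphere or of the original page: the function names and the sample listing are constructed, and it assumes you pass in the OpenPGP fingerprint copied from the 'show-key' output on the server. It also reports when more than one retrieved key carries the same user ID, which is the case described above where anyone can publish a certificate with your server's name.

```shell
# Added example: compare the fingerprint from 'monkeysphere-host show-key' with what gpg retrieved.

# Remove whitespace and upper-case, so a fingerprint pasted with spaces compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read 'gpg --with-colons' output on stdin; print field 10 of the fpr record after each pub record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# check_fpr EXPECTED < colon-listing
#   0 = the only key with this user ID matches EXPECTED
#   1 = EXPECTED is not among the retrieved keys (do not sign)
#   2 = EXPECTED matches, but other keys claim the same user ID
#   3 = no key in the listing
check_fpr() {
    expected=$(normalize_fpr "$1")
    count=0 matched=no
    for f in $(primary_fprs); do
        count=$((count + 1))
        if [ "$f" = "$expected" ]; then matched=yes; fi
    done
    if [ "$count" -eq 0 ]; then return 3; fi
    if [ "$matched" = no ]; then return 1; fi
    if [ "$count" -gt 1 ]; then return 2; fi
    return 0
}

# verify_host_key URI EXPECTED_FPR: run the check against the local keyring.
verify_host_key() {
    gpg --with-colons --fingerprint "=$1" | check_fpr "$2"
}

# Constructed sample listing: the genuine key plus a second self-signed key
# carrying the same user ID (both fingerprints are made up).
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:89ABCDEFABCDEF19:1241654400:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFABCDEF19:
uid:-::::1241654400::::ssh\x3a//server.example.net:
pub:-:2048:1:7654321000000001:1241740800:::-:::scSC:
fpr:::::::::FEDCBA9876543210FEDCBA987654321000000001:
uid:-::::1241740800::::ssh\x3a//server.example.net:
EOF
}
```

Run verify_host_key with the service URI and the fingerprint from 'show-key' after the gpg --search step. On status 2, pass the full matching fingerprint to gpg --sign-key instead of the '=ssh://...' user ID, so the signature lands on the key you verified.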

See signing service keys for more info.