Identifying SSH servers through the Web of Trust
The Monkeysphere package can be used with the ssh client to identify ssh servers through the Web of Trust.
How to install
If you are using Debian or a Debian-derived system, you can install the monkeysphere package with apt:
# aptitude install monkeysphere
Please see the download page for more info and for instructions for other distributions.
How to use
The simplest way to identify ssh servers through the Web of Trust is to tell ssh to use monkeysphere ssh-proxycommand to connect, instead of connecting to the remote host directly. This command will make sure the known_hosts file is up-to-date for the host you are connecting to with ssh.
You can try this out when connecting to a server which has published their host key to the monkeysphere with:
$ ssh -oProxyCommand='monkeysphere ssh-proxycommand %h %p' server.example.net
If you want to have ssh always do this, just add the following line to the "Host *" section of your ssh client configuration:
ProxyCommand monkeysphere ssh-proxycommand %h %p
The "Host *" section specifies what ssh options to use for all connections. If you don't already have a "Host *" line, you can add it by entering:
Host *
on a line by itself. Add the ProxyCommand line just below it.
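As an added example (not part of the Monkeysphere documentation), the following POSIX shell function makes that configuration change idempotently: it assumes the path of the ssh client configuration file is passed as its only argument and that the file uses the usual one-option-per-line layout. It adds the ProxyCommand line directly below an existing "Host *" header, or appends a new "Host *" section if there is none.

```shell
#!/bin/sh
# Added example, not Monkeysphere project code.
# Idempotently add the Monkeysphere ProxyCommand to the "Host *" section
# of an ssh client configuration file.
# Usage: ensure_monkeysphere_proxy /path/to/ssh_config
PROXY_LINE='ProxyCommand monkeysphere ssh-proxycommand %h %p'

ensure_monkeysphere_proxy() {
    cfg="$1"
    # Create the file if it does not exist; ssh expects it to be private.
    if [ ! -f "$cfg" ]; then
        : > "$cfg"
        chmod 600 "$cfg"
    fi
    # Already configured: leave the file untouched.
    if grep -qF "$PROXY_LINE" "$cfg"; then
        return 0
    fi
    if grep -qE '^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$' "$cfg"; then
        # Insert the option directly below the first "Host *" header.
        tmp="$cfg.tmp.$$"
        awk -v line="$PROXY_LINE" '
            { print }
            !done && /^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$/ {
                print "    " line; done = 1
            }
        ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    else
        # No "Host *" section yet: append one at the end so that more
        # specific Host blocks earlier in the file still take precedence.
        printf '\nHost *\n    %s\n' "$PROXY_LINE" >> "$cfg"
    fi
}
```

Running the function a second time is a no-op, so it is safe to include in a provisioning script.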
Note that the Monkeysphere will help you identify servers whose host keys are published in the WoT, and which are signed by people whom you know and trust to identify such things!
If you aren't connected to your administrator(s) through the Web of Trust, you should talk to them and establish that relationship. If you have already established that relationship, but a server's host key isn't published, you might suggest to your administrator that they publish it.
Keeping your known_hosts file in sync with your keyring
If you want to keep your keyring updated without attempting connections to a remote host, you want to make sure that OpenSSH can still see the most recent trusted information about who the various hosts are. You might also want to check on hosts that were not originally in the Monkeysphere, to see if their host key is now published.
You can do this kind of independent update with the following command:
$ monkeysphere update-known_hosts
This command will check to see if there is an OpenPGP key for each (non-hashed) host listed in the known_hosts file, and then add the key for that host to the known_hosts file if one is found. This command could be added to a crontab, if desired.