msva-query-agent(1) [debian man page]

MSVA-QUERY-AGENT(1)					User Contributed Perl Documentation				       MSVA-QUERY-AGENT(1)

NAME
       msva-query-agent - query a Monkeysphere Validation Agent

SYNOPSIS
       msva-query-agent CONTEXT PEER PKC_TYPE [PEER_TYPE] < /path/to/public_key_carrier

ABSTRACT
       msva-query-agent validates certificates for a given use by querying a running Monkeysphere Validation Agent.

USAGE
       msva-query-agent reads a certificate from standard input, and posts it to the running Monkeysphere Validation Agent. The return code indicates the validity (as determined by the agent) of the certificate for the specified purpose. The agent's return message (if any) is emitted on stdout.

       The first three command-line arguments are all required, supplied in order, as follows:

       CONTEXT
              Context in which the certificate is being validated (e.g. 'https', 'ssh', 'ike')

       PEER   The name of the intended peer. When validating a certificate for a service, supply the host's full DNS name (e.g. 'foo.example.net')

       PKC_TYPE
              The format of public key carrier data provided on standard input (e.g. 'x509der', 'x509pem', 'opensshpubkey', 'rfc4716')

       The fourth argument is optional:

       PEER_TYPE
              The type of peer we are inquiring about (e.g. 'client', 'server')

RETURN CODE
       If the certificate is valid for the requested peer in the given context, the return code is 0. Otherwise, the return code is 1.

ENVIRONMENT VARIABLES
       msva-query-agent's behavior is controlled by environment variables:

       MONKEYSPHERE_VALIDATION_AGENT_SOCKET
              Socket over which to query the validation agent. If unset, the default value is 'http://127.0.0.1:8901'.

       MSVA_LOG_LEVEL
              Log messages about its operation to stderr. MSVA_LOG_LEVEL controls its verbosity, and should be one of (in increasing verbosity): silent, quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3. Default is 'error'.

COMMUNICATION PROTOCOL DETAILS
       Communications with the Monkeysphere Validation Agent are in the form of JSON requests over plain HTTP. Responses from the agent are also JSON objects. For details on the structure of the requests and responses, please see http://web.monkeysphere.info/validation-agent/protocol

SEE ALSO
       msva-perl(1), monkeysphere(1), monkeysphere(7)

BUGS AND FEEDBACK
       Bugs or feature requests for msva-perl and associated tools should be filed with the Monkeysphere project's bug tracker at https://labs.riseup.net/code/projects/monkeysphere/issues/

AUTHORS AND CONTRIBUTORS
       Jameson Graef Rollins <jrollins@finestructure.net>
       Daniel Kahn Gillmor <dkg@fifthhorseman.net>
       The Monkeysphere Team http://web.monkeysphere.info/

COPYRIGHT AND LICENSE
       Copyright © 2010, Jameson Graef Rollins and others from the Monkeysphere team. msva-query-agent is free software, distributed under the GNU Public License, version 3 or later.

perl v5.14.2                                                       2013-04-05                                                MSVA-QUERY-AGENT(1)
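The USAGE, RETURN CODE and ENVIRONMENT VARIABLES sections above describe the whole command-line contract of msva-query-agent(1). As an added example that is not part of msva-perl, the following Python wrapper invokes the command exactly as the SYNOPSIS shows, sets the two documented environment variables, and maps exit codes 0 and 1 to a verdict while refusing to treat any undocumented exit code as "invalid". The `run` injection parameter and the `fetch_server_pem` helper (which shells out to openssl) are assumptions of this example.

```python
# Added example, not code from msva-perl: call msva-query-agent(1) from Python
# and map its documented exit codes (0 valid, 1 otherwise) to a verdict.
import os
import subprocess
from dataclasses import dataclass

@dataclass
class AgentVerdict:
    valid: bool
    message: str  # the agent's return message from stdout (may be empty)

def query_agent(context, peer, pkc_type, carrier, peer_type=None,
                socket=None, log_level="error", run=subprocess.run):
    """Run `msva-query-agent CONTEXT PEER PKC_TYPE [PEER_TYPE] < carrier`.
    carrier: public key carrier bytes matching pkc_type (PEM text, DER, ...).
    run: assumed injection point behaving like subprocess.run, so the wrapper
         can be exercised without a live validation agent.
    """
    argv = ["msva-query-agent", context, peer, pkc_type]
    if peer_type is not None:  # PEER_TYPE is the optional fourth argument
        argv.append(peer_type)
    env = dict(os.environ)
    env["MONKEYSPHERE_VALIDATION_AGENT_SOCKET"] = (  # man page default if unset
        socket or env.get("MONKEYSPHERE_VALIDATION_AGENT_SOCKET", "http://127.0.0.1:8901"))
    env["MSVA_LOG_LEVEL"] = log_level  # verbosity of the client's stderr logging
    proc = run(argv, input=carrier, capture_output=True, env=env)
    message = proc.stdout.decode("utf-8", "replace").strip()
    if proc.returncode == 0:  # valid for this peer in this context
        return AgentVerdict(True, message)
    if proc.returncode == 1:  # the only other documented code: not valid
        return AgentVerdict(False, message)
    # Anything else (agent unreachable, bad arguments) is outside the documented
    # interface; raise so callers do not confuse an outage with "invalid".
    raise RuntimeError(f"msva-query-agent exited {proc.returncode}: "
                       f"{proc.stderr.decode('utf-8', 'replace').strip()}")

def fetch_server_pem(host, port=443):
    """Fetch a TLS server's leaf certificate as PEM via openssl s_client."""
    chain = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=True).stdout
    return subprocess.run(["openssl", "x509", "-outform", "PEM"],
                          input=chain, capture_output=True, check=True).stdout

if __name__ == "__main__":  # usage: python msva_check.py foo.example.net
    import sys
    verdict = query_agent("https", sys.argv[1], "x509pem",
                          fetch_server_pem(sys.argv[1]), peer_type="server")
    print("valid" if verdict.valid else "NOT valid", verdict.message)
    sys.exit(0 if verdict.valid else 1)
```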


MONKEYSPHERE(7) 						 System Frameworks						   MONKEYSPHERE(7)

NAME
       monkeysphere - ssh and TLS authentication framework using OpenPGP Web of Trust

DESCRIPTION
       Monkeysphere is a framework to leverage the OpenPGP web of trust for OpenSSH and TLS key-based authentication. OpenPGP keys are tracked via GnuPG, and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. Monkeysphere can also be used by a validation agent to validate TLS connections (e.g. https).

IDENTITY CERTIFIERS
       Each host that uses the Monkeysphere to authenticate its remote users needs some way to determine that those users are who they claim to be. SSH permits key-based authentication, but we want instead to bind authenticators to human-comprehensible user identities. This switch from raw keys to User IDs makes it possible for administrators to see intuitively who has access to an account, and it also enables end users to transition keys (and revoke compromised ones) automatically across all Monkeysphere-enabled hosts. The User IDs and certifications that the Monkeysphere relies on are found in the OpenPGP Web of Trust.

       However, in order to establish this binding, each host must know whose certifications to trust. Someone whom a host trusts to certify User Identities is called an Identity Certifier. A host must have at least one Identity Certifier in order to bind User IDs to keys. Commonly, every ID Certifier would be trusted by the host to fully identify any User ID, but more nuanced approaches are possible as well. For example, a given host could specify a dozen ID certifiers, but assign them all "marginal" trust. Then any given User ID would need to be certified in the OpenPGP Web of Trust by at least three of those certifiers.

       It is also possible to limit the scope of trust for a given ID Certifier to a particular domain. That is, a host can be configured to fully (or marginally) trust a particular ID Certifier only when they certify identities within, say, example.org (based on the e-mail address in the User ID).

KEY ACCEPTABILITY
       The monkeysphere commands work from a set of user IDs to determine acceptable keys for ssh and TLS authentication. OpenPGP keys are considered acceptable if the following criteria are met:

       capability
              The key must have the `authentication' (`a') usage flag set.

       validity
              The key itself must be valid, i.e. it must be well-formed, not expired, and not revoked.

       certification
              The relevant user ID must be signed by a trusted identity certifier.

HOST IDENTIFICATION
       The OpenPGP keys for hosts have associated `service names' (OpenPGP user IDs) that are based on URI specifications for the service. Some examples:

       ssh:   ssh://host.example.com[:port]

       https: https://host.example.com[:port]

AUTHOR
       Written by: Jameson Rollins <jrollins@finestructure.net>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>

SEE ALSO
       monkeysphere(1), monkeysphere-host(8), monkeysphere-authentication(8), openpgp2ssh(1), pem2openpgp(1), gpg(1), http://tools.ietf.org/html/rfc4880, ssh(1), http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/

monkeysphere                                                        March 2010                                                    MONKEYSPHERE(7)
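As an added example, not code from the Monkeysphere project, the following Python models the KEY ACCEPTABILITY criteria and the IDENTITY CERTIFIERS trust rules described in monkeysphere(7) above: a User ID counts as certified when one fully trusted certifier, or at least three marginally trusted ones, have signed it, and a certifier's trust can be scoped to one mail domain. The `Certifier` and `Key` types and the function names are assumptions of this example, standing in for what the real tools read from GnuPG's trust database.

```python
# Added example, not from the monkeysphere tools: a model of the KEY ACCEPTABILITY
# criteria and IDENTITY CERTIFIERS trust rules above (data types are assumed).
from __future__ import annotations
import time
from dataclasses import dataclass

MARGINALS_NEEDED = 3  # the man page's example: three marginally trusted certifiers

@dataclass
class Certifier:
    fingerprint: str
    trust: str                 # "full" or "marginal"
    domain: str | None = None  # if set, only User IDs in this mail domain count

@dataclass
class Key:
    usage_flags: str               # OpenPGP usage flags, e.g. "sa"; 'a' = authentication
    expires: int | None            # Unix time, or None for a key that never expires
    revoked: bool
    user_ids: dict[str, set[str]]  # User ID -> fingerprints of keys that signed it

def uid_email_domain(uid: str) -> str | None:
    # Mail domain of a User ID such as 'Alice <alice@example.org>', else None
    addr = uid[uid.rfind("<") + 1:-1] if uid.endswith(">") else uid
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def uid_certified(uid: str, signers: set[str], certifiers: list[Certifier]) -> bool:
    """One fully trusted certifier, or MARGINALS_NEEDED marginal ones, must have signed uid."""
    full = marginal = 0
    for c in certifiers:
        if c.fingerprint not in signers:
            continue
        if c.domain is not None and uid_email_domain(uid) != c.domain.lower():
            continue  # this certifier's trust is scoped to a different domain
        full += c.trust == "full"          # bool counts as 0/1
        marginal += c.trust == "marginal"
    return full >= 1 or marginal >= MARGINALS_NEEDED

def key_acceptable(key: Key, uid: str, certifiers: list[Certifier],
                   now: int | None = None) -> tuple[bool, str]:
    """Capability, validity and certification checks for one User ID on one key."""
    now = int(time.time()) if now is None else now
    if "a" not in key.usage_flags:
        return False, "missing authentication (a) usage flag"
    if key.revoked:
        return False, "key revoked"
    if key.expires is not None and key.expires <= now:
        return False, "key expired"
    if not uid_certified(uid, key.user_ids.get(uid, set()), certifiers):
        return False, "User ID not certified by a trusted identity certifier"
    return True, "acceptable"
```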