Identifying SSH servers through the Web of Trust

The Monkeysphere package can be used with the ssh client to identify ssh servers through the Web of Trust.

How to install

If you are using Debian or a Debian-derived system, you can install the monkeysphere package with apt:

# aptitude install monkeysphere

Please see the download page for more info and for instructions for other distributions.

How to use

The simplest way to identify ssh servers through the Web of Trust is to tell ssh to use monkeysphere ssh-proxycommand to connect, instead of connecting to the remote host directly. This command will make sure the known_hosts file is up-to-date for the host you are connecting to with ssh.

You can try this out when connecting to a server which has published its host key to the monkeysphere (server.example.net below stands for that host) with:

$ ssh -oProxyCommand='monkeysphere ssh-proxycommand %h %p' server.example.net

If you want to have ssh always do this, just add the following line to the "Host *" section of your ~/.ssh/config file:

ProxyCommand monkeysphere ssh-proxycommand %h %p

The "Host *" section specifies what ssh options to use for all connections. If you don't already have a "Host *" line, you can add it by entering:

Host *

on a line by itself. Add the ProxyCommand line just below it.
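The edit described above can be scripted so that it is safe to run more than once. The shell function below is an added example, not part of the Monkeysphere package: it takes the path of an ssh config file (an assumption; the real file is ~/.ssh/config), inserts the ProxyCommand line just below an existing "Host *" line, appends a new "Host *" section at the end of the file if there is none, and does nothing if the line is already present.

```shell
#!/bin/sh
# Added example (not Monkeysphere project code): idempotently add the
# Monkeysphere ProxyCommand to the "Host *" section of an ssh config file.
# The function name and its file-path argument are assumptions; the
# ProxyCommand line itself is the one given in the text.

PROXY_LINE='ProxyCommand monkeysphere ssh-proxycommand %h %p'

add_monkeysphere_proxy() {
    cfg="$1"
    [ -f "$cfg" ] || : > "$cfg"

    # Already configured (any surrounding whitespace): leave the file alone.
    if grep -Eq '^[[:space:]]*ProxyCommand[[:space:]]+monkeysphere[[:space:]]+ssh-proxycommand' "$cfg"; then
        echo "already-present"
        return 0
    fi

    if grep -Eq '^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$' "$cfg"; then
        # Insert directly below the first "Host *" line.
        awk -v line="$PROXY_LINE" '
            { print }
            !done && /^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$/ {
                print "    " line
                done = 1
            }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        echo "inserted"
    else
        # No "Host *" section yet: append one at the end of the file, so
        # that more specific Host blocks earlier in the file keep precedence
        # (ssh uses the first value it finds for each option).
        printf '\nHost *\n    %s\n' "$PROXY_LINE" >> "$cfg"
        echo "appended"
    fi
}
```

Run it as `add_monkeysphere_proxy ~/.ssh/config`; it prints one of `inserted`, `appended` or `already-present`. Because ssh takes the first value it finds for an option, appending the "Host *" block at the end means any per-host ProxyCommand you already have is left in effect.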

Note that the Monkeysphere will only help you identify servers whose host keys are published in the WoT and are signed by people whom you know and trust to identify such things!

If you aren't connected to your administrator(s) through the Web of Trust, you should talk to them and establish that relationship. If you have already established that relationship, but a server's host key isn't published, you might suggest to your administrator that they publish it.

Keeping your known_hosts file in sync with your keyring

If you keep your keyring updated without attempting connections to remote hosts, you still want to make sure that OpenSSH can see the most recent trusted information about who the various hosts are. You might also want to check on hosts that were not originally in the Monkeysphere, to see if their host key is now published.

You can do this kind of independent update with the update-known_hosts command:

$ monkeysphere update-known_hosts

This command will check to see if there is an OpenPGP key for each (non-hashed) host listed in the known_hosts file, and then add the key for that host to the known_hosts file if one is found. This command could be added to a crontab, if desired.
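Since update-known_hosts only looks at non-hashed entries, it is worth knowing how many of your known_hosts lines are hashed (OpenSSH writes those as "|1|salt|hash") and therefore cannot be checked against the Web of Trust. The script below is an added example, not part of the Monkeysphere package: it counts hashed entries, lists the plain host names the command can look up, and, if monkeysphere is installed, runs the update. The function names, the sample known_hosts content (constructed, with fake key material) and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example (not Monkeysphere project code): audit a known_hosts file
# before running "monkeysphere update-known_hosts". Function names and the
# sample data are assumptions.

# Constructed sample known_hosts content (not real keys) for a dry run.
SAMPLE_KNOWN_HOSTS='# constructed sample, not real keys
server.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA
|1|abcdefghijklmnopqrstuvwxyz0=|0123456789abcdefghijklmnopq= ssh-rsa AAAAB3NzaC1yc2EXAMPLE
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2EXAMPLECA
[bastion.example.net]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE2'

# Hashed entries start with "|1|"; update-known_hosts cannot resolve these.
count_hashed_hosts() {
    grep -c '^|1|' "$1" || true
}

# Print each non-hashed host name once, in file order. Comma-separated
# aliases on one line are split; "@cert-authority"/"@revoked" markers are
# skipped so the host pattern after them is used; comments and blank lines
# are ignored. The "[host]:port" form is reported as written.
list_plain_hosts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^\|1\|/             { next }
        {
            field = ($1 ~ /^@/) ? $2 : $1
            n = split(field, names, ",")
            for (i = 1; i <= n; i++) if (!seen[names[i]]++) print names[i]
        }
    ' "$1"
}

# Summarise the file, then refresh it through the Web of Trust if possible.
audit_known_hosts() {
    kh="${1:-$HOME/.ssh/known_hosts}"
    hashed=$(count_hashed_hosts "$kh")
    plain=$(list_plain_hosts "$kh" | wc -l | tr -d ' ')
    echo "hashed entries (not checked by update-known_hosts): $hashed"
    echo "plain host names (checked):                         $plain"
    if command -v monkeysphere >/dev/null 2>&1; then
        monkeysphere update-known_hosts
    else
        echo "monkeysphere not installed; skipping update" >&2
    fi
}

# To run the refresh unattended, a crontab entry such as the following
# (every six hours; schedule is an assumption) does the same job:
#   0 */6 * * * monkeysphere update-known_hosts
```

Run `audit_known_hosts` with no argument to check ~/.ssh/known_hosts. If the hashed count is high, the hosts behind those entries will only be picked up by the Monkeysphere the next time you connect to them through ssh-proxycommand, not by the cron job.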

Don't forget to keep your keyring up-to-date!