November 18, 2008 10:29 AM   Subscribe

You can now use the OpenPGP Web of Trust to verify the identity of the remote party for Secure Shell (SSH) connections. Here's why.

Many folks are annoyed, confused, or frustrated by unintelligible Secure Shell (SSH) prompts about host keys. These prompts usually show up upon first connection to a machine from any particular client, or immediately after the host's SSH key has been changed by the adminstrator. These prompts are important components to the cryptographic security provided by SSH; But most people ignore them, leaving themselves open to potential man-in-the-middle attacks or other nastiness.

The Monkeysphere provides a framework to leverage OpenPGP's web of trust as a mechanism to verify the identity of the remote host during creation of an SSH session. This lets users automatically verify the identity of the remote machine, or (in marginal cases) at least see a list of the people who they know who have already certified the machine's identity.

The Monkeysphere is also useful in the other authentication direction, allowing OpenSSH servers to identify connecting users based on the user's OpenPGP key.

The framework also gives you the ability to revoke host and user keys (and certifications on those keys), and to re-key as needed. You no longer need to worry that setting up key-based authentication for a machine might compromise access to that machine in the future if you lose control of your key; just revoke your key as soon as you realize you've lost control, and Monkeysphere-enabled hosts will disable access based on that key.

Packages are available for debian (and debian derivatives like ubuntu) and FreeBSD, though it should run on any POSIX-compliant operating system where the dependencies can be met.

The Monkeysphere is Free Software.
posted by dkg (0 comments total)

« Older Bolaño Bolaño...   |   Condomunity... Newer »

You are not currently logged in. Log in or create a new account to post comments.