Daniel Kahn Gillmor dkg at
Thu Dec 16 06:27:39 EST 2010

On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
> If there were a free/public SSH key server like
> for PGP/GPG keys, that would probably make a good default
> (though I haven't found anything like this).

You could use monkeysphere [0] on these hosts and use the HKP keyserver
network (what I think you're referring to by, above, though
I recommend *not* using until they fix their keyserver).

If you know that your users' OpenPGP keys are going to all be signed by,
say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
put something like this in your preseed's late_command:

  aptitude install monkeysphere openssh-server
  monkeysphere-authentication add-identity-certifier "$CA_FPR"
  mkdir ~mary/.monkeysphere
  echo 'Mary Example <mary at>' >> \

  monkeysphere-authentication update-users
  echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
     >> /etc/ssh/sshd_config
  /etc/init.d/ssh restart

This also has the advantage that future runs of

  monkeysphere-authentication update-users

will cause revoked keys to be disabled without any additional work from
the user.

Hope this is useful.  I'm one of the monkeysphere developers; feel free
to come ask questions on the project mailing list, or in #monkeysphere
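An added example, not code from the post or from the monkeysphere project: the `echo ... >> /etc/ssh/sshd_config` step above blindly appends, but sshd honours only the first `AuthorizedKeysFile` directive it reads, and a line appended after a `Match` block is scoped to that block, so the helper below puts the directive where it actually takes effect and can be re-run from late_command safely. The config path and the monkeysphere authorized_keys path are the ones from the post; the function names and the sample config in the test are my own.

```shell
#!/bin/sh
# Path from the post: per-user authorized_keys generated by
# monkeysphere-authentication update-users.
MSPH_KEYS='/var/lib/monkeysphere/authorized_keys/%u'

# set_authorized_keys_file CONFIG VALUE
# Rewrite the first active (uncommented, global) AuthorizedKeysFile line in
# CONFIG to VALUE. If there is none, insert the directive before the first
# Match block (a directive after Match would only apply inside that block),
# or append it when the file has no Match block at all. Commented-out
# defaults such as "#AuthorizedKeysFile .ssh/authorized_keys" are untouched.
# sshd keywords are case-insensitive, hence the tolower() comparisons.
set_authorized_keys_file() {
    cfg=$1; val=$2
    awk -v line="AuthorizedKeysFile $val" '
        !done && tolower($1) == "authorizedkeysfile" { print line; done = 1; next }
        !done && tolower($1) == "match"              { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# effective_authorized_keys_file CONFIG
# Print the value sshd will use globally: everything after the keyword on
# the first active AuthorizedKeysFile line.
effective_authorized_keys_file() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Typical use from late_command (run as root on the installed system):
#   set_authorized_keys_file /etc/ssh/sshd_config "$MSPH_KEYS"
#   effective_authorized_keys_file /etc/ssh/sshd_config
```

Running `sshd -T | grep -i authorizedkeysfile` afterwards confirms what the daemon actually parsed, which is the check worth adding to the preseed before restarting ssh.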