Dustin Kirkland kirkland at
Thu Dec 16 06:52:09 EST 2010

On Wed, Dec 15, 2010 at 1:27 PM, Daniel Kahn Gillmor
<dkg at> wrote:
> On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
>> If there were a free/public SSH key server like
>> for PGP/GPG keys, that would probably make a good default
>> (though I haven't found anything like this).
> You could use monkeysphere [0] on these hosts and use the HKP keyserver
> network (what i think you're referring to by, above, though
> i recommend *not* using until they fix their keyserver).

Hi Daniel,

Right, I simply meant that I wasn't aware of any HKP keyserver network
specifically for public SSH keys.

> If you know that your users' OpenPGP keys are going to all be signed by,
> say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
> put something like this in your preseed's late_command :
>  aptitude install monkeysphere openssh-server
>  monkeysphere-authentication add-identity-certifier "$CA_FPR"
>  mkdir ~mary/.monkeysphere
>  echo 'Mary Example <mary at>' >> \
>    ~mary/.monkeysphere/authorized_user_ids
>  monkeysphere-authentication update-users
>  echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
>     >> /etc/ssh/sshd_config
>  /etc/init.d/ssh restart
> This also has the advantage that future runs of
>  monkeysphere-authentication update-users
> will cause revoked keys to be disabled without any additional work from
> the user.
> hope this is useful.  i'm one of the monkeysphere developers; feel free
> to come ask questions on the project mailing list, or in #monkeysphere
> on

Thanks for the pointers.  I'll give monkeysphere a try.

Still, it's not quite addressing the problem I think ssh-import-id
solves for us -- dead simple, fast, secure retrieval of public SSH
keys by nothing more than a user name inserted into a URL.


Dustin Kirkland
Ubuntu Core Developer
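The reply above describes the ssh-import-id model: a user name goes into a URL, the response is a list of public keys, and those keys land in authorized_keys. The script below is an added example written for this page, not ssh-import-id's own code, that shows the checks a defender would want around that flow: the user name is restricted before it is interpolated into the URL (the key server URL is a placeholder, since the thread does not name one), each returned line must be a plain `type base64 [comment]` entry whose declared type matches the type encoded in the key blob, lines carrying authorized_keys options are refused because options should never be accepted from a remote source, and keys already present are not added twice. The accepted key types and the sample server response are constructed for the example.

```python
import base64
import binascii
import re
import struct
from typing import Iterable, Optional, Tuple

# Hypothetical URL template: the thread does not name the key server, so this is a placeholder.
KEY_URL_TEMPLATE = "https://keys.example.invalid/{user}/sshkeys"

# Only a conservative user-name shape may be interpolated into the URL.
SAFE_USERNAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,31}$")

# Key types this example is willing to import (an assumption, not a project setting).
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def key_url(user: str) -> str:
    """Build the fetch URL, refusing user names that could alter the path or query."""
    if not SAFE_USERNAME.match(user):
        raise ValueError(f"refusing to build a URL from user name {user!r}")
    return KEY_URL_TEMPLATE.format(user=user)


def _wire_type(blob: bytes) -> str:
    """Read the leading string field of an SSH public-key blob (uint32 length + bytes)."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("bad type length")
    return blob[4:4 + n].decode("ascii")


def parse_authorized_key(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (type, base64, comment) for a plain 'type base64 [comment]' line, else None.

    Lines with authorized_keys options (command=, from=, ...) do not start with a key
    type and are rejected here: options are never taken from a remote source.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ACCEPTED_TYPES:
        return None
    try:
        blob = base64.b64decode(b64, validate=True)
        if _wire_type(blob) != ktype:
            return None  # declared type must match the type encoded in the blob
    except (binascii.Error, ValueError):
        return None
    return ktype, b64, comment


def merge_keys(existing: str, fetched: Iterable[str], user: str) -> Tuple[str, int]:
    """Add each valid fetched key once to authorized_keys content; return (content, added)."""
    seen = set()
    out = []
    for line in existing.splitlines():
        out.append(line)
        parsed = parse_authorized_key(line)
        if parsed:
            seen.add(parsed[:2])
    added = 0
    for line in fetched:
        parsed = parse_authorized_key(line)
        if parsed is None or parsed[:2] in seen:
            continue
        seen.add(parsed[:2])
        # Drop the remote comment and record where the key came from instead.
        out.append(f"{parsed[0]} {parsed[1]} imported-from:{user}")
        added += 1
    return ("\n".join(out) + "\n") if out else "", added


def constructed_key(ktype: str, payload: bytes) -> str:
    """Build a syntactically valid, but constructed and not real, public-key base64 string."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + payload
    return base64.b64encode(blob).decode("ascii")


# Constructed sample response, standing in for what the key server would return.
ED25519_B64 = constructed_key("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_RESPONSE = [
    f"ssh-ed25519 {ED25519_B64} mary@laptop",                 # valid: imported
    f'command="/bin/false" ssh-ed25519 {ED25519_B64} trap',  # carries options: rejected
    f"ssh-rsa {ED25519_B64} mislabelled",                     # type mismatch: rejected
    "this is not a key",                                      # malformed: rejected
    f"ssh-ed25519 {ED25519_B64} duplicate",                   # already seen: skipped
]


def demo() -> Tuple[str, int]:
    """Merge the constructed response into a small existing authorized_keys file."""
    return merge_keys("# existing keys\n", SAMPLE_RESPONSE, "mary")


if __name__ == "__main__":
    content, added = demo()
    print(f"added {added} key(s):\n{content}")
```

Run as a script it prints the merged file with exactly one imported key; the four other response lines are refused or deduplicated. Writing the result to `~/.ssh/authorized_keys` and fetching over HTTPS with certificate verification are left out so the block runs offline.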

More information about the openssh-unix-dev mailing list