Monkeysphere README
===================

Default file locations (by variable):

MS_HOME=~/.config/monkeysphere
MS_CONF=$MS_HOME/monkeysphere.conf
AUTH_HOST_FILE=$MS_HOME/auth_host_ids
AUTH_USER_FILE=$MS_HOME/auth_user_ids
GNUPGHOME=~/.gnupg
STAGING_AREA=$MS_HOME
$STAGING_AREA/host_keys/KEYHASH
$STAGING_AREA/known_hosts
$STAGING_AREA/user_keys/KEYHASH
$STAGING_AREA/authorized_keys

user usage
----------

For a user to update their ms known_hosts file:

$ rhesus --known_hosts

For a user to update their ms authorized_keys file:

$ rhesus --authorized_keys

server service publication
--------------------------

To publish a server host key use the "howler" component (run as root,
since it manages the host key):

# howler gen-key
# howler publish-key

This will generate the key for the server with the service URI
(ssh://server.hostname) as its user ID and publish it to the keyserver.

The server admin should now sign the server key so that people in the
admin's web of trust can authenticate the server without manual host
key checking.  The leading "=" asks gpg for an exact match on the user
ID, so that a look-alike key with a longer user ID is not returned:

$ gpg --search ='ssh://server.hostname'
$ gpg --sign-key 'ssh://server.hostname'

server authorized_keys maintenance
----------------------------------

A system can maintain ms authorized_keys files for its users.  Some
different variables need to be defined to help manage this.  The way
this is done is by first defining a new MS_HOME:

MS_HOME=/etc/monkeysphere

This directory would then have a monkeysphere.conf which defines the
following variables (note that AUTH_USER_FILE and STAGING_AREA are
per-user, so USER must be set when rhesus runs):

AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER"
STAGING_AREA=/var/lib/monkeysphere/stage/$USER
GNUPGHOME=$MS_HOME/gnupg

For each user account on the server, the OpenPGP user IDs of the people
authorized to log into that account would be placed in the
AUTH_USER_FILE for that user.

However, in order for users to become authenticated, the server must
determine that the user keys have "full" validity.  This means that the
server must fully trust at least one person whose signature on the
connecting user's key would validate the user.  This would generally be
the server admin.
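The "full validity" requirement above can be checked against gpg's machine-readable listing.  The following is an added example, not Monkeysphere's own code: in the output of gpg --with-colons, the second field of a "uid" record is gpg's calculated validity for that user ID (- unknown, q undefined, n never, m marginal, f full, u ultimate, among others), and the tenth field is the user ID itself.  The sample records, key IDs and user IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Monkeysphere project).
# Decide whether a given user ID on a key has "full" or "ultimate"
# validity, reading gpg --with-colons output on stdin.
#
# Usage:
#   gpg --with-colons --list-keys "$KEYID" | ms_uid_fully_valid 'bob@example.org'
# Exit status 0 if a uid record containing the string has validity f or u,
# 1 otherwise (including when no such uid is present at all).
# Caveat: gpg escapes ':' inside user IDs as \x3a, so match on a part of
# the user ID that contains no colon (the e-mail address is a safe choice).
ms_uid_fully_valid() {
    awk -F: -v want="$1" '
        $1 == "uid" && index($10, want) > 0 {
            seen = 1
            if ($2 == "f" || $2 == "u") ok = 1
        }
        END { exit (seen && ok) ? 0 : 1 }'
}

# Same check, but returns a word so the result is easy to inspect or test.
#   $1 = user ID fragment, $2 = colon-format listing as a string
ms_uid_validity_word() {
    if printf '%s\n' "$2" | ms_uid_fully_valid "$1"; then
        echo full
    else
        echo not-full
    fi
}

# Constructed sample listings (fake key IDs and uid hashes, not real keys).
# Field 2 of the uid record is the validity gpg calculated from the
# server's trust database; bob's uid is fully valid, alice's only marginal.
SAMPLE_FULL='pub:f:4096:1:0123456789ABCDEF:1200000000::::::scESC:
uid:f::::1200000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Bob Example <bob@example.org>:'
SAMPLE_MARGINAL='pub:m:4096:1:FEDCBA9876543210:1200000000::::::scESC:
uid:m::::1200000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>:'

# Stand-alone demonstration on the constructed samples.
echo "bob:   $(ms_uid_validity_word 'bob@example.org' "$SAMPLE_FULL")"
echo "alice: $(ms_uid_validity_word 'alice@example.org' "$SAMPLE_MARGINAL")"
```

Because validity is calculated per user ID rather than per key, the check looks at the uid record for the identity listed in AUTH_USER_FILE, not at the pub record; a key can carry one fully valid user ID alongside others that nobody in the admin's web of trust has signed.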
If the server admin's keyid is XXXXXXXX, then on the server run:

# howler trust-key XXXXXXXX

To update the ms authorized_keys file for user "bob", the system would
then run the following (USER and MS_HOME are passed in the environment
of the rhesus process):

# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys

To update the ms authorized_keys files for all users on the system,
iterate over the AUTH_USER_FILEs; MS_HOME must be exported and USER set
per invocation, or rhesus will not see them:

export MS_HOME=/etc/monkeysphere
for f in "$MS_HOME"/auth_user_ids/*; do
    [ -f "$f" ] || continue
    USER=${f##*/} rhesus --authorized_keys
done
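A more defensive form of the all-users update, written as an added example rather than Monkeysphere's own code: the function below globs the auth_user_ids directory instead of parsing ls output, ignores anything that is not a regular file (a stray directory, an editor backup such as "bob~"), exports USER and MS_HOME into the environment of the per-user command, and keeps going when one user's update fails, returning the number of failures.  The per-user command is a parameter (defaulting to rhesus --authorized_keys) so the loop can be exercised with a stub; the function name and the backup-file patterns it skips are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Monkeysphere project).
# Refresh the ms authorized_keys file for every account that has an
# AUTH_USER_FILE under $MS_HOME/auth_user_ids.
#
# Usage: ms_update_all_users /etc/monkeysphere [command args...]
#   The command (default: rhesus --authorized_keys) is run once per user
#   with USER and MS_HOME set in its environment.
# Returns the number of users whose update command failed (0 = all good).
ms_update_all_users() {
    ms_home=$1
    shift
    [ $# -gt 0 ] || set -- rhesus --authorized_keys
    failures=0
    # Glob, never "$(ls ...)": an empty directory leaves the pattern
    # unexpanded and the -f test below skips it.
    for f in "$ms_home"/auth_user_ids/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        # Skip editor backups; these are this example's own patterns.
        case $user in
            *~|*.bak|*.swp) continue ;;
        esac
        # Environment prefix, so the external command sees USER/MS_HOME.
        if ! USER=$user MS_HOME=$ms_home "$@"; then
            echo "ms: authorized_keys update failed for $user" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone demonstration against a constructed tree in a temp dir,
# with a stub that records what it was invoked with instead of rhesus.
ms_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/auth_user_ids" "$tmp/auth_user_ids/not-a-user"
    echo 'Bob Example <bob@example.org>' >"$tmp/auth_user_ids/bob"
    echo 'Alice Example <alice@example.org>' >"$tmp/auth_user_ids/alice"
    echo 'stale' >"$tmp/auth_user_ids/bob~"
    ms_update_all_users "$tmp" sh -c 'echo "would run rhesus for USER=$USER MS_HOME=$MS_HOME"'
    rm -rf "$tmp"
}
ms_demo
```

Running it as root from cron is the natural deployment; the non-zero return value makes a partial failure visible to the scheduler without stopping the remaining users from being refreshed.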