+that are being connected to. It is meant to be run as an ssh
+ProxyCommand. This can either be done by specifying the proxy command
+on the command line:
+
+.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ...
+
+or by adding the following line to your ~/.ssh/config script:
+
+.B ProxyCommand monkeysphere-ssh-proxycommand %h %p
+
+The script can easily be incorporated into other ProxyCommand scripts
+by calling it with the "--no-connect" option, i.e.:
+
+.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT"
+
+This will run everything but will not exec netcat to make the tcp
+connection to the host.
+
+.SH KEYSERVER CHECKING
+
+The proxy command has a fairly nuanced policy for when keyservers are
+queried when processing host. If the host userID is not found in
+either the user's keyring or in the known_hosts file, then the
+keyserver is queried for the host userID. If the host userID is found
+in the user's keyring, then the keyserver is not checked. This
+assumes that the keyring is kept up-to-date, in a cron job or the
+like, so that revocations are properly handled. If the host userID is
+not found in the user's keyring, but the host is listed in the
+known_hosts file, then the keyserver is not checked. This last policy
+might change in the future, possibly by adding a deferred check, so
+that hosts that go from non-monkeysphere-enabled to
+monkeysphere-enabled will be properly checked.
+
+.SH ENVIRONMENT VARIABLES
+
+All environment variables defined in monkeysphere(1) can also be used
+for the proxycommand, with one note:
+
+.TP
+MONKEYSPHERE_CHECK_KEYSERVER
+Setting this variable (to `true' or `false') will override the policy
+defined in KEYSERVER CHECKING above.
+