Merge commit 'jrollins/master'

[monkeysphere.git] / man / man8 / monkeysphere-host.8

diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index fd676a466fa85d5cf4d17cf94c65033c005f3b7c..2b7180759c187e744bb6108bbdf2f045080ea85b 100644 (file)
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -23,11 +23,24 @@ connection authentication.
 
 \fBmonkeysphere-host\fP takes various subcommands:
 .TP
 
 \fBmonkeysphere-host\fP takes various subcommands:
 .TP

-.B extend-key EXPIRE
+.B import-key FILE [NAME[:PORT]]
+Import a pem-encoded ssh secret host key from file FILE.  If FILE
+is '-', then the key will be imported from stdin.  NAME[:PORT] is used
+to specify the hostname (and port) used in the user ID of the new
+OpenPGP key.  If NAME is not specified, then the system
+fully-qualified domain name will be used (ie. `hostname -f').  If PORT
+is not specified, the no port is added to the user ID, which means
+port 22 is assumed.  `i' may be used in place of `import-key'.
+.TP
+.B show-key
+Output information about host's OpenPGP and SSH keys.  `s' may be used
+in place of `show-key'.
+.TP
+.B extend-key [EXPIRE]

 Extend the validity of the OpenPGP key for the host until EXPIRE from
 the present.  If EXPIRE is not specified, then the user will be
 Extend the validity of the OpenPGP key for the host until EXPIRE from
 the present.  If EXPIRE is not specified, then the user will be

-prompted for the extension term.  Expiration is specified like GnuPG
-does:
+prompted for the extension term.  Expiration is specified as with
+GnuPG:

 .nf
          0 = key does not expire
       <n>  = key expires in n days
 .nf
          0 = key does not expire
       <n>  = key expires in n days


@@ -36,7 +49,6 @@ does:
       <n>y = key expires in n years
 .fi
 `e' may be used in place of `extend-key'.
       <n>y = key expires in n years
 .fi
 `e' may be used in place of `extend-key'.

-

 .TP
 .B add-hostname HOSTNAME
 Add a hostname user ID to the server host key.  `n+' may be used in
 .TP
 .B add-hostname HOSTNAME
 Add a hostname user ID to the server host key.  `n+' may be used in


@@ -46,12 +58,16 @@ place of `add-hostname'.
 Revoke a hostname user ID from the server host key.  `n-' may be used
 in place of `revoke-hostname'.
 .TP
 Revoke a hostname user ID from the server host key.  `n-' may be used
 in place of `revoke-hostname'.
 .TP

-.B add-revoker FINGERPRINT
-
+.B add-revoker KEYID|FILE
+Add a revoker to the host's OpenPGP key.  The key ID will be loaded
+from the keyserver.  A file may be loaded instead of pulling the key
+from the keyserver by specifying the path to the file as the argument,
+or by specifying `-` to load from stdin.  `o' may be be used in place
+of `add-revoker'.

 .TP
 .TP

-.B show-key
-Output gpg information about host's OpenPGP key.  `s' may be used in
-place of `show-key'.
+.B revoke-key
+Revoke the host's OpenPGP key.  `r' may be used in place of
+`revoke-key'.

 .TP
 .B publish-key
 Publish the host's OpenPGP key to the keyserver.  `p' may be used in
 .TP
 .B publish-key
 Publish the host's OpenPGP key to the keyserver.  `p' may be used in


@@ -63,82 +79,65 @@ Output a brief usage summary.  `h' or `?' may be used in place of
 .TP
 .B version
 show version number
 .TP
 .B version
 show version number

-.SH "EXPERT" SUBCOMMANDS
-Some commands are very unlikely to be needed by most administrators.
-These commands must follow the word `expert'.
-.TP
-.B gen-key [HOSTNAME]
-Generate a OpenPGP key for the host.  If HOSTNAME is not specified,
-then the system fully-qualified domain name will be user.  An
-alternate key bit length can be specified with the `-l' or `--length'
-option (default 2048).  An expiration length can be specified with the
-`-e' or `--expire' option (prompt otherwise).  The expiration format
-is the same as that of \fBextend-key\fP, below.  A key revoker
-fingerprint can be specified with the `-r' or `--revoker' option.  `g'
-may be used in place of `gen-key'.

 
 

+
+Other commands:

 .TP
 .B diagnostics
 .TP
 .B diagnostics

-Review the state of the server with respect to the MonkeySphere in
-general and report on suggested changes.  Among other checks, this
-includes making sure there is a valid host key, that the key is
-published, that the sshd configuration points to the right place, and
-that there are at least some valid identity certifiers.  `d' may be
-used in place of `diagnostics'.
-.TP
-.B import-key
-FIXME:
-  import-key (i)                     import existing ssh key to gpg
-   --hostname (-h) NAME[:PORT]         hostname for key user ID
-   --keyfile (-f) FILE                 key file to import
-   --expire (-e) EXPIRE                date to expire
-
-.SH SETUP
+Review the state of the monkeysphere server host key and report on
+suggested changes.  Among other checks, this includes making sure
+there is a valid host key, that the key is published, that the sshd
+configuration points to the right place, etc.  `d' may be used in
+place of `diagnostics'.

 
 

-In order to start using the monkeysphere, you must first generate an
-OpenPGP key for the server and convert that key to an ssh key that can
-be used by ssh for host authentication.  This can be done with the
-\fBgen-key\fP subcommand:
+.SH SETUP HOST AUTHENTICATION

 
 

-$ monkeysphere-server gen-key
+To enable host verification via the monkeysphere, the host's key must
+be published to the Web of Trust.  This is not done by default.  To
+publish the host key to the keyservers, run the following command:

 
 

-To enable host verification via the monkeysphere, you must then
-publish the host's key to the Web of Trust using the \fBpublish-key\fP
-command to push the key to a keyserver.  You must also modify the
-sshd_config on the server to tell sshd where the new server host key
-is located:
-
-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
+$ monkeysphere-host publish-key

 
 In order for users logging into the system to be able to identify the
 host via the monkeysphere, at least one person (e.g. a server admin)
 will need to sign the host's key.  This is done using standard OpenPGP
 
 In order for users logging into the system to be able to identify the
 host via the monkeysphere, at least one person (e.g. a server admin)
 will need to sign the host's key.  This is done using standard OpenPGP

-keysigning techniques, usually: pul the key from the keyserver, verify
-and sign the key, and then re-publish the signature.  Once an admin's
-signature is published, users logging into the host can use it to
-validate the host's key.
+keysigning techniques, usually: pull the key from the keyserver,
+verify and sign the key, and then re-publish the signature.  Once an
+admin's signature is published, users logging into the host can use it
+to validate the host's key.
+
+.SH ENVIRONMENT

 
 

+The following environment variables will override those specified in
+the config file (defaults in parentheses):

 .TP
 MONKEYSPHERE_LOG_LEVEL
 Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
 increasing order of verbosity.
 .TP
 MONKEYSPHERE_KEYSERVER
 .TP
 MONKEYSPHERE_LOG_LEVEL
 Set the log level (INFO).  Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
 increasing order of verbosity.
 .TP
 MONKEYSPHERE_KEYSERVER

-OpenPGP keyserver to use (subkeys.pgp.net).
+OpenPGP keyserver to use (pool.sks-keyservers.net).
+.TP
+MONKEYSPHERE_PROMPT
+If set to `false', never prompt the user for confirmation. (true)
+

 
 .SH FILES
 
 .SH FILES

+

 .TP
 /etc/monkeysphere/monkeysphere-host.conf
 System monkeysphere-host config file.
 .TP
 .TP
 /etc/monkeysphere/monkeysphere-host.conf
 System monkeysphere-host config file.
 .TP

-/var/lib/monkeysphere/ssh_host_rsa_key
+/var/lib/monkeysphere/host/ssh_host_rsa_key

 Copy of the host's private key in ssh format, suitable for use by
 sshd.
 
 .SH AUTHOR
 
 Copy of the host's private key in ssh format, suitable for use by
 sshd.
 
 .SH AUTHOR
 

-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Matthew Goins <mjgoins@openflows.com>

 
 .SH SEE ALSO
 
 
 .SH SEE ALSO