+In order for users logging into the system to be able to identify the
+host via the monkeysphere, at least one person (e.g. a server admin)
+will need to sign the host's key. This is done using standard OpenPGP
+keysigning techniques, usually: pul the key from the keyserver, verify
+and sign the key, and then re-publish the signature. Once an admin's
+signature is published, users logging into the host can use it to
+validate the host's key.
+
+If the server will also handle user authentication through
+monkeysphere-generated authorized_keys files, the server must be told
+which keys will act as identity certifiers. This is done with the
+\fBadd-identity-certifier\fP command:
+
+$ monkeysphere-server add-identity-certifier KEYID
+
+where KEYID is the key ID of the server admin, or whoever's
+certifications should be acceptable to the system for the purposes of
+authenticating remote users. You can run this command multiple times
+to indicate that multiple certifiers are trusted. You may also
+specify a filename instead of a key ID, as long as the file contains a
+single OpenPGP public key. Certifiers can be removed with the
+\fBremove-identity-certifier\fP command, and listed with the
+\fBlist-identity-certifiers\fP command.
+
+Remote users will then be granted access to a local account based on
+the appropriately-signed and valid keys associated with user IDs
+listed in that account's authorized_user_ids file. By default, the
+authorized_user_ids file for an account is
+~/.monkeysphere/authorized_user_ids. This can be changed in the
+monkeysphere-server.conf file.
+
+The \fBupdate-users\fP command can then be used to generate
+authorized_keys file for local accounts based on the authorized user
+IDs listed in the account's authorized_user_ids file:
+
+$ monkeysphere-server update-users USER
+
+Not specifying USER will cause all accounts on the system to updated.
+sshd can then use these monkeysphere generated authorized_keys files
+to grant access to user accounts for remote users. You must also tell
+sshd to look at the monkeysphere-generated authorized_keys file for
+user authentication by setting the following in the sshd_config:
+
+AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+
+It is recommended to add "monkeysphere-server update-users" to a
+system crontab, so that user keys are kept up-to-date, and key
+revocations and expirations can be processed in a timely manner.
+
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+the monkeysphere-server.conf configuration file (defaults in
+parentheses):
+.TP
+MONKEYSPHERE_MONKEYSPHERE_USER
+User to control authentication keychain (monkeysphere).
+.TP
+MONKEYSPHERE_LOG_LEVEL
+Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity.
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_AUTHORIZED_USER_IDS
+Path to user authorized_user_ids file
+(%h/.monkeysphere/authorized_user_ids).
+.TP
+MONKEYSPHERE_RAW_AUTHORIZED_KEYS
+Path to user-controlled authorized_keys file. `-' means not to add
+user-controlled file (%h/.ssh/authorized_keys).