- Monkeysphere
- ------------
+Monkeysphere README
+===================
+Default files locations (by variable):
-This is the README!
+MS_HOME=~/.config/monkeysphere
+MS_CONF=$MS_HOME/monkeysphere.conf
+AUTH_HOST_FILE=$MS_HOME/auth_host_ids
+AUTH_USER_FILE=$MS_HOME/auth_user_ids
+GNUPGHOME=~/.gnupg
+STAGING_AREA=$MS_HOME
+
+$STAGING_AREA/host_keys/KEYHASH
+$STAGING_AREA/known_hosts
+$STAGING_AREA/user_keys/KEYHASH
+$STAGING_AREA/authorized_keys
+
+user usage
+----------
+For a user to update their ms known_hosts file:
+
+$ rhesus --known_hosts
+
+For a user to update their ms authorized_keys file:
+
+$ rhesus --authorized_keys
+
+server service publication
+--------------------------
+To publish a server host key use the "howler" component:
+
+# howler gen-key
+# howler publish-key
+
+This will generate the key for server with the service URI
+(ssh://server.hostname). The server admin should now sign the server
+key so that people in the admin's web of trust can authenticate the
+server without manual host key checking:
+
+$ gpg --search ='ssh://server.hostname'
+$ gpg --sign-key 'ssh://server.hostname'
+
+server authorized_keys maintenance
+----------------------------------
+A system can maintain ms authorized_keys files for it's users. Some
+different variables need to be defined to help manage this. The way
+this is done is by first defining a new MS_HOME:
+
+MS_HOME=/etc/monkeysphere
+
+This directory would then have a monkeysphere.conf which defines the
+following variables:
+
+AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER"
+STAGING_AREA=/var/lib/monkeysphere/stage/$USER
+GNUPGHOME=$MS_HOME/gnupg
+
+For each user account on the server, the userids of people authorized
+to log into that account would be placed in the AUTH_USER_FILE for
+that user. However, in order for users to become authenticated, the
+server must determine that the user keys have "full" validity. This
+means that the server must fully trust at least one person whose
+signature on the connecting users key would validate the user. This
+would generally be the server admin. If the server admin's keyid is
+XXXXXXXX, then on the server run:
+
+# howler trust-key XXXXXXXX
+
+To update the ms authorized_keys file for user "bob", the system would
+then run the following:
+
+# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys
+
+To update the ms authorized_keys file for all users on the the system:
+
+MS_HOME=/etc/monkeysphere
+for USER in $(ls -1 /etc/monkeysphere/auth_user_ids) ; do
+ rhesus --authorized_keys
+done
projects / monkeysphere.git / blobdiff