specified, then all accounts on the system are processed. `u' may be
used in place of `update\-users'.
.TP
+.B refresh\-keys
+Refresh all keys in the monkeysphere-authentication keyring. If no
+accounts are specified, then all accounts on the system are processed.
+`r' may be used in place of `refresh\-keys'.
+.TP
.B add\-id\-certifier KEYID|FILE
Instruct system to trust user identity certifications made by KEYID.
The key ID will be loaded from the keyserver. A file may be loaded
List key IDs trusted by the system to certify user identities. `c'
may be used in place of `list\-id\-certifiers'.
.TP
+.B version
+Show the monkeysphere version number. `v' may be used in place of
+`version'.
+.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
-.TP
-.B version
-show version number
+
Other commands:
.TP
which keys will act as identity certifiers. This is done with the
\fBadd\-id\-certifier\fP command:
-$ monkeysphere\-authentication add\-id\-certifier KEYID
+# monkeysphere\-authentication add\-id\-certifier KEYID
where KEYID is the key ID of the server admin, or whoever's
certifications should be acceptable to the system for the purposes of
\fBremove\-id\-certifier\fP command, and listed with the
\fBlist\-id\-certifiers\fP command.
-Remote users will be granted access to local accounts based on the
+A remote user will be granted access to a local account based on the
appropriately-signed and valid keys associated with user IDs listed in
that account's authorized_user_ids file. By default, the
authorized_user_ids file for an account is
monkeysphere\-authentication.conf file.
The \fBupdate\-users\fP command is used to generate authorized_keys
-files for local accounts based on the authorized user IDs listed in
-the account's authorized_user_ids file:
+files for a local account based on the user IDs listed in the
+account's authorized_user_ids file:
-$ monkeysphere\-authentication update\-users USER
+# monkeysphere\-authentication update\-users USER
Not specifying USER will cause all accounts on the system to updated.
-The ssh server can then use these monkeysphere\-generated
-authorized_keys files to grant access to user accounts for remote
-users. In order for sshd to look at the monkeysphere\-generated
-authorized_keys file for user authentication, the AuthorizedKeysFile
-parameter must be set in the sshd_config to point to the
-monkeysphere\-generated authorized_keys files:
+The ssh server can use these monkeysphere-generated authorized_keys
+files to grant access to user accounts for remote users. In order for
+sshd to look at the monkeysphere-generated authorized_keys file for
+user authentication, the AuthorizedKeysFile parameter must be set in
+the sshd_config to point to the monkeysphere\-generated
+authorized_keys files:
AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u
-It is recommended to add "monkeysphere\-authentication update-users"
+It is recommended to add "monkeysphere\-authentication update\-users"
to a system crontab, so that user keys are kept up-to-date, and key
revocations and expirations can be processed in a timely manner.
.TP
/var/lib/monkeysphere/authorized_keys/USER
Monkeysphere-generated user authorized_keys files.
+.TP
+~/.monkeysphere/authorized_user_ids
+A list of OpenPGP user IDs, one per line. OpenPGP keys with an
+exactly-matching User ID (calculated valid by the designated identity
+certifiers), will have any valid authorization-capable keys or subkeys
+added to the given user's authorized_keys file.
.SH AUTHOR
-Written by:
+This man page was written by:
Jameson Rollins <jrollins@fifthhorseman.net>,
Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
Matthew Goins <mjgoins@openflows.com>
.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1),
-.BR sshd (8)
+.BR sshd (8),
+.BR sshd_config (5)
projects / monkeysphere.git / blobdiff