-.TH MONKEYSPHERE-SERVER "1" "June 2008" "monkeysphere" "User Commands"
+.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
.SH NAME
-monkeysphere-server \- monkeysphere server admin user interface
+monkeysphere-server \- Monkeysphere server admin user interface
.SH SYNOPSIS
.SH DESCRIPTION
-\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust
-for ssh authentication. OpenPGP keys are tracked via GnuPG, and added
-to the authorized_keys and known_hosts files used by ssh for
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
+for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
+added to the authorized_keys and known_hosts files used by OpenSSH for
connection authentication.
-\fBmonkeysphere-server\fP is the MonkeySphere server admin utility.
+\fBmonkeysphere-server\fP is the Monkeysphere server admin utility.
.SH SUBCOMMANDS
.TP
.B add-identity-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
-A certifier domain can be specified with the `-n' or `--domain'
-option. A certifier trust level can be specified with the `-t' or
-`--trust' option (possible values are `1' for `marginal' and `2' for
-`full' (default is `2')). A certifier trust depth can be specified
+Using the `-n' or `--domain' option allows you to indicate that you
+only trust the given KEYID to make identifications within a specific
+domain (e.g. "trust KEYID to certify user identities within the
+@example.org domain"). A certifier trust level can be specified with
+the `-t' or `--trust' option (possible values are `marginal' and
+`full' (default is `full')). A certifier trust depth can be specified
with the `-d' or `--depth' option (default is 1). `a' may be used in
place of `add-identity-certifier'.
.TP
To enable host verification via the monkeysphere, you must then
publish the host's key to the Web of Trust using the \fBpublish-key\fP
-command to push the key to a keyserver. Then modify the sshd_config
-to tell sshd where the new server host key is located:
+command to push the key to a keyserver. You must also modify the
+sshd_config on the server to tell sshd where the new server host key
+is located:
HostKey /var/lib/monkeysphere/ssh_host_rsa_key
In order for users logging into the system to be able to verify the
-host via the monkeysphere, at least one person (i.e. a server admin)
-will need to sign the host's key. This is done in the same way that
-key signing is usually done, by pulling the host's key from the
-keyserver, signing the key, and re-publishing the signature. Once
-that is done, users logging into the host will be able to certify the
-host's key via the signature of the host admin.
+host via the monkeysphere, at least one person (e.g. a server admin)
+will need to sign the host's key. This is done using standard key
+signing techniquies, usually by pulling the key from the keyserver,
+signing the key, and re-publishing the signature. Once that is done,
+users logging into the host will be able to certify the host's key via
+the signature of the host admin.
If the server will also handle user authentication through
monkeysphere-generated authorized_keys files, the server must be told
$ monkeysphere-server add-certifier KEYID
where KEYID is the key ID of the server admin, or whoever's signature
-will be certifying users to the system. Certifiers can be later
-remove with the \fBremove-certifier\fP command, and listed with the
+will be certifying users to the system. Certifiers can be removed
+with the \fBremove-certifier\fP command, and listed with the
\fBlist-certifiers\fP command.
Remote user's will then be granted access to a local user account
The \fBupdate-users\fP command can then be used to generate
authorized_keys file for local users based on the authorized user IDs
-listed in the user's authorized_user_ids file:
+listed in the various local user's authorized_user_ids file:
$ monkeysphere-server update-users USER
-sshd can then use these files to grant access to user accounts for
-remote users. If no user is specified, authorized_keys files will be
-generated for all users on the system. You must also tell sshd to
-look at the monkeysphere-generated authorized_keys file for user
-authentication by setting the following in the sshd_config:
+Not specifying a specific user will cause all users on the system to
+updated. sshd can then use these monkeysphere generated
+authorized_keys files to grant access to user accounts for remote
+users. You must also tell sshd to look at the monkeysphere-generated
+authorized_keys file for user authentication by setting the following
+in the sshd_config:
AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u