--- /dev/null
+Monkeysphere User README
+========================
+
+You don't have to be an OpenSSH or OpenPGP expert to use the
+Monkeysphere. However, you should be comfortable using secure shell
+(ssh), and you should already have GnuPG installed and an OpenPGP key
+pair before you begin.
+
+As a regular user on a system where the monkeysphere package is
+installed, you probably want to do a few things:
+
+
+Keep your keyring up-to-date
+----------------------------
+
+Regularly refresh your GnuPG keyring from the keyservers. This can be
+done with a simple cronjob. An example of crontab line to do this is:
+
+ 0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1
+
+This would refresh your keychain every day at noon.
+
+
+Keeping your `known_hosts` file in sync with your keyring
+-----------------------------------------------------------
+
+With your keyring updated, you want to make sure that OpenSSH can
+still see the most recent trusted information about who the various
+hosts are. This can be done with the monkeysphere-ssh-proxycommand
+(see next section) or with the `update-known_hosts` command:
+
+ $ monkeysphere update-known_hosts
+
+This command will check to see if there is an OpenPGP key for each
+(non-hashed) host listed in the `known_hosts` file, and then add the
+key for that host to the `known_hosts` file if one is found. This
+command could be added to a crontab as well, if desired.
+
+
+Using `monkeysphere-ssh-proxycommand`(1)
+----------------------------------------
+
+The best way to handle host keys is to use the monkeysphere ssh proxy
+command. This command will make sure the `known_hosts` file is
+up-to-date for the host you are connecting to with ssh. The best way
+to integrate this is to add the following line to the "Host *" section
+of your `~/.ssh/config` file:
+
+ ProxyCommand monkeysphere-ssh-proxycommand %h %p
+
+The "Host *" section specifies what ssh options to use for all
+connections. If you don't already have a "Host *" line, you can add it
+by entering:
+
+ Host *
+
+On a line by itself. Add the ProxyCommand line just below it.
+
+Once you've completed this step - you are half-way there. You will now
+be able to verify servers participating in the monkeysphere provided
+their keys have been signed by someone that you trust.
+
+FIXME: We should setup a way for someone to download a test gpg key and
+then connect to a test server that is signed by this gpg key so users
+can establish that they are setup correctly.
+
+The remaining steps will complete the second half: allowing servers to
+verify you based on your OpenPGP key.
+
+
+Setting up an OpenPGP authentication key
+----------------------------------------
+
+First things first: you'll need to create an "authentication" subkey
+for your current key, if you don't already have one. If you already
+have a GPG key, you can add an authentication subkey with:
+
+ $ monkeysphere gen-subkey
+
+If you have more than one secret key, you'll need to specify the key
+you want to add the subkey to on the command line.
+
+
+Using your OpenPGP authentication key for SSH
+---------------------------------------------
+
+Once you have created an OpenPGP authentication subkey, you will need
+to feed it to your ssh agent.
+
+Currently (2008-08-23), gnutls does not support this operation. In order
+to take this step, you will need to upgrade to a patched version of
+gnutls. You can easily upgrade a Debian system by adding the following
+to `/etc/apt/sources.list.d/monkeysphere.list`:
+
+ deb http://archive.monkeysphere.info/debian experimental gnutls
+ deb-src http://archive.monkeysphere.info/debian experimental gnutls
+
+Next, run `aptitude update; aptitude install libgnutls26`.
+
+With the patched gnutls installed, you can feed your authentication
+subkey to your ssh agent by running:
+
+ $ monkeysphere subkey-to-ssh-agent
+
+FIXME: using the key with a single ssh connection?
+
+
+Miscellaneous
+-------------
+
+Users can also maintain their own `~/.ssh/authorized_keys` files with
+the Monkeysphere. This is primarily useful for accounts on hosts that
+are not already systematically using the Monkeysphere for user
+authentication. If you're not sure whether this is the case for your
+host, ask your system administrator.
+
+If you want to do this as a regular user, use the
+`update-authorized_keys` command:
+
+ $ monkeysphere update-authorized_keys
+
+This command will take all the user IDs listed in the
+`~/.monkeysphere/authorized_user_ids` file and check to see if
+there are acceptable keys for those user IDs available. If so, they
+will be added to the `~/.ssh/authorized_keys` file.
+
+You must have indicated reasonable ownertrust in some key for this
+account, or no keys will be found with trusted certification paths.
+
+If you find this useful, you might want to place this command in your
+crontab so that revocations and rekeyings can take place
+automatically.