This would refresh your keychain every day at noon.
+Install the monkeysphere software on your system
+------------------------------------------------
+
+If you haven't installed monkeysphere yet, you will need to [download
+and install](/download) before continuing.
+
+Make sure that you have the GnuTLS library version 2.6 or later
+installed on your system. If you can't (or don't want to) upgrade to
+GnuTLS 2.6 or later, there are patches for GnuTLS 2.4 available in
+[the Monkeysphere git repo](/community).
+
+
Keeping your `known_hosts` file in sync with your keyring
------------------------------------------------------------
+---------------------------------------------------------
With your keyring updated, you want to make sure that OpenSSH can
still see the most recent trusted information about who the various
to integrate this is to add the following line to the "Host *" section
of your `~/.ssh/config` file:
- ProxyCommand monkeysphere-ssh-proxycommand %h %p
+ ProxyCommand monkeysphere ssh-proxycommand %h %p
The "Host *" section specifies what ssh options to use for all
connections. If you don't already have a "Host *" line, you can add it
Setting up an OpenPGP authentication key
----------------------------------------
-First things first: you'll need to create an "authentication" subkey
-for your current key, if you don't already have one. If you already
-have a GPG key, you can add an authentication subkey with:
+First things first: you'll need to have a OpenPGP "authentication"
+subkey for your current key, if you don't already have one. If you
+already have a GPG key, you can generate an authentication subkey with
+the `gen-subkey` command:
$ monkeysphere gen-subkey
Once you have created an OpenPGP authentication subkey, you will need
to feed it to your ssh agent.
-Currently (2008-08-23), gnutls does not support this operation. In order
-to take this step, you will need to upgrade to a patched version of
-gnutls. You can easily upgrade a Debian system by adding the following
-to `/etc/apt/sources.list.d/monkeysphere.list`:
-
- deb http://archive.monkeysphere.info/debian experimental gnutls
- deb-src http://archive.monkeysphere.info/debian experimental gnutls
-
-Next, run `aptitude update; aptitude install libgnutls26`.
-
-With the patched gnutls installed, you can feed your authentication
-subkey to your ssh agent by running:
+The GnuTLS library supports this operation as of version 2.6, but
+earlier versions do not. With a recent version of GnuTLS installed,
+you can feed your authentication subkey to your ssh agent by running:
$ monkeysphere subkey-to-ssh-agent
FIXME: using the key with a single ssh connection?
+
Establish trust
---------------
key, and then you have to indicate a trust level.
The process of signing another key is outside the scope of this
-document, however the gnupg README details the signing process and you
-can find good [documentation
+document, however the [gnupg
+README](http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/README?root=GnuPG&view=markup)
+details the signing process and you can find good [documentation
](http://www.debian.org/events/keysigning) online detailing this
process.
host-certifying key, or by giving marginal trust to three different
host-certifiers. In the following we demonstrate how to add full trust
validity to a host-certifying key:
-
- $ gpg --edit-key <admin_keyid>
- Command> trust
- pub 2048R/3B757F8C created: 2008-06-19 expires: 2008-11-16 usage: CA
- trust: unknown validity: full
- [ unknown ] (1). ssh://monkeysphere.info
- [ unknown ] (2) ssh://george.riseup.net
-
- Please decide how far you trust this user to correctly verify other users' keys
- (by looking at passports, checking fingerprints from different sources, etc.)
-
- 1 = I don't know or won't say
- 2 = I do NOT trust
- 3 = I trust marginally
- 4 = I trust fully
- 5 = I trust ultimately
- m = back to the main menu
-
- Your decision? 4
+
+
+ $ gpg --edit-key 'Jane Admin'
+ gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+
+ Command> trust
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: unknown validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+
+ Please decide how far you trust this user to correctly verify other users' keys
+ (by looking at passports, checking fingerprints from different sources, etc.)
+
+ 1 = I don't know or won't say
+ 2 = I do NOT trust
+ 3 = I trust marginally
+ 4 = I trust fully
+ 5 = I trust ultimately
+ m = back to the main menu
+
+ Your decision? 4
+
+ pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC
+ trust: full validity: full
+ sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E
+ [ full ] (1). Jane Admin <jane_admin@example.net>
+ Please note that the shown key validity is not necessarily correct
+ unless you restart the program.
+
+ Command> save
+ Key not changed so no update needed.
+ $
Note: Due to a limitation with gnupg, it is not currently possible to
limit the domain scope properly, which means that if you fully trust
-an admin, this admin can currently assert host verification for any
-hosts.
+an admin, you'll trust all their certifications.
Because the Monkeysphre relies on GPG's definition of the OpenPGP web
of trust, it is important to understand [how GPG calculates User ID