X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;ds=sidebyside;f=doc%2FREADME;h=427f214f4d82916d2b8141a6ed53cd29f9cf4682;hb=8a977a8371f2ea54e3888494e1b474befeba318b;hp=9dc8753f7cdfb2895fc2fa4cc1c633ac0d38109c;hpb=6b83b50141e37e2926333dc1aa987bfb50317b5b;p=monkeysphere.git diff --git a/doc/README b/doc/README index 9dc8753..427f214 100644 --- a/doc/README +++ b/doc/README 
@@ -1,48 +1,56 @@ Monkeysphere README -------------------- +=================== -Default file locations: +user usage +---------- +For a user to update their known_hosts file: -MS_HOME=~/.config/monkeysphere -STAGING_AREA=$MS_HOME -GNUPGHOME=~/.gnupg -$MS_HOME/monkeysphere.conf -$MS_HOME/auth_host_ids -$MS_HOME/auth_user_ids -$STAGING_AREA/host_keys/KEYHASH -$STAGING_AREA/known_hosts -$STAGING_AREA/user_keys/KEYHASH -$STAGING_AREA/authorized_keys +$ monkeysphere update-known_hosts -For a user to update their ms known_hosts file: +For a user to update their monkeysphere authorized_keys file: -$ rhesus --known_hosts +$ monkeysphere update-authorized_keys -For a user to update their ms authorized_keys file: +server service publication +-------------------------- +To publish a server host key: -$ rhesus --authorized_keys +# monkeysphere-server gen-key +# monkeysphere-server publish-key -A system can maintain ms authorized_keys files for it's users. Some -different variables need to be defined to help manage this. The way -this is done is by first defining a new MS_HOME: +This will generate the key for server with the service URI +(ssh://server.hostname). The server admin should now sign the server +key so that people in the admin's web of trust can authenticate the +server without manual host key checking: -MS_HOME=/etc/monkeysphere +$ gpg --search ='ssh://server.hostname' +$ gpg --sign-key 'ssh://server.hostname' -This directory would then have a monkeysphere.conf which defines the -following variables: +server authorized_keys maintenance +---------------------------------- +A system can maintain monkeysphere authorized_keys files for it's +users. 
-AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER" -STAGING_AREA=/var/lib/monkeysphere/stage/$USER -GNUPGHOME=$MS_HOME/gnupg +For each user account on the server, the userids of people authorized +to log into that account would be placed in: -To update the ms authorized_keys file for user "foo", the system would -then run the following: +/etc/monkeysphere/authorized_user_file/USER -# USER=foo MS_HOME=/etc/monkeysphere rhesus --authorized_keys +However, in order for users to become authenticated, the server must +determine that the user keys have "full" validity. This means that +the server must fully trust at least one person whose signature on the +connecting users key would validate the user. This would generally be +the server admin. If the server admin's keyid is XXXXXXXX, then on +the server run: -To update the ms authorized_keys file for all users on the the system: +# monkeysphere-server trust-keys XXXXXXXX -MS_HOME=/etc/monkeysphere -for USER in $(ls -1 /etc/monkeysphere/auth_user_ids) ; do - rhesus --authorized_keys -done +To update the monkeysphere authorized_keys file for user "bob", the +system would then run the following: + +# monkeysphere-server update-users bob + +To update the monkeysphere authorized_keys file for all users on the +the system, run the same command with no arguments: + +# monkeysphere-server update-users bob
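Review bot: the final example in the hunk contradicts the sentence above it: the text says "run the same command with no arguments" for all users, but the command still reads `# monkeysphere-server update-users bob`; it should be `# monkeysphere-server update-users`. While touching that paragraph, the duplicated word in "all users on the / the system" and the apostrophe in "for it's users" (should be "its") carry over from the old text and are worth fixing here. In the server-publication section, `$ gpg --search ='ssh://server.hostname'` has a stray `=` before the quoted URI and an abbreviated option name; please confirm the intended form (`gpg --search-keys 'ssh://server.hostname'`) so an admin copying the line does not get a keyserver lookup for a literal `=`. Finally, since `monkeysphere-server trust-keys XXXXXXXX` grants full trust to whatever key matches that identifier, and every user ID that key certifies then becomes a valid login identity, the placeholder should be described as the admin's full fingerprint rather than a short keyid, which is not collision-resistant.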