X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman8%2Fmonkeysphere-authentication.8;h=d3d3b952fd8bf3702c9876bbc3d1445ddb24cfcc;hb=eb815bce0da27a24ad718c31b77e45032e3a5916;hp=cfd13e7d5241dc6fc5b3b65de189b50e726c0c52;hpb=13e7b0e3c0f4522382445c6ae77b090e68f4c8e4;p=monkeysphere.git diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index cfd13e7..d3d3b95 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -16,7 +16,8 @@ and added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. \fBmonkeysphere\-authentication\fP is a Monkeysphere server admin -utility for configuring SSH user authentication through the WoT. +utility for configuring and managing SSH user authentication through +the WoT. .SH SUBCOMMANDS @@ -58,12 +59,14 @@ Instruct system to ignore user identity certifications made by KEYID. List key IDs trusted by the system to certify user identities. `c' may be used in place of `list\-id\-certifiers'. .TP +.B version +Show the monkeysphere version number. `v' may be used in place of +`version'. +.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.TP -.B version -show version number + Other commands: .TP @@ -91,7 +94,7 @@ monkeysphere-generated authorized_keys files, the server must be told which keys will act as identity certifiers. This is done with the \fBadd\-id\-certifier\fP command: -$ monkeysphere\-authentication add\-id\-certifier KEYID +# monkeysphere\-authentication add\-id\-certifier KEYID where KEYID is the key ID of the server admin, or whoever's certifications should be acceptable to the system for the purposes of 
@@ -102,28 +105,30 @@ single OpenPGP public key. Certifiers can be removed with the \fBremove\-id\-certifier\fP command, and listed with the \fBlist\-id\-certifiers\fP command. -Remote users will then be granted access to a local account based on -the appropriately-signed and valid keys associated with user IDs -listed in that account's authorized_user_ids file. By default, the +A remote user will be granted access to a local account based on the +appropriately-signed and valid keys associated with user IDs listed in +that account's authorized_user_ids file. By default, the authorized_user_ids file for an account is ~/.monkeysphere/authorized_user_ids. This can be changed in the monkeysphere\-authentication.conf file. -The \fBupdate\-users\fP command can then be used to generate -authorized_keys file for local accounts based on the authorized user -IDs listed in the account's authorized_user_ids file: +The \fBupdate\-users\fP command is used to generate authorized_keys +files for a local account based on the user IDs listed in the +account's authorized_user_ids file: -$ monkeysphere\-authentication update\-users USER +# monkeysphere\-authentication update\-users USER Not specifying USER will cause all accounts on the system to updated. -sshd can then use these monkeysphere generated authorized_keys files -to grant access to user accounts for remote users. You must also tell +The ssh server can use these monkeysphere-generated authorized_keys +files to grant access to user accounts for remote users. 
In order for sshd to look at the monkeysphere-generated authorized_keys file for -user authentication by setting the following in the sshd_config: +user authentication, the AuthorizedKeysFile parameter must be set in +the sshd_config to point to the monkeysphere\-generated +authorized_keys files: AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u -It is recommended to add "monkeysphere\-authentication update-users" +It is recommended to add "monkeysphere\-authentication update\-users" to a system crontab, so that user keys are kept up-to-date, and key revocations and expirations can be processed in a timely manner. @@ -156,7 +161,6 @@ raw authorized_keys file. %h gets replaced with the user's homedir, MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) - .SH FILES .TP @@ -165,10 +169,16 @@ System monkeysphere-authentication config file. .TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. +.TP +~/.monkeysphere/authorized_user_ids +A list of OpenPGP user IDs, one per line. OpenPGP keys with an +exactly-matching User ID (calculated valid by the designated identity +certifiers), will have any valid authorization-capable keys or subkeys +added to the given user's authorized_keys file. .SH AUTHOR -Written by: +This man page was written by: Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins @@ -180,4 +190,5 @@ Matthew Goins .BR monkeysphere (7), .BR gpg (1), .BR ssh (1), -.BR sshd (8) +.BR sshd (8), +.BR sshd_config (5)
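Review bot: in the hunk at @@ -58,12 +59,14 @@, the `v' shorthand for `version' is introduced in the man page only; confirm that the subcommand dispatch in the monkeysphere-authentication script actually accepts `v', otherwise the page documents an alias that does not exist. Also, deleting the trailing `.TP' leaves a bare blank line before `Other commands:'; the hunk at @@ -156,7 +161,6 @@ removes exactly such a stray blank line elsewhere, so for consistency use a `.PP' here or drop the blank line.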
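Review bot: in the hunk at @@ -91,7 +94,7 @@, changing the prompt from `$' to `#' conventionally signals a root shell, but the surrounding prose never says that add\-id\-certifier must be run as root. Since this command changes which keys the whole system trusts to certify user identities, state that requirement explicitly next to the example so the `#' is not mistaken for a comment marker.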
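Review bot: in the hunk at @@ -102,28 +105,30 @@, the unchanged context line `Not specifying USER will cause all accounts on the system to updated.' is missing `be'; since the adjacent paragraphs are already being rewritten, fix it here (`to be updated'). More importantly, the AuthorizedKeysFile value given in this hunk, /var/lib/monkeysphere/authentication/authorized_keys/%u, does not match the FILES entry /var/lib/monkeysphere/authorized_keys/USER that the later hunk leaves in place; an admin who copies the wrong one into sshd_config ends up with an AuthorizedKeysFile that sshd never finds, so use the path the tool actually writes in both places.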
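Review bot: in the hunk at @@ -165,10 +169,16 @@, the new authorized_user_ids description has a comma splitting subject from verb in `(calculated valid by the designated identity certifiers), will have'; drop the comma. Also, `authorization-capable' is not an OpenPGP key usage; the flag monkeysphere checks for on a key or subkey is the authentication capability, so `authentication-capable' is the accurate term and matches the language used for ssh keys elsewhere.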