X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman8%2Fmonkeysphere-authentication.8;h=ea9debd33d99618ea785c9a1336e3c3545c6abb5;hb=HEAD;hp=dfa74445347e3ea975f23f59252f19643427dc01;hpb=4cf60ae41b38e76a5c30de991b470c80abbc57e4;p=monkeysphere.git diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index dfa7444..ea9debd 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -1,4 +1,4 @@ -.TH MONKEYSPHERE-SERVER "8" "March 2009" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-AUTHENTICATION "8" "January 2010" "monkeysphere" "System Commands" .SH NAME @@ -11,9 +11,9 @@ monkeysphere\-authentication - Monkeysphere authentication admin tool. .SH DESCRIPTION \fBMonkeysphere\fP is a framework to leverage the OpenPGP Web of Trust -(WoT) for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, -and added to the authorized_keys and known_hosts files used by OpenSSH -for connection authentication. +(WoT) for key-based authentication. OpenPGP keys are tracked via +GnuPG, and added to the authorized_keys files used by OpenSSH for +connection authentication. \fBmonkeysphere\-authentication\fP is a Monkeysphere server admin utility for configuring and managing SSH user authentication through @@ -37,6 +37,11 @@ monkeysphere-controlled authorized_keys file. If no accounts are specified, then all accounts on the system are processed. `u' may be used in place of `update\-users'. .TP +.B refresh\-keys +Refresh all keys in the monkeysphere-authentication keyring. If no +accounts are specified, then all accounts on the system are processed. +`r' may be used in place of `refresh\-keys'. +.TP .B add\-id\-certifier KEYID|FILE Instruct system to trust user identity certifications made by KEYID. The key ID will be loaded from the keyserver. A file may be loaded @@ -59,12 +64,14 @@ Instruct system to ignore user identity certifications made by KEYID. List key IDs trusted by the system to certify user identities. `c' may be used in place of `list\-id\-certifiers'. .TP +.B version +Show the monkeysphere version number. `v' may be used in place of +`version'. +.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.TP -.B version -show version number + Other commands: .TP @@ -92,7 +99,7 @@ monkeysphere-generated authorized_keys files, the server must be told which keys will act as identity certifiers. This is done with the \fBadd\-id\-certifier\fP command: -$ monkeysphere\-authentication add\-id\-certifier KEYID +# monkeysphere\-authentication add\-id\-certifier KEYID where KEYID is the key ID of the server admin, or whoever's certifications should be acceptable to the system for the purposes of @@ -103,7 +110,7 @@ single OpenPGP public key. Certifiers can be removed with the \fBremove\-id\-certifier\fP command, and listed with the \fBlist\-id\-certifiers\fP command. -Remote users will be granted access to local accounts based on the +A remote user will be granted access to a local account based on the appropriately-signed and valid keys associated with user IDs listed in that account's authorized_user_ids file. By default, the authorized_user_ids file for an account is @@ -111,22 +118,22 @@ authorized_user_ids file for an account is monkeysphere\-authentication.conf file. The \fBupdate\-users\fP command is used to generate authorized_keys -files for local accounts based on the authorized user IDs listed in -the account's authorized_user_ids file: +files for a local account based on the user IDs listed in the +account's authorized_user_ids file: -$ monkeysphere\-authentication update\-users USER +# monkeysphere\-authentication update\-users USER Not specifying USER will cause all accounts on the system to updated. -The ssh server can then use these monkeysphere\-generated -authorized_keys files to grant access to user accounts for remote -users. In order for sshd to look at the monkeysphere\-generated -authorized_keys file for user authentication, the AuthorizedKeysFile -parameter must be set in the sshd_config to point to the -monkeysphere\-generated authorized_keys files: +The ssh server can use these monkeysphere-generated authorized_keys +files to grant access to user accounts for remote users. In order for +sshd to look at the monkeysphere-generated authorized_keys file for +user authentication, the AuthorizedKeysFile parameter must be set in +the sshd_config to point to the monkeysphere\-generated +authorized_keys files: -AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u +AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u -It is recommended to add "monkeysphere\-authentication update-users" +It is recommended to add "monkeysphere\-authentication update\-users" to a system crontab, so that user keys are kept up-to-date, and key revocations and expirations can be processed in a timely manner. @@ -158,6 +165,11 @@ raw authorized_keys file. %h gets replaced with the user's homedir, .TP MONKEYSPHERE_PROMPT If set to `false', never prompt the user for confirmation. (true) +.TP +MONKEYSPHERE_STRICT_MODES +If set to `false', ignore too-loose permissions on known_hosts, +authorized_keys, and authorized_user_ids files. NOTE: setting this to +false may expose users to abuse by other users on the system. (true) .SH FILES @@ -165,13 +177,24 @@ If set to `false', never prompt the user for confirmation. (true) /etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP +/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt +If monkeysphere-authentication is configured to query an hkps +keyserver, it will use X.509 Certificate Authority certificates in +this file to validate any X.509 certificates used by the keyserver. +.TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. +.TP +~/.monkeysphere/authorized_user_ids +A list of OpenPGP user IDs, one per line. OpenPGP keys with an +exactly-matching User ID (calculated valid by the designated identity +certifiers), will have any valid authorization-capable keys or subkeys +added to the given user's authorized_keys file. .SH AUTHOR -Written by: -Jameson Rollins , +This man page was written by: +Jameson Rollins , Daniel Kahn Gillmor , Matthew Goins @@ -182,4 +205,5 @@ Matthew Goins .BR monkeysphere (7), .BR gpg (1), .BR ssh (1), -.BR sshd (8) +.BR sshd (8), +.BR sshd_config (5)