X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman8%2Fmonkeysphere-server.8;h=d25f0e8ea671b1d781c6b3eb243b9cb18f554864;hb=924d4c617c5f5edcabb630521f0c97436f6f1cb7;hp=527cae791f9b131521f0166a451a761b41a5b0b5;hpb=8714868fe12f15afc02ee84379b544774df35c15;p=monkeysphere.git diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 527cae7..d25f0e8 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -27,7 +27,7 @@ specified account, the user ID's listed in the account's authorized_user_ids file are processed. For each user ID, gpg will be queried for keys associated with that user ID, optionally querying a keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in -monkeysphere(5)), the key is added to the account's +monkeysphere(7)), the key is added to the account's monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys file (usually ~USER/.ssh/authorized_keys) is appended to the 
@@ -36,17 +36,40 @@ specified, then all accounts on the system are processed. `u' may be used in place of `update-users'. .TP .B gen-key [HOSTNAME] -Generate a OpenPGP key pair for the host. If HOSTNAME is not -specified, then the system fully-qualified domain name will be user. -An alternate key bit length can be specified with the `-l' or -`--length' option (default 2048). An expiration length can be -specified with the `-e' or `--expire' option (prompt otherwise). A -key revoker fingerprint can be specified with the `-r' or `--revoker' -option. `g' may be used in place of `gen-key'. -.TP -.B show-fingerprint -Show the fingerprint for the host's OpenPGP key. `f' may be used in place of -`show-fingerprint'. +Generate a OpenPGP key for the host. If HOSTNAME is not specified, +then the system fully-qualified domain name will be user. An +alternate key bit length can be specified with the `-l' or `--length' +option (default 2048). An expiration length can be specified with the +`-e' or `--expire' option (prompt otherwise). The expiration format +is the same as that of \fBextend-key\fP, below. A key revoker +fingerprint can be specified with the `-r' or `--revoker' option. `g' +may be used in place of `gen-key'. +.TP +.B extend-key EXPIRE +Extend the validity of the OpenPGP key for the host until EXPIRE from +the present. If EXPIRE is not specified, then the user will be +prompted for the extension term. Expiration is specified like GnuPG +does: +.nf + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +.fi +`e' may be used in place of `extend-key'. +.TP +.B add-hostname HOSTNAME +Add a hostname user ID to the server host key. `n+' may be used in +place of `add-hostname'. +.TP +.B revoke-hostname HOSTNAME +Revoke a hostname user ID from the server host key. `n-' may be used +in place of `revoke-hostname'. +.TP +.B show-key +Output gpg information about host's OpenPGP key. 
`s' may be used in +place of `show-key'. .TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in @@ -68,15 +91,15 @@ domain (e.g. "trust KEYID to certify user identities within the @example.org domain"). A certifier trust level can be specified with the `-t' or `--trust' option (possible values are `marginal' and `full' (default is `full')). A certifier trust depth can be specified -with the `-d' or `--depth' option (default is 1). `a' may be used in +with the `-d' or `--depth' option (default is 1). `c+' may be used in place of `add-identity-certifier'. .TP .B remove-identity-certifier KEYID Instruct system to ignore user identity certifications made by KEYID. -`r' may be used in place of `remove-identity-certifier'. +`c-' may be used in place of `remove-identity-certifier'. .TP .B list-identity-certifiers -List key IDs trusted by the system to certify user identities. `l' +List key IDs trusted by the system to certify user identities. `c' may be used in place of `list-identity-certifiers'. .TP .B gpg-authentication-cmd 
@@ -107,51 +130,54 @@ is located: HostKey /var/lib/monkeysphere/ssh_host_rsa_key -In order for users logging into the system to be able to verify the +In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) -will need to sign the host's key. This is done using standard key -signing techniquies, usually by pulling the key from the keyserver, -signing the key, and re-publishing the signature. Once that is done, -users logging into the host will be able to certify the host's key via -the signature of the host admin. +will need to sign the host's key. This is done using standard OpenPGP +keysigning techniques, usually: pul the key from the keyserver, verify +and sign the key, and then re-publish the signature. Once an admin's +signature is published, users logging into the host can use it to +validate the host's key. If the server will also handle user authentication through monkeysphere-generated authorized_keys files, the server must be told -which keys will act as user certifiers. This is done with the -\fBadd-certifier\fP command: - -$ monkeysphere-server add-certifier KEYID - -where KEYID is the key ID of the server admin, or whoever's signature -will be certifying users to the system. Certifiers can be removed -with the \fBremove-certifier\fP command, and listed with the -\fBlist-certifiers\fP command. - -Remote user's will then be granted access to a local user account -based on the appropriately signed and valid keys associated with user -IDs listed in the authorized_user_ids file of the local user. By -default, the authorized_user_ids file for local users is found in -~/.config/monkeysphere/authorized_user_ids. This can be changed in -the monkeysphere-server.conf file. +which keys will act as identity certifiers. 
This is done with the +\fBadd-identity-certifier\fP command: + +$ monkeysphere-server add-identity-certifier KEYID + +where KEYID is the key ID of the server admin, or whoever's +certifications should be acceptable to the system for the purposes of +authenticating remote users. You can run this command multiple times +to indicate that multiple certifiers are trusted. You may also +specify a filename instead of a key ID, as long as the file contains a +single OpenPGP public key. Certifiers can be removed with the +\fBremove-identity-certifier\fP command, and listed with the +\fBlist-identity-certifiers\fP command. + +Remote users will then be granted access to a local account based on +the appropriately-signed and valid keys associated with user IDs +listed in that account's authorized_user_ids file. By default, the +authorized_user_ids file for an account is +~/.monkeysphere/authorized_user_ids. This can be changed in the +monkeysphere-server.conf file. The \fBupdate-users\fP command can then be used to generate -authorized_keys file for local users based on the authorized user IDs -listed in the various local user's authorized_user_ids file: +authorized_keys file for local accounts based on the authorized user +IDs listed in the account's authorized_user_ids file: $ monkeysphere-server update-users USER -Not specifying a specific user will cause all users on the system to -updated. sshd can then use these monkeysphere generated -authorized_keys files to grant access to user accounts for remote -users. You must also tell sshd to look at the monkeysphere-generated -authorized_keys file for user authentication by setting the following -in the sshd_config: +Not specifying USER will cause all accounts on the system to updated. +sshd can then use these monkeysphere generated authorized_keys files +to grant access to user accounts for remote users. 
You must also tell +sshd to look at the monkeysphere-generated authorized_keys file for +user authentication by setting the following in the sshd_config: AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u It is recommended to add "monkeysphere-server update-users" to a system crontab, so that user keys are kept up-to-date, and key -revocations and expirations can be processed in a timely manor. +revocations and expirations can be processed in a timely manner. .SH ENVIRONMENT @@ -159,19 +185,23 @@ The following environment variables will override those specified in the monkeysphere-server.conf configuration file (defaults in parentheses): .TP +MONKEYSPHERE_MONKEYSPHERE_USER +User to control authentication keychain (monkeysphere). +.TP +MONKEYSPHERE_LOG_LEVEL +Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. +.TP MONKEYSPHERE_KEYSERVER OpenPGP keyserver to use (subkeys.pgp.net). .TP MONKEYSPHERE_AUTHORIZED_USER_IDS Path to user authorized_user_ids file -(%h/.config/monkeysphere/authorized_user_ids). +(%h/.monkeysphere/authorized_user_ids). .TP MONKEYSPHERE_RAW_AUTHORIZED_KEYS Path to user-controlled authorized_keys file. `-' means not to add user-controlled file (%h/.ssh/authorized_keys). -.TP -MONKEYSPHERE_MONKEYSPHERE_USER -User to control authentication keychain (monkeysphere). .SH FILES @@ -182,6 +212,12 @@ System monkeysphere-server config file. /etc/monkeysphere/monkeysphere.conf System-wide monkeysphere config file. .TP +/etc/monkeysphere/gnupg-host.conf +Monkeysphere host GNUPG home gpg.conf +.TP +/etc/monkeysphere/gnupg-authentication.conf +Monkeysphere authentication GNUPG home gpg.conf +.TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .TP @@ -203,6 +239,6 @@ Gillmor .SH SEE ALSO .BR monkeysphere (1), -.BR monkeysphere (5), +.BR monkeysphere (7), .BR gpg (1), .BR ssh (1)
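Review bot: In the @@ -27,7 +27,7 @@ hunk the KEY ACCEPTABILITY cross-reference moves from monkeysphere(5) to monkeysphere(7), and the SEE ALSO hunk at the end is changed to match, but the commit should also confirm that the installed page is actually renamed to section 7 and still carries the KEY ACCEPTABILITY section this text cites; otherwise the reference dangles on installed systems.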
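Review bot: In the @@ -36,17 +36,40 @@ hunk the rewritten gen-key paragraph keeps two errors from the old text: "Generate a OpenPGP key" should read "an OpenPGP key", and "the system fully-qualified domain name will be user" should read "will be used". In the extend-key expiration table the row labels render as " ", " w", " m" and " y", so the number placeholder (presumably written as `<n>`) has been swallowed as markup; spell it as `n`, `nw`, `nm`, `ny` or escape the angle brackets so the first row does not read " = key expires in n days". The hunk also drops the documented show-fingerprint subcommand and its `f` alias in favour of show-key/`s` without saying so; either keep `f` as an alias or note the removal. For add-hostname and revoke-hostname, say whether the change takes effect for clients only after publish-key and a keyserver refresh, since a revoked hostname user ID that is never republished does not protect anyone.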
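Review bot: In the @@ -68,15 +91,15 @@ hunk, renaming the short aliases `a`, `r` and `l` to `c+`, `c-` and `c` is a user-visible interface break for anyone who has scripted monkeysphere-server; the page should say so (or the old aliases should be kept alongside the new ones). Note also that `c` (list) and `c+` (add a certifier, which defaults to `--trust full`) now differ by one character, so the add-identity-certifier text should make clear that `c+` is a trust-granting operation and not merely a variant of listing.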
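Review bot: In the @@ -107,51 +130,54 @@ hunk two typos survive the rewrite: "pul the key from the keyserver" should be "pull", and "Not specifying USER will cause all accounts on the system to updated" needs "to be updated"; "monkeysphere generated authorized_keys files" should also be hyphenated ("monkeysphere-generated") as it is two lines later. On substance, the new sentence allowing a filename in place of KEYID says the file must contain a single OpenPGP public key but not what happens when it contains more; state that the command refuses such a file rather than importing every key in it, since each accepted certifier is trusted at `full` by default. The `AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u` example should mention the ownership and mode rules sshd applies to that path under StrictModes (owned by root or the user, not group- or world-writable, including the parent directories), otherwise the generated files are silently ignored and logins fall back to the raw file.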
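Review bot: In the @@ -159,19 +185,23 @@ hunk the default for MONKEYSPHERE_AUTHORIZED_USER_IDS moves from %h/.config/monkeysphere/authorized_user_ids to %h/.monkeysphere/authorized_user_ids, so files that existing users keep at the old path will no longer be processed by update-users after an upgrade; add a migration note (or honour the old path when the new one is absent) so that the next cron run does not drop those users' monkeysphere-generated keys. The new MONKEYSPHERE_LOG_LEVEL entry lists the levels but not where the output goes, which matters when update-users runs from cron as recommended. The MONKEYSPHERE_RAW_AUTHORIZED_KEYS entry should also say explicitly that with the default (%h/.ssh/authorized_keys) user-controlled keys are still appended to the generated file, so `-` must be set for a keychain-only policy.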
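Review bot: In the @@ -182,6 +212,12 @@ hunk the two new FILES entries, "Monkeysphere host GNUPG home gpg.conf" and "Monkeysphere authentication GNUPG home gpg.conf", are fragments and lack the trailing period the neighbouring entries use; suggest "gpg.conf for the host's GnuPG home directory." and "gpg.conf for the authentication GnuPG home directory.", and say which keyring each one applies to (the host key versus the authentication keychain controlled by MONKEYSPHERE_USER) so readers know where keyserver and trust settings land.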