X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=man%2Fman8%2Fmonkeysphere-server.8;h=d7710e59066f9229ce43db053fdcd270049df7fc;hb=95fd733cb4c029b4221c162a38bb30eb1413b569;hp=f7a97557ac07fab42872d4b90e4c5246dc375733;hpb=de3031b28bbccd2cb47a9029e69064330ee137e8;p=monkeysphere.git diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index f7a9755..d7710e5 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -1,8 +1,8 @@ -.TH MONKEYSPHERE-SERVER "1" "June 2008" "monkeysphere" "User Commands" +.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" .SH NAME -monkeysphere-server \- monkeysphere server admin user interface +monkeysphere-server \- Monkeysphere server admin user interface .SH SYNOPSIS @@ -10,12 +10,12 @@ monkeysphere-server \- monkeysphere server admin user interface .SH DESCRIPTION -\fBMonkeySphere\fP is a framework to leverage the OpenPGP Web of Trust -for ssh authentication. OpenPGP keys are tracked via GnuPG, and added -to the authorized_keys and known_hosts files used by ssh for +\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust +for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and +added to the authorized_keys and known_hosts files used by OpenSSH for connection authentication. -\fBmonkeysphere-server\fP is the MonkeySphere server admin utility. +\fBmonkeysphere-server\fP is the Monkeysphere server admin utility. .SH SUBCOMMANDS 
@@ -54,10 +54,12 @@ place of `publish-key'. .TP .B add-identity-certifier KEYID Instruct system to trust user identity certifications made by KEYID. -A certifier domain can be specified with the `-n' or `--domain' -option. A certifier trust level can be specified with the `-t' or -`--trust' option (possible values are `1' for `marginal' and `2' for -`full' (default is `2')). A certifier trust depth can be specified +Using the `-n' or `--domain' option allows you to indicate that you +only trust the given KEYID to make identifications within a specific +domain (e.g. "trust KEYID to certify user identities within the +@example.org domain"). A certifier trust level can be specified with +the `-t' or `--trust' option (possible values are `marginal' and +`full' (default is `full')). A certifier trust depth can be specified with the `-d' or `--depth' option (default is 1). `a' may be used in place of `add-identity-certifier'. .TP @@ -69,6 +71,13 @@ Instruct system to ignore user identity certifications made by KEYID. List key IDs trusted by the system to certify user identities. `l' may be used in place of `list-identity-certifiers'. .TP +.B gpg-authentication-cmd +Execute a gpg command on the gnupg-authentication keyring as the +monkeysphere user. This takes a single command (multiple gpg +arguments need to be quoted). Use this command with caution, as +modifying the gnupg-authentication keyring can affect ssh user +authentication. +.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. 
@@ -84,18 +93,19 @@ $ monkeysphere-server gen-key To enable host verification via the monkeysphere, you must then publish the host's key to the Web of Trust using the \fBpublish-key\fP -command to push the key to a keyserver. Then modify the sshd_config -to tell sshd where the new server host key is located: +command to push the key to a keyserver. You must also modify the +sshd_config on the server to tell sshd where the new server host key +is located: HostKey /var/lib/monkeysphere/ssh_host_rsa_key In order for users logging into the system to be able to verify the -host via the monkeysphere, at least one person (ie. a server admin) -will need to sign the host's key. This is done in the same way that -key signing is usually done, by pulling the host's key from the -keyserver, signing the key, and re-publishing the signature. Once -that is done, users logging into the host will be able to certify the -host's key via the signature of the host admin. +host via the monkeysphere, at least one person (e.g. a server admin) +will need to sign the host's key. This is done using standard key +signing techniquies, usually by pulling the key from the keyserver, +signing the key, and re-publishing the signature. Once that is done, +users logging into the host will be able to certify the host's key via +the signature of the host admin. If the server will also handle user authentication through monkeysphere-generated authorized_keys files, the server must be told 
@@ -105,8 +115,8 @@ which keys will act as user certifiers. This is done with the $ monkeysphere-server add-certifier KEYID where KEYID is the key ID of the server admin, or whoever's signature -will be certifying users to the system. Certifiers can be later -remove with the \fBremove-certifier\fP command, and listed with the +will be certifying users to the system. Certifiers can be removed +with the \fBremove-certifier\fP command, and listed with the \fBlist-certifiers\fP command. Remote user's will then be granted access to a local user account @@ -118,21 +128,22 @@ the monkeysphere-server.conf file. The \fBupdate-users\fP command can then be used to generate authorized_keys file for local users based on the authorized user IDs -listed in the user's authorized_user_ids file: +listed in the various local user's authorized_user_ids file: $ monkeysphere-server update-users USER -sshd can then use these files to grant access to user accounts for -remote users. If no user is specified, authorized_keys files will be -generated for all users on the system. You must also tell sshd to -look at the monkeysphere-generated authorized_keys file for user -authentication by setting the following in the sshd_config: +Not specifying a specific user will cause all users on the system to +updated. sshd can then use these monkeysphere generated +authorized_keys files to grant access to user accounts for remote +users. You must also tell sshd to look at the monkeysphere-generated +authorized_keys file for user authentication by setting the following +in the sshd_config: AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u It is recommended to add "monkeysphere-server update-users" to a system crontab, so that user keys are kept up-to-date, and key -revokations and expirations can be processed in a timely manor. +revocations and expirations can be processed in a timely manor. .SH ENVIRONMENT 
@@ -152,7 +163,7 @@ Path to user-controlled authorized_keys file. `-' means not to add user-controlled file (%h/.ssh/authorized_keys). .TP MONKEYSPHERE_MONKEYSPHERE_USER -User to control authentication keychain (monkeypshere). +User to control authentication keychain (monkeysphere). .SH FILES
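Review bot: in the first hunk (the `.TH` line), the section number moves from "1" to "8", which matches the file's location under man8, but the title field still reads "User Commands"; section 8 pages are conventionally titled along the lines of "System Administration Utilities" so that `man` groups the page with other admin tools, so consider updating that field in the same change.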
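Review bot: in the second hunk (`@@ -54,10 +54,12 @@` / `@@ -69,6 +71,13 @@`), the new gpg-authentication-cmd entry gives no short alias while every other subcommand shown lists one (`a', `l', `h', `?'); if none exists, say so explicitly. The entry would also benefit from a one-line example of the quoting it requires, e.g. `monkeysphere-server gpg-authentication-cmd "--list-keys"`, since "multiple gpg arguments need to be quoted" is easy to misread. Separately, the trust-level values change from `1'/`2' to `marginal'/`full' with a default of `full'; this diff touches only the man page, so please confirm that the option parser accepts the words (and whether the numeric forms are still accepted) so the documentation does not get ahead of the code.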
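Review bot: in the third hunk (`@@ -84,18 +93,19 @@`), the rewritten sentence introduces a typo: "techniquies" should be "techniques". The same paragraph opens by saying users need to "verify the host" but closes by saying users "will be able to certify the host's key via the signature of the host admin"; users verify the host key by way of the admin's certification rather than certifying it themselves, so "verify the host's key" would be the consistent wording.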
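Review bot: in the fourth hunk (`@@ -105,8 +115,8 @@`), the example commands (`add-certifier`, `\fBremove-certifier\fP`, `\fBlist-certifiers\fP`) do not match the subcommand names documented in the SUBCOMMANDS section of this same patch (add-identity-certifier, list-identity-certifiers, and the corresponding remove subcommand); unless the shorter forms are accepted aliases, the examples should use the documented names, otherwise an admin copying them gets an unknown-subcommand error. The unchanged context line "Remote user's will then be granted access" also has a stray apostrophe ("Remote users will"); worth fixing while this paragraph is being touched.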
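Review bot: in the fifth hunk (`@@ -118,21 +128,22 @@`), the new sentence "Not specifying a specific user will cause all users on the system to updated." is missing a verb; suggest "If no USER is given, authorized_keys files are regenerated for all users on the system." On the same lines, "monkeysphere generated" should be hyphenated as it is two lines later ("monkeysphere-generated"), and "the various local user's authorized_user_ids file" reads better as "each local user's authorized_user_ids file". The hunk fixes "revokations" but leaves "manor" on the same line, which should be "manner".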