X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=website%2Fgetting-started-user.mdwn;h=66378dc12587dd2b8f3d67ca40b0604f6b0ba2d8;hb=7833a5e9da4c6e15eea7edfc38ae122360b37f1f;hp=2260256b2350297f836f39c395c9c57e14a8728c;hpb=20e88948f035c56d51f07c53de50b75df57fc816;p=monkeysphere.git diff --git a/website/getting-started-user.mdwn b/website/getting-started-user.mdwn index 2260256..66378dc 100644 --- a/website/getting-started-user.mdwn +++ b/website/getting-started-user.mdwn @@ -20,6 +20,16 @@ done with a simple cronjob. An example of crontab line to do this is: This would refresh your keychain every day at noon. +Install the monkeysphere software on your system +------------------------------------------------ + +If you haven't installed monkeysphere yet, you will need to [download +and install] (/download) before continuing. + +Make sure that you have the GnuTLS library version 2.6 or later +installed on your system. If you can't (or don't want to) upgrade to +GnuTLS 2.6 or later, there are patches for GnuTLS 2.4 available in +[the Monkeysphere git repo](/community). Keeping your `known_hosts` file in sync with your keyring ----------------------------------------------------------- 
@@ -87,18 +97,9 @@ Using your OpenPGP authentication key for SSH Once you have created an OpenPGP authentication subkey, you will need to feed it to your ssh agent. -Currently (2008-08-23), gnutls does not support this operation. In order -to take this step, you will need to upgrade to a patched version of -gnutls. You can easily upgrade a Debian system by adding the following -to `/etc/apt/sources.list.d/monkeysphere.list`: - - deb http://archive.monkeysphere.info/debian experimental gnutls - deb-src http://archive.monkeysphere.info/debian experimental gnutls - -Next, run `aptitude update; aptitude install libgnutls26`. - -With the patched gnutls installed, you can feed your authentication -subkey to your ssh agent by running: +The GnuTLS library supports this operation as of version 2.6, but +earlier versions do not. With a recent version of GnuTLS installed, +you can feed your authentication subkey to your ssh agent by running: $ monkeysphere subkey-to-ssh-agent @@ -116,8 +117,9 @@ to certify hosts. This is a two step process: first you must sign the key, and then you have to indicate a trust level. The process of signing another key is outside the scope of this -document, however the gnupg README details the signing process and you -can find good [documentation +document, however the [gnupg +README](http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/README?root=GnuPG&view=markup) +details the signing process and you can find good [documentation ](http://www.debian.org/events/keysigning) online detailing this process. 
@@ -129,30 +131,51 @@ certifiers. This can be done either by giving full trust to one host-certifying key, or by giving marginal trust to three different host-certifiers. In the following we demonstrate how to add full trust validity to a host-certifying key: - - $ gpg --edit-key - Command> trust - pub 2048R/3B757F8C created: 2008-06-19 expires: 2008-11-16 usage: CA - trust: unknown validity: full - [ unknown ] (1). ssh://monkeysphere.info - [ unknown ] (2) ssh://george.riseup.net - - Please decide how far you trust this user to correctly verify other users' keys - (by looking at passports, checking fingerprints from different sources, etc.) - - 1 = I don't know or won't say - 2 = I do NOT trust - 3 = I trust marginally - 4 = I trust fully - 5 = I trust ultimately - m = back to the main menu - - Your decision? 4 + + + $ gpg --edit-key 'Jane Admin' + gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: unknown validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + + Command> trust + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: unknown validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + + Please decide how far you trust this user to correctly verify other users' keys + (by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + m = back to the main menu + + Your decision? 
4 + + pub 4096R/ABCD123A created: 2007-06-02 expires: 2012-05-31 usage: SC + trust: full validity: full + sub 2048R/01DECAF7 created: 2007-06-02 expires: 2012-05-31 usage: E + [ full ] (1). Jane Admin + Please note that the shown key validity is not necessarily correct + unless you restart the program. + + Command> save + Key not changed so no update needed. + $ Note: Due to a limitation with gnupg, it is not currently possible to limit the domain scope properly, which means that if you fully trust -an admin, this admin can currently assert host verification for any -hosts. +an admin, you'll trust all their certifications. Because the Monkeysphre relies on GPG's definition of the OpenPGP web of trust, it is important to understand [how GPG calculates User ID
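Review bot: In the first hunk (the new "Install the monkeysphere software on your system" section), the link `[download and install] (/download)` has a space between `]` and `(`, so Markdown will not render it as a link; it should read `[download and install](/download)`. Separately, this prerequisite section is inserted after the keychain-refresh cronjob text and before "Keeping your `known_hosts` file in sync", so readers meet it only after being told to run monkeysphere commands; consider moving it ahead of those steps so the install and GnuTLS 2.6 requirement come first.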
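Review bot: In the second hunk, the replacement text says "With a recent version of GnuTLS installed" but drops the only pointer readers had for obtaining a working build (the removed `archive.monkeysphere.info` apt lines), and it does not reference the GnuTLS 2.4 patches that the new install section mentions. Suggest restating the minimum version explicitly at this point, e.g. "With GnuTLS 2.6 or later (or GnuTLS 2.4 with the patches from [the Monkeysphere git repo](/community)) installed, you can feed ...", so `monkeysphere subkey-to-ssh-agent` failures on older libraries are easy to diagnose.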
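Review bot: In the third hunk, the new gnupg README link pins a `viewcvs.cgi` URL to `branches/STABLE-BRANCH-1-4`, which will break as soon as that branch is renamed or the CVS viewer is retired; consider linking to the GnuPG project's general documentation page instead, or note the GnuPG version the README applies to. Also, the pre-existing `[documentation\n](http://www.debian.org/events/keysigning)` split across a line break is touched by this hunk and could be joined onto one line while you are here, since some Markdown implementations do not tolerate a newline between the link text and the URL.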
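Review bot: In the fourth hunk, the new transcript ends with `Command> save` answered by `Key not changed so no update needed.`, which a reader will likely take to mean the trust assignment was lost. It was not: gpg stores ownertrust in the trust database (`trustdb.gpg`), not in the key itself, so the message is expected; a one-line remark to that effect after the transcript would prevent users from repeating the step. The transcript also shows `validity: full` before `trust` is set, i.e. it assumes the `Jane Admin` key has already been signed as the text's step one requires; saying so explicitly ("this key has already been signed, which is why validity is full") would keep the example consistent with the two-step description above it. Finally, the example replaces the old `usage: CA` / `ssh://monkeysphere.info` host-certifier key with an ordinary admin key; the rewritten note ("you'll trust all their certifications") is more accurate than the old wording, but it is worth keeping the old note's concrete consequence, namely that full trust in that key lets it vouch for any host, since that is the risk a user is accepting.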