when converted via markdown to html.
-Monkeysphere User README
+#Monkeysphere User README
========================
You don't have to be an OpenSSH or OpenPGP expert to use the
========================
You don't have to be an OpenSSH or OpenPGP expert to use the
Regularly refresh your GnuPG keyring from the keyservers. This can be
done with a simple cronjob. An example of crontab line to do this is:
Regularly refresh your GnuPG keyring from the keyservers. This can be
done with a simple cronjob. An example of crontab line to do this is:
-0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1
+ 0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1
This would refresh your keychain every day at noon.
This would refresh your keychain every day at noon.
hosts are. This can be done with the monkeysphere-ssh-proxycommand
(see next section) or with the update-known_hosts command:
hosts are. This can be done with the monkeysphere-ssh-proxycommand
(see next section) or with the update-known_hosts command:
-$ monkeysphere update-known_hosts
+ $ monkeysphere update-known_hosts
This command will check to see if there is an OpenPGP key for
each (non-hashed) host listed in the known_hosts file, and then add
This command will check to see if there is an OpenPGP key for
each (non-hashed) host listed in the known_hosts file, and then add
to integrate this is to add the following line to the "Host *" section
of your ~/.ssh/config file:
to integrate this is to add the following line to the "Host *" section
of your ~/.ssh/config file:
-ProxyCommand monkeysphere-ssh-proxycommand %h %p
+ ProxyCommand monkeysphere-ssh-proxycommand %h %p
The "Host *" section specifies what ssh options to use for all
connections. If you don't already have a "Host *" line, you can add it
by entering:
The "Host *" section specifies what ssh options to use for all
connections. If you don't already have a "Host *" line, you can add it
by entering:
On a line by itself. Add the ProxyCommand line just below it.
On a line by itself. Add the ProxyCommand line just below it.
current key, if you don't already have one. If your OpenPGP key is
keyid $GPGID, you can set up such a subkey relatively easily with:
current key, if you don't already have one. If your OpenPGP key is
keyid $GPGID, you can set up such a subkey relatively easily with:
-$ monkeysphere gen-subkey $GPGID
+ $ monkeysphere gen-subkey $GPGID
Typically, you can find out what your keyid is by running:
Typically, you can find out what your keyid is by running:
+ $ gpg --list-secret-keys
The first line (starting with sec) will include your key length followed
by the type of key (e.g. 1024D) followed by a slash and then your keyid.
The first line (starting with sec) will include your key length followed
by the type of key (e.g. 1024D) followed by a slash and then your keyid.
With the patched gnutls installed, you can feed your authentication sub
key to your ssh agent by running:
With the patched gnutls installed, you can feed your authentication sub
key to your ssh agent by running:
- monkeysphere subkey-to-ssh-agent
+ $ monkeysphere subkey-to-ssh-agent
FIXME: using the key with a single session?
FIXME: using the key with a single session?
Miscellaneous
-------------
Miscellaneous
-------------
If you want to do this as a regular user, use the
update-authorized_keys command:
If you want to do this as a regular user, use the
update-authorized_keys command:
-$ monkeysphere update-authorized_keys
+ $ monkeysphere update-authorized_keys
This command will take all the user IDs listed in the
~/.config/monkeysphere/authorized_user_ids file and check to see if
This command will take all the user IDs listed in the
~/.config/monkeysphere/authorized_user_ids file and check to see if
--------------------------
To publish a server host key:
--------------------------
To publish a server host key:
-# monkeysphere-server gen-key
-# monkeysphere-server publish-key
+ # monkeysphere-server gen-key
+ # monkeysphere-server publish-key
This will generate the key for server with the service URI
(ssh://server.hostname). The server admin should now sign the server
key so that people in the admin's web of trust can authenticate the
server without manual host key checking:
This will generate the key for server with the service URI
(ssh://server.hostname). The server admin should now sign the server
key so that people in the admin's web of trust can authenticate the
server without manual host key checking:
-$ gpg --search ='ssh://server.hostname'
-$ gpg --sign-key ='ssh://server.hostname'
+ $ gpg --search ='ssh://server.hostname'
+ $ gpg --sign-key ='ssh://server.hostname'
Update OpenSSH configuration files
Update OpenSSH configuration files
following line in /etc/ssh/sshd_config (be sure to remove references
to any other key):
following line in /etc/ssh/sshd_config (be sure to remove references
to any other key):
-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
+ HostKey /var/lib/monkeysphere/ssh_host_rsa_key
FIXME: should we just suggest symlinks in the filesystem here instead?
FIXME: should we just suggest symlinks in the filesystem here instead?
web-of-trust, add this line to /etc/ssh/sshd_config (again, making
sure that no other AuthorizedKeysFile directive exists):
web-of-trust, add this line to /etc/ssh/sshd_config (again, making
sure that no other AuthorizedKeysFile directive exists):
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
-
-
+ AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
MonkeySphere authorized_keys maintenance
----------------------------------------
MonkeySphere authorized_keys maintenance
----------------------------------------
For each user account on the server, the userids of people authorized
to log into that account would be placed in:
For each user account on the server, the userids of people authorized
to log into that account would be placed in:
- ~/.config/monkeysphere/authorized_user_ids
+ ~/.config/monkeysphere/authorized_user_ids
However, in order for users to become authenticated, the server must
determine that the user keys have "full" validity. This means that
However, in order for users to become authenticated, the server must
determine that the user keys have "full" validity. This means that
the server admin. If the server admin's keyid is XXXXXXXX, then on
the server run:
the server admin. If the server admin's keyid is XXXXXXXX, then on
the server run:
-# monkeysphere-server add-identity-certifier XXXXXXXX
+ # monkeysphere-server add-identity-certifier XXXXXXXX
To update the monkeysphere authorized_keys file for user "bob", the
system would then run the following:
To update the monkeysphere authorized_keys file for user "bob", the
system would then run the following:
-# monkeysphere-server update-users bob
+ # monkeysphere-server update-users bob
To update the monkeysphere authorized_keys file for all users on the
the system, run the same command with no arguments:
To update the monkeysphere authorized_keys file for all users on the
the system, run the same command with no arguments:
-# monkeysphere-server update-users
+ # monkeysphere-server update-users
You probably want to set up a regularly scheduled job (e.g. with cron)
to take care of this regularly.
You probably want to set up a regularly scheduled job (e.g. with cron)
to take care of this regularly.
projects / monkeysphere.git / commitdiff