From 8c8d5414f07e1c411f824d60fbfaaf545e91749a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 26 Jul 2008 13:24:00 -0700 Subject: [PATCH] small tweaks and FIXME fixes to documentation. --- doc/README | 33 +++++++++++++++++++----- doc/README.admin | 2 +- man/man1/monkeysphere-ssh-proxycommand.1 | 14 +++++----- 3 files changed, 35 insertions(+), 14 deletions(-) diff --git a/doc/README b/doc/README index 5e6de8e..e10f79b 100644 --- a/doc/README +++ b/doc/README @@ -8,9 +8,11 @@ Keeping your keyring up-to-date ------------------------------- Regularly refresh your GnuPG keyring from the keyservers. This can be -done with a simple cronjob. +done with a simple cronjob. An example of crontab line to do this is: -FIXME: give an example of a useful cronjob +0 12 * * * /usr/bin/gpg --refresh-keys + +This would refresh your keychain every day at noon. Keeping your known_hosts file in sync with your keyring 
@@ -18,15 +20,27 @@ Keeping your known_hosts file in sync with your keyring With your keyring updated, you want to make sure that openssh can still see the most recent trusted information about who the various -hosts are: +hosts are. This can be done with the monkeysphere-ssh-proxycommand +(see next section) or with the update-known_hosts command: $ monkeysphere update-known_hosts +This will command will check to see if there is an openpgp key for +each (non-hashed) host listed in the known_hosts file, and then add +the key for that host to the known_hosts file if one is found. This +command could be added to a crontab as well, if desired. + Using monkeysphere-ssh-proxycommand(1) -------------------------------------- -FIXME: make a suggestion about how to integrate this in daily use. +The best way to handle host keys is to use the monkeysphere ssh proxy +command. This command will make sure the known_hosts file is +up-to-date for the host you are connecting to with ssh. The best way +to integrate this is to add the following line to the "Host *" section +of your ~/.ssh/config file: + +ProxyCommand monkeysphere-ssh-proxycommand %h %p Setting up an OpenPGP authentication key @@ -38,6 +52,7 @@ keyid $GPGID, you can set up such a subkey relatively easily with: $ monkeysphere gen-subkey $GPGID + Using your OpenPGP authentication key for SSH --------------------------------------------- 
@@ -48,11 +63,17 @@ FIXME: using the key with a single session? NOTE: the current version of openpgp2ssh does *not* deal well with encrypted keys (as of 2008-07-26) + Miscellaneous ------------- -For a user to update their monkeysphere authorized_keys file: +Users can also maintain their own authorized_keys files, for users +that would be logging into their accounts. This is done with the +update-authorized_keys command: $ monkeysphere update-authorized_keys -FIXME: where is this file located? What does this command do? +This command will take all the user IDs listed in the +~/.config/monkeysphere/authorized_user_ids file and check to see if +there are acceptable keys for those user IDs available. If so, they +will be added to the ~/.ssh/authorized_keys file. diff --git a/doc/README.admin b/doc/README.admin index 25a7a80..a644bbe 100644 --- a/doc/README.admin +++ b/doc/README.admin @@ -23,7 +23,7 @@ $ gpg --sign-key ='ssh://server.hostname' Update OpenSSH configuration files ---------------------------------- -To use the newly-generated host key for ssh connections, Put the +To use the newly-generated host key for ssh connections, put the following line in /etc/ssh/sshd_config (be sure to remove references to any other key): diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 5a84dc5..9aad232 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 
@@ -41,13 +41,13 @@ queried when processing host. If the host userID is not found in either the user's keyring or in the known_hosts file, then the keyserver is queried for the host userID. If the host userID is found in the user's keyring, then the keyserver is not checked. This -assumes that the keyring is kept up-to-date, in a cron job or the -like, so that revocations are properly handled. If the host userID is -not found in the user's keyring, but the host is listed in the -known_hosts file, then the keyserver is not checked. This last policy -might change in the future, possibly by adding a deferred check, so -that hosts that go from non-monkeysphere-enabled to -monkeysphere-enabled will be properly checked. +assumes that the keyring is kept up-to-date, in a cronjob or the like, +so that revocations are properly handled. If the host userID is not +found in the user's keyring, but the host is listed in the known_hosts +file, then the keyserver is not checked. This last policy might +change in the future, possibly by adding a deferred check, so that +hosts that go from non-monkeysphere-enabled to monkeysphere-enabled +will be properly checked. .SH ENVIRONMENT VARIABLES -- 2.25.1
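Review bot: in the first doc/README hunk, "An example of crontab line to do this is:" should read "An example crontab line to do this is:", and the follow-up sentence says "keychain" where the rest of the document says "keyring". The line `0 12 * * * /usr/bin/gpg --refresh-keys` also runs under cron's minimal environment and without a terminal, so it should be documented as running in the crontab of the user whose keyring is being refreshed, and `--batch` is worth adding so gpg never waits for input; a failed refresh means revocations go unseen, so its stderr should not be silenced.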
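Review bot: in the second doc/README hunk, "This will command will check" has a doubled "will" and should read "This command will check". The recommendation to put `ProxyCommand monkeysphere-ssh-proxycommand %h %p` under "Host *" applies it to every ssh connection, including hosts that have no OpenPGP key, so the paragraph should say what the proxy command does for such hosts and note that the command must be found on the PATH ssh uses, since ssh_config does not expand `~`.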
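Review bot: in the Miscellaneous hunk of doc/README, "Users can also maintain their own authorized_keys files, for users that would be logging into their accounts." is ambiguous about who "users" and "their" refer to; suggest "Users can also maintain their own authorized_keys file, listing the people permitted to log in to their account." The new paragraph should also state whether update-authorized_keys merges into or overwrites the existing ~/.ssh/authorized_keys, since a user with manually added keys needs to know that before running it. The context line "FIXME: using the key with a single session?" is still open although the subject line claims FIXME fixes.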
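Review bot: the man page hunk only re-wraps the paragraph and changes "cron job" to "cronjob", which makes the diff larger than the one-word change; acceptable for consistency with the README. While this paragraph is being touched, it documents that a host already listed in known_hosts is never checked against the keyserver even when its userID is absent from the keyring, so it should tell the user how to force a fresh check for such a host rather than only saying the policy "might change in the future".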