\fBmonkeysphere-authentication\fP is a Monkeysphere server admin utility.
.SH SUBCOMMANDS
-\fBmonkeysphere-authentication\fP takes various subcommands.(Users may use the
-abbreviated subcommand in parentheses):
+\fBmonkeysphere-authentication\fP takes various subcommands:
.TP
-.B update-users (u) [ACCOUNT]...
-Rebuild the monkeysphere-controlled authorized_keys files. For each specified
-account, the user ID's listed in the account's authorized_user_ids file are
-processed. For each user ID, gpg will be queried for keys associated with that
-user ID, optionally querying a keyserver. If an acceptable key is found (see
-KEY ACCEPTABILITY in monkeysphere(7)), the key is added to the account's
-monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS
-variable is set, then a separate authorized_keys file (usually
-~USER/.ssh/authorized_keys) is appended to the monkeysphere-controlled
-authorized_keys file. If no accounts are specified, then all accounts on the
-system are processed. `u' may be used in place of `update-users'.
-
-\" XXX
-
+.B update-users [ACCOUNT]...
+Rebuild the monkeysphere-controlled authorized_keys files. For each
+specified account, the user ID's listed in the account's
+authorized_user_ids file are processed. For each user ID, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
+monkeysphere(7)), the key is added to the account's
+monkeysphere-controlled authorized_keys file. If the
+RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
+file (usually ~USER/.ssh/authorized_keys) is appended to the
+monkeysphere-controlled authorized_keys file. If no accounts are
+specified, then all accounts on the system are processed. `u' may be
+used in place of `update-users'.
.TP
-.B add-id-certifier (c+) KEYID
+.B add-id-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
Using the `-n' or `--domain' option allows you to indicate that you
only trust the given KEYID to make identifications within a specific
with the `-d' or `--depth' option (default is 1). `c+' may be used in
place of `add-id-certifier'.
.TP
-.B remove-id-certifier (c-) KEYID
+.B remove-id-certifier KEYID
Instruct system to ignore user identity certifications made by KEYID.
`c-' may be used in place of `remove-id-certifier'.
.TP
-.B list-id-certifiers (c)
+.B list-id-certifiers
List key IDs trusted by the system to certify user identities. `c'
may be used in place of `list-id-certifiers'.
.TP
.B version
show version number
-.SH "EXPERT" SUBCOMMANDS
-Some commands are very unlikely to be needed by most administrators.
-These commands must follow the word `expert'.
+Other commands:
+.TP
+.B setup
+Setup the server for Monkeysphere user authentication. This command
+is idempotent and run automatically by the other commands, and should
+therefore not usually need to be run manually. `s' may be used in
+place of `setup'.
.TP
-.B diagnostics (d)
-Review the state of the server with respect to authentication.
+.B diagnostics
+Review the state of the server with respect to authentication. `d'
+may be used in place of `diagnostics'.
.TP
.B gpg-cmd
-Execute a gpg command on the gnupg-authentication keyring as the
-monkeysphere user. This takes a single command (multiple gpg
-arguments need to be quoted). Use this command with caution, as
-modifying the gnupg-authentication keyring can affect ssh user
-authentication.
+Execute a gpg command, as the monkeysphere user, on the monkeysphere
+authentication "sphere" keyring. This takes a single argument
+(multiple gpg arguments need to be quoted). Use this command with
+caution, as modifying the authentication sphere keyring can affect ssh
+user authentication.
-.SH SETUP
+.SH SETUP USER AUTHENTICATION
If the server will handle user authentication through
monkeysphere-generated authorized_keys files, the server must be told
sshd to look at the monkeysphere-generated authorized_keys file for
user authentication by setting the following in the sshd_config:
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+AuthorizedKeysFile /var/lib/monkeysphere/authentication/authorized_keys/%u
It is recommended to add "monkeysphere-authentication update-users" to a
system crontab, so that user keys are kept up-to-date, and key
.SH ENVIRONMENT
The following environment variables will override those specified in
-(defaults in parentheses):
+the config file (defaults in parentheses):
.TP
MONKEYSPHERE_MONKEYSPHERE_USER
-User to control authentication keychain (monkeysphere).
+User to control authentication keychain. (monkeysphere)
.TP
MONKEYSPHERE_LOG_LEVEL
-Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
-increasing order of verbosity.
+Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity. (INFO)
.TP
MONKEYSPHERE_KEYSERVER
-OpenPGP keyserver to use (subkeys.pgp.net).
+OpenPGP keyserver to use. (pool.sks-keyservers.net)
.TP
MONKEYSPHERE_AUTHORIZED_USER_IDS
-Path to user authorized_user_ids file
-(%h/.monkeysphere/authorized_user_ids).
+Path to user's authorized_user_ids file. %h gets replaced with the
+user's homedir, %u with the username.
+(%h/.monkeysphere/authorized_user_ids)
.TP
MONKEYSPHERE_RAW_AUTHORIZED_KEYS
-Path to user-controlled authorized_keys file. `-' means not to add
-user-controlled file (%h/.ssh/authorized_keys).
+Path to regular ssh-style authorized_keys file to append to
+monkeysphere-generated authorized_keys. `none' means not to add any
+raw authorized_keys file. %h gets replaced with the user's homedir,
+%u with the username. (%h/.ssh/authorized_keys)
+.TP
+MONKEYSPHERE_PROMPT
+If set to `false', never prompt the user for confirmation. (true)
+
.SH FILES
/etc/monkeysphere/monkeysphere-authentication.conf
System monkeysphere-authentication config file.
.TP
-/var/lib/monkeysphere/authentication/authorized_keys/USER
+/var/lib/monkeysphere/authorized_keys/USER
Monkeysphere-generated user authorized_keys files.
.SH AUTHOR
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
+Written by:
+Jameson Rollins <jrollins@fifthhorseman.net>,
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+Matthew Goins <mjgoins@openflows.com>
.SH SEE ALSO
projects / monkeysphere.git / blobdiff