authorized_user_ids file are processed. For each user ID, gpg will be
queried for keys associated with that user ID, optionally querying a
keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-monkeysphere(5)), the key is added to the account's
+monkeysphere(7)), the key is added to the account's
monkeysphere-controlled authorized_keys file. If the
RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
file (usually ~USER/.ssh/authorized_keys) is appended to the
used in place of `update-users'.
.TP
.B gen-key [HOSTNAME]
-Generate a OpenPGP key pair for the host. If HOSTNAME is not
-specified, then the system fully-qualified domain name will be user.
-An alternate key bit length can be specified with the `-l' or
-`--length' option (default 2048). An expiration length can be
-specified with the `-e' or `--expire' option (prompt otherwise). A
-key revoker fingerprint can be specified with the `-r' or `--revoker'
-option. `g' may be used in place of `gen-key'.
+Generate a OpenPGP key for the host. If HOSTNAME is not specified,
+then the system fully-qualified domain name will be user. An
+alternate key bit length can be specified with the `-l' or `--length'
+option (default 2048). An expiration length can be specified with the
+`-e' or `--expire' option (prompt otherwise). The expiration format
+is the same as that of \fBextend-key\fP, below. A key revoker
+fingerprint can be specified with the `-r' or `--revoker' option. `g'
+may be used in place of `gen-key'.
+.TP
+.B extend-key EXPIRE
+Extend the validity of the OpenPGP key for the host until EXPIRE from
+the present. If EXPIRE is not specified, then the user will be
+prompted for the extension term. Expiration is specified like GnuPG
+does:
+.nf
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+.fi
+`e' may be used in place of `extend-key'.
.TP
.B add-hostname HOSTNAME
Add a hostname user ID to the server host key. `n+' may be used in
Output gpg information about host's OpenPGP key. `s' may be used in
place of `show-key'.
.TP
-.B fingerprint
-Output just the fingerprint for the host's OpenPGP key. `f' may be
-used in place of `fingerprint'.
-.TP
.B publish-key
Publish the host's OpenPGP key to the keyserver. `p' may be used in
place of `publish-key'.
HostKey /var/lib/monkeysphere/ssh_host_rsa_key
-In order for users logging into the system to be able to verify the
+In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
-will need to sign the host's key. This is done using standard key
-signing techniquies, usually by pulling the key from the keyserver,
-signing the key, and re-publishing the signature. Once that is done,
-users logging into the host will be able to certify the host's key via
-the signature of the host admin.
+will need to sign the host's key. This is done using standard OpenPGP
+keysigning techniques, usually: pul the key from the keyserver, verify
+and sign the key, and then re-publish the signature. Once an admin's
+signature is published, users logging into the host can use it to
+validate the host's key.
If the server will also handle user authentication through
monkeysphere-generated authorized_keys files, the server must be told
-which keys will act as user certifiers. This is done with the
-\fBadd-certifier\fP command:
-
-$ monkeysphere-server add-certifier KEYID
-
-where KEYID is the key ID of the server admin, or whoever's signature
-will be certifying users to the system. Certifiers can be removed
-with the \fBremove-certifier\fP command, and listed with the
-\fBlist-certifiers\fP command.
-
-Remote user's will then be granted access to a local user account
-based on the appropriately signed and valid keys associated with user
-IDs listed in the authorized_user_ids file of the local user. By
-default, the authorized_user_ids file for local users is found in
-~/.config/monkeysphere/authorized_user_ids. This can be changed in
-the monkeysphere-server.conf file.
+which keys will act as identity certifiers. This is done with the
+\fBadd-identity-certifier\fP command:
+
+$ monkeysphere-server add-identity-certifier KEYID
+
+where KEYID is the key ID of the server admin, or whoever's
+certifications should be acceptable to the system for the purposes of
+authenticating remote users. You can run this command multiple times
+to indicate that multiple certifiers are trusted. You may also
+specify a filename instead of a key ID, as long as the file contains a
+single OpenPGP public key. Certifiers can be removed with the
+\fBremove-identity-certifier\fP command, and listed with the
+\fBlist-identity-certifiers\fP command.
+
+Remote users will then be granted access to a local account based on
+the appropriately-signed and valid keys associated with user IDs
+listed in that account's authorized_user_ids file. By default, the
+authorized_user_ids file for an account is
+~/.monkeysphere/authorized_user_ids. This can be changed in the
+monkeysphere-server.conf file.
The \fBupdate-users\fP command can then be used to generate
-authorized_keys file for local users based on the authorized user IDs
-listed in the various local user's authorized_user_ids file:
+authorized_keys file for local accounts based on the authorized user
+IDs listed in the account's authorized_user_ids file:
$ monkeysphere-server update-users USER
-Not specifying a specific user will cause all users on the system to
-updated. sshd can then use these monkeysphere generated
-authorized_keys files to grant access to user accounts for remote
-users. You must also tell sshd to look at the monkeysphere-generated
-authorized_keys file for user authentication by setting the following
-in the sshd_config:
+Not specifying USER will cause all accounts on the system to updated.
+sshd can then use these monkeysphere generated authorized_keys files
+to grant access to user accounts for remote users. You must also tell
+sshd to look at the monkeysphere-generated authorized_keys file for
+user authentication by setting the following in the sshd_config:
AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
It is recommended to add "monkeysphere-server update-users" to a
system crontab, so that user keys are kept up-to-date, and key
-revocations and expirations can be processed in a timely manor.
+revocations and expirations can be processed in a timely manner.
.SH ENVIRONMENT
the monkeysphere-server.conf configuration file (defaults in
parentheses):
.TP
+MONKEYSPHERE_MONKEYSPHERE_USER
+User to control authentication keychain (monkeysphere).
+.TP
+MONKEYSPHERE_LOG_LEVEL
+Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity.
+.TP
MONKEYSPHERE_KEYSERVER
OpenPGP keyserver to use (subkeys.pgp.net).
.TP
MONKEYSPHERE_AUTHORIZED_USER_IDS
Path to user authorized_user_ids file
-(%h/.config/monkeysphere/authorized_user_ids).
+(%h/.monkeysphere/authorized_user_ids).
.TP
MONKEYSPHERE_RAW_AUTHORIZED_KEYS
Path to user-controlled authorized_keys file. `-' means not to add
user-controlled file (%h/.ssh/authorized_keys).
-.TP
-MONKEYSPHERE_MONKEYSPHERE_USER
-User to control authentication keychain (monkeysphere).
.SH FILES
/etc/monkeysphere/monkeysphere.conf
System-wide monkeysphere config file.
.TP
+/etc/monkeysphere/gnupg-host.conf
+Monkeysphere host GNUPG home gpg.conf
+.TP
+/etc/monkeysphere/gnupg-authentication.conf
+Monkeysphere authentication GNUPG home gpg.conf
+.TP
/var/lib/monkeysphere/authorized_keys/USER
Monkeysphere-generated user authorized_keys files.
.TP
.SH SEE ALSO
.BR monkeysphere (1),
-.BR monkeysphere (5),
+.BR monkeysphere (7),
.BR gpg (1),
.BR ssh (1)
projects / monkeysphere.git / blobdiff