-------------------------------
Regularly refresh your GnuPG keyring from the keyservers. This can be
-done with a simple cronjob.
+done with a simple cronjob. An example of crontab line to do this is:
-FIXME: give an example of a useful cronjob
+0 12 * * * /usr/bin/gpg --refresh-keys
+
+This would refresh your keychain every day at noon.
Keeping your known_hosts file in sync with your keyring
With your keyring updated, you want to make sure that openssh can
still see the most recent trusted information about who the various
-hosts are:
+hosts are. This can be done with the monkeysphere-ssh-proxycommand
+(see next section) or with the update-known_hosts command:
$ monkeysphere update-known_hosts
+This will command will check to see if there is an openpgp key for
+each (non-hashed) host listed in the known_hosts file, and then add
+the key for that host to the known_hosts file if one is found. This
+command could be added to a crontab as well, if desired.
+
Using monkeysphere-ssh-proxycommand(1)
--------------------------------------
-FIXME: make a suggestion about how to integrate this in daily use.
+The best way to handle host keys is to use the monkeysphere ssh proxy
+command. This command will make sure the known_hosts file is
+up-to-date for the host you are connecting to with ssh. The best way
+to integrate this is to add the following line to the "Host *" section
+of your ~/.ssh/config file:
+
+ProxyCommand monkeysphere-ssh-proxycommand %h %p
Setting up an OpenPGP authentication key
$ monkeysphere gen-subkey $GPGID
+
Using your OpenPGP authentication key for SSH
---------------------------------------------
NOTE: the current version of openpgp2ssh does *not* deal well with
encrypted keys (as of 2008-07-26)
+
Miscellaneous
-------------
-For a user to update their monkeysphere authorized_keys file:
+Users can also maintain their own authorized_keys files, for users
+that would be logging into their accounts. This is done with the
+update-authorized_keys command:
$ monkeysphere update-authorized_keys
-FIXME: where is this file located? What does this command do?
+This command will take all the user IDs listed in the
+~/.config/monkeysphere/authorized_user_ids file and check to see if
+there are acceptable keys for those user IDs available. If so, they
+will be added to the ~/.ssh/authorized_keys file.
either the user's keyring or in the known_hosts file, then the
keyserver is queried for the host userID. If the host userID is found
in the user's keyring, then the keyserver is not checked. This
-assumes that the keyring is kept up-to-date, in a cron job or the
-like, so that revocations are properly handled. If the host userID is
-not found in the user's keyring, but the host is listed in the
-known_hosts file, then the keyserver is not checked. This last policy
-might change in the future, possibly by adding a deferred check, so
-that hosts that go from non-monkeysphere-enabled to
-monkeysphere-enabled will be properly checked.
+assumes that the keyring is kept up-to-date, in a cronjob or the like,
+so that revocations are properly handled. If the host userID is not
+found in the user's keyring, but the host is listed in the known_hosts
+file, then the keyserver is not checked. This last policy might
+change in the future, possibly by adding a deferred check, so that
+hosts that go from non-monkeysphere-enabled to monkeysphere-enabled
+will be properly checked.
.SH ENVIRONMENT VARIABLES
projects / monkeysphere.git / commitdiff