From 3c020c222ccd379fc3ec4c2a8ad5dc8fafa92d1c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Sep 2008 17:21:16 -0400 Subject: [PATCH] touch up monkeysphere-server(8), include suggestion of allowing certifier identities from a file. --- man/man8/monkeysphere-server.8 | 61 ++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index f207e2c..c905f2f 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -130,51 +130,54 @@ is located: HostKey /var/lib/monkeysphere/ssh_host_rsa_key -In order for users logging into the system to be able to verify the +In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) -will need to sign the host's key. This is done using standard key -signing techniquies, usually by pulling the key from the keyserver, -signing the key, and re-publishing the signature. Once that is done, -users logging into the host will be able to certify the host's key via -the signature of the host admin. +will need to sign the host's key. This is done using standard OpenPGP +keysigning techniques, usually: pul the key from the keyserver, verify +and sign the key, and then re-publish the signature. Once an admin's +signature is published, users logging into the host can use it to +validate the host's key. If the server will also handle user authentication through monkeysphere-generated authorized_keys files, the server must be told -which keys will act as user certifiers. This is done with the -\fBadd-certifier\fP command: - -$ monkeysphere-server add-certifier KEYID - -where KEYID is the key ID of the server admin, or whoever's signature -will be certifying users to the system. Certifiers can be removed -with the \fBremove-certifier\fP command, and listed with the -\fBlist-certifiers\fP command. - -Remote user's will then be granted access to a local user account -based on the appropriately signed and valid keys associated with user -IDs listed in the authorized_user_ids file of the local user. By -default, the authorized_user_ids file for local users is found in +which keys will act as identity certifiers. This is done with the +\fBadd-identity-certifier\fP command: + +$ monkeysphere-server add-identity-certifier KEYID + +where KEYID is the key ID of the server admin, or whoever's +certifications should be acceptable to the system for the purposes of +authenticating remote users. You can run this command multiple times +to indicate that multiple certifiers are trusted. You may also +specify a filename instead of a key ID, as long as the file contains a +single OpenPGP public key. Certifiers can be removed with the +\fBremove-identity-certifier\fP command, and listed with the +\fBlist-identity-certifiers\fP command. + +Remote users will then be granted access to a local account based on +the appropriately-signed and valid keys associated with user IDs +listed in that account's authorized_user_ids file. By default, the +authorized_user_ids file for an account is ~/.monkeysphere/authorized_user_ids. This can be changed in the monkeysphere-server.conf file. The \fBupdate-users\fP command can then be used to generate -authorized_keys file for local users based on the authorized user IDs -listed in the various local user's authorized_user_ids file: +authorized_keys file for local accounts based on the authorized user +IDs listed in the account's authorized_user_ids file: $ monkeysphere-server update-users USER -Not specifying a specific user will cause all users on the system to -updated. sshd can then use these monkeysphere generated -authorized_keys files to grant access to user accounts for remote -users. You must also tell sshd to look at the monkeysphere-generated -authorized_keys file for user authentication by setting the following -in the sshd_config: +Not specifying USER will cause all accounts on the system to updated. +sshd can then use these monkeysphere generated authorized_keys files +to grant access to user accounts for remote users. You must also tell +sshd to look at the monkeysphere-generated authorized_keys file for +user authentication by setting the following in the sshd_config: AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u It is recommended to add "monkeysphere-server update-users" to a system crontab, so that user keys are kept up-to-date, and key -revocations and expirations can be processed in a timely manor. +revocations and expirations can be processed in a timely manner. .SH ENVIRONMENT -- 2.25.1