From 487fffd53cd109fb7f6291735c1f5cb5a0df8eeb Mon Sep 17 00:00:00 2001 From: Matt Goins Date: Sat, 31 Jan 2009 21:29:41 -0500 Subject: [PATCH] Removed obsolete man pages, split monkeysphere-server man page into two new ones. --- man/man1/monkeysphere-ssh-proxycommand.1 | 73 ------- man/man1/monkeysphere.1 | 55 ++++- man/man8/monkeysphere-authentication.8 | 168 ++++++++++++++++ man/man8/monkeysphere-host.8 | 149 ++++++++++++++ man/man8/monkeysphere-server.8 | 244 ----------------------- 5 files changed, 370 insertions(+), 319 deletions(-) delete mode 100644 man/man1/monkeysphere-ssh-proxycommand.1 create mode 100644 man/man8/monkeysphere-authentication.8 create mode 100644 man/man8/monkeysphere-host.8 delete mode 100644 man/man8/monkeysphere-server.8 diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 deleted file mode 100644 index 65edd0b..0000000 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ /dev/null @@ -1,73 +0,0 @@ -.TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands" - -.SH NAME - -monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script - -.SH DESCRIPTION - -\fBmonkeysphere-ssh-proxycommand\fP is an ssh proxy command that can be used -to trigger a monkeysphere update of the ssh known_hosts file for a -host that is being connected to with ssh. This works by updating the -known_hosts file for the host first, before an attempted connection to -the host is made. Once the known_hosts file has been updated, a TCP -connection to the host is made by exec'ing netcat(1). Regular ssh -communication is then done over this netcat TCP connection (see -ProxyCommand in ssh_config(5) for more info). - -This command is meant to be run as the ssh "ProxyCommand". This can -either be done by specifying the proxy command on the command line: - -.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ... - -or by adding the following line to your ~/.ssh/config script: - -.B ProxyCommand monkeysphere-ssh-proxycommand %h %p - -The script can easily be incorporated into other ProxyCommand scripts -by calling it with the "--no-connect" option, i.e.: - -.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT" - -This will run everything except the final exec of netcat to make the -TCP connection to the host. In this way this command can be added to -another proxy command that does other stuff, and then makes the -connection to the host itself. - -.SH KEYSERVER CHECKING - -The proxy command has a fairly nuanced policy for when keyservers are -queried when processing a host. If the host userID is not found in -either the user's keyring or in the known_hosts file, then the -keyserver is queried for the host userID. If the host userID is found -in the user's keyring, then the keyserver is not checked. This -assumes that the keyring is kept up-to-date, in a cronjob or the like, -so that revocations are properly handled. If the host userID is not -found in the user's keyring, but the host is listed in the known_hosts -file, then the keyserver is not checked. This last policy might -change in the future, possibly by adding a deferred check, so that -hosts that go from non-monkeysphere-enabled to monkeysphere-enabled -will be properly checked. - -.SH ENVIRONMENT VARIABLES - -All environment variables defined in monkeysphere(1) can also be used -for the proxy command, with one note: - -.TP -MONKEYSPHERE_CHECK_KEYSERVER -Setting this variable (to `true' or `false') will override the policy -defined in KEYSERVER CHECKING above. - -.SH AUTHOR - -Written by Jameson Rollins - -.SH SEE ALSO - -.BR monkeysphere (1), -.BR monkeysphere (7), -.BR ssh (1), -.BR ssh_config (5), -.BR netcat (1), -.BR gpg (1) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 3ece735..1a52983 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -38,6 +38,54 @@ status of 0 if at least one acceptable key was found for a specified host, 1 if no matching keys were found at all, and 2 if matching keys were found but none were acceptable. `k' may be used in place of `update-known_hosts'. +.TP +.B ssh-proxycommand +an ssh proxy command that can be used +to trigger a monkeysphere update of the ssh known_hosts file for a +host that is being connected to with ssh. This works by updating the +known_hosts file for the host first, before an attempted connection to +the host is made. Once the known_hosts file has been updated, a TCP +connection to the host is made by exec'ing netcat(1). Regular ssh +communication is then done over this netcat TCP connection (see +ProxyCommand in ssh_config(5) for more info). + +This command is meant to be run as the ssh "ProxyCommand". This can +either be done by specifying the proxy command on the command line: + +.B ssh -o ProxyCommand="monkeysphere ssh-proxycommand %h %p" ... + +or by adding the following line to your ~/.ssh/config script: + +.B ProxyCommand monkeysphere ssh-proxycommand %h %p + +The script can easily be incorporated into other ProxyCommand scripts +by calling it with the "--no-connect" option, i.e.: + +.B monkeysphere ssh-proxycommand --no-connect "$HOST" "$PORT" + +This will run everything except the final exec of netcat to make the +TCP connection to the host. In this way this command can be added to +another proxy command that does other stuff, and then makes the +connection to the host itself. + +KEYSERVER CHECKING: +The proxy command has a fairly nuanced policy for when keyservers are +queried when processing a host. If the host userID is not found in +either the user's keyring or in the known_hosts file, then the +keyserver is queried for the host userID. If the host userID is found +in the user's keyring, then the keyserver is not checked. This +assumes that the keyring is kept up-to-date, in a cronjob or the like, +so that revocations are properly handled. If the host userID is not +found in the user's keyring, but the host is listed in the known_hosts +file, then the keyserver is not checked. This last policy might +change in the future, possibly by adding a deferred check, so that +hosts that go from non-monkeysphere-enabled to monkeysphere-enabled +will be properly checked. + +Setting the MONKEYSPHERE_CHECK_KEYSERVER +variable (to `true' or `false') will override the keyserver-checking policy +defined above. + .TP .B update-authorized_keys Update the authorized_keys file for the user executing the command @@ -125,8 +173,11 @@ Kahn Gillmor .SH SEE ALSO -.BR monkeysphere-ssh-proxycommand (1), -.BR monkeysphere-server (8), +\" DELETEME +\".BR monkeysphere-ssh-proxycommand (1), +\".BR monkeysphere-server (8), +.BR monkeysphere-host (8), +.BR monkeysphere-authentication (8), .BR monkeysphere (7), .BR ssh (1), .BR ssh-add (1), diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 new file mode 100644 index 0000000..68a7a1b --- /dev/null +++ b/man/man8/monkeysphere-authentication.8 @@ -0,0 +1,168 @@ +.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" + +.SH NAME + +monkeysphere-authentication \- Monkeysphere authentication admin tool. + +.SH SYNOPSIS + +.B monkeysphere-authentication \fIsubcommand\fP [\fIargs\fP] +.br +.B monkeysphere-authentication expert \fIexpert-subcommand\fP [\fIargs\fP] + +.SH DESCRIPTION + +\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust for +OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the +authorized_keys and known_hosts files used by OpenSSH for connection +authentication. + +\fBmonkeysphere-authentication\fP is a Monkeysphere server admin utility. + +.SH SUBCOMMANDS +\fBmonkeysphere-authentication\fP takes various subcommands.(Users may use the +abbreviated subcommand in parentheses): + +.TP +.B update-users (u) [ACCOUNT]... +Rebuild the monkeysphere-controlled authorized_keys files. For each specified +account, the user ID's listed in the account's authorized_user_ids file are +processed. For each user ID, gpg will be queried for keys associated with that +user ID, optionally querying a keyserver. If an acceptable key is found (see +KEY ACCEPTABILITY in monkeysphere(7)), the key is added to the account's +monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS +variable is set, then a separate authorized_keys file (usually +~USER/.ssh/authorized_keys) is appended to the monkeysphere-controlled +authorized_keys file. If no accounts are specified, then all accounts on the +system are processed. `u' may be used in place of `update-users'. + +\" XXX + +.TP +.B add-id-certifier (c+) KEYID +Instruct system to trust user identity certifications made by KEYID. +Using the `-n' or `--domain' option allows you to indicate that you +only trust the given KEYID to make identifications within a specific +domain (e.g. "trust KEYID to certify user identities within the +@example.org domain"). A certifier trust level can be specified with +the `-t' or `--trust' option (possible values are `marginal' and +`full' (default is `full')). A certifier trust depth can be specified +with the `-d' or `--depth' option (default is 1). `c+' may be used in +place of `add-id-certifier'. +.TP +.B remove-id-certifier (c-) KEYID +Instruct system to ignore user identity certifications made by KEYID. +`c-' may be used in place of `remove-id-certifier'. +.TP +.B list-id-certifiers (c) +List key IDs trusted by the system to certify user identities. `c' +may be used in place of `list-id-certifiers'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.TP +.B version +show version number + +.SH "EXPERT" SUBCOMMANDS +Some commands are very unlikely to be needed by most administrators. +These commands must follow the word `expert'. +.TP +.B diagnostics (d) +Review the state of the server with respect to authentication. +.TP +.B gpg-cmd +Execute a gpg command on the gnupg-authentication keyring as the +monkeysphere user. This takes a single command (multiple gpg +arguments need to be quoted). Use this command with caution, as +modifying the gnupg-authentication keyring can affect ssh user +authentication. + +.SH SETUP + +If the server will handle user authentication through +monkeysphere-generated authorized_keys files, the server must be told +which keys will act as identity certifiers. This is done with the +\fBadd-id-certifier\fP command: + +$ monkeysphere-authentication add-id-certifier KEYID + +where KEYID is the key ID of the server admin, or whoever's +certifications should be acceptable to the system for the purposes of +authenticating remote users. You can run this command multiple times +to indicate that multiple certifiers are trusted. You may also +specify a filename instead of a key ID, as long as the file contains a +single OpenPGP public key. Certifiers can be removed with the +\fBremove-id-certifier\fP command, and listed with the +\fBlist-id-certifiers\fP command. + +Remote users will then be granted access to a local account based on +the appropriately-signed and valid keys associated with user IDs +listed in that account's authorized_user_ids file. By default, the +authorized_user_ids file for an account is +~/.monkeysphere/authorized_user_ids. This can be changed in the +monkeysphere-authentication.conf file. + +The \fBupdate-users\fP command can then be used to generate +authorized_keys file for local accounts based on the authorized user +IDs listed in the account's authorized_user_ids file: + +$ monkeysphere-authentication update-users USER + +Not specifying USER will cause all accounts on the system to updated. +sshd can then use these monkeysphere generated authorized_keys files +to grant access to user accounts for remote users. You must also tell +sshd to look at the monkeysphere-generated authorized_keys file for +user authentication by setting the following in the sshd_config: + +AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u + +It is recommended to add "monkeysphere-authentication update-users" to a +system crontab, so that user keys are kept up-to-date, and key +revocations and expirations can be processed in a timely manner. + +.SH ENVIRONMENT + +The following environment variables will override those specified in +(defaults in parentheses): +.TP +MONKEYSPHERE_MONKEYSPHERE_USER +User to control authentication keychain (monkeysphere). +.TP +MONKEYSPHERE_LOG_LEVEL +Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. +.TP +MONKEYSPHERE_KEYSERVER +OpenPGP keyserver to use (subkeys.pgp.net). +.TP +MONKEYSPHERE_AUTHORIZED_USER_IDS +Path to user authorized_user_ids file +(%h/.monkeysphere/authorized_user_ids). +.TP +MONKEYSPHERE_RAW_AUTHORIZED_KEYS +Path to user-controlled authorized_keys file. `-' means not to add +user-controlled file (%h/.ssh/authorized_keys). + +.SH FILES + +.TP +/etc/monkeysphere/monkeysphere-authentication.conf +System monkeysphere-authentication config file. +.TP +/var/lib/monkeysphere/authentication/authorized_keys/USER +Monkeysphere-generated user authorized_keys files. + +.SH AUTHOR + +Written by Jameson Rollins , Daniel Kahn +Gillmor + +.SH SEE ALSO + +.BR monkeysphere (1), +.BR monkeysphere-host (8), +.BR monkeysphere (7), +.BR gpg (1), +.BR ssh (1) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 new file mode 100644 index 0000000..fd676a4 --- /dev/null +++ b/man/man8/monkeysphere-host.8 @@ -0,0 +1,149 @@ +.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" + +.SH NAME + +monkeysphere-host \- Monkeysphere host admin tool. + +.SH SYNOPSIS + +.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP] +.br +.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP] + +.SH DESCRIPTION + +\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust +for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and +added to the authorized_keys and known_hosts files used by OpenSSH for +connection authentication. + +\fBmonkeysphere-host\fP is a Monkeysphere server admin utility. + +.SH SUBCOMMANDS + +\fBmonkeysphere-host\fP takes various subcommands: +.TP +.B extend-key EXPIRE +Extend the validity of the OpenPGP key for the host until EXPIRE from +the present. If EXPIRE is not specified, then the user will be +prompted for the extension term. Expiration is specified like GnuPG +does: +.nf + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +.fi +`e' may be used in place of `extend-key'. + +.TP +.B add-hostname HOSTNAME +Add a hostname user ID to the server host key. `n+' may be used in +place of `add-hostname'. +.TP +.B revoke-hostname HOSTNAME +Revoke a hostname user ID from the server host key. `n-' may be used +in place of `revoke-hostname'. +.TP +.B add-revoker FINGERPRINT + +.TP +.B show-key +Output gpg information about host's OpenPGP key. `s' may be used in +place of `show-key'. +.TP +.B publish-key +Publish the host's OpenPGP key to the keyserver. `p' may be used in +place of `publish-key'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.TP +.B version +show version number +.SH "EXPERT" SUBCOMMANDS +Some commands are very unlikely to be needed by most administrators. +These commands must follow the word `expert'. +.TP +.B gen-key [HOSTNAME] +Generate a OpenPGP key for the host. If HOSTNAME is not specified, +then the system fully-qualified domain name will be user. An +alternate key bit length can be specified with the `-l' or `--length' +option (default 2048). An expiration length can be specified with the +`-e' or `--expire' option (prompt otherwise). The expiration format +is the same as that of \fBextend-key\fP, below. A key revoker +fingerprint can be specified with the `-r' or `--revoker' option. `g' +may be used in place of `gen-key'. + +.TP +.B diagnostics +Review the state of the server with respect to the MonkeySphere in +general and report on suggested changes. Among other checks, this +includes making sure there is a valid host key, that the key is +published, that the sshd configuration points to the right place, and +that there are at least some valid identity certifiers. `d' may be +used in place of `diagnostics'. +.TP +.B import-key +FIXME: + import-key (i) import existing ssh key to gpg + --hostname (-h) NAME[:PORT] hostname for key user ID + --keyfile (-f) FILE key file to import + --expire (-e) EXPIRE date to expire + +.SH SETUP + +In order to start using the monkeysphere, you must first generate an +OpenPGP key for the server and convert that key to an ssh key that can +be used by ssh for host authentication. This can be done with the +\fBgen-key\fP subcommand: + +$ monkeysphere-server gen-key + +To enable host verification via the monkeysphere, you must then +publish the host's key to the Web of Trust using the \fBpublish-key\fP +command to push the key to a keyserver. You must also modify the +sshd_config on the server to tell sshd where the new server host key +is located: + +HostKey /var/lib/monkeysphere/ssh_host_rsa_key + +In order for users logging into the system to be able to identify the +host via the monkeysphere, at least one person (e.g. a server admin) +will need to sign the host's key. This is done using standard OpenPGP +keysigning techniques, usually: pul the key from the keyserver, verify +and sign the key, and then re-publish the signature. Once an admin's +signature is published, users logging into the host can use it to +validate the host's key. + +.TP +MONKEYSPHERE_LOG_LEVEL +Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. +.TP +MONKEYSPHERE_KEYSERVER +OpenPGP keyserver to use (subkeys.pgp.net). + +.SH FILES +.TP +/etc/monkeysphere/monkeysphere-host.conf +System monkeysphere-host config file. +.TP +/var/lib/monkeysphere/ssh_host_rsa_key +Copy of the host's private key in ssh format, suitable for use by +sshd. + +.SH AUTHOR + +Written by Jameson Rollins , Daniel Kahn +Gillmor + +.SH SEE ALSO + +.BR monkeysphere (1), +.BR monkeysphere-authentication (8), +.BR monkeysphere (7), +.BR gpg (1), +.BR ssh (1) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 deleted file mode 100644 index d25f0e8..0000000 --- a/man/man8/monkeysphere-server.8 +++ /dev/null @@ -1,244 +0,0 @@ -.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands" - -.SH NAME - -monkeysphere-server \- Monkeysphere server admin user interface - -.SH SYNOPSIS - -.B monkeysphere-server \fIsubcommand\fP [\fIargs\fP] - -.SH DESCRIPTION - -\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust -for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and -added to the authorized_keys and known_hosts files used by OpenSSH for -connection authentication. - -\fBmonkeysphere-server\fP is the Monkeysphere server admin utility. - -.SH SUBCOMMANDS - -\fBmonkeysphere-server\fP takes various subcommands: -.TP -.B update-users [ACCOUNT]... -Rebuild the monkeysphere-controlled authorized_keys files. For each -specified account, the user ID's listed in the account's -authorized_user_ids file are processed. For each user ID, gpg will be -queried for keys associated with that user ID, optionally querying a -keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in -monkeysphere(7)), the key is added to the account's -monkeysphere-controlled authorized_keys file. If the -RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys -file (usually ~USER/.ssh/authorized_keys) is appended to the -monkeysphere-controlled authorized_keys file. If no accounts are -specified, then all accounts on the system are processed. `u' may be -used in place of `update-users'. -.TP -.B gen-key [HOSTNAME] -Generate a OpenPGP key for the host. If HOSTNAME is not specified, -then the system fully-qualified domain name will be user. An -alternate key bit length can be specified with the `-l' or `--length' -option (default 2048). An expiration length can be specified with the -`-e' or `--expire' option (prompt otherwise). The expiration format -is the same as that of \fBextend-key\fP, below. A key revoker -fingerprint can be specified with the `-r' or `--revoker' option. `g' -may be used in place of `gen-key'. -.TP -.B extend-key EXPIRE -Extend the validity of the OpenPGP key for the host until EXPIRE from -the present. If EXPIRE is not specified, then the user will be -prompted for the extension term. Expiration is specified like GnuPG -does: -.nf - 0 = key does not expire - = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -.fi -`e' may be used in place of `extend-key'. -.TP -.B add-hostname HOSTNAME -Add a hostname user ID to the server host key. `n+' may be used in -place of `add-hostname'. -.TP -.B revoke-hostname HOSTNAME -Revoke a hostname user ID from the server host key. `n-' may be used -in place of `revoke-hostname'. -.TP -.B show-key -Output gpg information about host's OpenPGP key. `s' may be used in -place of `show-key'. -.TP -.B publish-key -Publish the host's OpenPGP key to the keyserver. `p' may be used in -place of `publish-key'. -.TP -.B diagnostics -Review the state of the server with respect to the MonkeySphere in -general and report on suggested changes. Among other checks, this -includes making sure there is a valid host key, that the key is -published, that the sshd configuration points to the right place, and -that there are at least some valid identity certifiers. `d' may be -used in place of `diagnostics'. -.TP -.B add-identity-certifier KEYID -Instruct system to trust user identity certifications made by KEYID. -Using the `-n' or `--domain' option allows you to indicate that you -only trust the given KEYID to make identifications within a specific -domain (e.g. "trust KEYID to certify user identities within the -@example.org domain"). A certifier trust level can be specified with -the `-t' or `--trust' option (possible values are `marginal' and -`full' (default is `full')). A certifier trust depth can be specified -with the `-d' or `--depth' option (default is 1). `c+' may be used in -place of `add-identity-certifier'. -.TP -.B remove-identity-certifier KEYID -Instruct system to ignore user identity certifications made by KEYID. -`c-' may be used in place of `remove-identity-certifier'. -.TP -.B list-identity-certifiers -List key IDs trusted by the system to certify user identities. `c' -may be used in place of `list-identity-certifiers'. -.TP -.B gpg-authentication-cmd -Execute a gpg command on the gnupg-authentication keyring as the -monkeysphere user. This takes a single command (multiple gpg -arguments need to be quoted). Use this command with caution, as -modifying the gnupg-authentication keyring can affect ssh user -authentication. -.TP -.B help -Output a brief usage summary. `h' or `?' may be used in place of -`help'. - -.SH SETUP - -In order to start using the monkeysphere, you must first generate an -OpenPGP key for the server and convert that key to an ssh key that can -be used by ssh for host authentication. This can be done with the -\fBgen-key\fP subcommand: - -$ monkeysphere-server gen-key - -To enable host verification via the monkeysphere, you must then -publish the host's key to the Web of Trust using the \fBpublish-key\fP -command to push the key to a keyserver. You must also modify the -sshd_config on the server to tell sshd where the new server host key -is located: - -HostKey /var/lib/monkeysphere/ssh_host_rsa_key - -In order for users logging into the system to be able to identify the -host via the monkeysphere, at least one person (e.g. a server admin) -will need to sign the host's key. This is done using standard OpenPGP -keysigning techniques, usually: pul the key from the keyserver, verify -and sign the key, and then re-publish the signature. Once an admin's -signature is published, users logging into the host can use it to -validate the host's key. - -If the server will also handle user authentication through -monkeysphere-generated authorized_keys files, the server must be told -which keys will act as identity certifiers. This is done with the -\fBadd-identity-certifier\fP command: - -$ monkeysphere-server add-identity-certifier KEYID - -where KEYID is the key ID of the server admin, or whoever's -certifications should be acceptable to the system for the purposes of -authenticating remote users. You can run this command multiple times -to indicate that multiple certifiers are trusted. You may also -specify a filename instead of a key ID, as long as the file contains a -single OpenPGP public key. Certifiers can be removed with the -\fBremove-identity-certifier\fP command, and listed with the -\fBlist-identity-certifiers\fP command. - -Remote users will then be granted access to a local account based on -the appropriately-signed and valid keys associated with user IDs -listed in that account's authorized_user_ids file. By default, the -authorized_user_ids file for an account is -~/.monkeysphere/authorized_user_ids. This can be changed in the -monkeysphere-server.conf file. - -The \fBupdate-users\fP command can then be used to generate -authorized_keys file for local accounts based on the authorized user -IDs listed in the account's authorized_user_ids file: - -$ monkeysphere-server update-users USER - -Not specifying USER will cause all accounts on the system to updated. -sshd can then use these monkeysphere generated authorized_keys files -to grant access to user accounts for remote users. You must also tell -sshd to look at the monkeysphere-generated authorized_keys file for -user authentication by setting the following in the sshd_config: - -AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u - -It is recommended to add "monkeysphere-server update-users" to a -system crontab, so that user keys are kept up-to-date, and key -revocations and expirations can be processed in a timely manner. - -.SH ENVIRONMENT - -The following environment variables will override those specified in -the monkeysphere-server.conf configuration file (defaults in -parentheses): -.TP -MONKEYSPHERE_MONKEYSPHERE_USER -User to control authentication keychain (monkeysphere). -.TP -MONKEYSPHERE_LOG_LEVEL -Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in -increasing order of verbosity. -.TP -MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (subkeys.pgp.net). -.TP -MONKEYSPHERE_AUTHORIZED_USER_IDS -Path to user authorized_user_ids file -(%h/.monkeysphere/authorized_user_ids). -.TP -MONKEYSPHERE_RAW_AUTHORIZED_KEYS -Path to user-controlled authorized_keys file. `-' means not to add -user-controlled file (%h/.ssh/authorized_keys). - -.SH FILES - -.TP -/etc/monkeysphere/monkeysphere-server.conf -System monkeysphere-server config file. -.TP -/etc/monkeysphere/monkeysphere.conf -System-wide monkeysphere config file. -.TP -/etc/monkeysphere/gnupg-host.conf -Monkeysphere host GNUPG home gpg.conf -.TP -/etc/monkeysphere/gnupg-authentication.conf -Monkeysphere authentication GNUPG home gpg.conf -.TP -/var/lib/monkeysphere/authorized_keys/USER -Monkeysphere-generated user authorized_keys files. -.TP -/var/lib/monkeysphere/ssh_host_rsa_key -Copy of the host's private key in ssh format, suitable for use by -sshd. -.TP -/var/lib/monkeysphere/gnupg-host -Monkeysphere host GNUPG home directory. -.TP -/var/lib/monkeysphere/gnupg-authentication -Monkeysphere authentication GNUPG home directory. - -.SH AUTHOR - -Written by Jameson Rollins , Daniel Kahn -Gillmor - -.SH SEE ALSO - -.BR monkeysphere (1), -.BR monkeysphere (7), -.BR gpg (1), -.BR ssh (1) -- 2.25.1