| Field | Value | Date |
|---|---|---|
| author | Jamie McClelland <jm@mayfirst.org> | 2008-08-27 20:25:18 -0400 |
| committer | Jamie McClelland <jm@mayfirst.org> | 2008-08-27 20:25:18 -0400 |
| commit | 335ccb07202eb718ae85ca2a1fa7e04042ad4542 | |
| tree | 134bf75b99506a77c8f10e27bec2410a29911777 | |
| parent | ff7e3b593d8fa632d8e997d2d95f5227cc58870c | |
adding 2 tab indents for commands and blocks for easier readability
when converted via markdown to html.
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/README | 19 |
| -rw-r--r-- | doc/README.admin | 22 |
2 files changed, 19 insertions, 22 deletions
@@ -1,4 +1,4 @@ -Monkeysphere User README +#Monkeysphere User README ======================== You don't have to be an OpenSSH or OpenPGP expert to use the @@ -16,7 +16,7 @@ Keep your keyring up-to-date Regularly refresh your GnuPG keyring from the keyservers. This can be done with a simple cronjob. An example of crontab line to do this is: -0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1 + 0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1 This would refresh your keychain every day at noon. @@ -29,7 +29,7 @@ still see the most recent trusted information about who the various hosts are. This can be done with the monkeysphere-ssh-proxycommand (see next section) or with the update-known_hosts command: -$ monkeysphere update-known_hosts + $ monkeysphere update-known_hosts This command will check to see if there is an OpenPGP key for each (non-hashed) host listed in the known_hosts file, and then add @@ -46,13 +46,13 @@ up-to-date for the host you are connecting to with ssh. The best way to integrate this is to add the following line to the "Host *" section of your ~/.ssh/config file: -ProxyCommand monkeysphere-ssh-proxycommand %h %p + ProxyCommand monkeysphere-ssh-proxycommand %h %p The "Host *" section specifies what ssh options to use for all connections. If you don't already have a "Host *" line, you can add it by entering: -Host * + Host * On a line by itself. Add the ProxyCommand line just below it. @@ -75,11 +75,11 @@ First things first: you'll need to create a new subkey for your current key, if you don't already have one. If your OpenPGP key is keyid $GPGID, you can set up such a subkey relatively easily with: -$ monkeysphere gen-subkey $GPGID + $ monkeysphere gen-subkey $GPGID Typically, you can find out what your keyid is by running: -gpg --list-secret-keys + $ gpg --list-secret-keys The first line (starting with sec) will include your key length followed by the type of key (e.g. 1024D) followed by a slash and then your keyid. 
@@ -104,11 +104,10 @@ Next, run `aptitude update; aptitude install libgnuttls26`. With the patched gnutls installed, you can feed your authentication sub key to your ssh agent by running: - monkeysphere subkey-to-ssh-agent + $ monkeysphere subkey-to-ssh-agent FIXME: using the key with a single session? - Miscellaneous ------------- @@ -121,7 +120,7 @@ is the case for your host, ask your system administrator. If you want to do this as a regular user, use the update-authorized_keys command: -$ monkeysphere update-authorized_keys + $ monkeysphere update-authorized_keys This command will take all the user IDs listed in the ~/.config/monkeysphere/authorized_user_ids file and check to see if diff --git a/doc/README.admin b/doc/README.admin index a644bbe..db0ec87 100644 --- a/doc/README.admin +++ b/doc/README.admin @@ -8,16 +8,16 @@ server service publication -------------------------- To publish a server host key: -# monkeysphere-server gen-key -# monkeysphere-server publish-key + # monkeysphere-server gen-key + # monkeysphere-server publish-key This will generate the key for server with the service URI (ssh://server.hostname). The server admin should now sign the server key so that people in the admin's web of trust can authenticate the server without manual host key checking: -$ gpg --search ='ssh://server.hostname' -$ gpg --sign-key ='ssh://server.hostname' + $ gpg --search ='ssh://server.hostname' + $ gpg --sign-key ='ssh://server.hostname' Update OpenSSH configuration files @@ -27,7 +27,7 @@ To use the newly-generated host key for ssh connections, put the following line in /etc/ssh/sshd_config (be sure to remove references to any other key): -HostKey /var/lib/monkeysphere/ssh_host_rsa_key + HostKey /var/lib/monkeysphere/ssh_host_rsa_key FIXME: should we just suggest symlinks in the filesystem here instead? 
@@ -37,9 +37,7 @@ To enable users to use the monkeysphere to authenticate against the web-of-trust, add this line to /etc/ssh/sshd_config (again, making sure that no other AuthorizedKeysFile directive exists): -AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u - - + AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u MonkeySphere authorized_keys maintenance ---------------------------------------- @@ -50,7 +48,7 @@ users. For each user account on the server, the userids of people authorized to log into that account would be placed in: - ~/.config/monkeysphere/authorized_user_ids + ~/.config/monkeysphere/authorized_user_ids However, in order for users to become authenticated, the server must determine that the user keys have "full" validity. This means that @@ -59,17 +57,17 @@ connecting user's key would validate the user. This would generally be the server admin. If the server admin's keyid is XXXXXXXX, then on the server run: -# monkeysphere-server add-identity-certifier XXXXXXXX + # monkeysphere-server add-identity-certifier XXXXXXXX To update the monkeysphere authorized_keys file for user "bob", the system would then run the following: -# monkeysphere-server update-users bob + # monkeysphere-server update-users bob To update the monkeysphere authorized_keys file for all users on the the system, run the same command with no arguments: -# monkeysphere-server update-users + # monkeysphere-server update-users You probably want to set up a regularly scheduled job (e.g. with cron) to take care of this regularly. |
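Review bot: in the doc/README hunk at `@@ -1,4 +1,4 @@`, the title now carries both an ATX `#` prefix and the setext `========================` underline on the following line, so a markdown converter treats it as a setext H1 and keeps the literal `#` in the heading text (and processors that require a space after `#` would not recognise the ATX form anyway). Pick one form: either keep `Monkeysphere User README` over the underline, or use `# Monkeysphere User README` (with a space) and drop the underline.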
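Review bot: in the doc/README hunk at `@@ -16,7 +16,7 @@`, the example crontab entry `0 12 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1` discards stdout and stderr, so a refresh that fails (keyserver unreachable, revocations or expirations not fetched) goes unnoticed and the user keeps trusting stale key information. Suggest leaving stderr attached (drop `2>&1`, or redirect it to a log file) so cron reports the failure.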
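Review bot: in the doc/README hunk at `@@ -75,11 +75,11 @@`, the second command changes from `gpg --list-secret-keys` to `$ gpg --list-secret-keys`, adding a shell prompt that was not there before; that goes beyond the indentation described in the commit message and is worth mentioning there (the `@@ -104,11 +104,10 @@` hunk does the same for `monkeysphere subkey-to-ssh-agent`).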
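Review bot: in the doc/README hunk at `@@ -104,11 +104,10 @@`, the context line `aptitude update; aptitude install libgnuttls26` spells the package with a doubled `t`; the Debian package is `libgnutls26`, so the command as written fails with a package-not-found error and the "patched gnutls" step the following text depends on never happens. Not introduced by this change, but worth a follow-up fix. Also, this hunk removes a blank line between `FIXME: using the key with a single session?` and the `Miscellaneous` setext heading; confirm one blank line remains, since without it some markdown processors fold the FIXME paragraph into the heading text.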
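Review bot: in the doc/README.admin hunk at `@@ -8,16 +8,16 @@`, the `gpg --search` / `gpg --sign-key` pair leaves the admin's certification of the host key only in the admin's local keyring, yet the surrounding text says the goal is for people in the admin's web of trust to authenticate the server without manual host key checking; that only works once the signed key is pushed back to the keyservers (e.g. `gpg --send-keys`), so the block should end with a publish step or the prose should state that the admin must upload the signature. The `#` versus `$` prompts usefully mark the root-only `monkeysphere-server` commands apart from the admin's own gpg commands; keep that convention consistent across the other blocks.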
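Review bot: in the doc/README.admin hunk at `@@ -59,17 +57,17 @@`, `monkeysphere-server add-identity-certifier XXXXXXXX` uses an eight-character placeholder, i.e. a 32-bit short key ID, while doc/README uses `$GPGID` for the same concept. Short key IDs are easy to collide, and this command decides whose certifications are trusted for login on the server, so the text should tell admins to pass the full fingerprint here if the command accepts it (and the two READMEs should settle on one placeholder convention).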