summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorMatt Goins <mjgoins@openflows.com>2009-01-31 21:29:41 -0500
committerMatt Goins <mjgoins@openflows.com>2009-01-31 21:29:41 -0500
commit487fffd53cd109fb7f6291735c1f5cb5a0df8eeb (patch)
tree523b61d283b400297fccc8e01d69e8d84ebfcbae /man
parent478cc34eee374166aae51f8598aa392e1fbfdde6 (diff)
Removed obsolete man pages, split monkeysphere-server man page into two new ones.
Diffstat (limited to 'man')
-rw-r--r--man/man1/monkeysphere-ssh-proxycommand.173
-rw-r--r--man/man1/monkeysphere.155
-rw-r--r--man/man8/monkeysphere-authentication.8168
-rw-r--r--man/man8/monkeysphere-host.8149
-rw-r--r--man/man8/monkeysphere-server.8244
5 files changed, 370 insertions, 319 deletions
diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1
deleted file mode 100644
index 65edd0b..0000000
--- a/man/man1/monkeysphere-ssh-proxycommand.1
+++ /dev/null
@@ -1,73 +0,0 @@
-.TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands"
-
-.SH NAME
-
-monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script
-
-.SH DESCRIPTION
-
-\fBmonkeysphere-ssh-proxycommand\fP is an ssh proxy command that can be used
-to trigger a monkeysphere update of the ssh known_hosts file for a
-host that is being connected to with ssh. This works by updating the
-known_hosts file for the host first, before an attempted connection to
-the host is made. Once the known_hosts file has been updated, a TCP
-connection to the host is made by exec'ing netcat(1). Regular ssh
-communication is then done over this netcat TCP connection (see
-ProxyCommand in ssh_config(5) for more info).
-
-This command is meant to be run as the ssh "ProxyCommand". This can
-either be done by specifying the proxy command on the command line:
-
-.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ...
-
-or by adding the following line to your ~/.ssh/config script:
-
-.B ProxyCommand monkeysphere-ssh-proxycommand %h %p
-
-The script can easily be incorporated into other ProxyCommand scripts
-by calling it with the "--no-connect" option, i.e.:
-
-.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT"
-
-This will run everything except the final exec of netcat to make the
-TCP connection to the host. In this way this command can be added to
-another proxy command that does other stuff, and then makes the
-connection to the host itself.
-
-.SH KEYSERVER CHECKING
-
-The proxy command has a fairly nuanced policy for when keyservers are
-queried when processing a host. If the host userID is not found in
-either the user's keyring or in the known_hosts file, then the
-keyserver is queried for the host userID. If the host userID is found
-in the user's keyring, then the keyserver is not checked. This
-assumes that the keyring is kept up-to-date, in a cronjob or the like,
-so that revocations are properly handled. If the host userID is not
-found in the user's keyring, but the host is listed in the known_hosts
-file, then the keyserver is not checked. This last policy might
-change in the future, possibly by adding a deferred check, so that
-hosts that go from non-monkeysphere-enabled to monkeysphere-enabled
-will be properly checked.
-
-.SH ENVIRONMENT VARIABLES
-
-All environment variables defined in monkeysphere(1) can also be used
-for the proxy command, with one note:
-
-.TP
-MONKEYSPHERE_CHECK_KEYSERVER
-Setting this variable (to `true' or `false') will override the policy
-defined in KEYSERVER CHECKING above.
-
-.SH AUTHOR
-
-Written by Jameson Rollins <jrollins@fifthhorseman.net>
-
-.SH SEE ALSO
-
-.BR monkeysphere (1),
-.BR monkeysphere (7),
-.BR ssh (1),
-.BR ssh_config (5),
-.BR netcat (1),
-.BR gpg (1)
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 3ece735..1a52983 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -39,6 +39,54 @@ host, 1 if no matching keys were found at all, and 2 if matching keys
were found but none were acceptable. `k' may be used in place of
`update-known_hosts'.
.TP
+.B ssh-proxycommand
+an ssh proxy command that can be used
+to trigger a monkeysphere update of the ssh known_hosts file for a
+host that is being connected to with ssh. This works by updating the
+known_hosts file for the host first, before an attempted connection to
+the host is made. Once the known_hosts file has been updated, a TCP
+connection to the host is made by exec'ing netcat(1). Regular ssh
+communication is then done over this netcat TCP connection (see
+ProxyCommand in ssh_config(5) for more info).
+
+This command is meant to be run as the ssh "ProxyCommand". This can
+either be done by specifying the proxy command on the command line:
+
+.B ssh -o ProxyCommand="monkeysphere ssh-proxycommand %h %p" ...
+
+or by adding the following line to your ~/.ssh/config script:
+
+.B ProxyCommand monkeysphere ssh-proxycommand %h %p
+
+The script can easily be incorporated into other ProxyCommand scripts
+by calling it with the "--no-connect" option, i.e.:
+
+.B monkeysphere ssh-proxycommand --no-connect "$HOST" "$PORT"
+
+This will run everything except the final exec of netcat to make the
+TCP connection to the host. In this way this command can be added to
+another proxy command that does other stuff, and then makes the
+connection to the host itself.
+
+KEYSERVER CHECKING:
+The proxy command has a fairly nuanced policy for when keyservers are
+queried when processing a host. If the host userID is not found in
+either the user's keyring or in the known_hosts file, then the
+keyserver is queried for the host userID. If the host userID is found
+in the user's keyring, then the keyserver is not checked. This
+assumes that the keyring is kept up-to-date, in a cronjob or the like,
+so that revocations are properly handled. If the host userID is not
+found in the user's keyring, but the host is listed in the known_hosts
+file, then the keyserver is not checked. This last policy might
+change in the future, possibly by adding a deferred check, so that
+hosts that go from non-monkeysphere-enabled to monkeysphere-enabled
+will be properly checked.
+
+Setting the MONKEYSPHERE_CHECK_KEYSERVER
+variable (to `true' or `false') will override the keyserver-checking policy
+defined above.
+
+.TP
.B update-authorized_keys
Update the authorized_keys file for the user executing the command
(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below). First all
@@ -125,8 +173,11 @@ Kahn Gillmor <dkg@fifthhorseman.net>
.SH SEE ALSO
-.BR monkeysphere-ssh-proxycommand (1),
-.BR monkeysphere-server (8),
+\" DELETEME
+\".BR monkeysphere-ssh-proxycommand (1),
+\".BR monkeysphere-server (8),
+.BR monkeysphere-host (8),
+.BR monkeysphere-authentication (8),
.BR monkeysphere (7),
.BR ssh (1),
.BR ssh-add (1),
diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8
new file mode 100644
index 0000000..68a7a1b
--- /dev/null
+++ b/man/man8/monkeysphere-authentication.8
@@ -0,0 +1,168 @@
+.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
+
+.SH NAME
+
+monkeysphere-authentication \- Monkeysphere authentication admin tool.
+
+.SH SYNOPSIS
+
+.B monkeysphere-authentication \fIsubcommand\fP [\fIargs\fP]
+.br
+.B monkeysphere-authentication expert \fIexpert-subcommand\fP [\fIargs\fP]
+
+.SH DESCRIPTION
+
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust for
+OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and added to the
+authorized_keys and known_hosts files used by OpenSSH for connection
+authentication.
+
+\fBmonkeysphere-authentication\fP is a Monkeysphere server admin utility.
+
+.SH SUBCOMMANDS
+\fBmonkeysphere-authentication\fP takes various subcommands.(Users may use the
+abbreviated subcommand in parentheses):
+
+.TP
+.B update-users (u) [ACCOUNT]...
+Rebuild the monkeysphere-controlled authorized_keys files. For each specified
+account, the user ID's listed in the account's authorized_user_ids file are
+processed. For each user ID, gpg will be queried for keys associated with that
+user ID, optionally querying a keyserver. If an acceptable key is found (see
+KEY ACCEPTABILITY in monkeysphere(7)), the key is added to the account's
+monkeysphere-controlled authorized_keys file. If the RAW_AUTHORIZED_KEYS
+variable is set, then a separate authorized_keys file (usually
+~USER/.ssh/authorized_keys) is appended to the monkeysphere-controlled
+authorized_keys file. If no accounts are specified, then all accounts on the
+system are processed. `u' may be used in place of `update-users'.
+
+\" XXX
+
+.TP
+.B add-id-certifier (c+) KEYID
+Instruct system to trust user identity certifications made by KEYID.
+Using the `-n' or `--domain' option allows you to indicate that you
+only trust the given KEYID to make identifications within a specific
+domain (e.g. "trust KEYID to certify user identities within the
+@example.org domain"). A certifier trust level can be specified with
+the `-t' or `--trust' option (possible values are `marginal' and
+`full' (default is `full')). A certifier trust depth can be specified
+with the `-d' or `--depth' option (default is 1). `c+' may be used in
+place of `add-id-certifier'.
+.TP
+.B remove-id-certifier (c-) KEYID
+Instruct system to ignore user identity certifications made by KEYID.
+`c-' may be used in place of `remove-id-certifier'.
+.TP
+.B list-id-certifiers (c)
+List key IDs trusted by the system to certify user identities. `c'
+may be used in place of `list-id-certifiers'.
+.TP
+.B help
+Output a brief usage summary. `h' or `?' may be used in place of
+`help'.
+.TP
+.B version
+show version number
+
+.SH "EXPERT" SUBCOMMANDS
+Some commands are very unlikely to be needed by most administrators.
+These commands must follow the word `expert'.
+.TP
+.B diagnostics (d)
+Review the state of the server with respect to authentication.
+.TP
+.B gpg-cmd
+Execute a gpg command on the gnupg-authentication keyring as the
+monkeysphere user. This takes a single command (multiple gpg
+arguments need to be quoted). Use this command with caution, as
+modifying the gnupg-authentication keyring can affect ssh user
+authentication.
+
+.SH SETUP
+
+If the server will handle user authentication through
+monkeysphere-generated authorized_keys files, the server must be told
+which keys will act as identity certifiers. This is done with the
+\fBadd-id-certifier\fP command:
+
+$ monkeysphere-authentication add-id-certifier KEYID
+
+where KEYID is the key ID of the server admin, or whoever's
+certifications should be acceptable to the system for the purposes of
+authenticating remote users. You can run this command multiple times
+to indicate that multiple certifiers are trusted. You may also
+specify a filename instead of a key ID, as long as the file contains a
+single OpenPGP public key. Certifiers can be removed with the
+\fBremove-id-certifier\fP command, and listed with the
+\fBlist-id-certifiers\fP command.
+
+Remote users will then be granted access to a local account based on
+the appropriately-signed and valid keys associated with user IDs
+listed in that account's authorized_user_ids file. By default, the
+authorized_user_ids file for an account is
+~/.monkeysphere/authorized_user_ids. This can be changed in the
+monkeysphere-authentication.conf file.
+
+The \fBupdate-users\fP command can then be used to generate
+authorized_keys file for local accounts based on the authorized user
+IDs listed in the account's authorized_user_ids file:
+
+$ monkeysphere-authentication update-users USER
+
+Not specifying USER will cause all accounts on the system to updated.
+sshd can then use these monkeysphere generated authorized_keys files
+to grant access to user accounts for remote users. You must also tell
+sshd to look at the monkeysphere-generated authorized_keys file for
+user authentication by setting the following in the sshd_config:
+
+AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
+
+It is recommended to add "monkeysphere-authentication update-users" to a
+system crontab, so that user keys are kept up-to-date, and key
+revocations and expirations can be processed in a timely manner.
+
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+(defaults in parentheses):
+.TP
+MONKEYSPHERE_MONKEYSPHERE_USER
+User to control authentication keychain (monkeysphere).
+.TP
+MONKEYSPHERE_LOG_LEVEL
+Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity.
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_AUTHORIZED_USER_IDS
+Path to user authorized_user_ids file
+(%h/.monkeysphere/authorized_user_ids).
+.TP
+MONKEYSPHERE_RAW_AUTHORIZED_KEYS
+Path to user-controlled authorized_keys file. `-' means not to add
+user-controlled file (%h/.ssh/authorized_keys).
+
+.SH FILES
+
+.TP
+/etc/monkeysphere/monkeysphere-authentication.conf
+System monkeysphere-authentication config file.
+.TP
+/var/lib/monkeysphere/authentication/authorized_keys/USER
+Monkeysphere-generated user authorized_keys files.
+
+.SH AUTHOR
+
+Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
+Gillmor <dkg@fifthhorseman.net>
+
+.SH SEE ALSO
+
+.BR monkeysphere (1),
+.BR monkeysphere-host (8),
+.BR monkeysphere (7),
+.BR gpg (1),
+.BR ssh (1)
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
new file mode 100644
index 0000000..fd676a4
--- /dev/null
+++ b/man/man8/monkeysphere-host.8
@@ -0,0 +1,149 @@
+.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
+
+.SH NAME
+
+monkeysphere-host \- Monkeysphere host admin tool.
+
+.SH SYNOPSIS
+
+.B monkeysphere-host \fIsubcommand\fP [\fIargs\fP]
+.br
+.B monkeysphere-host expert \fIexpert-subcommand\fP [\fIargs\fP]
+
+.SH DESCRIPTION
+
+\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
+for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
+added to the authorized_keys and known_hosts files used by OpenSSH for
+connection authentication.
+
+\fBmonkeysphere-host\fP is a Monkeysphere server admin utility.
+
+.SH SUBCOMMANDS
+
+\fBmonkeysphere-host\fP takes various subcommands:
+.TP
+.B extend-key EXPIRE
+Extend the validity of the OpenPGP key for the host until EXPIRE from
+the present. If EXPIRE is not specified, then the user will be
+prompted for the extension term. Expiration is specified like GnuPG
+does:
+.nf
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+.fi
+`e' may be used in place of `extend-key'.
+
+.TP
+.B add-hostname HOSTNAME
+Add a hostname user ID to the server host key. `n+' may be used in
+place of `add-hostname'.
+.TP
+.B revoke-hostname HOSTNAME
+Revoke a hostname user ID from the server host key. `n-' may be used
+in place of `revoke-hostname'.
+.TP
+.B add-revoker FINGERPRINT
+
+.TP
+.B show-key
+Output gpg information about host's OpenPGP key. `s' may be used in
+place of `show-key'.
+.TP
+.B publish-key
+Publish the host's OpenPGP key to the keyserver. `p' may be used in
+place of `publish-key'.
+.TP
+.B help
+Output a brief usage summary. `h' or `?' may be used in place of
+`help'.
+.TP
+.B version
+show version number
+.SH "EXPERT" SUBCOMMANDS
+Some commands are very unlikely to be needed by most administrators.
+These commands must follow the word `expert'.
+.TP
+.B gen-key [HOSTNAME]
+Generate a OpenPGP key for the host. If HOSTNAME is not specified,
+then the system fully-qualified domain name will be user. An
+alternate key bit length can be specified with the `-l' or `--length'
+option (default 2048). An expiration length can be specified with the
+`-e' or `--expire' option (prompt otherwise). The expiration format
+is the same as that of \fBextend-key\fP, below. A key revoker
+fingerprint can be specified with the `-r' or `--revoker' option. `g'
+may be used in place of `gen-key'.
+
+.TP
+.B diagnostics
+Review the state of the server with respect to the MonkeySphere in
+general and report on suggested changes. Among other checks, this
+includes making sure there is a valid host key, that the key is
+published, that the sshd configuration points to the right place, and
+that there are at least some valid identity certifiers. `d' may be
+used in place of `diagnostics'.
+.TP
+.B import-key
+FIXME:
+ import-key (i) import existing ssh key to gpg
+ --hostname (-h) NAME[:PORT] hostname for key user ID
+ --keyfile (-f) FILE key file to import
+ --expire (-e) EXPIRE date to expire
+
+.SH SETUP
+
+In order to start using the monkeysphere, you must first generate an
+OpenPGP key for the server and convert that key to an ssh key that can
+be used by ssh for host authentication. This can be done with the
+\fBgen-key\fP subcommand:
+
+$ monkeysphere-server gen-key
+
+To enable host verification via the monkeysphere, you must then
+publish the host's key to the Web of Trust using the \fBpublish-key\fP
+command to push the key to a keyserver. You must also modify the
+sshd_config on the server to tell sshd where the new server host key
+is located:
+
+HostKey /var/lib/monkeysphere/ssh_host_rsa_key
+
+In order for users logging into the system to be able to identify the
+host via the monkeysphere, at least one person (e.g. a server admin)
+will need to sign the host's key. This is done using standard OpenPGP
+keysigning techniques, usually: pul the key from the keyserver, verify
+and sign the key, and then re-publish the signature. Once an admin's
+signature is published, users logging into the host can use it to
+validate the host's key.
+
+.TP
+MONKEYSPHERE_LOG_LEVEL
+Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+increasing order of verbosity.
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+
+.SH FILES
+.TP
+/etc/monkeysphere/monkeysphere-host.conf
+System monkeysphere-host config file.
+.TP
+/var/lib/monkeysphere/ssh_host_rsa_key
+Copy of the host's private key in ssh format, suitable for use by
+sshd.
+
+.SH AUTHOR
+
+Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
+Gillmor <dkg@fifthhorseman.net>
+
+.SH SEE ALSO
+
+.BR monkeysphere (1),
+.BR monkeysphere-authentication (8),
+.BR monkeysphere (7),
+.BR gpg (1),
+.BR ssh (1)
diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8
deleted file mode 100644
index d25f0e8..0000000
--- a/man/man8/monkeysphere-server.8
+++ /dev/null
@@ -1,244 +0,0 @@
-.TH MONKEYSPHERE-SERVER "8" "June 2008" "monkeysphere" "User Commands"
-
-.SH NAME
-
-monkeysphere-server \- Monkeysphere server admin user interface
-
-.SH SYNOPSIS
-
-.B monkeysphere-server \fIsubcommand\fP [\fIargs\fP]
-
-.SH DESCRIPTION
-
-\fBMonkeysphere\fP is a framework to leverage the OpenPGP web of trust
-for OpenSSH authentication. OpenPGP keys are tracked via GnuPG, and
-added to the authorized_keys and known_hosts files used by OpenSSH for
-connection authentication.
-
-\fBmonkeysphere-server\fP is the Monkeysphere server admin utility.
-
-.SH SUBCOMMANDS
-
-\fBmonkeysphere-server\fP takes various subcommands:
-.TP
-.B update-users [ACCOUNT]...
-Rebuild the monkeysphere-controlled authorized_keys files. For each
-specified account, the user ID's listed in the account's
-authorized_user_ids file are processed. For each user ID, gpg will be
-queried for keys associated with that user ID, optionally querying a
-keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
-monkeysphere(7)), the key is added to the account's
-monkeysphere-controlled authorized_keys file. If the
-RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
-file (usually ~USER/.ssh/authorized_keys) is appended to the
-monkeysphere-controlled authorized_keys file. If no accounts are
-specified, then all accounts on the system are processed. `u' may be
-used in place of `update-users'.
-.TP
-.B gen-key [HOSTNAME]
-Generate a OpenPGP key for the host. If HOSTNAME is not specified,
-then the system fully-qualified domain name will be user. An
-alternate key bit length can be specified with the `-l' or `--length'
-option (default 2048). An expiration length can be specified with the
-`-e' or `--expire' option (prompt otherwise). The expiration format
-is the same as that of \fBextend-key\fP, below. A key revoker
-fingerprint can be specified with the `-r' or `--revoker' option. `g'
-may be used in place of `gen-key'.
-.TP
-.B extend-key EXPIRE
-Extend the validity of the OpenPGP key for the host until EXPIRE from
-the present. If EXPIRE is not specified, then the user will be
-prompted for the extension term. Expiration is specified like GnuPG
-does:
-.nf
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
-.fi
-`e' may be used in place of `extend-key'.
-.TP
-.B add-hostname HOSTNAME
-Add a hostname user ID to the server host key. `n+' may be used in
-place of `add-hostname'.
-.TP
-.B revoke-hostname HOSTNAME
-Revoke a hostname user ID from the server host key. `n-' may be used
-in place of `revoke-hostname'.
-.TP
-.B show-key
-Output gpg information about host's OpenPGP key. `s' may be used in
-place of `show-key'.
-.TP
-.B publish-key
-Publish the host's OpenPGP key to the keyserver. `p' may be used in
-place of `publish-key'.
-.TP
-.B diagnostics
-Review the state of the server with respect to the MonkeySphere in
-general and report on suggested changes. Among other checks, this
-includes making sure there is a valid host key, that the key is
-published, that the sshd configuration points to the right place, and
-that there are at least some valid identity certifiers. `d' may be
-used in place of `diagnostics'.
-.TP
-.B add-identity-certifier KEYID
-Instruct system to trust user identity certifications made by KEYID.
-Using the `-n' or `--domain' option allows you to indicate that you
-only trust the given KEYID to make identifications within a specific
-domain (e.g. "trust KEYID to certify user identities within the
-@example.org domain"). A certifier trust level can be specified with
-the `-t' or `--trust' option (possible values are `marginal' and
-`full' (default is `full')). A certifier trust depth can be specified
-with the `-d' or `--depth' option (default is 1). `c+' may be used in
-place of `add-identity-certifier'.
-.TP
-.B remove-identity-certifier KEYID
-Instruct system to ignore user identity certifications made by KEYID.
-`c-' may be used in place of `remove-identity-certifier'.
-.TP
-.B list-identity-certifiers
-List key IDs trusted by the system to certify user identities. `c'
-may be used in place of `list-identity-certifiers'.
-.TP
-.B gpg-authentication-cmd
-Execute a gpg command on the gnupg-authentication keyring as the
-monkeysphere user. This takes a single command (multiple gpg
-arguments need to be quoted). Use this command with caution, as
-modifying the gnupg-authentication keyring can affect ssh user
-authentication.
-.TP
-.B help
-Output a brief usage summary. `h' or `?' may be used in place of
-`help'.
-
-.SH SETUP
-
-In order to start using the monkeysphere, you must first generate an
-OpenPGP key for the server and convert that key to an ssh key that can
-be used by ssh for host authentication. This can be done with the
-\fBgen-key\fP subcommand:
-
-$ monkeysphere-server gen-key
-
-To enable host verification via the monkeysphere, you must then
-publish the host's key to the Web of Trust using the \fBpublish-key\fP
-command to push the key to a keyserver. You must also modify the
-sshd_config on the server to tell sshd where the new server host key
-is located:
-
-HostKey /var/lib/monkeysphere/ssh_host_rsa_key
-
-In order for users logging into the system to be able to identify the
-host via the monkeysphere, at least one person (e.g. a server admin)
-will need to sign the host's key. This is done using standard OpenPGP
-keysigning techniques, usually: pul the key from the keyserver, verify
-and sign the key, and then re-publish the signature. Once an admin's
-signature is published, users logging into the host can use it to
-validate the host's key.
-
-If the server will also handle user authentication through
-monkeysphere-generated authorized_keys files, the server must be told
-which keys will act as identity certifiers. This is done with the
-\fBadd-identity-certifier\fP command:
-
-$ monkeysphere-server add-identity-certifier KEYID
-
-where KEYID is the key ID of the server admin, or whoever's
-certifications should be acceptable to the system for the purposes of
-authenticating remote users. You can run this command multiple times
-to indicate that multiple certifiers are trusted. You may also
-specify a filename instead of a key ID, as long as the file contains a
-single OpenPGP public key. Certifiers can be removed with the
-\fBremove-identity-certifier\fP command, and listed with the
-\fBlist-identity-certifiers\fP command.
-
-Remote users will then be granted access to a local account based on
-the appropriately-signed and valid keys associated with user IDs
-listed in that account's authorized_user_ids file. By default, the
-authorized_user_ids file for an account is
-~/.monkeysphere/authorized_user_ids. This can be changed in the
-monkeysphere-server.conf file.
-
-The \fBupdate-users\fP command can then be used to generate
-authorized_keys file for local accounts based on the authorized user
-IDs listed in the account's authorized_user_ids file:
-
-$ monkeysphere-server update-users USER
-
-Not specifying USER will cause all accounts on the system to updated.
-sshd can then use these monkeysphere generated authorized_keys files
-to grant access to user accounts for remote users. You must also tell
-sshd to look at the monkeysphere-generated authorized_keys file for
-user authentication by setting the following in the sshd_config:
-
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
-
-It is recommended to add "monkeysphere-server update-users" to a
-system crontab, so that user keys are kept up-to-date, and key
-revocations and expirations can be processed in a timely manner.
-
-.SH ENVIRONMENT
-
-The following environment variables will override those specified in
-the monkeysphere-server.conf configuration file (defaults in
-parentheses):
-.TP
-MONKEYSPHERE_MONKEYSPHERE_USER
-User to control authentication keychain (monkeysphere).
-.TP
-MONKEYSPHERE_LOG_LEVEL
-Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
-increasing order of verbosity.
-.TP
-MONKEYSPHERE_KEYSERVER
-OpenPGP keyserver to use (subkeys.pgp.net).
-.TP
-MONKEYSPHERE_AUTHORIZED_USER_IDS
-Path to user authorized_user_ids file
-(%h/.monkeysphere/authorized_user_ids).
-.TP
-MONKEYSPHERE_RAW_AUTHORIZED_KEYS
-Path to user-controlled authorized_keys file. `-' means not to add
-user-controlled file (%h/.ssh/authorized_keys).
-
-.SH FILES
-
-.TP
-/etc/monkeysphere/monkeysphere-server.conf
-System monkeysphere-server config file.
-.TP
-/etc/monkeysphere/monkeysphere.conf
-System-wide monkeysphere config file.
-.TP
-/etc/monkeysphere/gnupg-host.conf
-Monkeysphere host GNUPG home gpg.conf
-.TP
-/etc/monkeysphere/gnupg-authentication.conf
-Monkeysphere authentication GNUPG home gpg.conf
-.TP
-/var/lib/monkeysphere/authorized_keys/USER
-Monkeysphere-generated user authorized_keys files.
-.TP
-/var/lib/monkeysphere/ssh_host_rsa_key
-Copy of the host's private key in ssh format, suitable for use by
-sshd.
-.TP
-/var/lib/monkeysphere/gnupg-host
-Monkeysphere host GNUPG home directory.
-.TP
-/var/lib/monkeysphere/gnupg-authentication
-Monkeysphere authentication GNUPG home directory.
-
-.SH AUTHOR
-
-Written by Jameson Rollins <jrollins@fifthhorseman.net>, Daniel Kahn
-Gillmor <dkg@fifthhorseman.net>
-
-.SH SEE ALSO
-
-.BR monkeysphere (1),
-.BR monkeysphere (7),
-.BR gpg (1),
-.BR ssh (1)