summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/dirs1
-rw-r--r--debian/monkeysphere.dirs1
-rw-r--r--doc/TODO12
-rw-r--r--man/man1/monkeysphere-ssh-proxycommand.113
-rw-r--r--man/man1/monkeysphere.160
-rw-r--r--man/man8/monkeysphere-server.811
6 files changed, 48 insertions, 50 deletions
diff --git a/debian/dirs b/debian/dirs
index bdf0fe0..b458649 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -1,4 +1,5 @@
var/cache/monkeysphere
+var/cache/monkeysphere/authorized_keys
usr/bin
usr/sbin
usr/share
diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs
index 4604eee..bc8abcf 100644
--- a/debian/monkeysphere.dirs
+++ b/debian/monkeysphere.dirs
@@ -1,4 +1,5 @@
usr/share/monkeysphere
var/cache/monkeysphere
+var/cache/monkeysphere/authorized_keys
etc/monkeysphere
etc/monkeysphere/authorized_user_ids
diff --git a/doc/TODO b/doc/TODO
index 6125fea..905d198 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -1,6 +1,18 @@
Next-Steps Monkeysphere Projects:
---------------------------------
+Handle unknown hosts in such a way that they're not always removed
+ from known_hosts file. Ask user to lsign the host key?
+
+Handle multiple multiple hostnames (multiple user IDs?) when
+ generating host keys with gen-key.
+
+Make sure alternate ports are handled for known_hosts.
+
+Add environment variables sections to man pages.
+
+Script to import private key into ssh agent.
+
Provide a friendly interactive UI for marginal or failing client-side
hostkey verifications. Handle the common cases smoothly, and
provide good debugging info for the unusual cases.
diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1
index 8392ae8..5fabb91 100644
--- a/man/man1/monkeysphere-ssh-proxycommand.1
+++ b/man/man1/monkeysphere-ssh-proxycommand.1
@@ -19,13 +19,12 @@ or by adding the following line to your ~/.ssh/config script:
.B ProxyCommand monkeysphere-ssh-proxycommand %h %p
The script is very simple, and can easily be incorporated into other
-ProxyCommand scripts. All it does is first runs
-
-.B monkeysphere update-known-hosts HOST
-
-and then
-
-.B exec nc HOST PORT
+ProxyCommand scripts. It first tests to see if the host is in the
+known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to
+true and "update-known_hosts" is run for the host to check for a host
+key for that host. If the host is found in the known_hosts file,
+CHECK_KEYSERVER is set to false and "update-known_hosts" is run to
+update from the local keychain.
Run the following command for more info:
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 95f1e59..8d89071 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -24,25 +24,23 @@ for authentication and encryption of ssh connection.
.B update-known_hosts [HOST]...
Update the known_hosts file. For each specified host, gpg will be
queried for a key associated with the host URI (see HOST URIs),
-querying a keyserver if none is found in the user's keychain. search
-for a gpg key for the host in the Web of Trust. If a key is found, it
-will be added to the host_keys cache (see KEY CACHES) and any ssh keys
-for the host will be removed from the user's known_hosts file. If the
-found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg
-key will be added to the known_hosts file. If no gpg key is found for
-the host, then nothing is done. If no hosts are specified, all hosts
-listed in the known_hosts file will be processed. `k' may be used in
-place of `update-known_hosts'.
+querying a keyserver if specified. If a key is found, it will be
+converted to an ssh key, and any matching ssh keys will be removed
+from the user's known_hosts file. If the found key is acceptable (see
+KEY ACCEPTABILITY), then the key will be updated and re-added to the
+known_hosts file. If no gpg key is found for the host, then nothing
+is done. If no hosts are specified, all hosts listed in the
+known_hosts file will be processed. `k' may be used in place of
+`update-known_hosts'.
.TP
.B update-userids [USERID]...
Add/update a user ID to the authorized_user_ids file. The user IDs
specified should be exact matches to OpenPGP user IDs. For each
specified user ID, gpg will be queried for a key associated with that
-user ID, querying a keyserver if none is found in the user's keychain.
-If a key is found, it will be added to the user_keys cache (see KEY
-CACHES) and the user ID will be added to the user's
-authorized_user_ids file (if it wasn't already present). `u' may be
-used in place of `update-userids'.
+user ID, querying a keyserver if specified. If a key is found, the
+user ID will be added to the user's authorized_user_ids file (if it
+wasn't already present). `u' may be used in place of
+`update-userids'.
.TP
.B remove-userids [USERID]...
Remove a user ID from the authorized_user_ids file. The user IDs
@@ -50,11 +48,15 @@ specified should be exact matches to OpenPGP user IDs. `r' may be
used in place of `remove-userids'.
.TP
.B update-authorized_keys
-Update the monkeysphere authorized_keys file. The monkeysphere
-authorized_keys file will be regenerated from the valid keys in the
-user_key cache, and the user's independently controlled
-authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be
-used in place of `update-authorized_keys'.
+Update the monkeysphere authorized_keys file. For each user ID in the
+user's authorized_user_ids file, gpg will be queried for keys
+associated with that user ID, querying a keyserver if specified. If a
+key is found, it will be converted to an ssh key, and any matching ssh
+keys will be removed from the user's authorized_keys file. If the
+found key is acceptable (see KEY ACCEPTABILITY), then the key will be
+updated and re-added to the authorized_keys file. If no gpg key is
+found for the user ID, then nothing is done. `a' may be used in place
+of `update-authorized_keys'.
.TP
.B gen-subkey KEYID
Generate an `a` capable subkey. For the primary key with the
@@ -83,21 +85,6 @@ the "authentication" ("a") capability flag.
.B validity
The key must be "fully" valid, and must not be expired or revoked.
-.SH KEY CACHES
-
-Monkeysphere keeps track of keys in key cache directories. The files
-in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where
-USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is
-the key ID of the primary key. If the user/key ID combo exists in the
-Web of Trust but is not acceptable, then the file is empty. If the
-primary key has at least one acceptable sub key, then an ssh-style
-key, converted from the OpenPGP key, of all acceptable subkeys will be
-stored in the cache file, one per line. known_hosts style key lines
-will be stored in the host_keys cache files, and authorized_keys style
-key lines will be stored in the user_keys cache files. OpenPGP keys
-are converted to ssh-style keys with the openpgp2ssh utility (see `man
-openpgp2ssh').
-
.SH FILES
.TP
@@ -114,11 +101,6 @@ addition to the authorized_keys file.
~/.config/monkeysphere/authorized_keys
Monkeysphere generated authorized_keys file.
.TP
-~/.config/monkeysphere/user_keys
-User keys cache directory.
-.TP
-~/.config/monkeysphere/host_keys
-Host keys cache directory.
.SH AUTHOR
diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8
index eafd6a8..5ca248a 100644
--- a/man/man8/monkeysphere-server.8
+++ b/man/man8/monkeysphere-server.8
@@ -24,8 +24,11 @@ be used for authentication and encryption of ssh connection.
.B update-users [USER]...
Update the admin-controlled authorized_keys files for user. For each
user specified, update the user's authorized_keys file in
-/var/cache/monkeysphere/USER. See `man monkeysphere' for more info.
-`k' may be used in place of `update-known_hosts'.
+/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere'
+for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is
+set, then a user-controlled authorized_keys file (usually
+~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k'
+may be used in place of `update-known_hosts'.
.TP
.B gen-key
Generate a gpg key for the host. `g' may be used in place of
@@ -66,8 +69,8 @@ Monkeysphere GNUPG home directory.
/etc/monkeysphere/authorized_user_ids/USER
Server maintained authorized_user_ids files for users.
.TP
-/var/cache/monkeysphere/USER
-User keys cache directories.
+/var/cache/monkeysphere/authorized_keys/USER
+User authorized_keys file.
.SH AUTHOR