Diffstat (limited to 'man/man8')
-rw-r--r-- | man/man8/monkeysphere-authentication.8 | 10
-rw-r--r-- | man/man8/monkeysphere-host.8 | 29
2 files changed, 20 insertions, 19 deletions
diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index e9e24b0..5dfa92a 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -136,7 +136,7 @@ user authentication, the AuthorizedKeysFile parameter must be set in the sshd_config to point to the monkeysphere\-generated authorized_keys files: -AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u +AuthorizedKeysFile __SYSDATADIR_PREFIX__/monkeysphere/authorized_keys/%u It is recommended to add "monkeysphere\-authentication update\-users" to a system crontab, so that user keys are kept up-to-date, and key @@ -179,18 +179,18 @@ false may expose users to abuse by other users on the system. (true) .SH FILES .TP -/etc/monkeysphere/monkeysphere\-authentication.conf +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP -/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \ -/etc/monkeysphere/monkeysphere\-x509\-anchors.crt +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \ +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-x509\-anchors.crt If monkeysphere-authentication is configured to query an hkps keyserver, it will use X.509 Certificate Authority certificates in this file to validate any X.509 certificates used by the keyserver. If the monkeysphere-authentication-x509 file is present, the monkeysphere-x509 file will be ignored. .TP -/var/lib/monkeysphere/authorized_keys/USER +__SYSDATADIR_PREFIX__/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .TP ~/.monkeysphere/authorized_user_ids diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index f3e0d43..4d96901 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 
@@ -118,10 +118,10 @@ publication is not done by default. The first step is to import the host's ssh key into a monkeysphere\-style OpenPGP certificate. This is done with the import\-key command. For example: -# monkeysphere\-host import\-key /etc/ssh/ssh_host_rsa_key ssh://host.example.org +# monkeysphere\-host import\-key __SYSCONFDIR_PREFIX__/etc/ssh/ssh_host_rsa_key ssh://host.example.org On most systems, sshd's RSA secret key is stored at -/etc/ssh/ssh_host_rsa_key. +__SYSCONFDIR_PREFIX__/etc/ssh/ssh_host_rsa_key. See PUBLISHING AND CERTIFYING MONKEYSPHERE SERVICE CERTIFICATES for how to make sure your users can verify the ssh service offered by your 
@@ -137,18 +137,19 @@ PEM\-encoded). The first step is to import the web server's key into a monkeysphere\-style OpenPGP certificate. This is done with the import\-key command. For example: -# monkeysphere\-host import\-key /etc/ssl/private/host.example.net\-key.pem https://host.example.net +# monkeysphere\-host import\-key __SYSCONFDIR_PREFIX__/etc/ssl/private/host.example.net\-key.pem https://host.example.net If you don't know where the web server's key is stored on your machine, consult the configuration files for your web server. Debian\-based systems using the `ssl\-cert' packages often have a default self\-signed certificate stored in -`/etc/ssl/private/ssl\-cert\-snakeoil.key' ; if you're using that key, -your users are getting browser warnings about it. You can keep using -the same key, but help them use the OpenPGP WoT to verify that it does -belong to your web server by using something like: +`__SYSCONFDIR_PREFIX__/etc/ssl/private/ssl\-cert\-snakeoil.key' ; if +you're using that key, your users are getting browser warnings about +it. You can keep using the same key, but help them use the OpenPGP +WoT to verify that it does belong to your web server by using +something like: -# monkeysphere\-host import\-key /etc/ssl/private/ssl\-cert\-snakeoil.key https://$(hostname \-\-fqdn) +# monkeysphere\-host import\-key __SYSCONFDIR_PREFIX__/etc/ssl/private/ssl\-cert\-snakeoil.key https://$(hostname \-\-fqdn) If you offer multiple HTTPS websites using the same secret key, you should add the additional website names with the `add\-servicename' 
@@ -188,7 +189,7 @@ ssh) or without seeing a nasty "security warning" in their browsers Note that \fBmonkeysphere\-host\fP currently caches a copy of all imported secret keys (stored in OpenPGP form for future manipulation) -in /var/lib/monkeysphere/host/secring.gpg. Cleartext backups of this +in __SYSDATADIR_PREFIX__/monkeysphere/host/secring.gpg. Cleartext backups of this file could expose secret key material if not handled sensitively. .SH ENVIRONMENT @@ -209,22 +210,22 @@ If set to `false', never prompt the user for confirmation. (true) .SH FILES .TP -/etc/monkeysphere/monkeysphere\-host.conf +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-host.conf System monkeysphere\-host config file. .TP -/var/lib/monkeysphere/host_keys.pub.pgp +__SYSDATADIR_PREFIX__/monkeysphere/host_keys.pub.pgp A world\-readable copy of the host's OpenPGP certificates in ASCII armored format. This includes the certificates (including the public keys, servicename\-based User IDs, and most recent relevant self\-signatures) corresponding to every key used by Monkeysphere\-enabled services on the host. .TP -/var/lib/monkeysphere/host/ +__SYSDATADIR_PREFIX__/monkeysphere/host/ A locked directory (readable only by the superuser) containing copies of all imported secret keys (this is the host's GNUPGHOME directory). .TP -/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \ -/etc/monkeysphere/monkeysphere\-x509\-anchors.crt +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \ +__SYSCONFDIR_PREFIX__/etc/monkeysphere/monkeysphere\-x509\-anchors.crt If monkeysphere-host is configured to query an hkps keyserver for publish-keys, it will use X.509 Certificate Authority certificates in this file to validate any X.509 certificates used by the keyserver. |
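Review bot: the `AuthorizedKeysFile` example in monkeysphere-authentication.8 (hunk at -136) is a line administrators copy into sshd_config, so the `__SYSDATADIR_PREFIX__` token must be rewritten before the page is installed. This view is limited to man/man8 and does not show the substitution step; please confirm the build or install rule expands both tokens in the man pages, and consider a check that fails the build if any `__SYS` token survives in the installed files.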
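Review bot: in the FILES hunk of monkeysphere-authentication.8 (at -179) the two placeholders follow different conventions, and that is not documented: `__SYSCONFDIR_PREFIX__` is followed by `/etc/monkeysphere/...`, while `__SYSDATADIR_PREFIX__` replaces `/var/lib` outright and is followed directly by `/monkeysphere/...`. Both carry the `_PREFIX` suffix, so a packager who sets them the same way gets one wrong path. Please state the expected value of each (with an example) where the tokens are defined, or rename one so the difference is visible. The same applies to the FILES hunk of monkeysphere-host.8 at -209.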
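Review bot: in monkeysphere-host.8 (hunk at -118) the sentence "On most systems, sshd's RSA secret key is stored at" now ends in a path that depends on monkeysphere's own install prefix. The location of `ssh_host_rsa_key` is determined by how sshd was installed, not by where monkeysphere is installed, so with a non-empty prefix both this sentence and the `import\-key` example above it would point at a key file sshd does not use. I would keep `/etc/ssh/ssh_host_rsa_key` literal here, or reword to tell the reader to check the HostKey setting in their sshd_config.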
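Review bot: in monkeysphere-host.8 (hunk at -137) the `ssl\-cert\-snakeoil.key` path is described as where Debian-based systems using the `ssl\-cert' packages store the default certificate, which is a statement about that package's layout rather than about monkeysphere's prefix. Prefixing it with `__SYSCONFDIR_PREFIX__` makes the sentence incorrect whenever the prefix is non-empty; the same goes for the `/etc/ssl/private/host.example.net\-key.pem` example. Suggest leaving these paths literal. Separately, the paragraph re-wrap in this hunk turns a one-token change into a nine-line rewrite; doing the re-wrap in its own commit would keep the diff reviewable.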
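Review bot: in monkeysphere-host.8 (hunk at -188) the changed line `in __SYSDATADIR_PREFIX__/monkeysphere/host/secring.gpg. Cleartext backups of this` now runs well past the wrap width used by the surrounding lines, whereas the -137 hunk re-wrapped its paragraph after the same kind of substitution. Please pick one approach for the whole patch, either leaving every changed line long or re-wrapping consistently.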