diff options
Diffstat (limited to 'man')
| -rw-r--r-- | man/man1/monkeysphere.1 | 36 | ||||
| -rw-r--r-- | man/man7/monkeysphere.7 | 2 | ||||
| -rw-r--r-- | man/man8/monkeysphere-authentication.8 | 30 | ||||
| -rw-r--r-- | man/man8/monkeysphere-host.8 | 31 |
4 files changed, 62 insertions, 37 deletions
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 0e80047..887b5df 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -58,22 +58,22 @@ were found but none were acceptable. `a' may be used in place of .TP .B gen-subkey [KEYID] Generate an authentication subkey for a private key in your GnuPG -keyring. For the primary key with the specified key ID, generate a -subkey with "authentication" capability that can be used for -monkeysphere transactions. An expiration length can be specified with -the `-e' or `--expire' option (prompt otherwise). If no key ID is +keyring. KEYID is the key ID for the primary key for which the subkey +with "authentication" capability will be generated. If no key ID is specified, but only one key exists in the secret keyring, that key -will be used. `g' may be used in place of `gen-subkey'. +will be used. The length of the generated key can be specified with +the `--length` or `-l` option. `g' may be used in place of +`gen-subkey'. .TP .B ssh-proxycommand -an ssh proxy command that can be used -to trigger a monkeysphere update of the ssh known_hosts file for a -host that is being connected to with ssh. This works by updating the -known_hosts file for the host first, before an attempted connection to -the host is made. Once the known_hosts file has been updated, a TCP -connection to the host is made by exec'ing netcat(1). Regular ssh -communication is then done over this netcat TCP connection (see -ProxyCommand in ssh_config(5) for more info). +An ssh ProxyCommand that can be used to trigger a monkeysphere update +of the ssh known_hosts file for a host that is being connected to with +ssh. This works by updating the known_hosts file for the host first, +before an attempted connection to the host is made. Once the +known_hosts file has been updated, a TCP connection to the host is +made by exec'ing netcat(1). Regular ssh communication is then done +over this netcat TCP connection (see ProxyCommand in ssh_config(5) for +more info). This command is meant to be run as the ssh "ProxyCommand". This can either be done by specifying the proxy command on the command line: @@ -108,9 +108,10 @@ change in the future, possibly by adding a deferred check, so that hosts that go from non-monkeysphere-enabled to monkeysphere-enabled will be properly checked. -Setting the MONKEYSPHERE_CHECK_KEYSERVER -variable (to `true' or `false') will override the keyserver-checking policy -defined above. +Setting the CHECK_KEYSERVER variable in the config file or the +MONKEYSPHERE_CHECK_KEYSERVER environment variable to either `true' or +`false' will override the keyserver-checking policy defined above and +either always or never check the keyserver for host key updates. .TP .B subkey-to-ssh-agent [ssh-add arguments] @@ -152,6 +153,9 @@ Whether or not to hash to the known_hosts file entries (`true'). .TP MONKEYSPHERE_AUTHORIZED_KEYS Path to ssh authorized_keys file (~/.ssh/authorized_keys). +.TP +MONKEYSPHERE_PROMPT +If set to `false', never prompt the user for confirmation. (true) .SH FILES diff --git a/man/man7/monkeysphere.7 b/man/man7/monkeysphere.7 index d221c87..578d96c 100644 --- a/man/man7/monkeysphere.7 +++ b/man/man7/monkeysphere.7 @@ -52,6 +52,6 @@ Daniel Kahn Gillmor <dkg@fifthhorseman.net> .BR openpgp2ssh (1), .BR pem2openpgp (1), .BR gpg (1), -.BR ssh (1), .BR http://tools.ietf.org/html/rfc4880, +.BR ssh (1), .BR http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/ diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 4d453d3..361822d 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -37,8 +37,11 @@ monkeysphere-controlled authorized_keys file. If no accounts are specified, then all accounts on the system are processed. `u' may be used in place of `update-users'. .TP -.B add-id-certifier KEYID +.B add-id-certifier KEYID|FILE Instruct system to trust user identity certifications made by KEYID. +The key ID will be loaded from the keyserver. A file may be loaded +instead of pulling the key from the keyserver by specifying the path +to the file as the argument, or by specifying `-` to load from stdin. Using the `-n' or `--domain' option allows you to indicate that you only trust the given KEYID to make identifications within a specific domain (e.g. "trust KEYID to certify user identities within the @@ -131,22 +134,29 @@ The following environment variables will override those specified in the config file (defaults in parentheses): .TP MONKEYSPHERE_MONKEYSPHERE_USER -User to control authentication keychain (monkeysphere). +User to control authentication keychain. (monkeysphere) .TP MONKEYSPHERE_LOG_LEVEL -Set the log level (INFO). Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in -increasing order of verbosity. +Set the log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +increasing order of verbosity. (INFO) .TP MONKEYSPHERE_KEYSERVER -OpenPGP keyserver to use (pool.sks-keyservers.net). +OpenPGP keyserver to use. (pool.sks-keyservers.net) .TP MONKEYSPHERE_AUTHORIZED_USER_IDS -Path to user authorized_user_ids file -(%h/.monkeysphere/authorized_user_ids). +Path to user's authorized_user_ids file. %h gets replaced with the +user's homedir, %u with the username. +(%h/.monkeysphere/authorized_user_ids) .TP MONKEYSPHERE_RAW_AUTHORIZED_KEYS -Path to user-controlled authorized_keys file. `-' means not to add -user-controlled file (%h/.ssh/authorized_keys). +Path to regular ssh-style authorized_keys file to append to +monkeysphere-generated authorized_keys. `none' means not to add any +raw authorized_keys file. %h gets replaced with the user's homedir, +%u with the username. (%h/.ssh/authorized_keys) +.TP +MONKEYSPHERE_PROMPT +If set to `false', never prompt the user for confirmation. (true) + .SH FILES @@ -154,7 +164,7 @@ user-controlled file (%h/.ssh/authorized_keys). /etc/monkeysphere/monkeysphere-authentication.conf System monkeysphere-authentication config file. .TP -/var/lib/monkeysphere/authentication/authorized_keys/USER +/var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. .SH AUTHOR diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 330b610..2ccaaec 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -23,9 +23,10 @@ connection authentication. \fBmonkeysphere-host\fP takes various subcommands: .TP -.B import-key [NAME[:PORT]] -Import a pem-encoded ssh secret host key, from stdin. NAME[:PORT] is -used to specify the hostname (and port) used in the user ID of the new +.B import-key FILE [NAME[:PORT]] +Import a pem-encoded ssh secret host key from file FILE. If FILE +is '-', then the key will be imported from stdin. NAME[:PORT] is used +to specify the hostname (and port) used in the user ID of the new OpenPGP key. If NAME is not specified, then the system fully-qualified domain name will be used (ie. `hostname -f'). If PORT is not specified, the no port is added to the user ID, which means @@ -35,11 +36,11 @@ port 22 is assumed. `i' may be used in place of `import-key'. Output information about host's OpenPGP and SSH keys. `s' may be used in place of `show-key'. .TP -.B extend-key EXPIRE +.B extend-key [EXPIRE] Extend the validity of the OpenPGP key for the host until EXPIRE from the present. If EXPIRE is not specified, then the user will be -prompted for the extension term. Expiration is specified like GnuPG -does: +prompted for the extension term. Expiration is specified as with +GnuPG: .nf 0 = key does not expire <n> = key expires in n days @@ -57,13 +58,19 @@ place of `add-hostname'. Revoke a hostname user ID from the server host key. `n-' may be used in place of `revoke-hostname'. .TP -.B add-revoker FINGERPRINT -Add a revoker to the host's OpenPGP key. `o' may be be used in place +.B add-revoker KEYID|FILE +Add a revoker to the host's OpenPGP key. The key ID will be loaded +from the keyserver. A file may be loaded instead of pulling the key +from the keyserver by specifying the path to the file as the argument, +or by specifying `-` to load from stdin. `o' may be be used in place of `add-revoker'. .TP .B revoke-key -Revoke the host's OpenPGP key. `r' may be used in place of -`revoke-key'. +Revoke the host's OpenPGP key. This will ask you a series of +questions, and then generate a key revocation certificate on standard +out. If you publish this revocation certificate to the public +keyservers, your host key will be permanently revoked. `r' may be +used in place of `revoke-key'. .TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in @@ -113,6 +120,10 @@ increasing order of verbosity. .TP MONKEYSPHERE_KEYSERVER OpenPGP keyserver to use (pool.sks-keyservers.net). +.TP +MONKEYSPHERE_PROMPT +If set to `false', never prompt the user for confirmation. (true) + .SH FILES |