From 48cd196efb86f8661fbf77552ef6c26b11fe20c6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 17:34:08 -0400 Subject: Add some skeletal debian packaging stuff and man pages, and moved conf files to etc directory. --- man/man1/monkeysphere.1 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 man/man1/monkeysphere.1 (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 new file mode 100644 index 0000000..4c3d483 --- /dev/null +++ b/man/man1/monkeysphere.1 @@ -0,0 +1,6 @@ +.TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" +.SH NAME +monkeysphere \- monkeysphere client user interface +.SH SYNOPSIS +.B monkeysphere \fIcommand\fP [\fIargs\fP] +.SH DESCRIPTION -- cgit v1.2.3 From b489d119fc6c61e43c88efffb2ba4705ac4aeca8 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 11 Jun 2008 12:00:36 -0400 Subject: Fill out a little of the man pages. --- man/man1/monkeysphere.1 | 76 ++++++++++++++++++++++++++++++++++++++++++ man/man8/monkeysphere-server.8 | 54 ++++++++++++++++++++++++++++++ 2 files changed, 130 insertions(+) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 4c3d483..fff16ba 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -4,3 +4,79 @@ monkeysphere \- monkeysphere client user interface .SH SYNOPSIS .B monkeysphere \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION +.PP +\fBmonkeysphere\fP is the client monkeysphere tool. +.SH SUBCOMMANDS +\fBmonkeysphere\fP takes various subcommands: +.PD +.TP +.B update-known_hosts [HOST]... +Update the known_hosts file. For every host listed, search for a gpg +key for the host in the Web of Trust. If a key is found, any ssh keys +for the host are removed from the known_hosts file. If the found key +is acceptable (see KEY ACCEPTABILITY), then the gpg key is converted +to an ssh key and added to the known_hosts file. If now gpg key is +found for the host, then nothing is done. If no hosts are specified, +all hosts listed in the known_hosts file will be processed. If they +`k' may be used in place of `update-known_hosts'. +.TP +.B update-authorized_keys +Update the authorized_keys file. +.TP +.B update-userids [USERID]... +Update userid +.TP +.B gen-ae-subkey KEYID +Generate an `ae` capable subkey +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.PD +.SH KEY ACCEPTABILITY +GPG keys are considered acceptable if the following criteria are met: +.PD +.TP +.B capability +The key must have both the "authentication" and "encrypt" capability +flags. +.TP +.B validity +The key must be "fully" valid, and must not be expired or revoked. +.PD +.SH FILES +.PD 1 +.TP +~/.config/monkeysphere/monkeysphere.conf +User monkeysphere config file. +.TP +/etc/monkeysphere/monkeysphere.conf +System-wide monkeysphere config file. +.TP +~/.config/monkeysphere/authorized_user_ids +GPG user IDs to validate for addition to the authorized_keys file. +.TP +~/.config/monkeysphere/authorized_keys +Monkeysphere generated authorized_keys file. +.TP +~/.config/monkeysphere/user_keys +User keys cache directory. +.TP +~/.config/monkeysphere/host_keys +Host keys cache directory. +.PD +.SH AUTHOR +Written by Jameson Rollins +.SH "REPORTING BUGS" +Report bugs to . +.SH COPYRIGHT +Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor +.br +This is free software. You may redistribute copies of it under the +terms of the GNU General Public License +. There is NO WARRANTY, to the +extent permitted by law. +.SH "SEE ALSO" +.BR ssh (1), +.BR gpg (1), +.BR monkeysphere-server (8) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 302bffb..39a8e5c 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -4,3 +4,57 @@ monkeysphere-server \- monkeysphere server admin user interface .SH SYNOPSIS .B monkeysphere-server \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION +.PP +\fBmonkeysphere-server\fP is the server admin monkeysphere tool. +.SH SUBCOMMANDS +\fBmonkeysphere-server\fP takes various subcommands: +.PD +.TP +.B update-users [HOST]... +.TP +.B gen-key +.TP +.B publish-key +.TP +.B trust-keys KEYID... +.TP +.B update-user-userids USER USERID... +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.PD +.SH FILES +.PD 1 +.TP +/etc/monkeysphere/monkeysphere-server.conf +System monkeysphere-server config file. +.TP +/etc/monkeysphere/monkeysphere.conf +System-wide monkeysphere config file. +.TP +/etc/monkeysphere/gnupg +Monkeysphere GNUPG home directory. +.TP +/etc/monkeysphere/authorized_user_ids/USER +Server maintained authorized_user_ids files for users. +.TP +/var/lib/monkeysphere/stage/USER +Staging directory for user key caches. +.PD +.SH AUTHOR +Written by Jameson Rollins +.SH "REPORTING BUGS" +Report bugs to . +.SH COPYRIGHT +Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor +.br +This is free software. You may redistribute copies of it under the +terms of the GNU General Public License +. There is NO WARRANTY, to the +extent permitted by law. +.SH "SEE ALSO" +.BR monkeysphere (1), +.BR gpg (1), +.BR ssh (1) + -- cgit v1.2.3 From c1affebb2e24c129a4baec24d0627abd1ac0b977 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 11 Jun 2008 16:04:15 -0400 Subject: fix typo in monkeysphere(1) --- man/man1/monkeysphere.1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index fff16ba..f9a6af4 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -15,9 +15,10 @@ Update the known_hosts file. For every host listed, search for a gpg key for the host in the Web of Trust. If a key is found, any ssh keys for the host are removed from the known_hosts file. If the found key is acceptable (see KEY ACCEPTABILITY), then the gpg key is converted -to an ssh key and added to the known_hosts file. If now gpg key is +to an ssh key and added to the known_hosts file. If no gpg key is found for the host, then nothing is done. If no hosts are specified, all hosts listed in the known_hosts file will be processed. If they + `k' may be used in place of `update-known_hosts'. .TP .B update-authorized_keys -- cgit v1.2.3 From 35a6f7cf8c455318078c7f94951dbc964bb41006 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 12 Jun 2008 00:22:02 -0400 Subject: Man page work. - flesh out more of the man pages for monkeysphere and monkeysphere-server - move the server cache directory to /var/cache, where it should be. --- debian/dirs | 3 +- etc/monkeysphere-server.conf | 3 -- man/man1/monkeysphere.1 | 83 +++++++++++++++++++++++++++--------------- man/man8/monkeysphere-server.8 | 35 ++++++++++-------- src/common | 12 +++--- src/monkeysphere | 4 +- src/monkeysphere-server | 11 +++--- 7 files changed, 87 insertions(+), 64 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/debian/dirs b/debian/dirs index 277c0b5..bdf0fe0 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,5 +1,4 @@ -var/lib/monkeysphere -var/lib/monkeysphere/stage +var/cache/monkeysphere usr/bin usr/sbin usr/share diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index bed5c09..3c16c5f 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -18,6 +18,3 @@ # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be substituted for the user's home directory. #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys - -# where to cache user authorized_keys lines -#STAGING_AREA=/var/lib/monkeysphere/stage diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index f9a6af4..410a5d7 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,34 +1,53 @@ .TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" .SH NAME -monkeysphere \- monkeysphere client user interface +monkeysphere \- MonkeySphere client user interface .SH SYNOPSIS .B monkeysphere \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION .PP -\fBmonkeysphere\fP is the client monkeysphere tool. +MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh +authentication and encryption. OpenPGP keys are tracked via GnuPG, +and added to the ssh authorized_keys and known_hosts files to be used +for authentication and encryption of ssh connection. + +\fBmonkeysphere\fP is the MonkeySphere client utility. +.PD .SH SUBCOMMANDS \fBmonkeysphere\fP takes various subcommands: -.PD .TP .B update-known_hosts [HOST]... -Update the known_hosts file. For every host listed, search for a gpg -key for the host in the Web of Trust. If a key is found, any ssh keys -for the host are removed from the known_hosts file. If the found key -is acceptable (see KEY ACCEPTABILITY), then the gpg key is converted -to an ssh key and added to the known_hosts file. If no gpg key is -found for the host, then nothing is done. If no hosts are specified, -all hosts listed in the known_hosts file will be processed. If they - -`k' may be used in place of `update-known_hosts'. -.TP -.B update-authorized_keys -Update the authorized_keys file. +Update the known_hosts file. For each specified host, gpg will be +queried for a key associated with the host URI (see HOST URIs), +querying a keyserver if none is found in the user's keychain. search +for a gpg key for the host in the Web of Trust. If a key is found, it +will be added to the host_keys cache (see KEY CACHES) and any ssh keys +for the host will be removed from the user's known_hosts file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg +key will be added to the known_hosts file. If no gpg key is found for +the host, then nothing is done. If no hosts are specified, all hosts +listed in the known_hosts file will be processed. `k' may be used in +place of `update-known_hosts'. .TP .B update-userids [USERID]... -Update userid +Add/update a userid in the authorized_user_ids file. The user IDs +specified should be exact matches to OpenPGP user IDs. For each +specified user ID, gpg will be queried for a key associated with that +user ID, querying a keyserver if none is found in the user's keychain. +If a key is found, it will be added to the user_keys cache (see KEY +CACHES) and the user ID will be added to the user's +authorized_user_ids file (if it wasn't already present). +.TP +.B update-authorized_keys +Update the monkeysphere authorized_keys file. The monkeysphere +authorized_keys file will be regenerated from the valid keys in the +user_key cache, and the user's independently controlled +authorized_keys file (usually ~/.ssh/authorized_keys). .TP .B gen-ae-subkey KEYID -Generate an `ae` capable subkey +Generate an `ae` capable subkey. For the primary key with the +specified key ID, generate a subkey with "authentication" and +"encryption" capability that can be used for MonkeySphere +transactions. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -45,6 +64,20 @@ flags. .B validity The key must be "fully" valid, and must not be expired or revoked. .PD +.SH KEY CACHES +Monkeysphere keeps track of keys in key cache directories. The files +in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where +USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is +the key ID of the primary key. If the user/key ID combo exists in the +Web of Trust but is not acceptable, then the file is empty. If the +primary key has at least one acceptable sub key, then an ssh-style +key, converted from the OpenPGP key, of all acceptable subkeys will be +stored in the cache file, one per line. known_hosts style key lines +will be stored in the host_keys cache files, and authorized_keys style +key lines will be stored in the user_keys cache files. OpenPGP keys +are converted to ssh-style keys with the openpgp2ssh utility (see `man +openpgp2ssh'). +.PD .SH FILES .PD 1 .TP @@ -55,7 +88,8 @@ User monkeysphere config file. System-wide monkeysphere config file. .TP ~/.config/monkeysphere/authorized_user_ids -GPG user IDs to validate for addition to the authorized_keys file. +GPG user IDs associated with keys that will be checked for addition to +the authorized_keys file. .TP ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. @@ -67,17 +101,8 @@ User keys cache directory. Host keys cache directory. .PD .SH AUTHOR -Written by Jameson Rollins -.SH "REPORTING BUGS" -Report bugs to . -.SH COPYRIGHT -Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor -.br -This is free software. You may redistribute copies of it under the -terms of the GNU General Public License -. There is NO WARRANTY, to the -extent permitted by law. -.SH "SEE ALSO" +Written by Jameson Rollins +.SH SEE ALSO .BR ssh (1), .BR gpg (1), .BR monkeysphere-server (8) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 7a12e17..cc07077 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -5,20 +5,32 @@ monkeysphere-server \- monkeysphere server admin user interface .B monkeysphere-server \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION .PP -\fBmonkeysphere-server\fP is the server admin monkeysphere tool. +\fBMonkeySphere\fP is a system to leverage the OpenPGP Web of Trust +for ssh authentication and encryption. OpenPGP keys are tracked via +GnuPG, and added to the ssh authorized_keys and known_hosts files to +be used for authentication and encryption of ssh connection. + +\fBmonkeysphere-server\fP is the MonkeySphere server admin utility. +.PD .SH SUBCOMMANDS \fBmonkeysphere-server\fP takes various subcommands: -.PD .TP -.B update-users [HOST]... +.B update-users [USER]... +Update the admin-controlled authorized_keys files for user. For each +user specified, update the user's authorized_keys file in +/var/cache/monkeysphere/USER. See `man monkeysphere' for more info. .TP .B gen-key +Generate a gpg key for the host. .TP .B publish-key +Publish the host's gpg key to a keyserver. .TP .B trust-keys KEYID... +Mark key specified with KEYID with full owner trust. .TP .B update-user-userids USER USERID... +Add/update a userid in the authorized_user_ids file for USER. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -39,21 +51,12 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/lib/monkeysphere/stage/USER -Staging directory for user key caches. +/var/cachemonkeysphere/USER +User keys cache directories. .PD .SH AUTHOR -Written by Jameson Rollins -.SH "REPORTING BUGS" -Report bugs to . -.SH COPYRIGHT -Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor -.br -This is free software. You may redistribute copies of it under the -terms of the GNU General Public License -. There is NO WARRANTY, to the -extent permitted by law. -.SH "SEE ALSO" +Written by Jameson Rollins +.SH SEE ALSO .BR monkeysphere (1), .BR gpg (1), .BR ssh (1) diff --git a/src/common b/src/common index d7caefd..914c800 100755 --- a/src/common +++ b/src/common @@ -14,8 +14,8 @@ # managed directories ETC="/etc/monkeysphere" export ETC -LIB="/var/lib/monkeysphere" -export LIB +CACHE="/var/cache/monkeysphere" +export CACHE ######################################################################## failure() { @@ -312,13 +312,13 @@ process_known_hosts() { # update an authorized_keys file after first processing the # authorized_user_ids file update_authorized_keys() { - local cacheDir local msAuthorizedKeys local userAuthorizedKeys + local cacheDir - cacheDir="$1" - msAuthorizedKeys="$2" - userAuthorizedKeys="$3" + msAuthorizedKeys="$1" + userAuthorizedKeys="$2" + cacheDir="$3" process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" diff --git a/src/monkeysphere b/src/monkeysphere index aaeda11..5d865c9 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,8 +35,8 @@ Monkeysphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-authorized_keys (a) update authorized_keys file update-userids (u) [USERID]... add/update userid + update-authorized_keys (a) update authorized_keys file gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help @@ -170,7 +170,7 @@ case $COMMAND in userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} # update authorized_keys - update_authorized_keys "$userKeysCacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" + update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" ;; 'update-userids'|'u') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a109cf5..0ff06af 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -129,7 +129,6 @@ GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} KEYSERVER=${KEYSERVER:-subkeys.pgp.net} REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -STAGING_AREA=${STAGING_AREA:-"$LIB"/stage} export GNUPGHOME @@ -150,8 +149,8 @@ case $COMMAND in log "----- user: $uname -----" AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - cacheDir="$STAGING_AREA"/"$uname"/user_keys - msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys + msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys + cacheDir="$CACHE"/"$uname"/user_keys # make sure authorized_user_ids file exists if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then @@ -166,7 +165,7 @@ case $COMMAND in fi # update authorized_keys - update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" + update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir" done log "----- done. -----" @@ -199,9 +198,9 @@ case $COMMAND in failure "you must specify at least one userid." fi AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys + cacheDir="$CACHE"/"$uname"/user_keys for userID ; do - update_userid "$userID" "$userKeysCacheDir" + update_userid "$userID" "$cacheDir" done ;; -- cgit v1.2.3 From a8372a5e6f55e6d830c6aba09a92673b49110a22 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 11:57:50 -0400 Subject: add man page for the ssh proxy command script. needs to be filled in. --- man/man1/monkeysphere-ssh-proxycommand.1 | 25 +++++++++++++++++++++++++ man/man1/monkeysphere.1 | 3 +++ 2 files changed, 28 insertions(+) create mode 100644 man/man1/monkeysphere-ssh-proxycommand.1 (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 new file mode 100644 index 0000000..41a95aa --- /dev/null +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -0,0 +1,25 @@ +.TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands" +.SH NAME +monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script +.PD +.SH SYNOPSIS +.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ... +.PD +.SH DESCRIPTION +.PP +MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh +authentication and encryption. OpenPGP keys are tracked via GnuPG, +and added to the ssh authorized_keys and known_hosts files to be used +for authentication and encryption of ssh connection. + +\fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used +to trigger a monkeysphere update of the known_hosts file for the hosts +that are being connected to. +.PD +.SH AUTHOR +Written by Jameson Rollins +.PD +.SH SEE ALSO +.BR monkeypshere (1), +.BR ssh (1), +.BR gpg (1) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 410a5d7..636adcb 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,8 +1,10 @@ .TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" .SH NAME monkeysphere \- MonkeySphere client user interface +.PD .SH SYNOPSIS .B monkeysphere \fIcommand\fP [\fIargs\fP] +.PD .SH DESCRIPTION .PP MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh @@ -102,6 +104,7 @@ Host keys cache directory. .PD .SH AUTHOR Written by Jameson Rollins +.PD .SH SEE ALSO .BR ssh (1), .BR gpg (1), -- cgit v1.2.3 From 220a0fb50691a6cf3db9624275d46a6f730f55c6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 12:37:08 -0400 Subject: fix bugs in ssh key export functions --- man/man1/monkeysphere.1 | 1 + src/common | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 636adcb..d00a9db 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -107,5 +107,6 @@ Written by Jameson Rollins .PD .SH SEE ALSO .BR ssh (1), +.BR monkeysphere-ssh-proxycommand (1), .BR gpg (1), .BR monkeysphere-server (8) diff --git a/src/common b/src/common index 914c800..8b0f41a 100644 --- a/src/common +++ b/src/common @@ -98,7 +98,7 @@ gpg2known_hosts() { echo -n "$host " gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo "MonkeySphere${DATE}" + echo " MonkeySphere${DATE}" } # convert key from gpg to ssh authorized_keys format @@ -109,9 +109,9 @@ gpg2authorized_keys() { keyID="$1" userID="$2" - echo -n "MonkeySphere${DATE}:${userID}" gpg --export "$keyID" | \ - openpgp2ssh "$keyID" + openpgp2ssh "$keyID" | tr -d '\n' + echo " MonkeySphere${DATE}:${userID}" } # userid and key policy checking -- cgit v1.2.3 From 2ed952e2207d5278cfe96db2d7eeed40709f846b Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 17:47:34 -0400 Subject: Add 'remove_userid' function, inverse of 'update_userids'. Also, tweaked some of the output and man pages. --- debian/control | 2 +- man/man1/monkeysphere.1 | 15 +++++++++++---- man/man8/monkeysphere-server.8 | 17 +++++++++++++---- src/common | 32 +++++++++++++++++++++++++++----- src/monkeysphere | 18 ++++++++++++++++-- src/monkeysphere-server | 33 +++++++++++++++++++++++++++++++-- 6 files changed, 99 insertions(+), 18 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/debian/control b/debian/control index afd5bfa..d4d25c6 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), ${shlibs:Depends} +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, ${shlibs:Depends} Recommends: netcat Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index d00a9db..762f008 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -31,25 +31,32 @@ listed in the known_hosts file will be processed. `k' may be used in place of `update-known_hosts'. .TP .B update-userids [USERID]... -Add/update a userid in the authorized_user_ids file. The user IDs +Add/update a user ID to the authorized_user_ids file. The user IDs specified should be exact matches to OpenPGP user IDs. For each specified user ID, gpg will be queried for a key associated with that user ID, querying a keyserver if none is found in the user's keychain. If a key is found, it will be added to the user_keys cache (see KEY CACHES) and the user ID will be added to the user's -authorized_user_ids file (if it wasn't already present). +authorized_user_ids file (if it wasn't already present). `u' may be +used in place of `update-userids'. +.TP +.B remove-userids [USERID]... +Remove a user ID from the authorized_user_ids file. The user IDs +specified should be exact matches to OpenPGP user IDs. `r' may be +used in place of `remove-userids'. .TP .B update-authorized_keys Update the monkeysphere authorized_keys file. The monkeysphere authorized_keys file will be regenerated from the valid keys in the user_key cache, and the user's independently controlled -authorized_keys file (usually ~/.ssh/authorized_keys). +authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be +used in place of `update-authorized_keys'. .TP .B gen-ae-subkey KEYID Generate an `ae` capable subkey. For the primary key with the specified key ID, generate a subkey with "authentication" and "encryption" capability that can be used for MonkeySphere -transactions. +transactions. `g' may be used in place of `gen-ae-subkey'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index cc07077..8f62610 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -19,18 +19,27 @@ be used for authentication and encryption of ssh connection. Update the admin-controlled authorized_keys files for user. For each user specified, update the user's authorized_keys file in /var/cache/monkeysphere/USER. See `man monkeysphere' for more info. +`k' may be used in place of `update-known_hosts'. .TP .B gen-key -Generate a gpg key for the host. +Generate a gpg key for the host. `g' may be used in place of +`gen-key'. .TP .B publish-key -Publish the host's gpg key to a keyserver. +Publish the host's gpg key to a keyserver. `p' may be used in place +of `publish-key' .TP .B trust-keys KEYID... -Mark key specified with KEYID with full owner trust. +Mark key specified with KEYID with full owner trust. `t' may be used +in place of `trust-keys'. .TP .B update-user-userids USER USERID... -Add/update a userid in the authorized_user_ids file for USER. +Add/update a user ID to the authorized_user_ids file for USER. `u' may +be used in place of `update-user-userids'. +.TP +.B remove-user-userids USER USERID... +Remove a user ID from the authorized_user_ids file for USER. `r' may +be used in place of `remove-user-userids'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of diff --git a/src/common b/src/common index d56028f..01e6f32 100644 --- a/src/common +++ b/src/common @@ -240,6 +240,9 @@ process_user_id() { # hash userid for cache file name userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') + # make sure the cache directory exists + mkdir -p "$cacheDir" + # touch/clear key cache file # (will be left empty if there are noacceptable keys) > "$cacheDir"/"$userIDHash"."$pubKeyID" @@ -285,16 +288,16 @@ update_userid() { cacheDir="$2" log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then return 1 fi if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - echo "the following userid is not in the authorized_user_ids file:" - echo " $userID" - read -p "would you like to add it? [Y|n]: " OK; OK=${OK:=Y} + read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then - log -n "adding userid to authorized_user_ids file... " + log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else @@ -303,6 +306,24 @@ update_userid() { fi } +# remove a userid from the authorized_user_ids file +remove_userid() { + local userID + + userID="$1" + + log "processing userid: '$userID'" + + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + log "user ID not currently authorized." + return 1 + fi + + log -n "removing user ID '$userID'... " + grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS" + echo "done." +} + # process a host for addition to a known_host file process_host() { local host @@ -373,7 +394,8 @@ update_authorized_keys() { cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." fi - log "monkeysphere authorized_keys file generated: $msAuthorizedKeys" + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" } # process an authorized_*_ids file diff --git a/src/monkeysphere b/src/monkeysphere index 997ca58..1ba51d7 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,7 +35,8 @@ MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-userids (u) [USERID]... add/update userid + update-userids (u) [USERID]... add/update user IDs + remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help @@ -164,13 +165,26 @@ case $COMMAND in fi ;; - 'update-userids'|'u') + 'update-userids'|'update-userid'|'u') if [ -z "$1" ] ; then failure "you must specify at least one userid." fi for userID ; do update_userid "$userID" "$userKeysCacheDir" done + log "run the following to update your monkeysphere authorized_keys file:" + log "$PGRM update-authorized_keys" + ;; + + 'remove-userids'|'remove-userid'|'r') + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + for userID ; do + remove_userid "$userID" + done + log "run the following to update your monkeysphere authorized_keys file:" + log "$PGRM update-authorized_keys" ;; 'update-authorized_keys'|'update-authorized-keys'|'a') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 922aad3..13221c5 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -35,7 +35,8 @@ subcommands: gen-key (g) generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted - update-user-userids (u) USER UID... add/update userids for a user + update-user-userids (u) USER UID... add/update user IDs for a user + remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF @@ -179,7 +180,7 @@ case $COMMAND in done ;; - 'update-user-userids'|'u') + 'update-user-userids'|'update-user-userid'|'u') uname="$1" shift if [ -z "$uname" ] ; then @@ -200,6 +201,34 @@ case $COMMAND in for userID ; do update_userid "$userID" "$cacheDir" done + + log "run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" + ;; + + 'remove-user-userids'|'remove-user-userid'|'r') + uname="$1" + shift + if [ -z "$uname" ] ; then + failure "you must specify user." + fi + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + + # set variables for the user + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs + for userID ; do + remove_userid "$userID" + done + + log "run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" ;; 'help'|'h'|'?') -- cgit v1.2.3 From 28c7489bb830c8ef9bb7c6e40e3fc4d47a702614 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 14 Jun 2008 15:58:34 -0400 Subject: More work on the man pages. --- man/man1/monkeysphere-ssh-proxycommand.1 | 12 ++++++--- man/man1/monkeysphere.1 | 44 ++++++++++++++++++++------------ man/man1/openpgp2ssh.1 | 2 +- man/man8/monkeysphere-server.8 | 25 ++++++++++++------ src/monkeysphere-server | 2 +- 5 files changed, 55 insertions(+), 30 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 63b5a5e..8392ae8 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -1,9 +1,11 @@ .TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script -.PD + .SH DESCRIPTION -.PP + \fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used to trigger a monkeysphere update of the known_hosts file for the hosts that are being connected to. It is meant to be run as an ssh @@ -28,11 +30,13 @@ and then Run the following command for more info: .B less $(which monkeysphere-ssh-proxycommand) -.PD + .SH AUTHOR + Written by Jameson Rollins -.PD + .SH SEE ALSO + .BR monkeypshere (1), .BR ssh (1), .BR gpg (1) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 762f008..526cad6 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,20 +1,24 @@ .TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere \- MonkeySphere client user interface -.PD + .SH SYNOPSIS + .B monkeysphere \fIcommand\fP [\fIargs\fP] -.PD + .SH DESCRIPTION -.PP + MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh authentication and encryption. OpenPGP keys are tracked via GnuPG, and added to the ssh authorized_keys and known_hosts files to be used for authentication and encryption of ssh connection. \fBmonkeysphere\fP is the MonkeySphere client utility. -.PD + .SH SUBCOMMANDS + \fBmonkeysphere\fP takes various subcommands: .TP .B update-known_hosts [HOST]... @@ -61,10 +65,15 @@ transactions. `g' may be used in place of `gen-ae-subkey'. .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.PD + +.SH HOST URIs + +Host OpenPGP keys have associated user IDs that use the ssh URI +specification for the host, ie. "ssh://host.full.domain". + .SH KEY ACCEPTABILITY + GPG keys are considered acceptable if the following criteria are met: -.PD .TP .B capability The key must have both the "authentication" and "encrypt" capability @@ -72,8 +81,9 @@ flags. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. -.PD + .SH KEY CACHES + Monkeysphere keeps track of keys in key cache directories. The files in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is @@ -86,9 +96,9 @@ will be stored in the host_keys cache files, and authorized_keys style key lines will be stored in the user_keys cache files. OpenPGP keys are converted to ssh-style keys with the openpgp2ssh utility (see `man openpgp2ssh'). -.PD + .SH FILES -.PD 1 + .TP ~/.config/monkeysphere/monkeysphere.conf User monkeysphere config file. @@ -97,8 +107,8 @@ User monkeysphere config file. System-wide monkeysphere config file. .TP ~/.config/monkeysphere/authorized_user_ids -GPG user IDs associated with keys that will be checked for addition to -the authorized_keys file. +OpenPGP user IDs associated with keys that will be checked for +addition to the authorized_keys file. .TP ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. @@ -108,12 +118,14 @@ User keys cache directory. .TP ~/.config/monkeysphere/host_keys Host keys cache directory. -.PD + .SH AUTHOR + Written by Jameson Rollins -.PD + .SH SEE ALSO -.BR ssh (1), + .BR monkeysphere-ssh-proxycommand (1), -.BR gpg (1), -.BR monkeysphere-server (8) +.BR monkeysphere-server (8), +.BR ssh (1), +.BR gpg (1) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 83b6154..bea1da5 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -69,7 +69,7 @@ and this man page were written by Daniel Kahn Gillmor . .Sh BUGS .Nm -currently only exports into formats used by the OpenSSH. +Currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by lsh(1) and putty(1). .Pp diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 8f62610..eafd6a8 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -1,18 +1,24 @@ .TH MONKEYSPHERE-SERVER "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere-server \- monkeysphere server admin user interface + .SH SYNOPSIS + .B monkeysphere-server \fIcommand\fP [\fIargs\fP] + .SH DESCRIPTION -.PP + \fBMonkeySphere\fP is a system to leverage the OpenPGP Web of Trust for ssh authentication and encryption. OpenPGP keys are tracked via GnuPG, and added to the ssh authorized_keys and known_hosts files to be used for authentication and encryption of ssh connection. \fBmonkeysphere-server\fP is the MonkeySphere server admin utility. -.PD + .SH SUBCOMMANDS + \fBmonkeysphere-server\fP takes various subcommands: .TP .B update-users [USER]... @@ -26,11 +32,11 @@ Generate a gpg key for the host. `g' may be used in place of `gen-key'. .TP .B publish-key -Publish the host's gpg key to a keyserver. `p' may be used in place +Publish the host's gpg key to the keyserver. `p' may be used in place of `publish-key' .TP .B trust-keys KEYID... -Mark key specified with KEYID with full owner trust. `t' may be used +Mark key specified with key IDs with full owner trust. `t' may be used in place of `trust-keys'. .TP .B update-user-userids USER USERID... @@ -44,9 +50,9 @@ be used in place of `remove-user-userids'. .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.PD + .SH FILES -.PD 1 + .TP /etc/monkeysphere/monkeysphere-server.conf System monkeysphere-server config file. @@ -60,12 +66,15 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/cachemonkeysphere/USER +/var/cache/monkeysphere/USER User keys cache directories. -.PD + .SH AUTHOR + Written by Jameson Rollins + .SH SEE ALSO + .BR monkeysphere (1), .BR gpg (1), .BR ssh (1) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 13221c5..e05b4b7 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -47,7 +47,7 @@ gen_key() { # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} - KEY_USAGE=${KEY_USAGE:-"encrypt,auth"} + KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} SERVICE=${SERVICE:-"ssh"} HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} -- cgit v1.2.3 From 5ff6e131ad52ce4de7172e56170ea4f37e397a9e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 15 Jun 2008 18:23:39 -0400 Subject: Fix gen-subkey function for client. --- man/man1/monkeysphere.1 | 15 ++++++----- src/monkeysphere | 68 ++++++++++++++++++++++++------------------------- src/monkeysphere-server | 2 +- 3 files changed, 42 insertions(+), 43 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 526cad6..95f1e59 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -56,11 +56,11 @@ user_key cache, and the user's independently controlled authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be used in place of `update-authorized_keys'. .TP -.B gen-ae-subkey KEYID -Generate an `ae` capable subkey. For the primary key with the -specified key ID, generate a subkey with "authentication" and -"encryption" capability that can be used for MonkeySphere -transactions. `g' may be used in place of `gen-ae-subkey'. +.B gen-subkey KEYID +Generate an `a` capable subkey. For the primary key with the +specified key ID, generate a subkey with "authentication" capability +that can be used for MonkeySphere transactions. `g' may be used in +place of `gen-subkey'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -76,8 +76,9 @@ specification for the host, ie. "ssh://host.full.domain". GPG keys are considered acceptable if the following criteria are met: .TP .B capability -The key must have both the "authentication" and "encrypt" capability -flags. +For host keys, the key must have both the "authentication" ("a") and +"encrypt" ("e") capability flags. For user keys, the key must have +the "authentication" ("a") capability flag. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. diff --git a/src/monkeysphere b/src/monkeysphere index ff4423b..6369197 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # monkeysphere: MonkeySphere client tool # @@ -38,14 +38,15 @@ subcommands: update-userids (u) [USERID]... add/update user IDs remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file - gen-ae-subkey (g) KEYID generate an 'ae' capable subkey + gen-subkey (g) KEYID generate an 'a' capable subkey help (h,?) this help EOF } -# generate a subkey with the 'a' and 'e' usage flags set -gen_ae_subkey(){ +# generate a subkey with the 'a' usage flags set +# FIXME: not working yet. +gen_subkey(){ local keyID local gpgOut local userID @@ -54,11 +55,6 @@ gen_ae_subkey(){ keyID="$1" - # set subkey defaults - SUBKEY_TYPE=${KEY_TYPE:-"RSA"} - SUBKEY_LENGTH=${KEY_LENGTH:-"1024"} - SUBKEY_USAGE=${KEY_USAGE:-"encrypt,auth"} - gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ "$keyID" 2> /dev/null) @@ -68,35 +64,37 @@ gen_ae_subkey(){ return 1 fi - userID=$(echo "$gpgOut" | grep "^uid:" | cut -d: -f10) - - # set key parameters - keyParameters=$(cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years EOF -) - - echo "The following key parameters will be used:" - echo "$keyParameters" - - read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} != 'Y' ] ; then - failure "aborting." - fi - - # add commit command - keyParameters="${keyParameters}"$(cat < Date: Tue, 17 Jun 2008 14:33:19 -0400 Subject: Update man pages and TODO. --- debian/dirs | 1 + debian/monkeysphere.dirs | 1 + doc/TODO | 12 +++++++ man/man1/monkeysphere-ssh-proxycommand.1 | 13 ++++--- man/man1/monkeysphere.1 | 60 +++++++++++--------------------- man/man8/monkeysphere-server.8 | 11 +++--- 6 files changed, 48 insertions(+), 50 deletions(-) (limited to 'man/man1/monkeysphere.1') diff --git a/debian/dirs b/debian/dirs index bdf0fe0..b458649 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,4 +1,5 @@ var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys usr/bin usr/sbin usr/share diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index 4604eee..bc8abcf 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,4 +1,5 @@ usr/share/monkeysphere var/cache/monkeysphere +var/cache/monkeysphere/authorized_keys etc/monkeysphere etc/monkeysphere/authorized_user_ids diff --git a/doc/TODO b/doc/TODO index 6125fea..905d198 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,6 +1,18 @@ Next-Steps Monkeysphere Projects: --------------------------------- +Handle unknown hosts in such a way that they're not always removed + from known_hosts file. Ask user to lsign the host key? + +Handle multiple multiple hostnames (multiple user IDs?) when + generating host keys with gen-key. + +Make sure alternate ports are handled for known_hosts. + +Add environment variables sections to man pages. + +Script to import private key into ssh agent. + Provide a friendly interactive UI for marginal or failing client-side hostkey verifications. Handle the common cases smoothly, and provide good debugging info for the unusual cases. diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 8392ae8..5fabb91 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -19,13 +19,12 @@ or by adding the following line to your ~/.ssh/config script: .B ProxyCommand monkeysphere-ssh-proxycommand %h %p The script is very simple, and can easily be incorporated into other -ProxyCommand scripts. All it does is first runs - -.B monkeysphere update-known-hosts HOST - -and then - -.B exec nc HOST PORT +ProxyCommand scripts. It first tests to see if the host is in the +known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to +true and "update-known_hosts" is run for the host to check for a host +key for that host. If the host is found in the known_hosts file, +CHECK_KEYSERVER is set to false and "update-known_hosts" is run to +update from the local keychain. Run the following command for more info: diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 95f1e59..8d89071 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -24,25 +24,23 @@ for authentication and encryption of ssh connection. .B update-known_hosts [HOST]... Update the known_hosts file. For each specified host, gpg will be queried for a key associated with the host URI (see HOST URIs), -querying a keyserver if none is found in the user's keychain. search -for a gpg key for the host in the Web of Trust. If a key is found, it -will be added to the host_keys cache (see KEY CACHES) and any ssh keys -for the host will be removed from the user's known_hosts file. If the -found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg -key will be added to the known_hosts file. If no gpg key is found for -the host, then nothing is done. If no hosts are specified, all hosts -listed in the known_hosts file will be processed. `k' may be used in -place of `update-known_hosts'. +querying a keyserver if specified. If a key is found, it will be +converted to an ssh key, and any matching ssh keys will be removed +from the user's known_hosts file. If the found key is acceptable (see +KEY ACCEPTABILITY), then the key will be updated and re-added to the +known_hosts file. If no gpg key is found for the host, then nothing +is done. If no hosts are specified, all hosts listed in the +known_hosts file will be processed. `k' may be used in place of +`update-known_hosts'. .TP .B update-userids [USERID]... Add/update a user ID to the authorized_user_ids file. The user IDs specified should be exact matches to OpenPGP user IDs. For each specified user ID, gpg will be queried for a key associated with that -user ID, querying a keyserver if none is found in the user's keychain. -If a key is found, it will be added to the user_keys cache (see KEY -CACHES) and the user ID will be added to the user's -authorized_user_ids file (if it wasn't already present). `u' may be -used in place of `update-userids'. +user ID, querying a keyserver if specified. If a key is found, the +user ID will be added to the user's authorized_user_ids file (if it +wasn't already present). `u' may be used in place of +`update-userids'. .TP .B remove-userids [USERID]... Remove a user ID from the authorized_user_ids file. The user IDs @@ -50,11 +48,15 @@ specified should be exact matches to OpenPGP user IDs. `r' may be used in place of `remove-userids'. .TP .B update-authorized_keys -Update the monkeysphere authorized_keys file. The monkeysphere -authorized_keys file will be regenerated from the valid keys in the -user_key cache, and the user's independently controlled -authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be -used in place of `update-authorized_keys'. +Update the monkeysphere authorized_keys file. For each user ID in the +user's authorized_user_ids file, gpg will be queried for keys +associated with that user ID, querying a keyserver if specified. If a +key is found, it will be converted to an ssh key, and any matching ssh +keys will be removed from the user's authorized_keys file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the key will be +updated and re-added to the authorized_keys file. If no gpg key is +found for the user ID, then nothing is done. `a' may be used in place +of `update-authorized_keys'. .TP .B gen-subkey KEYID Generate an `a` capable subkey. For the primary key with the @@ -83,21 +85,6 @@ the "authentication" ("a") capability flag. .B validity The key must be "fully" valid, and must not be expired or revoked. -.SH KEY CACHES - -Monkeysphere keeps track of keys in key cache directories. The files -in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where -USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is -the key ID of the primary key. If the user/key ID combo exists in the -Web of Trust but is not acceptable, then the file is empty. If the -primary key has at least one acceptable sub key, then an ssh-style -key, converted from the OpenPGP key, of all acceptable subkeys will be -stored in the cache file, one per line. known_hosts style key lines -will be stored in the host_keys cache files, and authorized_keys style -key lines will be stored in the user_keys cache files. OpenPGP keys -are converted to ssh-style keys with the openpgp2ssh utility (see `man -openpgp2ssh'). - .SH FILES .TP @@ -114,11 +101,6 @@ addition to the authorized_keys file. ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. .TP -~/.config/monkeysphere/user_keys -User keys cache directory. -.TP -~/.config/monkeysphere/host_keys -Host keys cache directory. .SH AUTHOR diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index eafd6a8..5ca248a 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -24,8 +24,11 @@ be used for authentication and encryption of ssh connection. .B update-users [USER]... Update the admin-controlled authorized_keys files for user. For each user specified, update the user's authorized_keys file in -/var/cache/monkeysphere/USER. See `man monkeysphere' for more info. -`k' may be used in place of `update-known_hosts'. +/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' +for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is +set, then a user-controlled authorized_keys file (usually +~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k' +may be used in place of `update-known_hosts'. .TP .B gen-key Generate a gpg key for the host. `g' may be used in place of @@ -66,8 +69,8 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/cache/monkeysphere/USER -User keys cache directories. +/var/cache/monkeysphere/authorized_keys/USER +User authorized_keys file. .SH AUTHOR -- cgit v1.2.3 From ac63e6d6a916e4b51a183e60d7aeae3c2568f3af Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 14:39:13 -0400 Subject: Fix small bug in man page. --- man/man1/monkeysphere.1 | 1 - 1 file changed, 1 deletion(-) (limited to 'man/man1/monkeysphere.1') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 8d89071..a5b422c 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -100,7 +100,6 @@ addition to the authorized_keys file. .TP ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. -.TP .SH AUTHOR -- cgit v1.2.3