summaryrefslogtreecommitdiff
path: root/doc/README.admin
blob: a644bbefb34ada670ed25b24214094652afb5f3a (plain) 
    

  1. Monkeysphere Server Administrator README
    2. 

  2. ========================================
    3. 

  3. 

  4. FIXME: distinguish between publishing a new monkeysphere-enabled host
    5. 

  5. key and accepting user identification via the web-of-trust.
    6. 

  6. 

  7. server service publication
    8. 

  8. --------------------------
    9. 

  9. To publish a server host key:
    10. 

  10. 

  11. # monkeysphere-server gen-key
    12. 

  12. # monkeysphere-server publish-key
    13. 

  13. 

  14. This will generate the key for server with the service URI
    15. 

  15. (ssh://server.hostname).  The server admin should now sign the server
    16. 

  16. key so that people in the admin's web of trust can authenticate the
    17. 

  17. server without manual host key checking:
    18. 

  18. 

  19. $ gpg --search ='ssh://server.hostname'
    20. 

  20. $ gpg --sign-key ='ssh://server.hostname'
    21. 

  21. 

  22. 

  23. Update OpenSSH configuration files
    24. 

  24. ----------------------------------
    25. 

  25. 

  26. To use the newly-generated host key for ssh connections, put the
    27. 

  27. following line in /etc/ssh/sshd_config (be sure to remove references
    28. 

  28. to any other key):
    29. 

  29. 

  30. HostKey /var/lib/monkeysphere/ssh_host_rsa_key
    31. 

  31. 

  32. FIXME: should we just suggest symlinks in the filesystem here instead?
    33. 

  33. 

  34. FIXME: What about DSA host keys?  The SSH RFC seems to require that DSA be available, though OpenSSH will work without a DSA host key.
    35. 

  35. 

  36. To enable users to use the monkeysphere to authenticate against the
    37. 

  37. web-of-trust, add this line to /etc/ssh/sshd_config (again, making
    38. 

  38. sure that no other AuthorizedKeysFile directive exists):
    39. 

  39. 

  40. AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
    41. 

  41. 

  42. 

  43. 

  44. MonkeySphere authorized_keys maintenance
    45. 

  45. ----------------------------------------
    46. 

  46. 

  47. A system can maintain monkeysphere authorized_keys files for it's
    48. 

  48. users.
    49. 

  49. 

  50. For each user account on the server, the userids of people authorized
    51. 

  51. to log into that account would be placed in:
    52. 

  52. 

  53.   ~/.config/monkeysphere/authorized_user_ids
    54. 

  54. 

  55. However, in order for users to become authenticated, the server must
    56. 

  56. determine that the user keys have "full" validity.  This means that
    57. 

  57. the server must fully trust at least one person whose signature on the
    58. 

  58. connecting user's key would validate the user.  This would generally be
    59. 

  59. the server admin.  If the server admin's keyid is XXXXXXXX, then on
    60. 

  60. the server run:
    61. 

  61. 

  62. # monkeysphere-server add-identity-certifier XXXXXXXX
    63. 

  63. 

  64. To update the monkeysphere authorized_keys file for user "bob", the
    65. 

  65. system would then run the following:
    66. 

  66. 

  67. # monkeysphere-server update-users bob
    68. 

  68. 

  69. To update the monkeysphere authorized_keys file for all users on the
    70. 

  70. the system, run the same command with no arguments:
    71. 

  71. 

  72. # monkeysphere-server update-users
    73. 

  73. 

  74. You probably want to set up a regularly scheduled job (e.g. with cron)
    75. 

  75. to take care of this regularly.
    76. 

  76. 

  77. FIXME: document other likely problems and troubleshooting techniques
    78.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 06:17:42 +0000