path: root/doc/README
blob: 90345193414da1fa4c6306e0fa48068cd634a347 (plain)
Monkeysphere README
===================

Default file locations (by variable):

    MS_HOME=~/.config/monkeysphere
    MS_CONF=$MS_HOME/monkeysphere.conf
    AUTH_HOST_FILE=$MS_HOME/auth_host_ids
    AUTH_USER_FILE=$MS_HOME/auth_user_ids
    GNUPGHOME=~/.gnupg
    STAGING_AREA=$MS_HOME
    $STAGING_AREA/host_keys/KEYHASH
    $STAGING_AREA/known_hosts
    $STAGING_AREA/user_keys/KEYHASH
    $STAGING_AREA/authorized_keys

user usage
----------

For a user to update their ms known_hosts file:

    $ rhesus --known_hosts

For a user to update their ms authorized_keys file:

    $ rhesus --authorized_keys

server service publication
--------------------------

To publish a server host key use the "howler" component:

    # howler gen-key
    # howler publish-key

This will generate the key for the server with the service URI
(ssh://server.hostname). The server admin should now sign the server
key so that people in the admin's web of trust can authenticate the
server without manual host key checking:

    $ gpg --search ='ssh://server.hostname'
    $ gpg --sign-key 'ssh://server.hostname'

server authorized_keys maintenance
----------------------------------
A system can maintain ms authorized_keys files for its users. Some
additional variables need to be defined to help manage this. This is
done by first defining a new MS_HOME:

    MS_HOME=/etc/monkeysphere

This directory would then have a monkeysphere.conf which defines the
following variables:

    AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER"
    STAGING_AREA=/var/lib/monkeysphere/stage/$USER
    GNUPGHOME=$MS_HOME/gnupg
For each user account on the server, the user IDs of the people
authorized to log into that account would be placed in the
AUTH_USER_FILE for that user. However, in order for users to become
authenticated, the server must determine that the user keys have "full"
validity. This means that the server must fully trust at least one
person whose signature on the connecting user's key would validate the
user. This would generally be the server admin. If the server admin's
user ID is

    "Alice <alice@foo.com>"

then the server would run:

    # howler trust-uids "Alice <alice@foo.com>"

To update the ms authorized_keys file for user "bob", the system would
then run the following:

    # USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys
To update the ms authorized_keys file for all users on the system
(MS_HOME and USER are exported so that rhesus sees them in its
environment):

    export MS_HOME=/etc/monkeysphere
    for userdir in /etc/monkeysphere/auth_user_ids/* ; do
        USER=$(basename "$userdir") rhesus --authorized_keys
    done
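The validity check described above, as an added example that is not Monkeysphere's own code: it reads `gpg --with-colons --list-keys` output from the server's GNUPGHOME and reports which user IDs named in an AUTH_USER_FILE currently have "full" (or ultimate) validity and so may be admitted to the authorized_keys file. It assumes one user ID per line in the AUTH_USER_FILE; the file contents and the keyring listing below are constructed samples, not real gpg output.

```python
# Added example: which AUTH_USER_FILE entries have full validity in the server keyring?
FULL_VALIDITY = {"f", "u"}          # gpg colon field 2: f = full, u = ultimate
DEAD_KEY_STATES = {"r", "e", "d"}   # revoked, expired, disabled pub records

def parse_colon_listing(listing):
    """Map each user ID to its validity letter, honouring dead pub records."""
    validity = {}
    key_state = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_state = f[1]
        elif f[0] == "uid" and len(f) > 9:
            uid = f[9].replace("\\x3a", ":")          # gpg escapes ':' in user IDs
            validity[uid] = key_state if key_state in DEAD_KEY_STATES else f[1]
    return validity

def authorized_uids(auth_user_file_text, listing):
    """Return (accepted, rejected); rejected maps uid -> validity letter, '?' if absent."""
    validity = parse_colon_listing(listing)
    accepted, rejected = [], {}
    for raw in auth_user_file_text.splitlines():
        uid = raw.strip()
        if not uid or uid.startswith("#"):
            continue
        v = validity.get(uid)
        if v in FULL_VALIDITY:
            accepted.append(uid)
        else:
            rejected[uid] = v or "?"     # '?' = not in the keyring at all
    return accepted, rejected

# Constructed sample: bob's AUTH_USER_FILE and the server keyring listing.
AUTH_USER_FILE_BOB = """\
# people allowed to log in as bob
Alice <alice@foo.com>
Carol <carol@example.com>
Dave <dave@example.com>
Eve <eve@example.com>
"""
LISTING = """\
tru::1:1700000000:0:3:1:5
pub:f:2048:1:0123456789ABCDEF:1690000000::f:::scESC:
uid:f::::1690000000::AAAA::Alice <alice@foo.com>::::::::::0:
pub:-:2048:1:FEDCBA9876543210:1690000000::-:::scESC:
uid:-::::1690000000::BBBB::Carol <carol@example.com>::::::::::0:
pub:e:2048:1:1111222233334444:1600000000:1650000000:f:::scESC:
uid:e::::1600000000::CCCC::Dave <dave@example.com>::::::::::0:
"""
```

Only Alice, whose key the admin's trust-uids step validated, is accepted; Carol's unsigned key, Dave's expired key and Eve's missing key are each rejected with the reason letter.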