summaryrefslogtreecommitdiff
path: root/man/man1/monkeysphere-ssh-proxycommand.1
blob: 9aad23205de7a01161c4941449f0ba2c02f56232 (plain)
  1. .TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands"
  2. .SH NAME
  3. monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script
  4. .SH DESCRIPTION
  5. \fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used
  6. to trigger a monkeysphere update of the ssh known_hosts file for a
  7. host that is being connected to with ssh. This works by updating the
  8. known_hosts file for the host first, before an attempted connection to
  9. the host is made. Once the known_hosts file has been updated, a TCP
  10. connection to the host is made by exec'ing netcat(1). Regular ssh
  11. communication is then done over this netcat TCP connection (see
  12. ProxyCommand in ssh_config(5) for more info).
  13. This command is meant to be run as the ssh "ProxyCommand". This can
  14. either be done by specifying the proxy command on the command line:
  15. .B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ...
  16. or by adding the following line to your ~/.ssh/config script:
  17. .B ProxyCommand monkeysphere-ssh-proxycommand %h %p
  18. The script can easily be incorporated into other ProxyCommand scripts
  19. by calling it with the "--no-connect" option, i.e.:
  20. .B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT"
  21. This will run everything except the final exec of netcat to make the
  22. TCP connection to the host. In this way this command can be added to
  23. another proxy command that does other stuff, and then makes the
  24. connection to the host itself.
  25. .SH KEYSERVER CHECKING
  26. The proxy command has a fairly nuanced policy for when keyservers are
  27. queried when processing host. If the host userID is not found in
  28. either the user's keyring or in the known_hosts file, then the
  29. keyserver is queried for the host userID. If the host userID is found
  30. in the user's keyring, then the keyserver is not checked. This
  31. assumes that the keyring is kept up-to-date, in a cronjob or the like,
  32. so that revocations are properly handled. If the host userID is not
  33. found in the user's keyring, but the host is listed in the known_hosts
  34. file, then the keyserver is not checked. This last policy might
  35. change in the future, possibly by adding a deferred check, so that
  36. hosts that go from non-monkeysphere-enabled to monkeysphere-enabled
  37. will be properly checked.
  38. .SH ENVIRONMENT VARIABLES
  39. All environment variables defined in monkeysphere(1) can also be used
  40. for the proxy command, with one note:
  41. .TP
  42. MONKEYSPHERE_CHECK_KEYSERVER
  43. Setting this variable (to `true' or `false') will override the policy
  44. defined in KEYSERVER CHECKING above.
  45. .SH AUTHOR
  46. Written by Jameson Rollins <jrollins@fifthhorseman.net>
  47. .SH SEE ALSO
  48. .BR monkeysphere (1),
  49. .BR ssh (1),
  50. .BR ssh_config (5),
  51. .BR netcat (1),
  52. .BR gpg (1)