Merge pull request #30 from keybase/david/update-network-arch-docs

ddworken · web-flow · commit d65a202626be · 2019-08-26T22:11:48.000-04:00
Update docs per issue 28
diff --git a/README.md b/README.md
@@ -84,6 +84,14 @@ kssh root@server                        # If in {TEAM}.ssh.root_everywhere
 
 We recommend building kssh yourself and distributing the binary among your team (perhaps in Keybase Files!). 
 
+# Network Architecture
+
+Since all communication between the kssh client and the SSH CA server happens over Keybase chat, it is possible (and recommended)
+to firewall off the SSH CA server so it cannot be reached from the general internet. Additionally, note that the SSH servers
+that trust the SSH CA do not need to communicate with Keybase's servers or with the CA server and thus it is also possible
+to firewall off the SSH servers from the general internet. Clients running kssh need to have Keybase running locally with
+a connection to Keybase's servers. 
+
 # OS Support
 
 It is recommended to run the server component of this bot on linux and running it in other environments is untested.
