SKS Keyserver (Linux)
Current revision as of 21 January 2017, 19:45
{{note|Work in progress.}}
== Installation ==
Run the following commands as user ''root'':
<pre>
sudo -s
</pre>
Install the package:
<pre>
apt-get install sks
</pre>
== Configuration ==
Stop the SKS daemon before changing any configuration:
<pre>
service sks stop
</pre>
Initialise the database as user ''debian-sks'':
<pre>
su debian-sks -c '/usr/sbin/sks build'
</pre>
We run the server ''standalone'', so all communication channels to other servers are disabled (back up the original files first):
<pre>
mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
</pre>
=== Edit ''/etc/default/sks'' ===
Start the service automatically at boot; to do so, edit ''/etc/default/sks''
<pre>
vi /etc/default/sks
</pre>
and adjust the following line:
<pre>
initstart=yes
</pre>
=== Edit ''/etc/sks/sksconf'' ===
<pre>
vi /etc/sks/sksconf
</pre>
<pre>
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize: 16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize: 16
</pre>
Once all configuration changes are done, start the SKS daemon again:
<pre>
service sks start
</pre>
Then switch back to the normal user:
<pre>
exit
</pre>
=== Edit ''/etc/sks/mailsync'' ===
<pre>
sudo vi /etc/sks/mailsync
</pre>
Add the mail address of the receiving SKS server:
<pre>
# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>
</pre>
== Initial database ==
{{note|Not used at the moment; the server was started with an empty database.}}
=== Links ===
== Configuration ==
=== Customising the web interface ===
<pre>
sudo vi /var/lib/sks/www/index.html
</pre>
== Apache ==
=== HKP ===
<pre>
cd /etc/apache2/sites-available
sudo vi pgp.conf
</pre>
<pre>
<VirtualHost *:80>
    ServerName pgp.kirner.or.at
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</pre>
<pre>
sudo a2ensite pgp.conf
sudo service apache2 reload
</pre>
=== HKPS ===
For the SSL certificate see the following link: [[SSL_Zertifikat]]
<pre>
cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf
</pre>
<pre>
<VirtualHost *:443>
    ServerName pgp.kirner.or.at
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</pre>
<pre>
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload
</pre>
== Mail interface ==
Path to ''sks_add_mail'':
<pre>
dpkg-query -L sks | grep sks_add_mail
</pre>
<pre>
/usr/lib/sks/sks_add_mail
</pre>
<pre>
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/
</pre>
=== Service ===
<pre>
sudo vi /etc/postfix/master.cf
</pre>
<pre>
sksserver unix - n n - - pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/
</pre>
=== Alias entry ===
<pre>
INSERT INTO alias (address, goto, domain, created, modified, active)
values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);
</pre>
=== Relay domain ===
<pre>
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)
values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);
</pre>
=== Restart Postfix ===
<pre>
sudo service postfix restart
</pre>
=== Links ===
http://pgp.mit.edu/emailhelp.html
http://www.postfix.org/pipe.8.html
== Ports ==
{| class="wikitable"
! style="text-align:left;"| Name
! style="text-align:left;"| Port
! style="text-align:left;"| Protocol
! style="text-align:left;"| Comment
|-
| Recon
| style="text-align:center;"| 11370
|
| Synchronisation between key servers
|-
| HKP
| style="text-align:center;"| 11371
| TCP
|
|-
| HKP
| style="text-align:center;"| 80
|
|
|-
| HKPS
| style="text-align:center;"| 443
|
|
|}
== Testing ==
To create a key, see [[GnuPG (Linux)|GnuPG]]
=== Directly via the port ===
<pre>
http://<server>:11371/
</pre>
=== Send a key ===
<pre>
gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
=== Receive a key ===
<pre>
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
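Behind ''gpg --send-key'' and ''gpg --recv-key'' is a plain HTTP exchange with the HKP endpoints the server (and the Apache proxy in front of it) exposes: a form POST of the armoured key to ''/pks/add'' and a GET on ''/pks/lookup''. The Python helpers below are an added example for this page, not code from SKS or from this wiki; they build those two requests and parse the colon-separated index the server returns for ''op=index&options=mr'' (the machine-readable format from the HKP draft, not anything specific to this installation). The server name pgp.example.org, the key IDs and the key block are constructed placeholders; the functions take the server name and port as parameters so the same code talks to the HKPS virtual host on 443.

```python
"""Minimal helpers for the HKP exchange behind gpg --send-key / --recv-key.

Added example for this page; not part of SKS or of this wiki.  Server
names, key IDs and the key block below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlencode

HKP_PORT = 11371  # default hkp_port in /etc/sks/sksconf
_HEX = set("0123456789abcdefABCDEF")


def lookup_url(server: str, search: str, op: str = "get",
               port: int = HKP_PORT, scheme: str = "http") -> str:
    """Build the /pks/lookup URL.

    op='get' is what --recv-key uses; 'index' and 'vindex' list keys.
    options=mr requests the colon-separated machine-readable output.
    A bare hex key ID (8+ hex digits) gets a 0x prefix so the server
    searches by ID rather than by user-ID text.  scheme='https' with
    port 443 goes through the HKPS virtual host.
    """
    if op not in ("get", "index", "vindex"):
        raise ValueError("unknown HKP op: %r" % op)
    if len(search) >= 8 and set(search) <= _HEX and not search.startswith("0x"):
        search = "0x" + search
    query = urlencode({"op": op, "search": search, "options": "mr"})
    return "%s://%s:%d/pks/lookup?%s" % (scheme, server, port, query)


def add_request(server: str, armored_key: str,
                port: int = HKP_PORT, scheme: str = "http") -> Tuple[str, str]:
    """Return (url, body) for submitting a key: a form POST to /pks/add
    whose only field is keytext=<armoured public key block>."""
    if "-----BEGIN PGP PUBLIC KEY BLOCK-----" not in armored_key:
        raise ValueError("expected an ASCII-armoured public key block")
    url = "%s://%s:%d/pks/add" % (scheme, server, port)
    return url, urlencode({"keytext": armored_key})


@dataclass
class KeyEntry:
    """One 'pub' record of a machine-readable index plus its user IDs."""
    keyid: str
    algo: int
    keylen: int
    created: int
    expires: Optional[int]
    flags: str                      # r = revoked, d = disabled, e = expired
    uids: List[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return not any(f in self.flags for f in "rde")


def parse_mr_index(text: str) -> List[KeyEntry]:
    """Parse options=mr output:
         info:<version>:<count>
         pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
         uid:<percent-escaped uid>:<created>:<expires>:<flags>
    Malformed lines are skipped rather than raising: the reply is
    untrusted input from the network."""
    keys: List[KeyEntry] = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if parts[0] == "pub" and len(parts) >= 7:
            try:
                keys.append(KeyEntry(
                    keyid=parts[1],
                    algo=int(parts[2] or 0),
                    keylen=int(parts[3] or 0),
                    created=int(parts[4] or 0),
                    expires=int(parts[5]) if parts[5] else None,
                    flags=parts[6]))
            except ValueError:
                continue
        elif parts[0] == "uid" and len(parts) >= 5 and keys:
            # uid text is percent-escaped; rejoin in case it held a ':'
            keys[-1].uids.append(unquote(":".join(parts[1:-3])))
    return keys


# constructed sample reply for op=index&options=mr (two keys, one revoked)
SAMPLE_MR_INDEX = """info:1:2
pub:1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD:1:2048:1483228800::
uid:Example%20User%20%3Cuser%40example.org%3E:1483228800::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:4096:1400000000:1500000000:r
uid:Revoked%20Key%20%3Cold%40example.org%3E:1400000000::
"""

# constructed placeholder; a real block carries base64 key packets
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
              "mQENBFh...placeholder...\n"
              "-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    print(lookup_url("pgp.example.org", "1234ABCD"))
    print(add_request("pgp.example.org", SAMPLE_KEY)[0])
    for k in parse_mr_index(SAMPLE_MR_INDEX):
        print(k.keyid, "usable" if k.usable else "flags=" + k.flags, k.uids)
```

Running the module prints the URL ''gpg --recv-key'' would fetch, the ''/pks/add'' URL a send goes to, and the two parsed entries, the second marked revoked by its ''r'' flag. Pointing the functions at the real host with ''scheme="https", port=443'' exercises the HKPS virtual host instead of the bare 11371 port.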
== Deleting a key ==
Deleting a key requires its hash key.
The hash key can be displayed by appending ''&hash=on'' to the URL:
<pre>
http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on
</pre>
The key can then be deleted as follows:
<pre>
sudo sks drop <hash key>
</pre>
== Links ==
http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU
http://keyserver.mattrude.com/guides/building-server/
https://roll.urown.net/server/pgp-keyserver.html
https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks
https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver
Back to [[Ubuntu]]