SKS Keyserver (Linux): Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
 
(71 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 3: Zeile 3:


== Installation ==
== Installation ==
Die folgenden Befehle als Benutzer ''root'' ausführen:
<pre>
sudo -s
</pre>


Paket installieren:
Paket installieren:
<pre>
<pre>
sudo apt-get install sks
apt-get install sks
</pre>
</pre>


Danach SKS-Dämon stoppen:
== Konfiguration ==
 
Vor Änderungen der Konfigurationen den SKS-Dämon stoppen:
<pre>
<pre>
sudo service sks stop
service sks stop
</pre>
</pre>


Zeile 19: Zeile 26:
</pre>
</pre>


Wir verwenden den Server ''Standalone'' - dazu alle Kommunciationskanäle zu anderen Servern deaktivieren (vorher noch die Originaldateien sichern):
<pre>
<pre>
sudo -s
mv /etc/sks/mailsync /etc/sks/mailsync_bak
mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
exit
</pre>
</pre>


=== ''/etc/default/sks'' anpassen ===


Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
<pre>
<pre>
sudo vi /etc/default/sks
vi /etc/default/sks
</pre>
</pre>


Zeile 38: Zeile 45:
initstart=yes
initstart=yes
</pre>
</pre>
=== ''/etc/sks/sksconf'' anpassen ===


<pre>
<pre>
sudo cp /etc/sks/sksconf /etc/sks/sksconf_bak
vi /etc/sks/sksconf
</pre>
</pre>


<pre>
<pre>
sudo -s
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.
 
# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>
 
# Set recon binding address
#recon_address: 0.0.0.0
 
# Set recon port number
#recon_port: 11370
 
# Set hkp binding address
#hkp_address: 0.0.0.0
 
# Set hkp port number
#hkp_port: 11371
 
# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:
 
# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"
 
# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi
 
# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:
 
# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16
</pre>


cat >/etc/sks/sksconf <<'EOF'
Nach Abschluss aller Konfigurationen den SKS-Dämon wieder starten:
pagesize: 16
<pre>
ptree_pagesize: 16
service sks start
EOF
</pre>


Danach kann wieder zum normalen Benutzer zurück gewechselt werden:
<pre>
exit
exit
</pre>
</pre>
=== ''/etc/sks/mailsync'' anpassen ===
<pre>
sudo vi /etc/sks/mailsync
</pre>
Mailadresse von empfangenden SKS-Server hinzufügen:
<pre>
# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>
</pre>
== Initial-Datenbank ==
{{note|Momentan nicht verwendet - Server mit leerer Datenbank gestartet.}}
=== Links ===
[http://keys.niif.hu/keydump/ http://keys.niif.hu/keydump/]
== Konfiguration ==
=== Anpassen des Webinterfaces ===


<pre>
<pre>
sudo service sks start
sudo vi /var/lib/sks/www/index.html
</pre>
</pre>


== Apache ==
== Apache ==
=== HKP ===


<pre>
<pre>
sudo vi gpg.conf
cd /etc/apache2/sites-available
sudo vi pgp.conf
</pre>
</pre>


<pre>
<pre>
<VirtualHost *:80>
<VirtualHost *:80>
     ServerName gpg.kirner.or.at
     ServerName pgp.kirner.or.at


     ProxyPreserveHost On
     ProxyPreserveHost On
Zeile 75: Zeile 167:
     ProxyPassReverse / http://127.0.0.1:11371/
     ProxyPassReverse / http://127.0.0.1:11371/


     ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
     ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
     CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
     CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>
<pre>
sudo a2ensite pgp.conf
sudo service apache2 reload
</pre>
=== HKPS ===
Bezüglich SSL-Zertifikat siehe folgenden Link: [[SSL_Zertifikat]]
<pre>
cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf
</pre>
<pre>
<VirtualHost *:443>
    ServerName pgp.kirner.or.at
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</pre>
<pre>
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload
</pre>
== Mailinterface ==
Pfad zu ''sks_add_mail'':
<pre>
dpkg-query -L sks | grep sks_add_mail
</pre>
<pre>
/usr/lib/sks/sks_add_mail
</pre>
<pre>
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/
</pre>
=== Service ===
<pre>
sudo vi /etc/postfix/master.cf
</pre>
<pre>
sksserver      unix    -      n      n      -      -      pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/
</pre>
=== Alias Eintrag ===
<pre>
INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);
</pre>
=== Relay-Domain ===
<pre>
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)
            values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);
</pre>
=== Postfix neustarten ===
<pre>
sudo service postfix restart
</pre>
=== Links ===
[http://pgp.mit.edu/emailhelp.html http://pgp.mit.edu/emailhelp.html]
[http://www.postfix.org/pipe.8.html http://www.postfix.org/pipe.8.html]


== Ports ==
== Ports ==
Zeile 84: Zeile 265:
{| class="wikitable"
{| class="wikitable"
! style="text-align:left;"| Bezeichnung
! style="text-align:left;"| Bezeichnung
! Port
! style="text-align:left;"| Port
! style="text-align:left;"| Protokoll
! style="text-align:left;"| Kommentar
|-
|Recon
|style="text-align:center;"|11370
|
| Zur Synchronisation zwischen Key-Servern
|-
|HKP
|style="text-align:center;"|11371
| TCP
|
|-
|-
|HPK
|HKP
|11371 / 80
|style="text-align:center;"|80
|
|
|-
|-
|HKPS
|HKPS
|443
|style="text-align:center;"|443
|
|
|}
|}


== Testen ==
== Testen ==
Schlüssel erstellen siehe [[GnuPG (Linux)|GnuPG]]
=== direkt über den Port ===


<pre>
<pre>
http://<server>:11371/
http://<server>:11371/
</pre>
=== Schlüssel senden ===
<pre>
gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
=== Schlüssel empfangen ===
<pre>
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
== Schlüssel löschen ==
Die Löschung eines Schlüssels erfordert die Angabe des dazugehörigen Hash-Schlüssels.
Den Hash-Schlüssel kann man sich durch hinzufügen von ''&hash=on'' in der URL anzeigen lassen:
<pre>
http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on
</pre>
Danach kann der Schlüssel folgendermaßen gelöscht werden:
<pre>
sudo sks drop <hash key>
</pre>
</pre>


Zeile 108: Zeile 335:


[https://roll.urown.net/server/pgp-keyserver.html https://roll.urown.net/server/pgp-keyserver.html]
[https://roll.urown.net/server/pgp-keyserver.html https://roll.urown.net/server/pgp-keyserver.html]
[https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks]
[https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver]




Zurück zu [[Ubuntu]]
Zurück zu [[Ubuntu]]

Aktuelle Version vom 21. Januar 2017, 19:45 Uhr

Noch in Bearbeitung


Installation

Die folgenden Befehle als Benutzer root ausführen:

sudo -s

Paket installieren:

apt-get install sks

Konfiguration

Vor Änderungen der Konfigurationen den SKS-Dämon stoppen:

service sks stop

Datenbank als Benutzer debian-sks initialisieren:

su debian-sks -c '/usr/sbin/sks build'

Wir verwenden den Server Standalone - dazu alle Kommunciationskanäle zu anderen Servern deaktivieren (vorher noch die Originaldateien sichern):

mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership

/etc/default/sks anpassen

Service beim Hochfahren automatisch starten - dazu /etc/default/sks editieren

vi /etc/default/sks

und folgende Zeile anpassen:

initstart=yes

/etc/sks/sksconf anpassen

vi /etc/sks/sksconf
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

Nach Abschluss aller Konfigurationen den SKS-Dämon wieder starten:

service sks start

Danach kann wieder zum normalen Benutzer zurück gewechselt werden:

exit

/etc/sks/mailsync anpassen

sudo vi /etc/sks/mailsync

Mailadresse von empfangenden SKS-Server hinzufügen:

# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>

Initial-Datenbank

Momentan nicht verwendet - Server mit leerer Datenbank gestartet.

Links

http://keys.niif.hu/keydump/

Konfiguration

Anpassen des Webinterfaces

sudo vi /var/lib/sks/www/index.html

Apache

HKP

cd /etc/apache2/sites-available
sudo vi pgp.conf
<VirtualHost *:80>
    ServerName pgp.kirner.or.at

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp.conf
sudo service apache2 reload

HKPS

Bezüglich SSL-Zertifikat siehe folgenden Link: SSL_Zertifikat

cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf
<VirtualHost *:443>
    ServerName pgp.kirner.or.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload

Mailinterface

Pfad zu sks_add_mail:

dpkg-query -L sks | grep sks_add_mail
/usr/lib/sks/sks_add_mail
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/

Service

sudo vi /etc/postfix/master.cf
sksserver       unix    -       n       n       -       -       pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/

Alias Eintrag

INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);

Relay-Domain

INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active) 
            values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);

Postfix neustarten

sudo service postfix restart

Links

http://pgp.mit.edu/emailhelp.html

http://www.postfix.org/pipe.8.html

Ports

Bezeichnung Port Protokoll Kommentar
Recon 11370 Zur Synchronisation zwischen Key-Servern
HKP 11371 TCP
HKP 80
HKPS 443

Testen

Schlüssel erstellen siehe GnuPG

direkt über den Port

http://<server>:11371/

Schlüssel senden

gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD

Schlüssel empfangen

gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD

Schlüssel löschen

Die Löschung eines Schlüssels erfordert die Angabe des dazugehörigen Hash-Schlüssels.

Den Hash-Schlüssel kann man sich durch hinzufügen von &hash=on in der URL anzeigen lassen:

http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on

Danach kann der Schlüssel folgendermaßen gelöscht werden:

sudo sks drop <hash key>

Links

https://njh.eu/keyserver

http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU

http://keyserver.mattrude.com/guides/building-server/

https://roll.urown.net/server/pgp-keyserver.html

https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks

https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver


Zurück zu Ubuntu