SKS Keyserver (Linux): Difference between revisions

 
(32 intermediate revisions by the same user are not shown)
Zeile 33: Zeile 33:
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
</pre>
</pre>
=== ''/etc/default/sks'' anpassen ===


Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
Zeile 44: Zeile 46:
</pre>
</pre>


Konfigurationsfile anpassen:
=== ''/etc/sks/sksconf'' anpassen ===
 
<pre>
<pre>
vi /etc/sks/sksconf
vi /etc/sks/sksconf
Zeile 57: Zeile 60:
# Set server hostname
# Set server hostname
#hostname: this.server.fdqn
#hostname: this.server.fdqn
hostname: pgp.<domain>


# Set recon binding address
# Set recon binding address
Zeile 71: Zeile 75:


# Have the HKP interface listen on port 80, as well as the hkp_port
# Have the HKP interface listen on port 80, as well as the hkp_port
# use_port_80:
#use_port_80:


# From address used in synchronization emails used to communicate with PKS
# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"


# Command used for sending mail (you can use -f option to specify the
# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi
sendmail_cmd: /usr/lib/sendmail -t -oi


# Runs database statistics calculation on boot (time and cpu expensive)
# Runs database statistics calculation on boot (time and cpu expensive)
Zeile 101: Zeile 106:
exit
exit
</pre>
</pre>
=== ''/etc/sks/mailsync'' anpassen ===
<pre>
sudo vi /etc/sks/mailsync
</pre>
Mailadresse von empfangenden SKS-Server hinzufügen:
<pre>
# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>
</pre>
== Initial-Datenbank ==
{{note|Momentan nicht verwendet - Server mit leerer Datenbank gestartet.}}
=== Links ===
[http://keys.niif.hu/keydump/ http://keys.niif.hu/keydump/]


== Konfiguration ==
== Konfiguration ==
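Review bot: The new /etc/sks/mailsync section ends with the active entry pgp-public-keys@<domain>, which contradicts the standalone step earlier on the page, where mailsync is replaced by a single comment line so that the server does not communicate with other keyservers. State which of the two is intended: if mail synchronisation is wanted, remove the mailsync lines from the standalone step; if not, leave this file without active entries.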
Zeile 116: Zeile 153:
<pre>
<pre>
cd /etc/apache2/sites-available
cd /etc/apache2/sites-available
sudo vi gpg.conf
sudo vi pgp.conf
</pre>
</pre>


<pre>
<pre>
<VirtualHost *:80>
<VirtualHost *:80>
     ServerName gpg.kirner.or.at
     ServerName pgp.kirner.or.at


     ProxyPreserveHost On
     ProxyPreserveHost On
Zeile 130: Zeile 167:
     ProxyPassReverse / http://127.0.0.1:11371/
     ProxyPassReverse / http://127.0.0.1:11371/


     ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
     ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
     CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
     CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>


<pre>
<pre>
sudo a2ensite gpg.conf
sudo a2ensite pgp.conf
sudo service apache2 reload
sudo service apache2 reload
</pre>
</pre>
Zeile 146: Zeile 183:
<pre>
<pre>
cd /etc/apache2/sites-available
cd /etc/apache2/sites-available
sudo vi gpg-ssl.conf
sudo vi pgp-ssl.conf
</pre>
</pre>


<pre>
<pre>
<VirtualHost *:443>
<VirtualHost *:443>
     ServerName gpg.kirner.or.at
     ServerName pgp.kirner.or.at


     SSLEngine on
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/gpg.crt
     SSLCertificateFile /etc/ssl/certs/pgp.crt
     SSLCertificateKeyFile /etc/ssl/private/apache.key
     SSLCertificateKeyFile /etc/ssl/private/apache.key


Zeile 164: Zeile 201:
     ProxyPassReverse / http://127.0.0.1:11371/
     ProxyPassReverse / http://127.0.0.1:11371/


     ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
     ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
     CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
     CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>


<pre>
<pre>
sudo a2ensite gpg-ssl.conf
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload
sudo service apache2 reload
</pre>
</pre>
Zeile 188: Zeile 225:
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/
</pre>
</pre>
=== Service ===
<pre>
sudo vi /etc/postfix/master.cf
</pre>
<pre>
sksserver      unix    -      n      n      -      -      pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/
</pre>
=== Alias Eintrag ===


<pre>
INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);
</pre>
=== Relay-Domain ===
<pre>
<pre>
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
             values ('gpg.kirner.or.at', 'gpg', 100, 100, 100, 2048, 'relay', 0, CURDATE(), CURDATE(), 1);
             values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);
</pre>
 
=== Postfix neustarten ===
 
<pre>
sudo service postfix restart
</pre>
</pre>
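Review bot: The new master.cf entry passes /var/spool/sks/ to sks_add_mail in argv, while the manual invocation kept as context at the top of this hunk passes /var/lib/sks/. Make the two directories agree, or add a sentence explaining why the pipe transport uses a different one.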


Zeile 197: Zeile 258:


[http://pgp.mit.edu/emailhelp.html http://pgp.mit.edu/emailhelp.html]
[http://pgp.mit.edu/emailhelp.html http://pgp.mit.edu/emailhelp.html]
[http://www.postfix.org/pipe.8.html http://www.postfix.org/pipe.8.html]


== Ports ==
== Ports ==
Zeile 247: Zeile 310:
<pre>
<pre>
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
== Schlüssel löschen ==
Die Löschung eines Schlüssels erfordert die Angabe des dazugehörigen Hash-Schlüssels.
Den Hash-Schlüssel kann man sich durch hinzufügen von ''&hash=on'' in der URL anzeigen lassen:
<pre>
http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on
</pre>
Danach kann der Schlüssel folgendermaßen gelöscht werden:
<pre>
sudo sks drop <hash key>
</pre>
</pre>
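Review bot: The test command kept as context at the top of this hunk still uses --keyserver gpg.kirner.or.at, although the Apache hunks of this revision rename the host to pgp.kirner.or.at. Update the send and receive examples to the new name so the test section matches the configured virtual hosts.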



Latest revision as of 21 January 2017, 19:45

Still being edited


Installation

Run the following commands as root:

sudo -s

Install the package:

apt-get install sks

Configuration

Stop the SKS daemon before changing the configuration:

service sks stop

Initialise the database as user debian-sks:

su debian-sks -c '/usr/sbin/sks build'

We run the server standalone; to do so, disable all communication channels to other servers (back up the original files first):

mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership

Adjust /etc/default/sks

Start the service automatically at boot by editing /etc/default/sks

vi /etc/default/sks

and change the following line:

initstart=yes

Adjust /etc/sks/sksconf

vi /etc/sks/sksconf

# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

After completing all configuration changes, start the SKS daemon again:

service sks start

Afterwards you can switch back to the normal user:

exit

Adjust /etc/sks/mailsync

sudo vi /etc/sks/mailsync

Add the mail address of the receiving SKS server:

# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>
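
An added check, not part of the original page: it lists the entries in mailsync and membership that SKS will act on, using the comment rules quoted in the file header above, so you can confirm whether the server is still standalone after editing. The function names are hypothetical, and applying the same comment rule to membership is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page).

# active_entries FILE
# Print the lines of FILE that count as entries: everything except empty
# lines, whitespace-only lines, and lines whose first non-whitespace
# character is '#'. A missing or unreadable file yields no entries.
active_entries() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# is_standalone [DIR]
# Succeed only if neither DIR/mailsync nor DIR/membership holds an
# active entry. DIR defaults to /etc/sks, the path used on this page.
is_standalone() {
    dir=${1:-/etc/sks}
    rc=0
    for f in mailsync membership; do
        entries=$(active_entries "$dir/$f")
        if [ -n "$entries" ]; then
            # Report which file still names a peer, and which peer.
            printf '%s has active entries:\n%s\n' "$dir/$f" "$entries" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Source the file and run `is_standalone /etc/sks`; a non-zero exit status means at least one peer or mail-sync address is still configured.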

Initial database

Currently not used; the server was started with an empty database.

Links

http://keys.niif.hu/keydump/

Configuration

Customising the web interface

sudo vi /var/lib/sks/www/index.html

Apache

HKP

cd /etc/apache2/sites-available
sudo vi pgp.conf

<VirtualHost *:80>
    ServerName pgp.kirner.or.at

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>

sudo a2ensite pgp.conf
sudo service apache2 reload

HKPS

For the SSL certificate, see the following link: SSL_Zertifikat

cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf

<VirtualHost *:443>
    ServerName pgp.kirner.or.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>

sudo a2ensite pgp-ssl.conf
sudo service apache2 reload

Mail interface

Path to sks_add_mail:

dpkg-query -L sks | grep sks_add_mail
/usr/lib/sks/sks_add_mail
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/

Service

sudo vi /etc/postfix/master.cf

sksserver       unix    -       n       n       -       -       pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/

Alias entry

INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);

Relay domain

INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active) 
            values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);

Restart Postfix

sudo service postfix restart

Links

http://pgp.mit.edu/emailhelp.html

http://www.postfix.org/pipe.8.html

Ports

Name    Port    Protocol   Comment
Recon   11370              For synchronisation between key servers
HKP     11371   TCP
HKP     80
HKPS    443

Testing

To create a key, see GnuPG

Directly via the port

http://<server>:11371/

Send a key

gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD

Receive a key

gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD

Delete a key

Deleting a key requires the corresponding hash key.

The hash key can be displayed by appending &hash=on to the URL:

http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on

The key can then be deleted as follows:

sudo sks drop <hash key>

Links

https://njh.eu/keyserver

http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU

http://keyserver.mattrude.com/guides/building-server/

https://roll.urown.net/server/pgp-keyserver.html

https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks

https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver

