SKS Keyserver (Linux): Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
 
(31 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 33: Zeile 33:
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
</pre>
</pre>
=== ''/etc/default/sks'' anpassen ===


Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
Service beim Hochfahren automatisch starten - dazu ''/etc/default/sks'' editieren
Zeile 44: Zeile 46:
</pre>
</pre>


Konfigurationsfile anpassen:
=== ''/etc/sks/sksconf'' anpassen ===
 
<pre>
<pre>
vi /etc/sks/sksconf
vi /etc/sks/sksconf
Zeile 57: Zeile 60:
# Set server hostname
# Set server hostname
#hostname: this.server.fdqn
#hostname: this.server.fdqn
hostname: pgp.<domain>


# Set recon binding address
# Set recon binding address
Zeile 71: Zeile 75:


# Have the HKP interface listen on port 80, as well as the hkp_port
# Have the HKP interface listen on port 80, as well as the hkp_port
# use_port_80:
#use_port_80:


# From address used in synchronization emails used to communicate with PKS
# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"


# Command used for sending mail (you can use -f option to specify the
# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi
sendmail_cmd: /usr/lib/sendmail -t -oi


# Runs database statistics calculation on boot (time and cpu expensive)
# Runs database statistics calculation on boot (time and cpu expensive)
Zeile 101: Zeile 106:
exit
exit
</pre>
</pre>
=== ''/etc/sks/mailsync'' anpassen ===
<pre>
sudo vi /etc/sks/mailsync
</pre>
Mailadresse von empfangenden SKS-Server hinzufügen:
<pre>
# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>
</pre>
== Initial-Datenbank ==
{{note|Momentan nicht verwendet - Server mit leerer Datenbank gestartet.}}
=== Links ===
[http://keys.niif.hu/keydump/ http://keys.niif.hu/keydump/]


== Konfiguration ==
== Konfiguration ==
Zeile 116: Zeile 153:
<pre>
<pre>
cd /etc/apache2/sites-available
cd /etc/apache2/sites-available
sudo vi gpg.conf
sudo vi pgp.conf
</pre>
</pre>


<pre>
<pre>
<VirtualHost *:80>
<VirtualHost *:80>
     ServerName gpg.kirner.or.at
     ServerName pgp.kirner.or.at


     ProxyPreserveHost On
     ProxyPreserveHost On
Zeile 130: Zeile 167:
     ProxyPassReverse / http://127.0.0.1:11371/
     ProxyPassReverse / http://127.0.0.1:11371/


     ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
     ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
     CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
     CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>


<pre>
<pre>
sudo a2ensite gpg.conf
sudo a2ensite pgp.conf
sudo service apache2 reload
sudo service apache2 reload
</pre>
</pre>
Zeile 146: Zeile 183:
<pre>
<pre>
cd /etc/apache2/sites-available
cd /etc/apache2/sites-available
sudo vi gpg-ssl.conf
sudo vi pgp-ssl.conf
</pre>
</pre>


<pre>
<pre>
<VirtualHost *:443>
<VirtualHost *:443>
     ServerName gpg.kirner.or.at
     ServerName pgp.kirner.or.at


     SSLEngine on
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/gpg.crt
     SSLCertificateFile /etc/ssl/certs/pgp.crt
     SSLCertificateKeyFile /etc/ssl/private/apache.key
     SSLCertificateKeyFile /etc/ssl/private/apache.key


Zeile 164: Zeile 201:
     ProxyPassReverse / http://127.0.0.1:11371/
     ProxyPassReverse / http://127.0.0.1:11371/


     ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
     ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
     CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
     CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>


<pre>
<pre>
sudo a2ensite gpg-ssl.conf
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload
sudo service apache2 reload
</pre>
</pre>
Zeile 189: Zeile 226:
</pre>
</pre>


=== Service ===
<pre>
sudo vi /etc/postfix/master.cf
</pre>
<pre>
sksserver      unix    -      n      n      -      -      pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/
</pre>
=== Alias Eintrag ===
<pre>
INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);
</pre>


=== Relay-Domain ===
=== Relay-Domain ===
<pre>
<pre>
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
             values ('gpg.kirner.or.at', 'gpg', 100, 100, 100, 2048, 'relay', 0, CURDATE(), CURDATE(), 1);
             values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);
</pre>
 
=== Postfix neustarten ===
 
<pre>
sudo service postfix restart
</pre>
</pre>


Zeile 199: Zeile 258:


[http://pgp.mit.edu/emailhelp.html http://pgp.mit.edu/emailhelp.html]
[http://pgp.mit.edu/emailhelp.html http://pgp.mit.edu/emailhelp.html]
[http://www.postfix.org/pipe.8.html http://www.postfix.org/pipe.8.html]


== Ports ==
== Ports ==
Zeile 249: Zeile 310:
<pre>
<pre>
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
</pre>
== Schlüssel löschen ==
Die Löschung eines Schlüssels erfordert die Angabe des dazugehörigen Hash-Schlüssels.
Den Hash-Schlüssel kann man sich durch hinzufügen von ''&hash=on'' in der URL anzeigen lassen:
<pre>
http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on
</pre>
Danach kann der Schlüssel folgendermaßen gelöscht werden:
<pre>
sudo sks drop <hash key>
</pre>
</pre>



Aktuelle Version vom 21. Januar 2017, 19:45 Uhr

Noch in Bearbeitung


Installation

Die folgenden Befehle als Benutzer root ausführen:

sudo -s

Paket installieren:

apt-get install sks

Konfiguration

Vor Änderungen der Konfigurationen den SKS-Dämon stoppen:

service sks stop

Datenbank als Benutzer debian-sks initialisieren:

su debian-sks -c '/usr/sbin/sks build'

Wir verwenden den Server Standalone - dazu alle Kommunciationskanäle zu anderen Servern deaktivieren (vorher noch die Originaldateien sichern):

mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership

/etc/default/sks anpassen

Service beim Hochfahren automatisch starten - dazu /etc/default/sks editieren

vi /etc/default/sks

und folgende Zeile anpassen:

initstart=yes

/etc/sks/sksconf anpassen

vi /etc/sks/sksconf
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

Nach Abschluss aller Konfigurationen den SKS-Dämon wieder starten:

service sks start

Danach kann wieder zum normalen Benutzer zurück gewechselt werden:

exit

/etc/sks/mailsync anpassen

sudo vi /etc/sks/mailsync

Mailadresse von empfangenden SKS-Server hinzufügen:

# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>

Initial-Datenbank

Momentan nicht verwendet - Server mit leerer Datenbank gestartet.

Links

http://keys.niif.hu/keydump/

Konfiguration

Anpassen des Webinterfaces

sudo vi /var/lib/sks/www/index.html

Apache

HKP

cd /etc/apache2/sites-available
sudo vi pgp.conf
<VirtualHost *:80>
    ServerName pgp.kirner.or.at

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp.conf
sudo service apache2 reload

HKPS

Bezüglich SSL-Zertifikat siehe folgenden Link: SSL_Zertifikat

cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf
<VirtualHost *:443>
    ServerName pgp.kirner.or.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload

Mailinterface

Pfad zu sks_add_mail:

dpkg-query -L sks | grep sks_add_mail
/usr/lib/sks/sks_add_mail
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/

Service

sudo vi /etc/postfix/master.cf
sksserver       unix    -       n       n       -       -       pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/

Alias Eintrag

INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);

Relay-Domain

INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active) 
            values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);

Postfix neustarten

sudo service postfix restart

Links

http://pgp.mit.edu/emailhelp.html

http://www.postfix.org/pipe.8.html

Ports

Bezeichnung Port Protokoll Kommentar
Recon 11370 Zur Synchronisation zwischen Key-Servern
HKP 11371 TCP
HKP 80
HKPS 443

Testen

Schlüssel erstellen siehe GnuPG

direkt über den Port

http://<server>:11371/

Schlüssel senden

gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD

Schlüssel empfangen

gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD

Schlüssel löschen

Die Löschung eines Schlüssels erfordert die Angabe des dazugehörigen Hash-Schlüssels.

Den Hash-Schlüssel kann man sich durch hinzufügen von &hash=on in der URL anzeigen lassen:

http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on

Danach kann der Schlüssel folgendermaßen gelöscht werden:

sudo sks drop <hash key>

Links

https://njh.eu/keyserver

http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU

http://keyserver.mattrude.com/guides/building-server/

https://roll.urown.net/server/pgp-keyserver.html

https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks

https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver


Zurück zu Ubuntu