SKS Keyserver (Linux): Difference between revisions
Revision as of 30 December 2016, 15:20
Work in progress
Installation
Run the following commands as root:
sudo -s
Install the package:
apt-get install sks
Configuration
Stop the SKS daemon before changing the configuration:
service sks stop
Initialize the database as the debian-sks user:
su debian-sks -c '/usr/sbin/sks build'
We run the server standalone, so all communication channels to other keyservers are disabled by emptying the peer lists (back up the original files first):
mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
Start the service automatically at boot: edit /etc/default/sks
vi /etc/default/sks
and set the following line:
initstart=yes
Adjust the configuration file (the page keeps the packaged defaults; only the two page sizes are set explicitly):
vi /etc/sks/sksconf
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
# use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize: 16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize: 16
After all configuration changes, start the SKS daemon again:
service sks start
Then switch back to the normal user:
exit
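The standalone set-up above (empty peer lists, sksconf adjustments) as one script with a check function. This is an added example, not code from the wiki page or from the SKS project. It goes one step beyond the page: it also binds hkp_address and recon_address to 127.0.0.1, so that only the local Apache reverse proxy can reach SKS and neither 11371 nor the recon port 11370 has to accept connections from outside (the page leaves both at 0.0.0.0). The directory argument, the function names and the `apply` flag are my own; run it as root while sks is stopped. With loopback binding, the "directly via the port" test further down only works from the server itself.

```sh
#!/bin/sh
# Standalone SKS set-up (added example, not from the wiki page or from SKS).
# Paths are parameters so the functions can be exercised on a scratch copy;
# run with "apply /etc/sks" as root while sks is stopped (service sks stop).

# Replace a peer list (membership or mailsync) by an empty, commented file,
# keeping the original as <file>_bak the first time.
disable_peer_file() {
    f="$1"
    if [ -f "$f" ] && [ ! -f "${f}_bak" ]; then
        mv "$f" "${f}_bak"
    fi
    echo '# Empty - Do not communicate with other keyservers.' > "$f"
}

# Set "key: value" in sksconf, replacing an existing (possibly commented-out)
# line for that key or appending one.  No "sed -i": BSD and GNU sed differ.
set_sksconf() {
    conf="$1"; key="$2"; value="$3"
    if [ -f "$conf" ] && grep -q "^[# ]*${key}:" "$conf"; then
        sed "s|^[# ]*${key}:.*|${key}: ${value}|" "$conf" > "${conf}.tmp" \
            && mv "${conf}.tmp" "$conf"
    else
        printf '%s: %s\n' "$key" "$value" >> "$conf"
    fi
}

# Non-blank, non-comment lines of a peer list = peers that are still configured.
peer_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# Disable peering and bind both listeners to loopback: only the local Apache
# reverse proxy should reach HKP on 11371, and nobody needs recon on 11370.
# (Binding to 127.0.0.1 is this example's choice; the page leaves 0.0.0.0.)
configure_standalone() {
    etc="$1"
    disable_peer_file "$etc/membership"
    disable_peer_file "$etc/mailsync"
    set_sksconf "$etc/sksconf" hkp_address 127.0.0.1
    set_sksconf "$etc/sksconf" recon_address 127.0.0.1
}

# Exit 0 only if no peer is configured and HKP is bound to loopback;
# otherwise name what is wrong on stderr and exit 1.
verify_standalone() {
    etc="$1"; rc=0
    for f in membership mailsync; do
        n=$(peer_count "$etc/$f")
        if [ "$n" -ne 0 ]; then
            echo "$f: $n peer(s) still configured" >&2; rc=1
        fi
    done
    if ! grep -q '^hkp_address:[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$etc/sksconf" 2>/dev/null; then
        echo "sksconf: hkp_address is not bound to 127.0.0.1" >&2; rc=1
    fi
    return $rc
}

# Usage: sh sks-standalone.sh apply /etc/sks   (then: service sks start)
if [ "${1:-}" = "apply" ]; then
    configure_standalone "${2:-/etc/sks}" && verify_standalone "${2:-/etc/sks}"
fi
```

verify_standalone is worth keeping around: running it after any later edit of /etc/sks catches a peer list that was restored from the _bak copy by mistake, which would silently turn the standalone server into a gossiping one.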
Configuration
Customizing the web interface
sudo vi /var/lib/sks/www/index.html
Apache
HKP
cd /etc/apache2/sites-available
sudo vi gpg.conf
<VirtualHost *:80>
    ServerName gpg.kirner.or.at
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
</VirtualHost>
The ProxyPass directives need the proxy and proxy_http modules to be enabled in Apache; then enable the site and reload:
sudo a2ensite gpg.conf
sudo service apache2 reload
HKPS
For the SSL certificate see: SSL_Zertifikat. Clients that use hkps:// verify the certificate, so it has to be issued for gpg.kirner.or.at and chain to a CA the clients trust.
cd /etc/apache2/sites-available
sudo vi gpg-ssl.conf
<VirtualHost *:443>
    ServerName gpg.kirner.or.at
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/gpg.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
</VirtualHost>
SSLEngine additionally needs the ssl module to be enabled; then enable the site and reload:
sudo a2ensite gpg-ssl.conf
sudo service apache2 reload
Ports
| Name | Port | Protocol | Served by |
|---|---|---|---|
| HKP | 80 | TCP | Apache reverse proxy (gpg.conf) |
| HKP | 11371 | TCP | SKS directly |
| HKPS | 443 | TCP | Apache reverse proxy with TLS (gpg-ssl.conf) |
Testing
For creating a key see GnuPG
Directly via the SKS port
http://<server>:11371/
Send a key (a keyserver given without scheme or port is contacted over HKP on its default port 11371, i.e. SKS directly; to go through the Apache proxy use hkps://gpg.kirner.or.at or hkp://gpg.kirner.or.at:80 instead):
gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD
Receive a key
gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
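To exercise the HKP interface without going through gpg's keyserver configuration (for instance to see exactly what the proxy answers), the following shell helper builds the requests that --send-keys and --recv-keys issue. It is an added example, not code from the wiki page or from SKS; the endpoints are those of the HKP draft SKS implements (GET /pks/lookup with op=get or op=index, options=mr for machine-readable output, search=0x<id>; POST /pks/add with the armoured key in the keytext field). It refuses 32-bit key IDs such as 1234ABCD, because those are cheap to collide and a lookup by short ID may return an impostor's key; use the full fingerprint. Function names, the base-URL argument and the fingerprints in the comments are assumptions.

```sh
#!/bin/sh
# HKP query helpers (added example, not from the wiki page or from SKS).
# Endpoints follow the HKP draft that SKS implements:
#   GET  /pks/lookup?op=get|index&options=mr&search=0x<KEYID or FINGERPRINT>
#   POST /pks/add   with form field keytext=<ASCII-armoured key>

# Normalise a key identifier for the "search" parameter: strip spaces and a
# leading 0x, upper-case it, and require a 64-bit key id (16 hex digits) or a
# full v4 fingerprint (40 hex digits).  32-bit key ids are refused: they are
# cheap to collide, so a lookup by 1234ABCD may return somebody else's key.
hkp_search_id() {
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$id" in
        '' | *[!0-9A-F]*)
            echo "hkp_search_id: not a hexadecimal key id: '$1'" >&2
            return 1 ;;
    esac
    case "${#id}" in
        40 | 16) printf '0x%s\n' "$id" ;;
        8)  echo "hkp_search_id: refusing 32-bit key id $1; use the fingerprint" >&2
            return 1 ;;
        *)  echo "hkp_search_id: unexpected length ${#id}: '$1'" >&2
            return 1 ;;
    esac
}

# Print the lookup URL for op=get (armoured key) or op=index (listing).
hkp_lookup_url() {
    base="${1%/}"; op="$2"
    sid=$(hkp_search_id "$3") || return 1
    printf '%s/pks/lookup?op=%s&options=mr&search=%s\n' "$base" "$op" "$sid"
}

# Fetch a key through the given base URL (e.g. https://gpg.kirner.or.at for
# the Apache proxy, http://127.0.0.1:11371 for SKS directly).  curl -f turns
# the 404 SKS answers for an unknown key into a non-zero exit status.
hkp_fetch() {
    url=$(hkp_lookup_url "$1" get "$2") || return 1
    curl -sSf "$url"
}

# Upload a key the way "gpg --send-keys" does: export it from the local
# keyring and POST it URL-encoded as the keytext form field.
hkp_submit() {
    base="${1%/}"
    sid=$(hkp_search_id "$2") || return 1
    gpg --batch --export --armor "$sid" \
        | curl -sSf --data-urlencode 'keytext@-' "$base/pks/add"
}

# Usage: sh hkp-check.sh fetch|submit <base URL> <fingerprint>
# e.g.   sh hkp-check.sh fetch https://gpg.kirner.or.at 0x<fingerprint>
case "${1:-}" in
    fetch)  hkp_fetch "$2" "$3" ;;
    submit) hkp_submit "$2" "$3" ;;
esac
```

Comparing the answer of http://127.0.0.1:11371 with that of https://gpg.kirner.or.at for the same fingerprint is a quick check that the reverse proxy passes the path and query string through unchanged.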
Links
http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU
http://keyserver.mattrude.com/guides/building-server/
https://roll.urown.net/server/pgp-keyserver.html
https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks
https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver