SKS Keyserver (Linux): Difference between revisions

From Tutorials
Zeile 189: Zeile 189:
</pre>
</pre>


=== ===
<pre>
INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', <domain>, CURDATE(), CURDATE(), 1);
</pre>


=== Relay-Domain ===
=== Relay-Domain ===
<pre>
<pre>
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active)  
             values ('gpg.kirner.or.at', 'gpg', 100, 100, 100, 2048, 'relay', 0, CURDATE(), CURDATE(), 1);
             values ('pgp.<domain>', 'gpg', 100, 100, 100, 2048, 'relay', 0, CURDATE(), CURDATE(), 1);
</pre>
</pre>
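Review bot: the changed line only swaps the concrete hostname 'gpg.kirner.or.at' for the placeholder 'pgp.<domain>', while the alias INSERT in the unchanged context above still passes `<domain>` unquoted in the domain column, so that statement is not valid SQL until the placeholder is substituted as a quoted string literal ('<domain>'); the description column also keeps the value 'gpg' although the domain is now pgp.<domain>, which is worth aligning so readers do not mix the two names.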



Revision as of 30 December 2016, 18:05

Still in progress


Installation

Run the following commands as user root:

sudo -s

Install the package:

apt-get install sks

Configuration

Stop the SKS daemon before changing the configuration:

service sks stop

Initialise the database as user debian-sks:

su debian-sks -c '/usr/sbin/sks build'

We run the server standalone; for that, disable all communication channels to other servers (back up the original files first):

mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership

Start the service automatically at boot. To do so, edit /etc/default/sks

vi /etc/default/sks

and adjust the following line:

initstart=yes

Adjust the configuration file:

vi /etc/sks/sksconf
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
# use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

After all configuration changes, start the SKS daemon again:

service sks start

Afterwards you can switch back to the normal user:

exit
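As an added check that is not part of the original tutorial, the following Python helpers read the files edited in the steps above and report where a host deviates from the standalone setup. The loopback-only `hkp_address` finding is an assumption of this check and stricter than the tutorial, which also accesses port 11371 directly, so drop it if direct access is wanted.

```python
"""Audit the standalone SKS configuration from the steps above.
Added example, not part of the original tutorial; the sample contents
used in comments and tests are constructed."""
import re

SKS_FILES = {  # paths as used in the tutorial
    "sksconf": "/etc/sks/sksconf",
    "membership": "/etc/sks/membership",
    "mailsync": "/etc/sks/mailsync",
    "default": "/etc/default/sks",
}

def parse_sksconf(text):
    """Parse 'key: value' lines of sksconf; blank and '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def active_lines(text):
    """Non-comment, non-blank lines: peers in membership, addresses in mailsync."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(sksconf, membership, mailsync, default_sks):
    """Return a list of findings; an empty list means the setup matches the tutorial."""
    findings = []
    if active_lines(membership):
        findings.append("membership lists peers: recon gossip with other servers is enabled")
    if active_lines(mailsync):
        findings.append("mailsync lists addresses: keys will be mailed to other servers")
    if not re.search(r"^initstart=yes$", default_sks, re.M):
        findings.append("initstart is not 'yes': sks will not start at boot")
    conf = parse_sksconf(sksconf)
    # The tutorial proxies 127.0.0.1:11371 through Apache; a commented-out
    # hkp_address is assumed to mean the default of listening on all interfaces.
    if conf.get("hkp_address", "0.0.0.0") != "127.0.0.1":
        findings.append("hkp_address is not 127.0.0.1: port 11371 is reachable "
                        "without going through the Apache proxy")
    return findings

def audit_files(paths=SKS_FILES):
    """Read the real files and audit them (needs read access, e.g. as root)."""
    contents = {name: open(path).read() for name, path in paths.items()}
    return audit(contents["sksconf"], contents["membership"],
                 contents["mailsync"], contents["default"])
```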

Configuration

Adjusting the web interface

sudo vi /var/lib/sks/www/index.html

Apache

HKP

cd /etc/apache2/sites-available
sudo vi gpg.conf
<VirtualHost *:80>
    ServerName gpg.kirner.or.at

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite gpg.conf
sudo service apache2 reload

HKPS

For the SSL certificate see the following link: SSL_Zertifikat

cd /etc/apache2/sites-available
sudo vi gpg-ssl.conf
<VirtualHost *:443>
    ServerName gpg.kirner.or.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/gpg.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/gpg.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite gpg-ssl.conf
sudo service apache2 reload

Mail interface

Path to sks_add_mail:

dpkg-query -L sks | grep sks_add_mail
/usr/lib/sks/sks_add_mail
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/

INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURDATE(), CURDATE(), 1);

Relay domain

INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active) 
            values ('pgp.<domain>', 'gpg', 100, 100, 100, 2048, 'relay', 0, CURDATE(), CURDATE(), 1);

Links

http://pgp.mit.edu/emailhelp.html

Ports

Name    Port    Protocol    Comment
Recon   11370               Synchronisation between key servers
HKP     11371   TCP
HKP     80
HKPS    443

Testing

Create a key: see GnuPG

Directly via the port:

http://<server>:11371/

Send a key:

gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD

Receive a key:

gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD
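Besides gpg, the HKP interface can be tested from a script, which also shows whether the Apache proxy on port 80/443 really forwards to SKS. The following Python code is an added example and not part of the original tutorial: it builds the HKP index URL, parses the machine-readable (`options=mr`) response and checks that the requested key id is listed; the sample response is constructed, and the fingerprint and uid in it are made up.

```python
"""Check a key server's HKP interface by parsing the machine-readable index
(/pks/lookup?op=index&options=mr). Added example, not part of the original
tutorial; SAMPLE_INDEX is constructed test data."""
import urllib.error
import urllib.request
from urllib.parse import unquote

# Constructed 'mr' index as an HKP server returns it: info:<version>:<count>,
# one pub line per key (fingerprint:algo:bits:created:expires:flags), uid lines.
SAMPLE_INDEX = (
    "info:1:1\n"
    "pub:0123456789ABCDEF0123456789ABCDEF1234ABCD:1:4096:1483056000::\n"
    "uid:Example User %3Cuser%40example.org%3E:1483056000::\n"
)

def parse_hkp_index(text):
    """Return a list of keys with fingerprint, algo, bits and decoded uids."""
    keys = []
    for line in text.splitlines():
        kind, _, rest = line.partition(":")
        if kind == "pub":
            f = rest.split(":")
            f += [""] * (6 - len(f))  # tolerate a missing trailing flags field
            keys.append({"fingerprint": f[0].upper(), "algo": int(f[1]),
                         "bits": int(f[2]), "created": int(f[3]) if f[3] else None,
                         "expires": int(f[4]) if f[4] else None, "flags": f[5],
                         "uids": []})
        elif kind == "uid" and keys:
            uid = rest.rsplit(":", 3)[0]  # uid string is %-escaped
            keys[-1]["uids"].append(unquote(uid))
    return keys

def has_key(text, keyid):
    """True if one of the listed fingerprints ends with the requested hex key id."""
    keyid = keyid.upper()
    if keyid.startswith("0X"):
        keyid = keyid[2:]
    return any(k["fingerprint"].endswith(keyid) for k in parse_hkp_index(text))

def lookup_url(base, keyid):
    """HKP index URL; base is e.g. http://gpg.kirner.or.at or http://<server>:11371."""
    return f"{base.rstrip('/')}/pks/lookup?op=index&options=mr&search=0x{keyid}"

def fetch_index(base, keyid, timeout=10):
    """Fetch the index via proxy or direct port; SKS answers 404 when no key matches."""
    try:
        with urllib.request.urlopen(lookup_url(base, keyid), timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return "info:1:0\n"
        raise
```

Run `has_key(fetch_index("http://gpg.kirner.or.at", "1234ABCD"), "1234ABCD")` after `gpg --send-key` to confirm the key arrived through the proxy.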

Links

https://njh.eu/keyserver

http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU

http://keyserver.mattrude.com/guides/building-server/

https://roll.urown.net/server/pgp-keyserver.html

https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks

https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver

