SKS Keyserver (Linux)

From Tutorials

Current version as of 21 January 2017, 18:45

Still in progress


Installation

Run the following commands as user root:

sudo -s

Install the package:

apt-get install sks

Configuration

Stop the SKS daemon before changing the configuration:

service sks stop

Initialise the database as user debian-sks:

su debian-sks -c '/usr/sbin/sks build'

We run the server standalone; for that, disable all communication channels to other keyservers (back up the original files first):

mv /etc/sks/mailsync /etc/sks/mailsync_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
mv /etc/sks/membership /etc/sks/membership_bak
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
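The two commands above work, but a script that backs up each file only once (so a second run cannot overwrite the backup with the emptied file) and then verifies that neither file still carries an active peer or mail address is what you want when the step is repeated or automated. The following is an added example, not part of the original page; the directory argument defaults to /etc/sks, and the sample membership and mailsync contents used in testing are constructed. It copies instead of moving, so the original stays in place as the _bak file while the live file is replaced.

```shell
#!/bin/sh
# Added example (not from the original page): put an SKS instance into
# standalone mode and verify it. Directory defaults to /etc/sks.

# Back up a file once (never overwrite an existing backup), then replace it
# with a comment-only file so SKS has no peers and no PKS mail targets.
sks_disable_peering_file() {
    file="$1"
    if [ -f "$file" ] && [ ! -e "${file}_bak" ]; then
        cp -p "$file" "${file}_bak"
    fi
    echo '# Empty - Do not communicate with other keyservers.' > "$file"
}

# Count "active" lines: non-empty and not starting with '#' (after optional
# whitespace). A missing file counts as zero active lines.
sks_active_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cv -E '^[[:space:]]*(#|$)' "$1" || true
}

# Return 0 only when neither membership nor mailsync has an active entry,
# i.e. the server really is standalone; report the offending file otherwise.
sks_is_standalone() {
    dir="${1:-/etc/sks}"
    rc=0
    for f in mailsync membership; do
        n=$(sks_active_lines "$dir/$f")
        if [ "$n" -ne 0 ]; then
            echo "$dir/$f still has $n active entries" >&2
            rc=1
        fi
    done
    return $rc
}

# Disable both channels and verify the result in one go.
sks_make_standalone() {
    dir="${1:-/etc/sks}"
    for f in mailsync membership; do
        sks_disable_peering_file "$dir/$f"
    done
    sks_is_standalone "$dir"
}

# Usage on the real system (as root, with the daemon stopped):
#   sks_make_standalone /etc/sks
```

Run sks_is_standalone on its own whenever you want to confirm that nobody has re-added a peer to membership or an address to mailsync since the server was set up.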

Adjust /etc/default/sks

Start the service automatically at boot; to do so, edit /etc/default/sks

vi /etc/default/sks

and adjust the following line:

initstart=yes

Adjust /etc/sks/sksconf

vi /etc/sks/sksconf
# /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.

# Set server hostname
#hostname: this.server.fdqn
hostname: pgp.<domain>

# Set recon binding address
#recon_address: 0.0.0.0

# Set recon port number
#recon_port: 11370

# Set hkp binding address
#hkp_address: 0.0.0.0

# Set hkp port number
#hkp_port: 11371

# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:

# From address used in synchronization emails used to communicate with PKS
#from_addr: "PGP Key Server Administrator <pgp-public-keys@this.server.fdqn>"
from_addr: "PGP Key Server Administrator <pgp-public-keys@<domain>>"

# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
sendmail_cmd: /usr/lib/sendmail -t -oi

# Runs database statistics calculation on boot (time and cpu expensive)
#initial_stat:

# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize:          16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize:    16

After all configuration changes, start the SKS daemon again:

service sks start

Afterwards you can switch back to the normal user:

exit

Adjust /etc/sks/mailsync

sudo vi /etc/sks/mailsync

Add the mail address of the receiving SKS server:

# /etc/sks/mailsync
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
pgp-public-keys@<domain>

Initial database

Currently not used; the server was started with an empty database.

Links

http://keys.niif.hu/keydump/

Configuration

Adjusting the web interface

sudo vi /var/lib/sks/www/index.html

Apache

HKP

cd /etc/apache2/sites-available
sudo vi pgp.conf
<VirtualHost *:80>
    ServerName pgp.kirner.or.at

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp.conf
sudo service apache2 reload

HKPS

Regarding the SSL certificate, see the following link: SSL_Zertifikat

cd /etc/apache2/sites-available
sudo vi pgp-ssl.conf
<VirtualHost *:443>
    ServerName pgp.kirner.or.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/pgp.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off

    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/

    ErrorLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-error.log
    CustomLog ${APACHE_LOG_DIR}/pgp.kirner.or.at-access.log combined
</VirtualHost>
sudo a2ensite pgp-ssl.conf
sudo service apache2 reload

Mail interface

Path to sks_add_mail:

dpkg-query -L sks | grep sks_add_mail
/usr/lib/sks/sks_add_mail
sudo -u debian-sks /usr/lib/sks/sks_add_mail /var/lib/sks/

Service

sudo vi /etc/postfix/master.cf
sksserver       unix    -       n       n       -       -       pipe
  flags=FR user=debian-sks argv=/usr/lib/sks/sks_add_mail /var/spool/sks/

Alias entry

INSERT INTO alias (address, goto, domain, created, modified, active) values ('pgp-public-keys@<domain>', 'pgp-public-keys@pgp.<domain>', '<domain>', CURTIME(), CURTIME(), 1);

Relay domain

INSERT INTO domain (domain, description, aliases, mailboxes, maxquota, quota, transport, backupmx, created, modified, active) 
            values ('pgp.<domain>', 'sksserver', 100, 100, 100, 2048, 'relay', 0, CURTIME(), CURTIME(), 1);

Restart Postfix

sudo service postfix restart

Links

http://pgp.mit.edu/emailhelp.html

http://www.postfix.org/pipe.8.html

Ports

Name   Port   Protocol   Comment
Recon  11370             Synchronisation between keyservers
HKP    11371  TCP
HKP    80
HKPS   443
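With Apache proxying port 80 and 443 to 127.0.0.1:11371, the daemon's own HKP port only needs to be reachable on the loopback interface, and on a standalone server the recon port has no peers to talk to. The following added example (not from the original page) audits the listening sockets against the table above; it reads "ss -ltn" style output, and the two samples below are constructed, one showing SKS bound to all interfaces as the default sksconf leaves it, one showing it bound to loopback only.

```shell
#!/bin/sh
# Added example (not from the original page): audit which of the ports in the
# table are listening and on which address, from "ss -ltn" output.
# Live use:  ss -ltn | sks_audit_listeners

# Constructed "ss -ltn" output for SKS with hkp_address/recon_address left at
# the default (all interfaces) behind the Apache proxy from this page.
sample_ss_output() {
    printf '%s\n' \
      'State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port' \
      'LISTEN  0       128     0.0.0.0:11370        0.0.0.0:*' \
      'LISTEN  0       128     0.0.0.0:11371        0.0.0.0:*' \
      'LISTEN  0       511     *:80                 *:*' \
      'LISTEN  0       511     *:443                *:*'
}

# Constructed output for the same server with SKS bound to loopback only.
sample_ss_hardened() {
    printf '%s\n' \
      'State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port' \
      'LISTEN  0       128     127.0.0.1:11370      0.0.0.0:*' \
      'LISTEN  0       128     127.0.0.1:11371      0.0.0.0:*' \
      'LISTEN  0       511     *:80                 *:*' \
      'LISTEN  0       511     *:443                *:*'
}

# Print "port address" for every LISTEN line (header skipped). The port is
# whatever follows the last colon, so IPv6 literals such as [::] survive.
listening_sockets() {
    awk 'NR > 1 && $1 == "LISTEN" {
           n = split($4, p, ":"); port = p[n]
           addr = substr($4, 1, length($4) - length(port) - 1)
           print port, addr }'
}

# Classify each port from the table. A "finding:" line means the daemon's
# HKP port is reachable without going through the Apache proxy.
sks_audit_listeners() {
    listening_sockets | while read -r port addr; do
        case "$port" in
        11371)
            case "$addr" in
            127.0.0.1|::1|\[::1\]) echo "ok: HKP 11371 bound to loopback ($addr)" ;;
            *) echo "finding: HKP 11371 bound to $addr, reachable without the Apache proxy" ;;
            esac
            ;;
        11370) echo "note: recon 11370 listening on $addr (only needed for peering)" ;;
        80)    echo "ok: HKP on $addr:80 (Apache)" ;;
        443)   echo "ok: HKPS on $addr:443 (Apache)" ;;
        esac
    done
}
```

If the audit reports a finding, the sksconf keys hkp_address (and recon_address) from the configuration section above are where the bind address is set; the proxy target on this page is 127.0.0.1, so that is the address to use there.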

Testing

Create a key: see GnuPG

directly via the port

http://<server>:11371/

Send key

gpg --send-key --keyserver gpg.kirner.or.at 1234ABCD

Receive key

gpg --recv-key --keyserver gpg.kirner.or.at 1234ABCD

Delete key

Deleting a key requires the key's hash.

The hash can be displayed by appending &hash=on to the lookup URL:

http://<server>:11371/pks/lookup?op=vindex&search=<keyID>&hash=on

The key can then be deleted as follows:

sudo sks drop <hash key>
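Copying the hash out of the vindex page by hand is error-prone, and a short key ID can match more than one key, in which case dropping the first hash you see deletes the wrong one. The following added example (not from the original page) builds the lookup URL, extracts every Hash= token from the response, and only prints a drop command when exactly one key matched. Hostname, port and key ID are placeholders; the vindex response below is a constructed sample (its layout is simplified, only the Hash= token matters), and the 0x prefix on the search term is the HKP convention for searching by key ID rather than by name.

```shell
#!/bin/sh
# Added example (not from the original page): find the SKS hash of one key
# from a vindex lookup with hash=on and prepare the "sks drop" command.

# Build the vindex URL for a key ID (0x prefix = search by ID, not by text).
sks_hash_lookup_url() {
    # $1 = server host, $2 = HKP port, $3 = key ID without 0x
    printf 'http://%s:%s/pks/lookup?op=vindex&search=0x%s&hash=on\n' "$1" "$2" "$3"
}

# Constructed sample of a vindex response with hash=on for one key.
sample_vindex() {
    printf '%s\n' \
      '<pre>pub  2048R/1234ABCD 2017-01-21 Test User &lt;test@example.org&gt;' \
      '   Hash=0123456789ABCDEF0123456789abcdef' \
      '</pre>'
}

# Extract every "Hash=<32 hex>" token from the response on stdin, one hash per
# line, lower-cased. SKS key hashes are 128-bit, i.e. 32 hex characters.
sks_extract_hashes() {
    grep -o -E 'Hash=[0-9A-Fa-f]{32}' | cut -d= -f2 | tr 'A-F' 'a-f'
}

# Print the drop command for exactly one matching key. Refuse (return 1) when
# the lookup yields zero or several hashes, so an ambiguous key ID never
# produces a command that deletes the wrong key.
sks_drop_command_for() {
    hashes=$(sks_extract_hashes)
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one hash, got $count" >&2
        return 1
    fi
    printf 'sks drop %s\n' "$hashes"
}

# Live use (needs network; not run here), then run the printed command with
# sudo as on this page:
#   curl -s "$(sks_hash_lookup_url pgp.example.org 11371 1234ABCD)" | sks_drop_command_for
```

Using the full fingerprint instead of a short key ID as the search term avoids the ambiguity in the first place; the refusal in sks_drop_command_for is the safety net for when only a short ID is at hand.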

Links

https://njh.eu/keyserver

http://www.bauer-power.net/2010/05/how-to-setup-free-pgp-key-server-in.html#.WGEXB58xlyU

http://keyserver.mattrude.com/guides/building-server/

https://roll.urown.net/server/pgp-keyserver.html

https://dokuwiki.nausch.org/doku.php/centos:web_c7:sks

https://support.mailbox.org/knowledge-base/article/der-mailbox-org-hkps-keyserver
