centos:web_c7:sks [29.09.2018 15:41] – [sks-recon] django
====== Installing and running an SKS keyserver on CentOS 7.x ======

The simplest way to distribute and look up PGP keys is to use an [[http://

The big advantage of the SKS keyserver is its simple and robust design: the server essentially consists of two processes. The first (**sks-db**) accepts new keys and serves the keys that are looked up; a simple web interface is provided for this.
The second server process (**sks-recon**) takes care of automatically reconciling the local database with the peering partners it is connected to.

Another important advantage of the SKS keyserver is that it is actively maintained and developed, and that it supports the OpenPGP standard almost completely, including photo IDs and subkeys.

===== Installation =====
The easiest way to install our SKS keyserver is the RPM package from the project [[http://

Installation is therefore very simple: only the package **//sks//** needs to be installed with **yum**.
# yum install sks -y

As usual, a query with **rpm -qil** reveals what the package brings along.
# rpm -qil sks
<code>
Version
Release
Architecture:
Install Date: Wed 08 Jul 2015 01:28:35 PM CEST
Group : System Environment/
Size : 2772877
License
Signature
Source RPM : sks-1.1.5-7.el7.src.rpm
Build Date : Fri 12 Sep 2014 12:30:05 AM CEST
Build Host : buildvm-15.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager
Vendor
URL : http://
Summary
Description :
SKS is a OpenPGP keyserver whose goal is to provide easy to
deploy, decentralized,
</code>

===== Documentation =====
The documentation shipped with the package is found in the directory //

==== ANNOUNCEMENT ====
# less /

<code>
release:

SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized,
key submitted to one SKS server will quickly be distributed to all key
servers, and even wildly out-of-date servers, or servers that experience
spotty connectivity,

What's New in 1.1.5
====================
- Fixes for machine-readable indices. Key expiration times are now read
  from self-signatures on the key's UIDs. In addition, instead of 8-digit
  key IDs, index entries now return the most specific key ID possible:
  16-digit key ID for V3 keys, and the full fingerprint for V4 keys.
- Add metadata information (number of keys, number of files,
  checksums, etc) to key dump. This allows for information on the
  key dump ahead of download/
  using md5sum -c <
- Replaced occurrances of the deprecated operator '
- Upgraded to cryptlib-1.7 and own changes are now packaged as separate
  patches that is installed during '
- Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
- op=hget now supports option=mr for completeness (BB issue #17)
- Add CORS header to web server responses. Allows JavaScript code to
  interact with keyservers, for example the OpenPGP.js project.
- Change the default hkp_address and recon_address to making the
  default configuration support IPv6. (Requires OCaml 3.11.0 or newer)
- Only use '
  the version suffix (+) (part of BB Issue #2)
- Reduce logging verbosity for debug level lower than 6 for (i) bad requests,
  and (ii) no results found (removal of HTTP headers in log) (BB Issue #13)
- Add additional OIDs for ECC RFC6637 style implementations
  (brainpool and secp256k1) (BB Issue #25) and fix issue for 32 bit arches.
- Fix a non-persistent cross-site scripting possibility resulting from
  improper input sanitation before writing to client. (BB Issue #26 | CVE-2014-3207)


Note when upgrading from earlier versions of SKS
====================
The default values for pagesize settings changed in SKS 1.1.4. To continue
using an existing DB from earlier versions without rebuilding, explicit settings
have to be added to the sksconf file.
    pagesize:
    ptree_pagesize:

Getting the Software
====================
SKS can be downloaded from
    https://

Prerequisites
====================
There are a few prerequisites to building this code. You need:
  * ocaml-3.11.0 or later (ocaml-3.12.x is recommended). Get it from
    <
  * Berkeley DB version 4.6.* or later, whereby 4.8 or later is recommended.
    You can find the appropriate versions at
    <
  * GNU Make and a C compiler (e.g gcc)


Verifying the integrity of the download
====================
Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

    0x41259773973A612A

and has a fingerprint of

    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.

Using GnuPG, verification can be accomplished by, first, retrieving the signing key using

    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A

followed by verifying that you have the correct key

    gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

    pub
    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A

A check should also be made that the key is signed by
trustworthy other keys;

    gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.

Once you are certain that you have the correct key downloaded, you can create
a local signature, in order to remember that you have verified the key.

    gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

    gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to

    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
    gpg: using RSA key 41259773973A612A
    gpg: Good signature from "SKS Keyserver Signing Key"


Thanks
====================
We have to thank all the people who helped with this release, by discussions on
the mailing list, submitting patches, or opening issues for items that needed
our attention.

Happy Hacking,

The SKS Team (Yaron, John, Kristian, Phil, and the other contributors)
</code>

==== README ====
# less /
<code>
=============

The following is an incomplete guide to compiling, setting up and using SKS.
Hopefully this is enough to get you started, in addition there is a wiki available,
where in particular <
should help getting a working installation.

Prerequisites
-------------

There are a few prerequisites to building this code. You need:

  * OCaml-3.11.0 or later.
  * Berkeley DB version 4.6.* or later.
    appropriate versions at
    <
  * GNU Make and a C compiler (e.g gcc)

Verifying the integrity of the download
----------------------------
Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

    0x41259773973A612A

and has a fingerprint of

    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.

Using GnuPG, verification can be accomplished by, first, retrieving the signing key using

    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A

followed by verifying that you have the correct key

    gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

    pub
    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A

A check should also be made that the key is signed by
trustworthy other keys;

    gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.

Once you are certain that you have the correct key downloaded, you can create
a local signature, in order to remember that you have verified the key.

    gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

    gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to

    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
    gpg: using RSA key 41259773973A612A
    gpg: Good signature from "SKS Keyserver Signing Key"

Compilation and Installation
----------------------------

  * Install OCaml and Berkeley DB

    When installing ocaml, make sure you do both the `make world` and
    the `make opt` steps before installing.
    get the optimizing compilers.
    compilation.
    `OCAMLOPT` and `CALMP4O` to `ocamlc.opt`,
    `camlp4o.opt` respectively.)

    If your vendor or porting project supplies prebuilt binaries and
    libraries for Berkeley DB, make sure to get the development
    package as you will need the correct version include files.

  * Copy `Makefile.local.unused` to `Makefile.local`,
    match your installation.

  * Compile

        make dep
        make all
        make all.bc     # if you want the bytecode versions
        make install    # puts executables in $PREFIX/
                        # in Makefile.local

    There are some other useful compilation targets, mostly useful for
    development.

    - `make doc`

      creates a doc directory with ocamldoc-generated documentation
      of the individual modules.
      documentation to the source code, not a user's guide.

    - `make modules.ps`

      Creates a ps-file that shows the dependencies between
      different modules, and gives you a sense of the overall
      structure of the system.
      AT&
      script that's used actually requires that python2 be called
      python2, rather than python.
      script.

Setup and Configuration
-----------------------

You need to set up a directory for the SKS installation.
contain the database files along with configuration and log files.

Configuration options can be passed in on the command-line or put in
the `sksconf` file in the SKS directory.
specifies the SKS directory itself, which defaults to the current
working directory.

### Sksconf and commandline options

The format of the sksconf file is simply a bunch of lines of the
form:

    keyword: value

The `#` character is used for comments, and blank lines are
ignored.
initial `-`.

The one thing you probably want no matter what is a line that says

    logfile: log

which ensures that sks will output messages to `recon.log` and
`db.log` respectively.

### Membership file

If you want your server to gossip with others, you will need a
membership file which tells the `sks recon` who else to gossip with.
The membership file should look something like:

    epidemic.cs.cornell.edu 11370
    athos.rutgers.edu 11370
    ...

This file should be called `membership`,
SKS directory.
hosts have to have each other in their membership lists.
<
their membership lists.

**IMPORTANT NOTE**: if you include the server itself in the membership
file, you should make sure that you also specify the `hostname`
option, and that the selected hostname is exactly the same string
listed in the membership file. Otherwise, the `sks recon` will try to
synchronize with itself and will deadlock.

### Outgoing PKS synchronization:

The mailsync file contains a list of email addresses of PKS
keyservers.
submitted directly to an SKS keyserver are also forwarded to PKS
keyservers.

**IMPORTANT**:
their permission first!

In order for outgoing email sync's to work, you need to specify a
command to actually send the email out. The default is `sendmail -t
-oi`, but you may need something different.

### Incoming PKS synchronization

Incoming PKS synchronization is less critical than outgoing,
since as long as some SKS server gets the new data, it will be
distributed to all. Having more hosts receive the incoming PKS
syncs does, however, increase the fault-tolerance of the
connection between the two systems.

In order to get incoming mail working, you should pipe the appropriate
incoming mail to the following command via procmail:

    sks_add_mail sks_directory_name

Here's an example procmail entry:

    PATH=/

    :0
    * ^Subject: incremental
    | sks_add_mail sks_directory_name


### Built-in webserver

You can server up a simple index page directly from the port
you're using for HKP. This is done by creating a subdirectory in
your SKS directory called `web`.
named `index.html`,
supporting files with extensions .css, .es, or .js, and some image
files with extensions jpg, jpeg, png or gif. Subdirectories will
be ignored, as will filenames with anything other than
alphanumeric characters and the '
particularly useful if you want to run your webserver off of port
80. This can be done by using the -hkp_port command-line option.


Building up the databases
-------------------------

- First, you need to get a keydump.
  you should be able to convince PKS to generate one for you. If
  you're starting from scratch, you'll need to download one from the
  net. You should contact the pgp keyserver list
  <

- in the SKS directory, put in a subdirectory called `dump` which
  contains the keydump files from which the database is to be built.

- Run sks_build.sh.
  might want to edit sks_build.sh if you want to trade off speed for
  space usage.
  you try this with less then 256 megs of RAM.

**DO NOT DELETE THE `dump` DIRECTORY**,
built.
dump must be left in place.

Platform specific issues
------------------------

### FreeBSD ###

On FreeBSD it appears that libdb is named differently than on some
other platforms.
environment value to `-ldb46` instead of `-ldb-4.6` for other
platfomrs.
</code>

==== Manpage ====
Another very helpful source is the manpage of **sks**:
# man sks

<code>
NAME
       SKS - Synchronizing Key Server

SYNOPSIS
       sks [options] -debug

DESCRIPTION
       SKS is a OpenPGP keyserver whose goal is to provide easy to deploy, decentralized,
       and highly reliable synchronization. That means that a key submitted to one SKS
       rest of the system.

       The design of SKS is deliberately simple. The server consists of two single-threaded
       key server, such as answering web requests. The only special functionality of "sks
       does all the work with respect to reconciling hosts databases. "sks recon" keeps
       track of specialized summary information about the database, and can use that
       of another host.

FEATURES
       style packets, photoID packets, multiple subkeys, and pretty much everything allowed
       by the RFCs.

       Fully compatible with PKS system - can both send and receive syncs from PKS servers,

       a heavy load an any one host.

OPTIONS
       SKS binary command options are as follows:

       db
              Initiates database server.

       recon

              Apply filters to all keys in database, fixing some common problems.

       build
              Build key database, including body of keys directly in database.

              Build key database, doesn'
              build and the multiple of 15,000 keys to be read per pass when used with

              Build prefix-tree database, used by reconciliation server, from key database.

       dump numkeys dumpdir <
              The optional filename-prefix is prepended to the dump file names. Without it the
              dump files are named 0000.pgp, 0001.pgp,

       merge
              Adds key from key files to existing database.

       drop
              Drops key from database.

       help

ADDITIONAL OPTIONS
       You won't need most of the options below for normal operation. These options can be
       given in basedir/

       -q
              Number of bits defining a bin.

       -mbar

       -seed
              Seed used by RNG.

       -d
              Number of keys to drop at random when synchronizing.

       -n
              Number of keydump files to load at once.

              Cache size in megs for key db.

              Cache size in megs for prefix tree db.

              Set base port number.

              Set recon port number.

              Set recon binding addresses.
              or domain names.

              Set hkp port number.

              Set hkp binding addresses.
              or domain names.

              Have the HKP interface listen on port 80, as well as the hkp_port.

              Set base directory.

              Send log messages to stdout instead of log file.

              Use a disk-based ptree implementation. Slower, but requires far less memory.

              Use in-mem ptree.

       -prob
              Set probability. Used for testing code only.

              Set sync interval for reconserver.

              Set time between gossips in minutes.

              Set sync interval for dbserver.

              Time period between checkpoints.

              Time period between checkpoints for reconserver.

              Hour at which to run database statistics.

              Runs database statistics calculation on boot.

              Set timeout in seconds for initial exchange of config info in reconciliation.

              From address used in synchronization emails used to communicate with PKS.

              When doing a database dump, only dump new keys, not keys already contained in a

              THE MECHANIASM FOR SENDING UPDATES TO NON-SKS SERVERS.

              Set OpenPGP KeyID of the server contact

              Read keyids from stdin (sksclient only)

FILES
              The main SKS executable.

              The executable responsible for parsing incoming mails from PKS key servers.

              The mailsync should contains a list of email addresses of PKS keyservers. This
              file is important, because it ensures that keys submitted directly to an SKS
              your mailsync file without getting their permission first!

              With SKS, two hosts can efficiently compare their databases then repair whatever
              find other SKS servers that will agree to gossip with you. The hostname and port
              of the server that has agreed to do so should be added to this file.

              The configuration file for your SKS server.

EXAMPLES
              keyserver.ahost.org 11370 # Comments are allowed
              keyserver.foo.org 11370 # Another host with default ports

              membership_reload_interval:
              initial_stat:
              hostname: keyserver.example.com
              from_addr: pgp-public-keys@keyserver.example.com

              PATH=/
              :0
              * ^Subject: incremental
              | /

              /
              pgp-public-keys:

SEE ALSO
       The SKS website is located at https://
       The SKS website is located at https://

AUTHOR
       The first draft was written by Thomas Sjogren <

0.1 2014-05-05
</code>

===== Configuration =====
Configuring our **sks** keyserver on CentOS 7.x is relatively simple, since suitable example configurations are shipped in the **RPM**,

==== Configuration and working directory ====
As a first step we create the target directory for our configuration files.
# mkdir /etc/sks

We create the working directory accordingly as well.
# mkdir /

Then we adjust the file permissions of the directories just created.
# chown sks:sks /etc/sks /

==== Log directory ====
So that log files can be written for later monitoring and, if needed, troubleshooting, we also create the matching directory.
# mkdir /

Here too we adjust the file and directory permissions.
# chown sks:sks /


==== Logrotate ====
So that our log directory does not fill up, we configure our SKS server to archive the log file at regular intervals and start a new one.
For this we create, in the directory //
# vim /
<file bash /
/
/bin/kill -HUP `cat /
/bin/kill -HUP `cat /
}
</file>


==== Configuration files ====
=== sksconf ===
The RPM package contains a typical configuration file, which we want to use as the basis for our configuration. So we first copy this file **sksconf.typical** into the configuration directory we created earlier, //

# cp /

Then we edit this file and enter our server-specific details.

# vim /

<file bash /
#* sksconf.typical - Typical configuration settings for a SKS server
#* *#
#* Copyright (C) 2011, 2012, 2013 John Clizbe
#* *#
#* This file is part of SKS. SKS is free software; you can *#
#* redistribute it and/or modify it under the terms of the GNU General
#* Public License as published by the Free Software Foundation; either
#* version 2 of the License, or (at your option) any later version.
#* *#
#* This program is distributed in the hope that it will be useful, but *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#* General Public License for more details.
#* *#
#* You should have received a copy of the GNU General Public License
#* along with this program; if not, write to the Free Software
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
#* USA or see <
#

# sksconf -- SKS main configuration
#
# Django : 2015-07-08
# default: basedir:
basedir:

# debuglevel 3 is default (max. debuglevel is 10)
debuglevel:

# Django : 2015-07-08
# default: hostname:
hostname:
hkp_port:
recon_port:

# Django : 2015-07-08
# default: unset
hkp_address:

# Django : 2015-07-08
# default: server_contact:
server_contact:

# Django : 2015-07-08
# default: from_addr:
from_addr:
sendmail_cmd:

# Django : 2015-07-08
# Runs database statistics calculation on boot
initial_stat:

# Django : 2015-07-08
# Maximum interval (in hours) at which membership file is reloaded
membership_reload_interval:

# Django : 2015-07-08
# Hour at which to run database statistics.
# default: stat_hour:
stat_hour:

# Django: 2015-07-08
# Have the HKP interface listen on port 80, as well as the hkp_port.
#

# set DB file pagesize as recommended by db_tuner
# pagesize is (n * 512) bytes
# NOTE: These must be set _BEFORE_ [fast]build & pbuild and remain set
# for the life of the database files. To change a value requires recreating
# the database from a dump
#
# KDB/
pagesize:
#
# KDB/
keyid_pagesize:
#
# KDB/
meta_pagesize:
# KDB/
subkeyid_pagesize:
#
# KDB/
time_pagesize:
#
# KDB/
tqueue_pagesize:
#
# KDB/word - db_tuner suggests 512 bytes. This locked the build process
# Better to use a default of 8 (4096 bytes) for now
#
#
# PTree/
ptree_pagesize:
</file>

=== mailsync ===
As before with the main configuration file,

# cp /

# vim /
<file bash /
#* mailsync - servers that should receive email updates from SKS *#
#* *#
#* Copyright (C) 2011, 2012, 2013 John Clizbe
#* *#
#* This file is part of SKS. SKS is free software; you can *#
#* redistribute it and/or modify it under the terms of the GNU General
#* Public License as published by the Free Software Foundation; either
#* version 2 of the License, or (at your option) any later version.
#* *#
#* This program is distributed in the hope that it will be useful, but *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#* General Public License for more details.
#* *#
#* You should have received a copy of the GNU General Public License
#* along with this program; if not, write to the Free Software
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
#* USA or see <
#
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
#
# Hironobu Suzuki operates the OpenPKSD server <
#
#
# Jonathon McDowell openrates the ONAK server <
# http://
#
#
# V. Alex Brennen operates the CKS (CrytptNet) servers <
#
# Django : 2015-07-08
pgp-public-keys@pgp.mit.edu
</file>
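Before **sks-recon** is started, it is worth checking that `sksconf` and the `membership` file agree with each other; the README quoted above warns that a server listed in its own membership file needs an exactly matching `hostname:` line or `sks recon` will try to reconcile with itself and deadlock. The following Python check is an added example and not part of the SKS package or of this page's original content; the function names, the `local_names` input (the names this host is reachable under, which SKS itself does not know) and the sample file contents are constructed assumptions.

```python
"""Consistency check for an SKS node's sksconf and membership files.

Added example, not SKS project code. Parses the two formats the bundled README
describes (sksconf: `keyword: value`, `#` comments; membership: `host port`
with optional trailing `# comment`). Function names and samples are constructed.
"""


def parse_sksconf(text):
    """Parse `keyword: value` lines; `#` starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed sksconf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def parse_membership(text):
    """Return [(host, port)] pairs; comments after `#` are allowed at line ends."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"malformed membership line: {raw!r}")
        peers.append((parts[0], int(parts[1])))
    return peers


def _canon(name):  # comparison only; SKS itself compares the exact string
    return name.lower().rstrip(".")


def check_peering(conf, peers, local_names):
    """Return a list of problem strings; an empty list means the files agree.

    `local_names`: names this machine answers to (operator-supplied assumption).
    """
    problems = []
    hostname = conf.get("hostname")
    recon_port = int(conf.get("recon_port", "11370"))  # SKS default recon port
    mine = {_canon(n) for n in local_names}
    if hostname:
        mine.add(_canon(hostname))
    for host, port in peers:
        if _canon(host) not in mine:
            continue
        # README: sks recon only skips the entry when `hostname:` is exactly the
        # membership string; otherwise it reconciles with itself and deadlocks.
        if hostname is None:
            problems.append(f"{host} is this server but sksconf has no hostname: "
                            "line (sks recon would gossip with itself and deadlock)")
        elif hostname != host:
            problems.append(f"hostname: {hostname!r} does not exactly match "
                            f"membership entry {host!r}")
        if port != recon_port:
            problems.append(f"self entry lists port {port} but recon_port is {recon_port}")
    # sksconf.typical: pagesize values must be fixed before build and kept for
    # the life of the database files, so they should be set explicitly.
    for key in ("pagesize", "ptree_pagesize"):
        if key not in conf:
            problems.append(f"{key} is not set explicitly in sksconf")
    return problems


def check_node(sksconf_text, membership_text, local_names):
    """Parse both files and run the checks."""
    return check_peering(parse_sksconf(sksconf_text),
                         parse_membership(membership_text), local_names)


# Constructed sample files; host names follow the manpage EXAMPLES section.
SAMPLE_SKSCONF = """\
basedir: /var/lib/sks
hostname: keyserver.example.com
hkp_port: 11371
recon_port: 11370
pagesize: 128
ptree_pagesize: 16
"""

SAMPLE_MEMBERSHIP = """\
keyserver.ahost.org 11370     # Comments are allowed
keyserver.foo.org 11370       # Another host with default ports
keyserver.example.com 11370   # this node itself, so peers can copy the line
"""

LOCAL_NAMES = ["keyserver.example.com"]

if __name__ == "__main__":  # show the deadlock case: drop the hostname: line
    broken = SAMPLE_SKSCONF.replace("hostname: keyserver.example.com\n", "")
    print(check_node(broken, SAMPLE_MEMBERSHIP, LOCAL_NAMES))
```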
+ | |||
+ | === membership === | ||
+ | Die dritte Konfigurationsdatei beinhaltet eine Liste sämtlicher SKS-Knotenserver mit denen wir unsere Schlüssel austauschen. Wie bei den beiden anderen Konfigurationsdateien, | ||
+ | |||
+ | # cp / | ||
+ | |||
+ | Nach Rücksprache mit den Pearingpartnern tragen wir die entsprechenden Kontaktdaten in der Datei ein. | ||
+ | |||
+ | # vim / | ||
+ | |||
+ | <file bash / | ||
+ | #* membership - list of servers to peer with along with optional | ||
+ | #* administrative contact information | ||
+ | #* *# | ||
+ | #* Copyright (C) 2011, 2012, 2013 John Clizbe | ||
+ | #* *# | ||
+ | #* This file is part of SKS. SKS is free software; you can *# | ||
+ | #* redistribute it and/or modify it under the terms of the GNU General | ||
+ | #* Public License as published by the Free Software Foundation; either | ||
+ | #* version 2 of the License, or (at your option) any later version. | ||
+ | #* *# | ||
+ | #* This program is distributed in the hope that it will be useful, but *# | ||
+ | #* WITHOUT ANY WARRANTY; without even the implied warranty of *# | ||
+ | #* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
+ | #* General Public License for more details. | ||
+ | #* *# | ||
+ | #* You should have received a copy of the GNU General Public License | ||
+ | #* along with this program; if not, write to the Free Software | ||
+ | #* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 | ||
+ | #* USA or see < | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # With SKS, two hosts can efficiently compare their databases then | ||
+ | # repair whatever differences are found. | ||
+ | # reconciliation, | ||
+ | # agree to gossip with you. The hostname and port of the server that | ||
+ | # has agreed to do so should be added to this file. | ||
+ | # | ||
+ | # Empty lines and whitespace-only lines are ignored, as are lines | ||
+ | # whose first non-whitespace character is a `#'. Comments preceded by '#' | ||
+ | # are allowed at the ends of lines | ||
+ | # | ||
+ | # Example: | ||
+ | # keyserver.linux.it 11370 | ||
+ | # | ||
+ | # The following operators have agreed to have their peering info included in this sample file. | ||
+ | # NOTE: This does NOT mean you may uncomment the lines and have peers. First you must contact the | ||
+ | # server owner and ask permission. You should include a line styled like these for your own server. | ||
+ | # Until two SKS membership files contain each other's peering info, they will not gossip. | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | key.adeti.org | ||
+ | keys.niif.hu | ||
+ | keyserver.adamas.ai | ||
+ | keyserver.ccc-hanau.de | ||
+ | keyserver.computer42.org | ||
+ | keyserver.gingerbear.net | ||
+ | keyserver.kjsl.org | ||
+ | keyserver.serviz.fr | ||
+ | keyserver.siccegge.de | ||
+ | keyserver.stack.nl | ||
+ | pgp.codelabs.ru | ||
+ | pgpkeys.co.uk | ||
+ | pgpkeys.eu | ||
+ | pks.aaiedu.hr | ||
+ | keyserver.singpolyma.net | ||
+ | sks.pkqs.net | ||
+ | sks.powdarrmonkey.net | ||
+ | sks.spodhuis.org | ||
+ | www.pretzlaff.co | ||
+ | keys.itunix.eu | ||
+ | sks.rainydayz.org | ||
+ | ice.mudshark.org | ||
+ | </ | ||
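The comment block above fixes the membership format (blank and whitespace-only lines ignored, lines whose first non-blank character is `#` ignored, trailing `#` comments allowed) and the rule that two servers gossip only once each lists the other. The following bash script is an added example, not part of the SKS distribution or of this page: it parses a membership file by those rules and checks mutual peering against a partner's file; the hostnames sks.example.org, peer.example.net and other.example.edu and the three files are constructed (keyserver.linux.it is the sample entry from the file itself).

```shell
#!/usr/bin/env bash
# Added example (not part of the SKS distribution or of this page): read a
# membership file the way the comments in the sample file describe it, and
# check that two servers list each other, since SKS only gossips once both
# membership files contain the other side's entry.
set -u

# parse_membership FILE
# Prints "host port" for every peer entry. Empty and whitespace-only lines are
# ignored, as are lines whose first non-blank character is '#'; a trailing
# '# comment' after an entry is stripped. Entries without a port are reported
# on stderr and skipped, because SKS needs the recon port of every peer.
parse_membership() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk 'NF == 2 { print $1, $2 }
             NF == 1 { print "membership: missing port for " $1 > "/dev/stderr" }'
}

# peering_is_mutual MY_FILE MY_HOST MY_PORT PEER_FILE PEER_HOST PEER_PORT
# Returns 0 when MY_FILE lists the peer and PEER_FILE lists us, each with the
# matching recon port; hostnames are compared case-insensitively.
peering_is_mutual() {
    local my_file="$1" my_host="$2" my_port="$3"
    local peer_file="$4" peer_host="$5" peer_port="$6"
    parse_membership "$my_file" 2>/dev/null | tr '[:upper:]' '[:lower:]' |
        grep -qxF "$(printf '%s %s' "$peer_host" "$peer_port" | tr '[:upper:]' '[:lower:]')" || return 1
    parse_membership "$peer_file" 2>/dev/null | tr '[:upper:]' '[:lower:]' |
        grep -qxF "$(printf '%s %s' "$my_host" "$my_port" | tr '[:upper:]' '[:lower:]')" || return 1
}

# Constructed sample membership files for three hypothetical servers.
WORKDIR="$(mktemp -d)"
cat > "$WORKDIR/sks.example.org" <<'EOF'
# membership of sks.example.org (constructed sample)

    # an indented comment line is ignored as well
keyserver.linux.it 11370        # example entry from the SKS sample file
peer.example.net  11370 # Jane Doe <jane@example.net>
lonely.example.com              # malformed: recon port missing
EOF
cat > "$WORKDIR/peer.example.net" <<'EOF'
# membership of peer.example.net (constructed sample): lists us back
SKS.Example.ORG 11370
other.example.edu 11370
EOF
cat > "$WORKDIR/keyserver.linux.it" <<'EOF'
# membership of keyserver.linux.it (constructed sample): does not list us
other.example.edu 11370
EOF

if [ "${1:-}" = "--demo" ]; then
    parse_membership "$WORKDIR/sks.example.org"
    for peer in peer.example.net keyserver.linux.it; do
        if peering_is_mutual "$WORKDIR/sks.example.org" sks.example.org 11370 \
                             "$WORKDIR/$peer" "$peer" 11370; then
            echo "$peer: mutual, gossip possible"
        else
            echo "$peer: one-sided, recon will not run"
        fi
    done
fi
```

Run with `--demo` to see the parsed entries and the mutuality verdict for each constructed peer.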
+ | |||
+ | ==== SKS-basedir option ==== | ||
+ | According to the section //**Setup and Configuration**// | ||
+ | |||
+ | < | ||
+ | |||
+ | You need to set up a directory for the SKS installation. | ||
+ | database files along with configuration and log files. | ||
+ | |||
+ | Configuration options can be passed in on the command-line or put in the | ||
+ | " | ||
+ | directory itself, which defaults to the current working directory. | ||
+ | </ | ||
+ | |||
+ | Since, however, as is customary under Linux, we keep the configuration files under // | ||
+ | |||
+ | === /etc/sks/ === | ||
+ | For each of the three configuration files created earlier we now set a symlink. | ||
+ | # ln -s / | ||
+ | |||
+ | # ln -s / | ||
+ | |||
+ | # ln -s / | ||
+ | |||
+ | === / | ||
+ | Each of the two server processes writes its own log file: | ||
+ | * **db.log** | ||
+ | * **recon.log** | ||
+ | We now create these two log files as empty files: | ||
+ | # touch / | ||
+ | |||
+ | We also adjust the file permissions. | ||
+ | # chown sks.sks / | ||
+ | |||
+ | Then, here too, we set a symbolic link for each of them pointing into the **basedir** of our SKS keyserver. | ||
+ | # ln -s / | ||
+ | |||
+ | # ln -s / | ||
+ | |||
+ | === systemd === | ||
+ | In the **systemd service definitions** of the two daemons **sks-db** and **sks-recon** the SKS base directory is hard-coded. We now have to adapt these definitions to our environment. | ||
+ | <WRAP center round important 95%> | ||
+ | |||
+ | Under no circumstances, however, do we change the original systemd service definitions from the directory **// / | ||
+ | </ | ||
+ | |||
+ | # cp / | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | [Unit] | ||
+ | Description=SKS reconciliation service | ||
+ | BindsTo=sks-db.service | ||
+ | After=sks-db.service | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | # Django : 2015-07-11 | ||
+ | # default: ExecStart=/ | ||
+ | ExecStart=/ | ||
+ | User=sks | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | # cp / | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | [Unit] | ||
+ | Description=SKS database service | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | # Django : 2015-07-11 | ||
+ | # default: ExecStart=/ | ||
+ | ExecStart=/ | ||
+ | User=sks | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | Finally we make our changes known to the system. | ||
+ | # systemctl daemon-reload | ||
+ | |||
+ | ==== SKS-Sysconfig ==== | ||
+ | |||
+ | If we do not want to run our SKS keyserver with root privileges, we create a suitable configuration file in the directory // | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | # / | ||
+ | # | ||
+ | # User to run the daemon as | ||
+ | # Django : 2015-07-08 | ||
+ | # default: unset | ||
+ | RUN_AS=" | ||
+ | # | ||
+ | # Add extra daemon options here | ||
+ | # OPTIONS=""</ | ||
+ | |||
+ | ==== Web directory ==== | ||
+ | Our SKS keyserver will later present a web form, | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | We now create a suitable directory for this web page. | ||
+ | # mkdir / | ||
+ | |||
+ | Here too we adjust the file and directory permissions. | ||
+ | # chown sks:sks / | ||
+ | |||
+ | As a template for the web page we can either adopt the samples shipped in the RPM, which we find in the directory // | ||
+ | # ll / | ||
+ | |||
+ | total 12 | ||
+ | drwxr-xr-x. 2 root root 4096 Jul 8 13:28 HTML5 | ||
+ | drwxr-xr-x. 2 root root 4096 Jul 8 13:28 OpenPKG | ||
+ | drwxr-xr-x. 2 root root 4096 Jul 8 13:28 XHTML+ES | ||
+ | |||
+ | Alternatively we can use the following file, which we customise and adapt to our needs. | ||
+ | |||
+ | # vim / | ||
+ | <file html / | ||
+ | <html lang=" | ||
+ | < | ||
+ | <meta http-equiv=" | ||
+ | <meta http-equiv=" | ||
+ | < | ||
+ | <meta name=" | ||
+ | <meta name=" | ||
+ | <!-- Mobile viewport optimized: j.mp/ | ||
+ | <meta name=" | ||
+ | <style type=" | ||
+ | h1, | ||
+ | h2, | ||
+ | p { | ||
+ | margin: 0; /* Let's zero those margins */ | ||
+ | } | ||
+ | |||
+ | #container { | ||
+ | border: 1px solid #555; /* Nice transition from white background */ | ||
+ | width: 600px; /* Should be narrow enough for small screens */ | ||
+ | margin: 0 auto; /* Centering */ | ||
+ | font-size: 1.1em; /* Font big enough not to need to squint */ | ||
+ | line-height: | ||
+ | } | ||
+ | |||
+ | #title { | ||
+ | background-color:# | ||
+ | padding: 10px; | ||
+ | } | ||
+ | | ||
+ | #title h1, #title h2 { | ||
+ | margin-top: 0.3em; | ||
+ | } | ||
+ | |||
+ | #info { | ||
+ | background-color:# | ||
+ | padding: 5px 10px; | ||
+ | } | ||
+ | |||
+ | #main { | ||
+ | background : #FAFBEA; | ||
+ | padding: 0 10px 10px 10px; | ||
+ | } | ||
+ | |||
+ | #main header { | ||
+ | padding-top: | ||
+ | } | ||
+ | |||
+ | #main p { | ||
+ | margin: 0.5em 0; | ||
+ | } | ||
+ | |||
+ | #keytext { | ||
+ | width: 100%; | ||
+ | height: 150px; | ||
+ | border: 1px solid #555; | ||
+ | background : #fff; | ||
+ | max-width: 100%; | ||
+ | display: block; | ||
+ | } | ||
+ | |||
+ | ul { | ||
+ | width: 100%; | ||
+ | list-style-type: | ||
+ | padding-left: | ||
+ | } | ||
+ | |||
+ | li { | ||
+ | width: 99%; | ||
+ | } | ||
+ | |||
+ | li label { | ||
+ | width: 57%; | ||
+ | display: inline-block; | ||
+ | } | ||
+ | | ||
+ | button { | ||
+ | border-radius: | ||
+ | -moz-border-radius: | ||
+ | background: -webkit-gradient(linear, | ||
+ | background: -moz-linear-gradient(top, | ||
+ | border: 1px solid #bbb; | ||
+ | } | ||
+ | |||
+ | #info p {line-height: | ||
+ | </ | ||
+ | </ | ||
+ | < | ||
+ | <div id=" | ||
+ | <header id=" | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | <div id=" | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | eine beliebige Zeichen der UserID oder den Usernamen an. M& | ||
+ | | ||
+ | | ||
+ | </p> | ||
+ | <form id=" | ||
+ | < | ||
+ | <ul> | ||
+ | <li> <label for=" | ||
+ | name=" | ||
+ | type=" | ||
+ | <li> <label for=" | ||
+ | <input id=" | ||
+ | </li> | ||
+ | <li> <label for=" | ||
+ | id=" | ||
+ | <li> <label for=" | ||
+ | < | ||
+ | | ||
+ | <li> <label for=" | ||
+ | Schl& | ||
+ | <input id=" | ||
+ | checked=" | ||
+ | <li> <label for=" | ||
+ | <input id=" | ||
+ | type=" | ||
+ | <li> <label for=" | ||
+ | <input id=" | ||
+ | </li> | ||
+ | </ul> | ||
+ | <button type=" | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | | ||
+ | < | ||
+ | | ||
+ | < | ||
+ | </p> | ||
+ | <form id=" | ||
+ | < | ||
+ | <button type=" | ||
+ | type=" | ||
+ | </ | ||
+ | </ | ||
+ | <!-- end of #main --> | ||
+ | <footer id=" | ||
+ | < | ||
+ | der <a href=" | ||
+ | </ | ||
+ | <p> | ||
+ | Wenn Sie mit meinem Keyserver eine Partnerschaft zum Schl& | ||
+ | wenn Sie Anmerkungen oder Fragen haben, oder wenn Sie den Administrator des Servers anderweitig | ||
+ | | ||
+ | <a href=" | ||
+ | & | ||
+ | </ | ||
+ | <p> | ||
+ | Benutzen Sie zum Verschl& | ||
+ | <a href=" | ||
+ | < | ||
+ | </ | ||
+ | <p style=" | ||
+ | </ | ||
+ | </ | ||
+ | <!--! end of #container --> | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== Reverse Proxy ==== | ||
+ | |||
+ | Since the SKS daemon's built-in web server cannot handle parallel requests, we will put a reverse proxy in front of it, | ||
+ | |||
+ | A further advantage of the reverse proxy is that we can also make the SKS daemon's web page available on ports 80 and/or 443 to users who are denied access to port 11371 by security or proxy settings. | ||
+ | |||
+ | The following diagram shows the individual communication points, | ||
+ | |||
+ | <uml width=900 title=" | ||
+ | skinparam defaultFontName Courier | ||
+ | |||
+ | |||
+ | state "SKS Pearing-Partner" | ||
+ | peer : / | ||
+ | peer : | ||
+ | peer : key.adeti.org | ||
+ | peer : keys.niif.hu | ||
+ | peer : keyserver.adamas.ai | ||
+ | peer : keyserver.ccc-hanau.de | ||
+ | peer : keyserver.computer42.org | ||
+ | peer : keyserver.gingerbear.net | ||
+ | peer : keyserver.kjsl.org | ||
+ | peer : keyserver.serviz.fr | ||
+ | peer : keyserver.siccegge.de | ||
+ | peer : keyserver.stack.nl | ||
+ | peer : pgp.codelabs.ru | ||
+ | peer : pgpkeys.co.uk | ||
+ | peer : pgpkeys.eu | ||
+ | peer : pks.aaiedu.hr | ||
+ | peer : keyserver.singpolyma.net | ||
+ | peer : sks.pkqs.net | ||
+ | peer : sks.powdarrmonkey.net | ||
+ | peer : sks.spodhuis.org | ||
+ | peer : www.pretzlaff.co | ||
+ | peer : keys.itunix.eu | ||
+ | peer : sks.rainydayz.org | ||
+ | peer : ice.mudshark.org | ||
+ | |||
+ | state "SKS client" | ||
+ | client : Clients stellen Anfragen an den | ||
+ | client : SKS-Keyserver: | ||
+ | client : | ||
+ | client : Suche, hoch- und herunterladen | ||
+ | client : von neuen PGP-Schlüsseln durch | ||
+ | client : die Endanweder | ||
+ | |||
+ | state Apache_bzw_NGINX_Server { | ||
+ | state " | ||
+ | 11371 : Entgegennehmen der Clientanfragen | ||
+ | 11371 : | ||
+ | 11371 : Daemon | ||
+ | 11371 : Port 11371 | ||
+ | 11371 : Adresse | ||
+ | |||
+ | state " | ||
+ | 80 : Entgegennehmen der Clientanfragen | ||
+ | 80 : | ||
+ | 80 : Daemon | ||
+ | 80 : Port 80 | ||
+ | 80 : Adresse | ||
+ | |||
+ | state " | ||
+ | 443 : Entgegennehmen der Clientanfragen | ||
+ | 443 : | ||
+ | 443 : Daemon | ||
+ | 443 : Port 443 | ||
+ | 443 : Adresse | ||
+ | } | ||
+ | |||
+ | state SKS_Keyserver { | ||
+ | state " | ||
+ | db : Beantworten der Clientanfragen | ||
+ | db : und Verwalten der Key-Datenbank | ||
+ | db : | ||
+ | db : Daemon | ||
+ | db : Port 11371 | ||
+ | db : Adresse | ||
+ | |||
+ | state " | ||
+ | recon : Austausch der neuen und | ||
+ | recon : geänderten PGP-Schlüssel | ||
+ | recon : mit den Pearing-Partnern | ||
+ | recon : | ||
+ | recon : Daemon | ||
+ | recon : Port 11370 | ||
+ | recon : Adresse | ||
+ | |||
+ | } | ||
+ | |||
+ | peer -right-> recon | ||
+ | |||
+ | client --> 80 | ||
+ | client --> 443 | ||
+ | client --> 11371 | ||
+ | |||
+ | 80 --> db | ||
+ | 443 --> db | ||
+ | 11371 --> db | ||
+ | |||
+ | </ | ||
+ | |||
+ | <WRAP center round info 95%> \\ | ||
+ | In the two configuration examples that follow, the **" | ||
+ | </ | ||
+ | |||
+ | === Apache-Server === | ||
+ | In the first configuration example we set up a vHOST for our **[[centos: | ||
+ | # vim / | ||
+ | <code apache># | ||
+ | # keyserver.nausch.org: | ||
+ | # | ||
+ | < | ||
+ | ServerAdmin webmaster@nausch.org | ||
+ | ServerName keyserver.nausch.org: | ||
+ | ServerAlias keyserver.nausch.org | ||
+ | ServerPath / | ||
+ | |||
+ | <Proxy *> | ||
+ | Require all granted | ||
+ | </ | ||
+ | | ||
+ | ProxyPass / http:// | ||
+ | ProxyPassReverse / http:// | ||
+ | ProxyVia On | ||
+ | SetEnv proxy-nokeepalive 1 | ||
+ | |||
+ | ErrorLog logs/ | ||
+ | CustomLog logs/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | # | ||
+ | # keyserver.nausch.org: | ||
+ | # | ||
+ | < | ||
+ | ServerAdmin webmaster@nausch.org | ||
+ | ServerName keyserver.nausch.org: | ||
+ | ServerAlias keyserver.nausch.org | ||
+ | ServerPath / | ||
+ | |||
+ | <Proxy *> | ||
+ | Require all granted | ||
+ | </ | ||
+ | | ||
+ | ProxyPass / http:// | ||
+ | ProxyPassReverse / http:// | ||
+ | ProxyVia On | ||
+ | SetEnv proxy-nokeepalive 1 | ||
+ | |||
+ | ErrorLog logs/ | ||
+ | CustomLog logs/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | # | ||
+ | # keyserver.nausch.org: | ||
+ | # | ||
+ | < | ||
+ | ServerAdmin webmaster@nausch.org | ||
+ | ServerName keyserver.nausch.org: | ||
+ | ServerAlias keyserver.nausch.org | ||
+ | ServerPath / | ||
+ | |||
+ | # Django | ||
+ | # Required, because there is a host with same ServerName and | ||
+ | # ServerAlias LISTENING ON PORT 80, - and if these lines are | ||
+ | # not present, and .htaccess-Files or LDAP-Access is enabled | ||
+ | # for one or more Directory the host on PORT 443 and PORT 80 | ||
+ | # will ASK for .htaccess or LDAP-Access, | ||
+ | # ---------------------------------------------------------- | ||
+ | # -- DO NOT DELETE THE FOLLOWING LINES, STARTING WITH SSL -- | ||
+ | # -- WHEN USING .htaccess or LDAP-Access! | ||
+ | # ---------------------------------------------------------- | ||
+ | SSLEngine on | ||
+ | SSLProtocol -ALL +TLSv1 | ||
+ | SSLCipherSuite ALL: | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | SSLCertificateChainFile / | ||
+ | |||
+ | <Proxy *> | ||
+ | Require all granted | ||
+ | </ | ||
+ | | ||
+ | ProxyPass / http:// | ||
+ | ProxyPassReverse / http:// | ||
+ | ProxyVia On | ||
+ | SetEnv proxy-nokeepalive 1 | ||
+ | |||
+ | ErrorLog logs/ | ||
+ | CustomLog logs/ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Before restarting our Apache web server we check that no error has crept into our new configuration file. | ||
+ | # apachectl -t | ||
+ | |||
+ | Syntax OK | ||
+ | |||
+ | If everything is OK, we restart our web server. | ||
+ | # systemctl condrestart httpd.service | ||
+ | |||
+ | === NGINX-Server === | ||
+ | If the web server we use is **[[http:// | ||
+ | # vim / | ||
+ | <file c++ / | ||
+ | server { | ||
+ | # Django : 2015-05-28 | ||
+ | # which port should the server listen on (HTTP: 11371)? | ||
+ | listen | ||
+ | |||
+ | # which server name (vHOST) should the server respond to? | ||
+ | server_name | ||
+ | |||
+ | # which access and error log files should be written? | ||
+ | access_log | ||
+ | error_log | ||
+ | |||
+ | # which content should be served, or to which server should the HTTP requests | ||
+ | # be forwarded? | ||
+ | location / { | ||
+ | proxy_pass | ||
+ | proxy_pass_header | ||
+ | add_header | ||
+ | proxy_ignore_client_abort | ||
+ | client_max_body_size | ||
+ | proxy_redirect | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | server { | ||
+ | # Django : 2015-05-28 | ||
+ | # which port should the server listen on (HTTP: 80)? | ||
+ | listen | ||
+ | |||
+ | # which server name (vHOST) should the server respond to? | ||
+ | server_name | ||
+ | |||
+ | # which access and error log files should be written? | ||
+ | access_log | ||
+ | error_log | ||
+ | |||
+ | # which content should be served, or to which server should the HTTP requests | ||
+ | # be forwarded? | ||
+ | location / { | ||
+ | proxy_pass | ||
+ | proxy_pass_header | ||
+ | add_header | ||
+ | proxy_ignore_client_abort | ||
+ | client_max_body_size | ||
+ | proxy_redirect | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | server { | ||
+ | # Django : 2015-05-28 | ||
+ | # which port should the server listen on (HTTPS: 443)? | ||
+ | # in addition to TLS, SPDY (http:// | ||
+ | listen | ||
+ | |||
+ | # which server name (vHOST) should the server respond to? | ||
+ | server_name | ||
+ | |||
+ | # which access and error log files should be written? | ||
+ | access_log | ||
+ | error_log | ||
+ | |||
+ | # include the standard parameters for TLS encryption | ||
+ | include | ||
+ | # certificate file incl. any intermediate and root certificates required | ||
+ | # 1) server certificate, | ||
+ | ssl_certificate | ||
+ | # key file, | ||
+ | ssl_certificate_key | ||
+ | |||
+ | # which content should be served, or to which server should the HTTP requests | ||
+ | # be forwarded? | ||
+ | location / { | ||
+ | proxy_pass | ||
+ | proxy_pass_header | ||
+ | add_header | ||
+ | proxy_ignore_client_abort | ||
+ | client_max_body_size | ||
+ | proxy_redirect | ||
+ | } | ||
+ | } | ||
+ | |||
+ | </ | ||
+ | |||
+ | Before restarting our NGINX web server we check that no error has crept into our new configuration file. | ||
+ | # nginx -t | ||
+ | |||
+ | Syntax OK | ||
+ | |||
+ | If everything is OK, we restart our web server. | ||
+ | # systemctl condrestart nginx.service | ||
+ | |||
+ | ==== Packet filter / firewall ==== | ||
+ | So that clients can connect to our keyserver on ports **11371**, **80** and **443**, we still have to define the corresponding firewall rules. The same naturally applies to the peering partners, | ||
+ | |||
+ | Under **CentOS 7** the dynamic **firewalld** is used as the default firewall. A major advantage of dynamic packet filter rules is, among other things, that activating new firewall rule(s) does not require restarting the daemon, which would briefly cut all active connections. Instead, our changes can be **// | ||
+ | |||
+ | In our configuration example our keyserver has the IP address 10.0.0.37. We therefore need a firewall definition, | ||
+ | * **11371** HKP port: bound on IP address 10.0.0.37 by the **NGiNX** daemon and on IP address 127.0.0.1 by the **sks-db** daemon | ||
+ | * **11370** recon port: bound on IP address 10.0.0.37 by the **sks-recon** daemon | ||
+ | * **80** HTTP port: bound on IP address 10.0.0.37 by the **NGiNX** daemon | ||
+ | * **443** HTTPS port: bound on IP address 10.0.0.37 by the **NGiNX** daemon | ||
+ | |||
+ | Using the program **firewall-cmd** we now create a **permanent** rule in the zone **public**, which in our example corresponds to the network interface **eth0** with the IP **10.0.0.37**. As the source IP we specify the IP address of our Postfix server, i.e. **0.0.0.0/ | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | |||
+ | To activate them we only need to reload the firewall daemon. | ||
+ | # firewall-cmd --reload | ||
+ | |||
+ | If we now query the rule set of our **iptables**-based firewall, we find our active rules in the chain **IN_public_allow**. | ||
+ | # iptables -nvL IN_public_allow | ||
+ | |||
+ | < | ||
+ | Chain IN_public_allow (1 references) | ||
+ | pkts bytes target | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | </ | ||
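The binding list above (sks-db only on 127.0.0.1, NGiNX and sks-recon on 10.0.0.37) is what makes opening 11371 on the public zone safe, so it is worth verifying before the rules go live. The following bash check is an added example, not part of this page or of SKS: it reads `ss -Hltnp`-style output (here two constructed samples, IPv4 only) and reports a loopback-only daemon that ended up bound to all interfaces, a port held by the wrong process, or a missing listener.

```shell
#!/usr/bin/env bash
# Added example (not from this page or the SKS project): verify that the SKS
# daemons and the reverse proxy are bound the way the firewall rules assume.
# Parses "ss -Hltnp" output (IPv4 only); the samples below are constructed so
# the script runs offline. On the real host use: check_bindings "$(ss -Hltnp)"
set -u

PUBLIC_IP="10.0.0.37"          # address the firewalld rich rules were written for

# Expected "address:port process" bindings, as listed in the section above.
EXPECTED_BINDINGS="
${PUBLIC_IP}:11371 nginx
${PUBLIC_IP}:80 nginx
${PUBLIC_IP}:443 nginx
${PUBLIC_IP}:11370 sks-recon
127.0.0.1:11371 sks-db
"

# listeners_on_port SS_OUTPUT PORT
# Prints "address process" for every LISTEN socket on PORT.
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != port) next
            proc = "?"
            if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            print a[1], proc
        }'
}

# check_bindings SS_OUTPUT
# Prints one finding per line and returns the number of real problems:
#   MISSING   nothing listens on the expected port
#   WRONGPROC the port is held by a different process
#   EXPOSED   a loopback-only service is bound to 0.0.0.0 (reachable from outside)
#   WILDCARD  (informational) a public service is bound to 0.0.0.0 instead of the IP
check_bindings() {
    local ss_out="$1" problems=0 addrport proc addr port found
    while read -r addrport proc; do
        [ -n "$addrport" ] || continue
        addr="${addrport%:*}"; port="${addrport##*:}"
        found="$(listeners_on_port "$ss_out" "$port")"
        if printf '%s\n' "$found" | grep -qxF "$addr $proc"; then
            continue
        elif printf '%s\n' "$found" | grep -qxF "0.0.0.0 $proc"; then
            if [ "$addr" = "127.0.0.1" ]; then
                echo "EXPOSED $addrport $proc is bound to all interfaces"
                problems=$((problems + 1))
            else
                echo "WILDCARD $addrport $proc is bound to all interfaces"
            fi
        elif [ -z "$found" ]; then
            echo "MISSING $addrport ($proc is not listening)"
            problems=$((problems + 1))
        else
            echo "WRONGPROC $addrport held by: $(printf '%s' "$found" | tr '\n' ';')"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED_BINDINGS
EOF
    return "$problems"
}

# Constructed sample 1: everything bound as intended.
SS_GOOD='LISTEN 0 128 10.0.0.37:11371 0.0.0.0:* users:(("nginx",pid=1202,fd=6))
LISTEN 0 128 10.0.0.37:80 0.0.0.0:* users:(("nginx",pid=1202,fd=7))
LISTEN 0 128 10.0.0.37:443 0.0.0.0:* users:(("nginx",pid=1202,fd=8))
LISTEN 0 128 10.0.0.37:11370 0.0.0.0:* users:(("sks-recon",pid=1311,fd=4))
LISTEN 0 128 127.0.0.1:11371 0.0.0.0:* users:(("sks-db",pid=1305,fd=5))'

# Constructed sample 2: nginx is down, sks-db took 11371 on all interfaces
# (so the firewall rule for 11371 now exposes the daemon directly) and
# sks-recon listens on 0.0.0.0 instead of the public address.
SS_BAD='LISTEN 0 128 0.0.0.0:11371 0.0.0.0:* users:(("sks-db",pid=1305,fd=5))
LISTEN 0 128 0.0.0.0:11370 0.0.0.0:* users:(("sks-recon",pid=1311,fd=4))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=900,fd=13))'

if [ "${1:-}" = "--demo" ]; then
    check_bindings "$SS_GOOD" && echo "sample 1: OK"
    check_bindings "$SS_BAD" || echo "sample 2: $? problem(s)"
fi
```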
+ | |||
+ | ===== Populating the database initially ===== | ||
+ | ==== Download key dump ==== | ||
+ | For the initial population of our SKS keyserver we need a dump file of the complete SKS database. Without such a database backup, all keys would otherwise have to be fetched from the individual peering partners. This would put unnecessary load on them, and the time it would take would hardly be manageable: as of 27.12.2011 the database already held 3,026,036 keys, and more are added every day! | ||
+ | |||
+ | So we create a temporary directory to receive the dump files. | ||
+ | # mkdir / | ||
+ | |||
+ | We also adjust the permissions for the directory. | ||
+ | |||
+ | Then we change into the target directory. | ||
+ | # cd / | ||
+ | |||
+ | In the third step we now fetch the database backup, | ||
+ | |||
+ | # wget --recursive --timestamping --level=1 --cut-dirs=3 --no-host-directories https:// | ||
+ | |||
+ | /* | ||
+ | # wget http:// | ||
+ | # wget http:// | ||
+ | |||
+ | # tar -xvf sks-dump-allfiles.tar | ||
+ | |||
+ | # bzip2 -d / | ||
+ | */ | ||
+ | |||
+ | |||
+ | Once all files have been downloaded to our server, we also verify the MD5 checksums, | ||
+ | |||
+ | # cd / | ||
+ | |||
+ | # md5sum -c / | ||
+ | |||
+ | < | ||
+ | sks-dump-0001.pgp: | ||
+ | sks-dump-0002.pgp: | ||
+ | sks-dump-0003.pgp: | ||
+ | sks-dump-0004.pgp: | ||
+ | sks-dump-0005.pgp: | ||
+ | sks-dump-0006.pgp: | ||
+ | sks-dump-0007.pgp: | ||
+ | sks-dump-0008.pgp: | ||
+ | sks-dump-0009.pgp: | ||
+ | sks-dump-0010.pgp: | ||
+ | ... | ||
+ | |||
+ | ... | ||
+ | sks-dump-0390.pgp: | ||
+ | sks-dump-0391.pgp: | ||
+ | sks-dump-0392.pgp: | ||
+ | sks-dump-0393.pgp: | ||
+ | sks-dump-0394.pgp: | ||
+ | sks-dump-0395.pgp: | ||
+ | sks-dump-0396.pgp: | ||
+ | sks-dump-0397.pgp: | ||
+ | sks-dump-0398.pgp: | ||
+ | |||
+ | |||
+ | ==== Creating the database from the key dump ==== | ||
+ | Once all files have been downloaded to our server without errors, it is time to build the **local database**. To do this we first change into the root directory of our SKS installation // | ||
+ | |||
+ | # cd / | ||
+ | |||
+ | There we start the script **sks_build.sh**, which was shipped with the installation of our SKS RPM. If our server only has limited resources such as **CPU** and **RAM**, we have to adapt the values used in the calls to **fastbuild** and **pbuild** to our server's system resources. | ||
+ | |||
+ | <file bash / | ||
+ | |||
+ | # SKS build script. | ||
+ | # cd to directory with " | ||
+ | # You might want to edit this file to reduce or increase memory usage | ||
+ | # depending on your system | ||
+ | |||
+ | trap ignore_signal USR1 USR2 | ||
+ | |||
+ | ignore_signal() { | ||
+ | echo " | ||
+ | } | ||
+ | |||
+ | ask_mode() { | ||
+ | echo " | ||
+ | echo "" | ||
+ | echo "1 - fastbuild" | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "" | ||
+ | echo "2 - normalbuild" | ||
+ | echo "" | ||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | echo "" | ||
+ | echo -n "Enter enter the mode (1/2): " | ||
+ | read | ||
+ | case " | ||
+ | 1) | ||
+ | mode=" | ||
+ | ;; | ||
+ | 2) | ||
+ | # Django : 2015-07-11 | ||
+ | # default: mode=" | ||
+ | mode=" | ||
+ | ;; | ||
+ | *) | ||
+ | echo " | ||
+ | exit 1 | ||
+ | ;; | ||
+ | esac | ||
+ | } | ||
+ | |||
+ | fail() { echo Command failed unexpectedly. | ||
+ | |||
+ | ask_mode | ||
+ | |||
+ | echo "=== Running (fast)build... ===" | ||
+ | if ! / | ||
+ | echo === Cleaning key database... === | ||
+ | if ! / | ||
+ | echo === Building ptree database... === | ||
+ | if ! / | ||
+ | echo === Done! === | ||
+ | </ | ||
+ | |||
+ | Calling the shell script **sks_build.sh** starts the import of the key dump. First we are asked whether we want to | ||
+ | - **fastbuild** keep the key dump and only have the database index created, or | ||
+ | - **normalbuild** build the database completely from scratch. | ||
+ | |||
+ | If required, the progress of the database build can be followed in the following log files: | ||
+ | * **fastbuild.log** | ||
+ | * **clean.log** | ||
+ | * **pbuild.log** | ||
+ | |||
+ | # / | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | 1 - fastbuild | ||
+ | only an index of the keydump is created and the keydump cannot be | ||
+ | removed. | ||
+ | |||
+ | 2 - normalbuild | ||
+ | |||
+ | all the keydump will be imported in a new database. It takes longer | ||
+ | time and more disk space, but the server will run faster (depending | ||
+ | from the source/age of the keydump). | ||
+ | The keydump can be removed after the import. | ||
+ | |||
+ | Enter enter the mode (1/2): 2 | ||
+ | === Running (fast)build... === | ||
+ | Loading keys...done | ||
+ | DB time: 0.42 min. Total time: 0.50 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.62 min. Total time: 0.77 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.42 min. Total time: 1.54 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.41 min. Total time: 1.68 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.46 min. Total time: 2.12 min. | ||
+ | Loading keys...done | ||
+ | DB time: 1.10 min. Total time: 2.81 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.55 min. Total time: 2.77 min. | ||
+ | Loading keys...done | ||
+ | DB time: 2.85 min. Total time: 4.47 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.78 min. Total time: 5.23 min. | ||
+ | Loading keys...done | ||
+ | DB time: 5.02 min. Total time: 6.58 min. | ||
+ | Loading keys...done | ||
+ | DB time: 0.71 min. Total time: 3.36 min. | ||
+ | Loading keys...done | ||
+ | DB time: 1.30 min. Total time: 4.01 min. | ||
+ | Loading keys...done | ||
+ | DB time: 1.08 min. Total time: 3.33 min. | ||
+ | Loading keys...done | ||
+ | DB time: 1.01 min. Total time: 4.07 min. | ||
+ | Loading keys...done | ||
+ | DB time: 3.03 min. Total time: 5.33 min. | ||
+ | Loading keys...done | ||
+ | DB time: 5.24 min. Total time: 7.58 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.25 min. Total time: 8.98 min. | ||
+ | Loading keys...done | ||
+ | DB time: 4.32 min. Total time: 7.58 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.78 min. Total time: 9.65 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.48 min. Total time: 11.65 min. | ||
+ | Loading keys...done | ||
+ | DB time: 2.89 min. Total time: 8.35 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.68 min. Total time: 8.69 min. | ||
+ | Loading keys...done | ||
+ | DB time: 5.29 min. Total time: 7.38 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.05 min. Total time: 8.57 min. | ||
+ | Loading keys...done | ||
+ | DB time: 5.89 min. Total time: 8.82 min. | ||
+ | Loading keys...done | ||
+ | DB time: 6.90 min. Total time: 9.88 min. | ||
+ | Loading keys...done | ||
+ | DB time: 3.95 min. Total time: 5.66 min. | ||
+ | === Cleaning key database... === | ||
+ | === Building ptree database... === | ||
+ | === Done! === | ||
+ | </ | ||
+ | |||
+ | <WRAP round alert> | ||
+ | The **dump** directory must never be deleted if you decided to perform only a **fastbuild**, | ||
+ | </ | ||
+ | |||
+ | The generation of the database (parts) was logged accordingly in the log files: | ||
+ | # less / | ||
+ | |||
+ | 2015-07-10 21:09:51 Opening log | ||
+ | 2015-07-10 21:09:51 Running SKS 1.1.5 | ||
+ | 2015-07-10 21:09:51 Opening KeyDB database | ||
+ | |||
+ | # / | ||
+ | < | ||
+ | 2015-07-10 23:49:01 Running SKS 1.1.5 | ||
+ | 2015-07-10 23:49:01 Opening KeyDB database | ||
+ | 2015-07-10 23:49:01 Keydb opened | ||
+ | 2015-07-10 23:49:01 Database already deduped | ||
+ | 2015-07-10 23:49:01 Merging keys in database | ||
+ | 2015-07-10 23:49:01 Starting key merge | ||
+ | 2015-07-10 23:49:01 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:49:01 Hash: 0601937B551C30D7326D10AEC232FE9D | ||
+ | 2015-07-10 23:49:01 Hash: 25762EBCF3D9A13DBEC6A5833C3E574B | ||
+ | 2015-07-10 23:49:01 Hash: 19B3AA9F77E354BDB49F82CA49A7527E | ||
+ | 2015-07-10 23:49:01 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:49:01 Hash: 4DED36458ABCB8265E13E8C450ABCCAE | ||
+ | 2015-07-10 23:49:01 Hash: D5110071F82A6E7EEE82A46471D9AD3C | ||
+ | 2015-07-10 23:49:01 Hash: 5D61CB0A6F7FD10A60ACDC37799DFF5C | ||
+ | 2015-07-10 23:49:01 Hash: 5C5FED1F17ED372635DDBD270D327DC8 | ||
+ | 2015-07-10 23:49:01 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:49:01 Hash: 0D18FBFDD73B9C77298F0872A0FD5FB4 | ||
+ | 2015-07-10 23:49:01 Hash: AAC4EE9160676C62F1BEDF8B74108154 | ||
+ | 2015-07-10 23:49:01 Multiple keys found with same ID. merge_from_hashes called | ||
+ | ... | ||
+ | |||
+ | ... | ||
+ | 2015-07-10 23:50:34 3970 thousand steps processed | ||
+ | 2015-07-10 23:50:34 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:50:34 Hash: 5F87E0022D727FF3849FDE84849F569C | ||
+ | 2015-07-10 23:50:34 Hash: 900769245D28075C44CFF208B3229C84 | ||
+ | 2015-07-10 23:50:34 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:50:34 Hash: 56A881BCB74216F8709FFEE62A0A085B | ||
+ | 2015-07-10 23:50:34 Hash: 64BD2DEA21284CB142D9502D655DD588 | ||
+ | 2015-07-10 23:50:34 Multiple keys found with same ID. merge_from_hashes called | ||
+ | 2015-07-10 23:50:34 Hash: 5BDC703C635488A6E449D626E4B783B2 | ||
+ | 2015-07-10 23:50:34 Hash: BD582C386E381B241339D65A21E69628 | ||
+ | 2015-07-10 23:50:34 Completed key merge | ||
+ | </ | ||
+ | |||
+ | # cat / | ||
+ | < | ||
+ | 2015-07-10 23:50:34 Running SKS 1.1.5 | ||
+ | 2015-07-10 23:50:34 Opening PTree database | ||
+ | 2015-07-10 23:50:35 Opening dbs... | ||
+ | 2015-07-10 23:50:35 Opening KeyDB database | ||
+ | 2015-07-10 23:50:35 5000 hashes processed | ||
+ | 2015-07-10 23:50:35 10000 hashes processed | ||
+ | 2015-07-10 23:50:36 15000 hashes processed | ||
+ | 2015-07-10 23:50:37 20000 hashes processed | ||
+ | 2015-07-10 23:50:37 25000 hashes processed | ||
+ | ... | ||
+ | |||
+ | ... | ||
+ | 2015-07-11 00:35:16 3940000 hashes processed | ||
+ | 2015-07-11 00:35:21 3945000 hashes processed | ||
+ | 2015-07-11 00:35:25 3950000 hashes processed | ||
+ | 2015-07-11 00:35:29 3955000 hashes processed | ||
+ | 2015-07-11 00:35:34 3960000 hashes processed | ||
+ | 2015-07-11 00:35:38 3965000 hashes processed | ||
+ | 2015-07-11 00:35:42 3970000 hashes processed | ||
+ | 2015-07-11 00:35:47 3975000 hashes processed | ||
+ | 2015-07-11 00:35:47 3975295 hashes processed | ||
+ | 2015-07-11 00:35:47 Cleaning Tree.</ | ||
+ | Since we only have to build our database once, at the start, we simply move the log files produced while creating the database to where they belong, namely to // | ||
+ | # mv / | ||
+ | |||
+ | Da unser Keyserver mit den Rechten des Users **sks** laufen wird, //" | ||
+ | # chown sks.sks / | ||
+ | |||
+ | Bevor wir nun unseren Keyserver das erste mal starten, kontrollieren und berichtigen wir noch die Berechtigungen in den Konfigurations- und Logverzeichnissen. | ||
+ | |||
+ | # chown sks.sks /etc/sks/ -R | ||
+ | |||
+ | # chown sks.sks / | ||
+ | |||
+ | |||
===== Starting the SKS server services =====
==== sks-db ====
Now that we have successfully completed the initial population of the key database, it is time to start the SKS database daemon **sks-db**.
# systemctl start sks-db

We can verify that it started successfully as follows:
# systemctl status sks-db
<code>
Main PID: 6531 (bash)

Jul 11 00:39:55 vml000037.dmz.nausch.org systemd[1]: Started SKS database service.
</code>

The start is also logged accordingly in the database daemon's log file.
# tailf /
<code>
2015-07-11 00:39:55 sks_db, SKS version 1.1.5
2015-07-11 00:39:55 Using BerkelyDB version 5.3.21
2015-07-11 00:39:55 Copyright Yaron Minsky 2002, 2003, 2004
2015-07-11 00:39:55 Licensed under GPL. See LICENSE file for details
2015-07-11 00:39:55 http port: 11371
2015-07-11 00:39:55 address for key.adeti.org:
2015-07-11 00:39:55 address for keys.niif.hu:
2015-07-11 00:39:56 address for keyserver.adamas.ai:
2015-07-11 00:39:56 address for keyserver.ccc-hanau.de:
2015-07-11 00:39:56 address for keyserver.computer42.org:
2015-07-11 00:39:56 address for keyserver.kjsl.org:
2015-07-11 00:40:06 address for keyserver.siccegge.de:
2015-07-11 00:40:06 address for keyserver.stack.nl:
2015-07-11 00:40:06 address for pgp.codelabs.ru:
2015-07-11 00:40:06 address for pgpkeys.co.uk:
2015-07-11 00:40:07 address for pgpkeys.eu:
2015-07-11 00:40:07 address for pks.aaiedu.hr:
2015-07-11 00:40:07 address for keyserver.singpolyma.net:
2015-07-11 00:40:07 address for sks.pkqs.net:
2015-07-11 00:40:07 address for sks.powdarrmonkey.net:
2015-07-11 00:40:07 address for sks.spodhuis.org:
2015-07-11 00:40:07 address for www.pretzlaff.co:
2015-07-11 00:40:07 address for keys.itunix.eu:
2015-07-11 00:40:07 address for sks.rainydayz.org:
2015-07-11 00:40:08 address for ice.mudshark.org:
2015-07-11 00:40:08 Opening KeyDB database
2015-07-11 00:40:08 Calculating DB stats
2015-07-11 00:40:13 Done calculating DB stats
2015-07-11 00:40:13 Database opened
2015-07-11 00:40:13 Applied filters: yminsky.dedup,
2015-07-11 00:40:13 Calculating DB stats
2015-07-11 00:40:18 Done calculating DB stats
</code>

If we now query the open ports with **netstat**, we see, in addition to the reverse proxy's ports **80**, **443** and **11371**, the one at the address **127.0.0.1/
# netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
tcp 0 0 127.0.0.1:
tcp 0 0 10.0.0.37:
tcp 0 0 10.0.0.37:
tcp 0 0 10.0.0.37:

To have the daemon start automatically at boot as well, we run the following command.
# systemctl enable sks-db

ln -s '/

If we want to know whether the daemon will also be started automatically when the server boots, we use the **is-enabled** option.

# systemctl is-enabled sks-db

enabled
+ | |||
==== sks-recon ====
Next we start the **sks-recon** daemon, i.e. the daemon responsible for exchanging keys with the peering partners.
# systemctl start sks-recon

<WRAP center round tip 85%>
Should the daemon refuse to start the first time we launch it,
To do so, we change into the **SKS working directory**.
# cd /

Then we start the daemon by hand.
# sks recon

This way, in case of an error, we can troubleshoot in a more targeted manner using the daemon's own messages. To stop the foreground process we then use the key combination "
</WRAP>

We can verify that it started successfully as follows:
# systemctl status sks-recon
<code>
Main PID: 6645 (bash)

Jul 11 00:54:37 vml000037.dmz.nausch.org systemd[1]: Starting SKS reconciliation service...
Jul 11 00:54:37 vml000037.dmz.nausch.org systemd[1]: Started SKS reconciliation service.
</code>

The start is also logged accordingly in the daemon's log file.
# tailf /

<code>
2015-07-11 00:52:49 sks_recon, SKS version 1.1.5
2015-07-11 00:52:49 Using BerkelyDB version 5.3.21
2015-07-11 00:52:49 Copyright Yaron Minsky 2002-2013
2015-07-11 00:52:49 Licensed under GPL. See LICENSE file for details
2015-07-11 00:52:49 Opening PTree database
2015-07-11 00:52:49 Setting up PTree data structure
2015-07-11 00:52:49 PTree setup complete
2015-07-11 00:55:35 address for key.adeti.org:
2015-07-11 00:55:35 address for keys.niif.hu:
2015-07-11 00:55:35 address for keyserver.adamas.ai:
2015-07-11 00:55:35 address for keyserver.ccc-hanau.de:
2015-07-11 00:55:35 address for keyserver.computer42.org:
2015-07-11 00:55:35 address for keyserver.kjsl.org:
2015-07-11 00:55:40 address for keyserver.siccegge.de:
2015-07-11 00:55:40 address for keyserver.stack.nl:
2015-07-11 00:55:40 address for pgp.codelabs.ru:
2015-07-11 00:55:40 address for pgpkeys.co.uk:
2015-07-11 00:55:40 address for pgpkeys.eu:
2015-07-11 00:55:40 address for pks.aaiedu.hr:
2015-07-11 00:55:41 address for keyserver.singpolyma.net:
2015-07-11 00:55:41 address for sks.pkqs.net:
2015-07-11 00:55:41 address for sks.powdarrmonkey.net:
2015-07-11 00:55:41 address for sks.spodhuis.org:
2015-07-11 00:55:41 address for www.pretzlaff.co:
2015-07-11 00:55:41 address for keys.itunix.eu:
2015-07-11 00:55:41 address for sks.rainydayz.org:
2015-07-11 00:55:41 address for ice.mudshark.org:
</code>

If we now query the open ports with **netstat**, we see, in addition to the already open reverse proxy ports **80**, **443** and **11371** and the **127.0.0.1/
# netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
tcp 1 0 0.0.0.0:
tcp 0 0 127.0.0.1:
tcp 0 0 10.0.0.37:
tcp 0 0 10.0.0.37:
tcp 0 0 10.0.0.37:

To have the daemon start automatically at boot as well, we run the following command.
# systemctl enable sks-recon

ln -s '/

If we want to know whether the daemon will also be started automatically when the server boots, we use the **is-enabled** option.

# systemctl is-enabled sks-recon

enabled
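The two **netstat** checks above (one after starting sks-db, one after starting sks-recon) can be turned into a repeatable health check. The script below is an added example, not part of this page or of the SKS project: it parses the output of **netstat -tulpen**, port 11371 is taken from the sks-db log above, port 11370 is assumed to be the SKS default recon port, and the netstat sample embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a health check for the two
# SKS daemons, parsing "netstat -tulpen" output as used on this page.
# 11371 is the hkp port from the sks-db log; 11370 is an ASSUMPTION (SKS default
# recon port), since the page's own netstat output is truncated.

SKS_DB_ADDR="127.0.0.1:11371"   # sks-db must only be reachable via loopback
SKS_RECON_PORT="11370"          # assumption: SKS default recon_port

# Constructed sample in "netstat -tulpen" layout; column 9 is PID/Program name.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp        0      0 127.0.0.1:11371  0.0.0.0:*  LISTEN  1001  30001  6531/sks
tcp        0      0 10.0.0.37:11371  0.0.0.0:*  LISTEN  0     30002  1200/nginx
tcp        1      0 0.0.0.0:11370    0.0.0.0:*  LISTEN  1001  30003  6645/sks'

# sks_listener_on TEXT ADDR:PORT -> 0 if a LISTEN socket with exactly that
# local address belongs to the sks program.
sks_listener_on() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 == "tcp" && $4 == want && $6 == "LISTEN" && $9 ~ /\/sks$/ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# sks_db_loopback_only TEXT -> 0 if no sks-owned LISTEN socket on port 11371
# is bound to a non-loopback address (the reverse proxy, not sks-db, faces
# the network on 11371).
sks_db_loopback_only() {
    printf '%s\n' "$1" | awk \
        '$1 == "tcp" && $6 == "LISTEN" && $9 ~ /\/sks$/ &&
         $4 ~ /:11371$/ && $4 !~ /^127\./ { bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# sks_recon_listening TEXT -> 0 if sks owns a LISTEN socket on the recon port,
# on any address, since peering partners connect to it from outside.
sks_recon_listening() {
    printf '%s\n' "$1" | awk -v port="$SKS_RECON_PORT" \
        '$1 == "tcp" && $6 == "LISTEN" && $9 ~ /\/sks$/ && $4 ~ (":" port "$") { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Run the three checks against the live system (root is needed for the PID column).
check_live() {
    text=$(netstat -tulpen 2>/dev/null) || { echo "netstat not available"; return 2; }
    sks_listener_on "$text" "$SKS_DB_ADDR" || { echo "sks-db not on $SKS_DB_ADDR"; return 1; }
    sks_db_loopback_only "$text"           || { echo "sks-db exposed beyond loopback"; return 1; }
    sks_recon_listening "$text"            || { echo "sks-recon not on port $SKS_RECON_PORT"; return 1; }
    echo "SKS listeners look as expected"
}
```

Call `check_live` from a cron job or a monitoring check; a non-zero exit means one of the two daemons is missing or sks-db has become reachable beyond the loopback interface.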
+ | |||
/*
cd /
975 wget -m -nH --cut-dirs=3 ftp://
978 md5sum -c /
rmdir /
rmdir /
979 cd /
984 /
988 chown sks.sks /
989 systemctl start sks-db
990 systemctl status sks-db
992 systemctl start sks-recon
993 systemctl status sks-recon
*/
====== Links ======
* **[[centos:
* **[[wiki:
* **[[http://
+ | |||