Inhaltsverzeichnis

SKS Keyserver unter CentOS 7.x installieren und betreiben

SKS Keyserver Logo

Zur Verteilung und Abfrage von PGP-Schlüsseln bedienen wir uns am einfachsten eines OpenPGP Keyservers. In diesem Kapitel widmen wir uns nun eingehend mit der Installation eines SKS Keyservers unter CentOS 7.x.

Der grosse Vorteil des SKS-Keyservers ist sein einfaches und robustes Design, da der Server im wesentlichen aus zwei Prozessen besteht. Der erste (sks-db) übernimmt die Aufnahme neue Schlüssel, sowie die Ausgabe der gesuchten Schlüssel. Hierzu wird eine einfache Web-Schnittstelle zur Verfügung gestellt. Der zweite Serverprozess (sks-recon) kümmert sich um den automatischen Abgleich der lokalen Datenbank mit den in Verbindung stehenden Peering-Partnern.

Ein wesentlicher Vorteil des SKS-Keyservers ist, dass dieser aktuell und aktiv weiterentwickelt wird, sowie eine weitestgehende Unterstützung des OpenPGP-Standards inklusive PhotoIDs und Subkeys unterstützt.

Installation

Zur Installation unseres SKS-Keyservers benutzen wir am einfachsten das RPM-Paket aus dem Projekt Extra Packages for Enterprise Linux kurz EPEL. Dieses Repository binden wir in unserem Server wie im Kapitel Einbinden des EPEL Repository unter CentOS 6.x beschrieben in unser System ein.

Die Installation gestaltet sich somit sehr einfach, muss nur noch das Paket sks mit Hilfe von yum installiert werden.

 # yum install sks -y

Was uns das Programmpaket alles mitbringt offenbart uns wie immer eine Abfrage mit Hilfe von rpm -qil.

 # rpm -qil sks
Name        : sks
Version     : 1.1.5
Release     : 7.el7
Architecture: x86_64
Install Date: Wed 08 Jul 2015 01:28:35 PM CEST
Group       : System Environment/Daemons
Size        : 2772877
License     : GPLv2+
Signature   : RSA/SHA256, Fri 19 Sep 2014 03:46:53 AM CEST, Key ID 6a2faea2352c64e5
Source RPM  : sks-1.1.5-7.el7.src.rpm
Build Date  : Fri 12 Sep 2014 12:30:05 AM CEST
Build Host  : buildvm-15.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://code.google.com/p/sks-keyserver/
Summary     : Synchronizing Key Server
Description :
SKS is a OpenPGP keyserver whose goal is to provide easy to
deploy, decentralized, and highly reliable synchronization.
/usr/bin/sks
/usr/bin/sks_add_mail
/usr/bin/sks_build.sh
/usr/lib/systemd/system/sks-db.service
/usr/lib/systemd/system/sks-recon.service
/usr/sbin/sks-db
/usr/sbin/sks-recon
/usr/share/doc/sks-1.1.5
/usr/share/doc/sks-1.1.5/ANNOUNCEMENT
/usr/share/doc/sks-1.1.5/BUGS
/usr/share/doc/sks-1.1.5/CHANGELOG
/usr/share/doc/sks-1.1.5/FILES
/usr/share/doc/sks-1.1.5/LICENSE
/usr/share/doc/sks-1.1.5/README.md
/usr/share/doc/sks-1.1.5/TODO
/usr/share/doc/sks-1.1.5/UPGRADING
/usr/share/doc/sks-1.1.5/VERSION
/usr/share/doc/sks-1.1.5/sampleConfig
/usr/share/doc/sks-1.1.5/sampleConfig/DB_CONFIG
/usr/share/doc/sks-1.1.5/sampleConfig/DB_CONFIG.orig
/usr/share/doc/sks-1.1.5/sampleConfig/aliases.sample
/usr/share/doc/sks-1.1.5/sampleConfig/aliases.sample.orig
/usr/share/doc/sks-1.1.5/sampleConfig/crontab.sample
/usr/share/doc/sks-1.1.5/sampleConfig/crontab.sample.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian
/usr/share/doc/sks-1.1.5/sampleConfig/debian/README
/usr/share/doc/sks-1.1.5/sampleConfig/debian/README.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/forward.exim
/usr/share/doc/sks-1.1.5/sampleConfig/debian/forward.exim.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/forward.postfix
/usr/share/doc/sks-1.1.5/sampleConfig/debian/forward.postfix.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/mailsync
/usr/share/doc/sks-1.1.5/sampleConfig/debian/mailsync.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/membership
/usr/share/doc/sks-1.1.5/sampleConfig/debian/membership.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/procmail
/usr/share/doc/sks-1.1.5/sampleConfig/debian/procmail.orig
/usr/share/doc/sks-1.1.5/sampleConfig/debian/sksconf
/usr/share/doc/sks-1.1.5/sampleConfig/debian/sksconf.orig
/usr/share/doc/sks-1.1.5/sampleConfig/mailsync
/usr/share/doc/sks-1.1.5/sampleConfig/mailsync.orig
/usr/share/doc/sks-1.1.5/sampleConfig/membership
/usr/share/doc/sks-1.1.5/sampleConfig/membership.orig
/usr/share/doc/sks-1.1.5/sampleConfig/procmailrc
/usr/share/doc/sks-1.1.5/sampleConfig/procmailrc.orig
/usr/share/doc/sks-1.1.5/sampleConfig/rc.sks
/usr/share/doc/sks-1.1.5/sampleConfig/rc.sks.orig
/usr/share/doc/sks-1.1.5/sampleConfig/sksconf.minimal
/usr/share/doc/sks-1.1.5/sampleConfig/sksconf.minimal.orig
/usr/share/doc/sks-1.1.5/sampleConfig/sksconf.typical
/usr/share/doc/sks-1.1.5/sampleConfig/sksconf.typical.orig
/usr/share/doc/sks-1.1.5/sampleWeb
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/README
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/README.orig
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/index.html
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/index.html.orig
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/robots.txt
/usr/share/doc/sks-1.1.5/sampleWeb/HTML5/robots.txt.orig
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/README
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/README.orig
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/index.html
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/index.html.orig
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/robots.txt
/usr/share/doc/sks-1.1.5/sampleWeb/OpenPKG/robots.txt.orig
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/functions.es
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/functions.es.orig
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/index.xhtml
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/index.xhtml.orig
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/robots.txt
/usr/share/doc/sks-1.1.5/sampleWeb/XHTML+ES/robots.txt.orig
/usr/share/man/man8/sks.8.gz

Dokumentation

Die Dokumentation die mitgeliefert wird, findet sich im Verzeichnis /usr/share/doc/sks-1.1.4/. Die dort hinterlegen Dokumente können bei der weiteren Konfiguration wertvolle Hilfe leisten.

ANNOUNCEMENT

 # less /usr/share/doc/sks-*/ANNOUNCEMENT
We are pleased to announce the availability of a new stable SKS
release:  Version 1.1.5.

SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized, and highly reliable synchronization. That means that a
key submitted to one SKS server will quickly be distributed to all key
servers, and even wildly out-of-date servers, or servers that experience
spotty connectivity, can fully synchronize with rest of the system.

What's New in 1.1.5
====================
  - Fixes for machine-readable indices. Key expiration times are now read
    from self-signatures on the key's UIDs. In addition, instead of 8-digit
    key IDs, index entries now return the most specific key ID possible:
    16-digit key ID for V3 keys, and the full fingerprint for V4 keys.
  - Add metadata information (number of keys, number of files, 
    checksums, etc) to key dump. This allows for information on the
    key dump ahead of download/import, and direct verification of checksums
    using md5sum -c <metadata-file>.  
  - Replaced occurrances of the deprecated operator 'or' with '||' (BB issue #2)
  - Upgraded to cryptlib-1.7 and own changes are now packaged as separate 
    patches that is installed during 'make'. Added the SHA-3 algorithm, Keccak
  - Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
  - op=hget now supports option=mr for completeness (BB issue #17)
  - Add CORS header to web server responses. Allows JavaScript code to
    interact with keyservers, for example the OpenPGP.js project.
  - Change the default hkp_address and recon_address to making the 
    default configuration support IPv6. (Requires OCaml 3.11.0 or newer)
  - Only use '-warn-error A' if the source is marked as development as per
    the version suffix (+) (part of BB Issue #2)
  - Reduce logging verbosity for debug level lower than 6 for (i) bad requests, 
    and (ii) no results found (removal of HTTP headers in log) (BB Issue #13)
  - Add additional OIDs for ECC RFC6637 style implementations
    (brainpool and secp256k1) (BB Issue #25) and fix issue for 32 bit arches.
  - Fix a non-persistent cross-site scripting possibility resulting from 
    improper input sanitation before writing to client. (BB Issue #26 | CVE-2014-3207)


Note when upgrading from earlier versions of SKS
====================
The default values for pagesize settings changed in SKS 1.1.4. To continue
using an existing DB from earlier versions without rebuilding, explicit settings 
have to be added to the sksconf file.
pagesize:       4
ptree_pagesize: 1

Getting the Software
====================
SKS can be downloaded from 
https://bitbucket.org/skskeyserver/sks-keyserver

Prerequisites
====================
There are a few prerequisites to building this code. You need:
* ocaml-3.11.0 or later (ocaml-3.12.x is recommended). Get it from 
  <http://www.ocaml.org>
* Berkeley DB version 4.6.* or later, whereby 4.8 or later is recommended.  
  You can find the appropriate versions at
  <http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html>
* GNU Make and a C compiler (e.g gcc)


Verifying the integrity of the download
====================
Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

    0x41259773973A612A

and has a fingerprint of

    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.

Using GnuPG, verification can be accomplished by, first, retrieving the signing key using

    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A

followed by verifying that you have the correct key

    gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

    pub   4096R/41259773973A612A 2012-06-27
    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A

A check should also be made that the key is signed by
trustworthy other keys;

    gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.

Once you are certain that you have the correct key downloaded, you can create
a local signature, in order to remember that you have verified the key.

     gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

    gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to

    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
    gpg:                using RSA key 41259773973A612A
    gpg: Good signature from "SKS Keyserver Signing Key"


Thanks
====================
We have to thank all the people who helped with this release, by discussions on
the mailing list, submitting patches, or opening issues for items that needed
our attention.

Happy Hacking,

  The SKS Team (Yaron, John, Kristian, Phil, and the other contributors)

README

 # less /usr/share/doc/sks-*/README.md
SKS Keyserver
=============

The following is an incomplete guide to compiling, setting up and using SKS.
Hopefully this is enough to get you started, in addition there is a wiki available, 
where in particular <https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering> 
should help getting a working installation. 

Prerequisites
-------------

There are a few prerequisites to building this code.  You need:

* OCaml-3.11.0 or later.  Get it from <http://ocaml.org>
* Berkeley DB version 4.6.* or later.  You can find the
  appropriate versions at
  <http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html>
* GNU Make and a C compiler (e.g gcc) 

  Verifying the integrity of the download
----------------------------
Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

    0x41259773973A612A

and has a fingerprint of

    C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.

Using GnuPG, verification can be accomplished by, first, retrieving the signing key using

    gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A

followed by verifying that you have the correct key

    gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

    pub   4096R/41259773973A612A 2012-06-27
    Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A

A check should also be made that the key is signed by
trustworthy other keys;

    gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.

Once you are certain that you have the correct key downloaded, you can create
a local signature, in order to remember that you have verified the key.

     gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

    gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to

    gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
    gpg:                using RSA key 41259773973A612A
    gpg: Good signature from "SKS Keyserver Signing Key"

  Compilation and Installation
----------------------------

  * Install OCaml and Berkeley DB

    When installing ocaml, make sure you do both the `make world` and
    the `make opt` steps before installing.  The later makes sure you
    get the optimizing compilers.  (do make opt.opt if you want faster
    compilation.  You can then set the environment variables `OCAMLC`,
    `OCAMLOPT` and `CALMP4O` to `ocamlc.opt`, `ocamlopt.opt` and
    `camlp4o.opt` respectively.)

    If your vendor or porting project supplies prebuilt binaries and
    libraries for Berkeley DB, make sure to get the development
    package as you will need the correct version include files.

  * Copy `Makefile.local.unused` to `Makefile.local`, and edit to
    match your installation.

  * Compile

        make dep
        make all
        make all.bc # if you want the bytecode versions
        make install # puts executables in $PREFIX/bin, as defined
                     # in Makefile.local

    There are some other useful compilation targets, mostly useful for
    development.

      - `make doc`

        creates a doc directory with ocamldoc-generated documentation
        of the individual modules.  These are mostly useful as
        documentation to the source code, not a user's guide.

      - `make modules.ps`

        Creates a ps-file that shows the dependencies between
        different modules, and gives you a sense of the overall
        structure of the system.  For this to work you need to have
        AT&T's graphviz installed, as well as python2.  The python
        script that's used actually requires that python2 be called
        python2, rather than python.  You can of course edit that
        script.

Setup and Configuration
-----------------------

You need to set up a directory for the SKS installation.  It will
contain the database files along with configuration and log files.

Configuration options can be passed in on the command-line or put in
the `sksconf` file in the SKS directory.  the `-basedir` option
specifies the SKS directory itself, which defaults to the current
working directory.

### Sksconf and commandline options

The format of the sksconf file is simply a bunch of lines of the
form:

    keyword: value

The `#` character is used for comments, and blank lines are
ignored.  The keywords are just the command-line flags, minus the
initial `-`.

The one thing you probably want no matter what is a line that says

    logfile: log

which ensures that sks will output messages to `recon.log` and
`db.log` respectively.

### Membership file

If you want your server to gossip with others, you will need a
membership file which tells the `sks recon` who else to gossip with.
The membership file should look something like:

    epidemic.cs.cornell.edu 11370
    athos.rutgers.edu 11370
    ...

This file should be called `membership`, and should be stored in the
SKS directory.  Note that in order for synchronization to work, both
hosts have to have each other in their membership lists.  Send mail to
<sks-devel@nongnu.org> to get other SKS administrators to add you to
their membership lists.

**IMPORTANT NOTE**: if you include the server itself in the membership
file, you should make sure that you also specify the `hostname`
option, and that the selected hostname is exactly the same string
listed in the membership file.  Otherwise, the `sks recon` will try to
synchronize with itself and will deadlock.

### Outgoing PKS synchronization: mailsync file

The mailsync file contains a list of email addresses of PKS
keyservers.  This file is important, because it ensures that keys
submitted directly to an SKS keyserver are also forwarded to PKS
keyservers.

**IMPORTANT**: don't add someone to your mailsync file without getting
their permission first!

In order for outgoing email sync's to work, you need to specify a
command to actually send the email out.  The default is `sendmail -t
-oi`, but you may need something different.

### Incoming PKS synchronization

Incoming PKS synchronization is less critical than outgoing,
since as long as some SKS server gets the new data, it will be
distributed to all.  Having more hosts receive the incoming PKS
syncs does, however, increase the fault-tolerance of the
connection between the two systems.

In order to get incoming mail working, you should pipe the appropriate
incoming mail to the following command via procmail:

    sks_add_mail sks_directory_name

Here's an example procmail entry:

    PATH=/path/of/sks/exectuables

    :0
    * ^Subject: incremental
    | sks_add_mail sks_directory_name


### Built-in webserver

You can server up a simple index page directly from the port
you're using for HKP.  This is done by creating a subdirectory in
your SKS directory called `web`.  There, you can put an index file
named `index.html`, `index.htm`, `index.xhtm`, or `index.xhtml`,
supporting files with extensions .css, .es, or .js, and some image
files with extensions jpg, jpeg, png or gif. Subdirectories will
be ignored, as will filenames with anything other than
alphanumeric characters and the '.'  character.  This is
particularly useful if you want to run your webserver off of port
80.  This can be done by using the -hkp_port command-line option.


Building up the databases
-------------------------

  - First, you need to get a keydump.  If you're running a PKS server,
    you should be able to convince PKS to generate one for you.  If
    you're starting from scratch, you'll need to download one from the
    net.  You should contact the pgp keyserver list
    <pgp-keyserver-folk@flame.org>

  - in the SKS directory, put in a subdirectory called `dump` which
    contains the keydump files from which the database is to be built.

  - Run sks_build.sh.  That script actually runs three utilities.  You
    might want to edit sks_build.sh if you want to trade off speed for
    space usage.  At the current settings, you could run out of ram if
    you try this with less then 256 megs of RAM.

**DO NOT DELETE THE `dump` DIRECTORY**, even after the database is
built.  The original keys are not copied to the database, and so the
dump must be left in place.

Platform specific issues
------------------------

### FreeBSD ###

On FreeBSD it appears that libdb is named differently than on some
other platforms.  For that reason, you need to set the LIBDB
environment value to `-ldb46` instead of `-ldb-4.6` for other
platfomrs.

Manpage

Als eine weitere sehr hilfreiche Quelle sei die Manpage von sks genannt:

 # man sks
sks(8)                             SKS OpenPGP Key server                            sks(8)

NAME
       SKS - Synchronizing Key Server

SYNOPSIS
       sks [options] -debug

DESCRIPTION
       SKS is a OpenPGP keyserver whose goal is to provide easy to deploy, decentralized,
       and highly reliable synchronization. That means that a key submitted to one SKS
       server will quickly be distributed to all key servers, and even wildly out-of-date
       servers, or servers that experience spotty connectivity, can fully synchronize with
       rest of the system.

       The design of SKS is deliberately simple. The server consists of two single-threaded
       processes. The first, "sks db", fulfills the normal jobs associated with a public
       key server, such as answering web requests. The only special functionality of "sks
       db" is that it keeps a log summarizing the changes to the key database. "sks recon"
       does all the work with respect to reconciling hosts databases. "sks recon" keeps
       track of specialized summary information about the database, and can use that
       information to efficiently determine the differences between its database and that
       of another host.

FEATURES
       Highly efficient and reliable reconciliation algorithm

       Follows RFC2440 and RFC2440bis carefully - unlike PKS, SKS supports new and old
       style packets, photoID packets, multiple subkeys, and pretty much everything allowed
       by the RFCs.

       Fully compatible with PKS system - can both send and receive syncs from PKS servers,
       ensuring seamless connectivity.

       Simple configuration:  each host just needs a (partial) list of the other
       participating key servers. Gossip is used to distribute information without putting
       a heavy load an any one host.

       Supports HKP/web-based querying, and soon-to-be-standard machine readable indices

OPTIONS
       SKS binary command options are as follows:

       db
            Initiates database server.

       recon
           Initiates reconciliation server.

       cleandb
           Apply filters to all keys in database, fixing some common problems.

       build
           Build key database, including body of keys directly in database.

       fastbuild -n [size] -cache [mbytes]
           Build key database, doesn't include keys directly in database, faster than
           build. -n specifies the number of keydump files to read per pass when used with
           build and the multiple of 15,000 keys to be read per pass when used with
           fastbuild.  -cache specifies the database cache to use in megabytes.

       pbuild -cache [mbytes] -ptree_cache [mbytes]
           Build prefix-tree database, used by reconciliation server, from key database.
           Allows for specification of cache for key database and for ptree database.

       dump numkeys dumpdir <filename-prefix>
           Create a raw dump of the keys in the database. The dump is split into multiple
           files; the numkeys parameter determines the number of keys dumped in each file.
           The optional filename-prefix is prepended to the dump file names. Without it the
           dump files are named 0000.pgp, 0001.pgp,...

       merge
           Adds key from key files to existing database.

       drop
           Drops key from database.

       update_subkeys [-n # of updates / 1000]
           Updates subkey keyid index to include all current keys. Only useful when
           upgrading versions 1.0.4 or before of SKS.

       version
           prints SKS version and linked version of Berkeley DB to stdout

       help
           Prints the help message.

ADDITIONAL OPTIONS
       You won't need most of the options below for normal operation. These options can be
       given in basedir/sksconf or as command line option for the sks binary.

       -debug
           Debugging mode.

       -debuglevel
           Debugging level -- sets verbosity of logging.

       -q
            Number of bits defining a bin.

       -mbar
           Number of errors that can be corrected in one shot.

       -seed
           Seed used by RNG.

       -hostname
           Current hostname.

       -nodename
           Current nodename.

       -d
            Number of keys to drop at random when synchronizing.

       -n
            Number of keydump files to load at once.

       -max_internal_matches
           Maximum number of matches for most specific word in a multi-word search.

       -max_matches
           Maximum number of matches that will be returned from a query.

       -max_uid_fetches
           Maximum number of uid fetches performed in a verbose index query.

       -pagesize
           Pagesize in 512 byte chucks for key db.

       -keyid_pagesize
           Pagesize in 512 byte chucks for keyid db.

       -meta_pagesize
           Pagesize in 512 byte chucks for metadata db.

       -subkeyid_pagesize
           Pagesize in 512 byte chucks for subkeyid db.

       -time_pagesize
           Pagesize in 512 byte chucks for time db.

       -tqueue_pagesize
           Pagesize in 512 byte chucks for tqueue db.

       -word_pagesize
           Pagesize in 512 byte chunks for word db.

       -cache
           Cache size in megs for key db.

       -ptree_pagesize
           Pagesize in 512 byte chunks for prefix tree db.

       -ptree_cache
           Cache size in megs for prefix tree db.

       -baseport
           Set base port number.

       -recon_port
           Set recon port number.

       -recon_address
           Set recon binding addresses.  Can be a list of whitespace separated IP addresses
           or domain names.

       -hkp_port
           Set hkp port number.

       -hkp_address
           Set hkp binding addresses.  Can be a list of whitespace separated IP addresses
           or domain names.

       -use_port_80
           Have the HKP interface listen on port 80, as well as the hkp_port.

       -basedir
           Set base directory.

       -stdoutlog
           Send log messages to stdout instead of log file.

       -diskptree
           Use a disk-based ptree implementation. Slower, but requires far less memory.

       -nodiskptree
           Use in-mem ptree.

       -max_ptree_nodes
           Maximum number of allowed ptree nodes. Only meaningful if -diskptree is set.

       -prob
           Set probability. Used for testing code only.

       -recon_sync_interval
           Set sync interval for reconserver.

       -gossip_interval
           Set time between gossips in minutes.

       -dontgossip
           Don't gossip automatically. Host will still respond to requests from other
           hosts.

       -db_sync_interval
           Set sync interval for dbserver.

       -checkpoint_interval
           Time period between checkpoints.

       -recon_checkpoint_interval
           Time period between checkpoints for reconserver.

       -ptree_thresh_mult
           Multiple of thresh which specifies minimum node size in prefix tree.

       -recon_thresh_mult
           Multiple of thresh which specifies minimum node size that is included in
           reconciliation.

       -max_recover
           Maximum number of differences to recover in one round.

       -http_fetch_size
           Number of keys for reconserver to fetch from dbserver in one go.

       -wserver_timeout
           Timeout in seconds for webserver requests.

       -reconciliation_timeout
           Timeout for reconciliation runs in minutes.

       -stat_hour
           Hour at which to run database statistics.

       -initial_stat
           Runs database statistics calculation on boot.

       -reconciliation_config_timeout
           Set timeout in seconds for initial exchange of config info in reconciliation.

       -missing_keys_timeout
           Timeout in seconds for get_missing_keys.

       -command_timeout
           Timeout in seconds for commands set over command socket.

       -sendmail_cmd
           Command used for sending mail.

       -from_addr
           From address used in synchronization emails used to communicate with PKS.

       -dump_new_only
           When doing a database dump, only dump new keys, not keys already contained in a
           keydump file.

       -max_outstanding_recon_requests
           Maximum number of outstanding requests in reconciliation.

       -membership_reload_interval
           Maximum interval (in hours) at which membership file is reloaded.

       -disable_mailsync
           Disable sending of PKS mailsync messages.  ONLY FOR STANDALONE SERVERS!  THIS IS
           THE MECHANIASM FOR SENDING UPDATES TO NON-SKS SERVERS.

       -disable_log_diffs
           Disable logging of recent hashset diffs.

       -server_contact
           Set OpenPGP KeyID of the server contact

       --help, -help
       -stdin
           Read keyids from stdin (sksclient only)

           Displays list of options.

FILES
       Information about important files located in your SKS basedir.

       bin/sks
           The main SKS executable.

       bin/sks_add_mail
           The executable responsible for parsing incoming mails from PKS key servers.

       bin/sks_build.sh
           Script to generate an initial database.

       mailsync
           The mailsync should contains a list of email addresses of PKS keyservers. This
           file is important, because it ensures that keys submitted directly to an SKS
           keyserver are also forwarded to PKS keyservers. IMPORTANT : don't add someone to
           your mailsync file without getting their permission first!

       membership
           With SKS, two hosts can efficiently compare their databases then repair whatever
           differences are found.  In order to set up reconciliation, you first need to
           find other SKS servers that will agree to gossip with you. The hostname and port
           of the server that has agreed to do so should be added to this file.

       sksconf
           The configuration file for your SKS server.

EXAMPLES
       membership
            keyserver.ahost.org 11370 # Comments are allowed
            keyserver.foo.org 11370   # Another host with default ports

       sksconf
            membership_reload_interval: 1
            initial_stat:
            hostname: keyserver.example.com
            from_addr: pgp-public-keys@keyserver.example.com

       Procmail
            PATH=/path/of/sks/exectuables
            :0
            * ^Subject: incremental
            | /path/of/sks_add_mail /path/to/sks/directory

       /etc/aliases
            pgp-public-keys:      "|/path/of/sks_add_mail /path/to/sks/directory"

SEE ALSO
        The SKS website is located at https://bitbucket.org/skskeyserver/sks-keyserver/.
        The SKS website is located at https://bitbucket.org/skskeyserver/sks-keyserver/.

AUTHOR
       The first draft was written by Thomas Sjogren <thomas@northernsecurity.net>.

0.1                                      2014-05-05                                  sks(8)

Konfiguration

Die Konfiguration unseres sks-Keyservers gestaltet sich unter CentOS 7.x relativ einfach, werden entsprechende Konfigurationsbeispiele im RPM mitgeliefert, auf die wir nun zurückkreifen werden.

Konfigurations- und Arbeitsverzeichnis

Im ersten Schritt legen wir uns unser Zielverzeichnis für unsere Konfigurationsdateien an.

 # mkdir /etc/sks

Das Arbeitsverzeichnis legen wir auch noch entsprechend an.

 # mkdir /var/lib/sks

Anschließend passen wir die Dateiberechtigungen der gerade angelegten Verzeichnisse an.

 # chown sks:sks /etc/sks /var/lib/sks

Logverzeichnis

Damit für spätere Überwachungs- und ggf. Fehlersuchaufgaben auch entsprechende Logdateien geschrieben werden können, legen wir uns noch das passende Verzeichnis an.

 # mkdir /var/log/sks

Die Datei- und Verzeichnis-Berechtigungen passen wir auch hier an.

 # chown sks:sks /var/log/sks/

Logrotate

Damit uns unser Logverzeichnis nicht voll läuft, werden wir unseren SKS-Server so einstellen, dass er in regelmässigen Abständen das Logfile archiviert und ein neues anlegt. Hierzu legen wir uns im Verzeichnis /etc/logrotate.d/ die Datei sks mit nachfolgendem Inhalt an.

 # vim /etc/logrotate.d/sks
/etc/logrotate.d/sks
/var/log/sks/*.log {
   rotate 4
   weekly
   notifempty
   missingok
   delaycompress
   sharedscripts
   postrotate
	/bin/kill -HUP `cat /var/run/sks-db.pid    2>/dev/null` 2>/dev/null || true
	/bin/kill -HUP `cat /var/run/sks-recon.pid 2>/dev/null` 2>/dev/null || true
   endscript
}

Konfigurationsdateien

sksconf

Im RPM-Paket ist eine typische Konfigurationsdatei enthalten, die wir als Basis für die Konfiguration heranziehen wollen. Wir kopieren also zunächst diese Datei sksconf.typical in unser zuvor angelegtes Konfigurationsverzeichnis /etc/sks/.

 # cp /usr/share/doc/sks-*/sampleConfig/sksconf.typical /etc/sks/sksconf

Anschließend bearbeiten wir diese Datei und vermerken dort unsere Serverspezifischen Angaben.

 # vim /etc/sks/sksconf
/etc/sks/sksconf
#************************************************************************#
#* sksconf.typical - Typical configuration settings for a SKS server    *#
#*                                                                      *#
#* Copyright (C) 2011, 2012, 2013  John Clizbe                          *#
#*                                                                      *#
#* This file is part of SKS.  SKS is free software; you can             *#
#* redistribute it and/or modify it under the terms of the GNU General  *#
#* Public License as published by the Free Software Foundation; either  *#
#* version 2 of the License, or (at your option) any later version.     *#
#*                                                                      *#
#* This program is distributed in the hope that it will be useful, but  *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of           *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU    *#
#* General Public License for more details.                             *#
#*                                                                      *#
#* You should have received a copy of the GNU General Public License    *#
#* along with this program; if not, write to the Free Software          *#
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  *#
#* USA or see <http://www.gnu.org/licenses/>.                           *#
#************************************************************************#
 
#  sksconf -- SKS main configuration
#
# Django : 2015-07-08
# default: basedir:             /srv/sks
basedir:                        /var/lib/sks
 
# debuglevel 3 is default (max. debuglevel is 10)
debuglevel:                     3
 
# Django : 2015-07-08
# default: hostname:            keyserver.example.tld
hostname:                       keyserver.nausch.org
hkp_port:                       11371
recon_port:                     11370
 
# Django : 2015-07-08
# default: unset
hkp_address:                    127.0.0.1
 
# Django : 2015-07-08
# default: server_contact:      0xDECAFBADDEADBEEF
server_contact:                 0x074ECF6150A6BFED
 
# Django : 2015-07-08
# default: from_addr:           pgp-public-keys@example.tld
from_addr:                      sks@keyserver.nausch.org
sendmail_cmd:                   /usr/sbin/sendmail -t -oi
 
# Django : 2015-07-08
# Runs database statistics calculation on boot
initial_stat:
 
# Django : 2015-07-08
# Maximum interval (in hours) at which membership file is reloaded
membership_reload_interval:     1
 
# Django : 2015-07-08
# Hour at which to run database statistics.
# default: stat_hour:           17
stat_hour:                      0
 
# Django: 2015-07-08
# Have the HKP interface listen on port 80, as well as the hkp_port.
#use_port_80
 
# set DB file pagesize as recommended by db_tuner
# pagesize is (n * 512) bytes
# NOTE: These must be set _BEFORE_ [fast]build & pbuild and remain set
# for the life of the database files. To change a value requires recreating
# the database from a dump
#
# KDB/key               65536
pagesize:                       128
#
# KDB/keyid             32768
keyid_pagesize:                 64
#
# KDB/meta              512
meta_pagesize:                  1
# KDB/subkeyid          65536
subkeyid_pagesize:              128
#
# KDB/time              65536
time_pagesize:                  128
#
# KDB/tqueue            512
tqueue_pagesize:                1
#
# KDB/word - db_tuner suggests 512 bytes. This locked the build process
# Better to use a default of 8 (4096 bytes) for now
#word_pagesize:                 8
#
# PTree/ptree           4096
ptree_pagesize:                 8

mailsync

Wie schon zuvor bei der Hauptkonfigurationsdatei, kopieren wir auch bei der Datei mailsync die Vorlagedatei und bearbeiten diese nach Rücksprache mit den Mailpearing-Kontakten entsprechend.

 # cp /usr/share/doc/sks-*/sampleConfig/mailsync /etc/sks/mailsync
 # vim /etc/sks/mailsync
/etc/sks/mailsync
#************************************************************************#
#* mailsync - servers that should receive email updates from SKS        *#
#*                                                                      *#
#* Copyright (C) 2011, 2012, 2013  John Clizbe                          *#
#*                                                                      *#
#* This file is part of SKS.  SKS is free software; you can             *#
#* redistribute it and/or modify it under the terms of the GNU General  *#
#* Public License as published by the Free Software Foundation; either  *#
#* version 2 of the License, or (at your option) any later version.     *#
#*                                                                      *#
#* This program is distributed in the hope that it will be useful, but  *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of           *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU    *#
#* General Public License for more details.                             *#
#*                                                                      *#
#* You should have received a copy of the GNU General Public License    *#
#* along with this program; if not, write to the Free Software          *#
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  *#
#* USA or see <http://www.gnu.org/licenses/>.                           *#
#************************************************************************#
#
# The mailsync should contains a list of email addresses of PKS
# keyservers, one per line. This file is important, because it ensures
# that keys submitted directly to an SKS keyserver are also forwarded
# to PKS keyservers.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# IMPORTANT: don't add someone to your mailsync file without getting
# their permission first!
#
# Hironobu Suzuki operates the OpenPKSD server <suzuki.hironobu@gmail.com>
#pgp-public-keys@pgp.nic.ad.jp
#
# Jonathon McDowell openrates the ONAK server <noodles@earth.li>
# http://www.earth.li/projectpurple/progs/onak.html
#pgp-public-keys@the.earth.li
#
# V. Alex Brennen operates the CKS (CrytptNet) servers <vab@cryptnet.net>
#
# Django : 2015-07-08
pgp-public-keys@pgp.mit.edu

membership

Die dritte Konfigurationsdatei beinhaltet eine Liste sämtlicher SKS-Knotenserver mit denen wir unsere Schlüssel austauschen. Wie bei den beiden anderen Konfigurationsdateien, kopieren wir auch hier die entsprechende Datei membership in unser Konfigurationsverzeichnis /etc/sks/.

 # cp /usr/share/doc/sks-*/sampleConfig/membership /etc/sks/membership

Nach Rücksprache mit den Pearingpartnern tragen wir die entsprechenden Kontaktdaten in der Datei ein.

 # vim /etc/sks/membership
/etc/sks/membership
#************************************************************************#
#* membership - list of servers to peer with along with optional        *#
#*              administrative contact information                      *#
#*                                                                      *#
#* Copyright (C) 2011, 2012, 2013  John Clizbe                          *#
#*                                                                      *#
#* This file is part of SKS.  SKS is free software; you can             *#
#* redistribute it and/or modify it under the terms of the GNU General  *#
#* Public License as published by the Free Software Foundation; either  *#
#* version 2 of the License, or (at your option) any later version.     *#
#*                                                                      *#
#* This program is distributed in the hope that it will be useful, but  *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of           *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU    *#
#* General Public License for more details.                             *#
#*                                                                      *#
#* You should have received a copy of the GNU General Public License    *#
#* along with this program; if not, write to the Free Software          *#
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  *#
#* USA or see <http://www.gnu.org/licenses/>.                           *#
#************************************************************************#
 
#
# With SKS, two hosts can efficiently compare their databases then
# repair whatever differences are found.  In order to set up
# reconciliation, you first need to find other SKS servers that will
# agree to gossip with you. The hostname and port of the server that
# has agreed to do so should be added to this file.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'. Comments preceded by '#'
# are allowed at the ends of lines
#
# Example:
# keyserver.linux.it 11370
#
# The following operators have agreed to have their peering info included in this sample file.
# NOTE: This does NOT mean you may uncomment the lines and have peers. First you must contact the
# server owner and ask permission. You should include a line styled like these for your own server.
# Until two SKS membership files contain eact others peering info, they will not gossip.
#
#yourserver.example.net         11370   # Your full name <emailaddress for admin purposes>     0xPreferrefPGPkey
#keyserver.gingerbear.net       11370   # John P. Clizbe <John@Gingerbear.net>                  0xD6569825
#sks.keyservers.net             11370   # John P. Clizbe <John@Gingerbear.net>                  0xD6569825
#keyserver.rainydayz.org        11370   # Andy Ruddock <andy.ruddock@rainydayz.org>             0xEEC3AFB3
#keyserver.computer42.org       11370   # H.-Dirk Schmitt <dirk@computer42.org>                 0x6A017B17
#
key.adeti.org                   11370   # Marco RODRIGUES <mro@adeti.org>                       0x7CE697FC
keys.niif.hu                    11370   # Gabor Kiss <kissg@ssg.ki.iif.hu>                      0xBB6ABB38
keyserver.adamas.ai             11370   # virii (A bit paranoid eh?) <virii@tormail.net>        0xAA90EDCC
keyserver.ccc-hanau.de          11370   # Jens Leinenbach <jens@ccc-hanau.de>                   0x534EDA85
keyserver.computer42.org        11370   # H.-Dirk Schmitt <dirk@computer42.org>                 0x6A017B17
keyserver.gingerbear.net        11370   # John P. Clizbe <John@Gingerbear.net>                  0xD6569825
keyserver.kjsl.org              11310   # Javier Henderson <javier@kjsl.org>                    0x9BF88EE5
keyserver.serviz.fr             11370   # robert <sks@serviz.fr>                                0xEF333C7E
keyserver.siccegge.de           11370   # Christoph Egger <christoph@christoph-egger.org>       0xD49AE731
keyserver.stack.nl              11370   # Johan van Selst <johans@stack.nl>                     0x6F2708F4
pgp.codelabs.ru                 11370   # Eygene Ryabinkin <rea@codelabs.ru>                    0x8152ECFB
pgpkeys.co.uk                   11370   # Daniel Austin <daniel@kewlio.net>                     0x7F003DE6
pgpkeys.eu                      11370   # Daniel Austin <daniel@kewlio.net>                     0x7F003DE6
pks.aaiedu.hr                   11370   # Dinko Korunic <kreator@srce.hr>                       0xEA160D0B
keyserver.singpolyma.net        11370   # Stephen Paul Weber <singpolyma@singpolyma.net>        0xCE519CDE
sks.pkqs.net                    11370   # Stephan Beyer <s-beyer@gmx.net>                       0xFCC5040F
sks.powdarrmonkey.net           11370   # Jonathan Wiltshire <jmw@debian.org>                   0xD3524C51
sks.spodhuis.org                11370   # Phil Pennock <pdp@spodhuis.org>                       0x3903637F
www.pretzlaff.co                11370   # Rüdiger Pretzlaff <ruedigerqpretzlaff.info>           0xB0ECBAA9
keys.itunix.eu                  11370   # Sebastian Korotkiewicz <sebastian@korotkiewicz.eu>    0x626DEAC0
sks.rainydayz.org               11370   # Admin <admin@rainydayz.org>                           0xE20840AC
ice.mudshark.org                11370   # Jack Cummings <jack@mudshark.org>                     0x7917F802

SKS-basedir option

Laut dem Abschnitt Setup and Configuration aus der Programmdokumentation /usr/share/doc/sks-*/README.md arbeitet der SKS Keyserver mit der Option basedir. Dieses lautet bei der Installation aus dem epel-RPM einfach /srv/sks.

-- Setup and Configuration ---------------------
 
You need to set up a directory for the SKS installation.  It will contain the
database files along with configuration and log files.
 
Configuration options can be passed in on the command-line or put in the
"sksconf" file in the SKS directory.  the -basedir option specifies the SKS
directory itself, which defaults to the current working directory.

Da wir aber, wie unter Linux üblich die Konfigurationsdateien unter /etc/ und die Logdateien unter /var/log/ vorfinden wollen, operieren wir bei unserem SKS-Keyserver mit einfachen symbolischen Links.

/etc/sks/

Für die drei zuvor angelegten Konfigurationsdateien setzen wir nun jeweils einen symlink.

 # ln -s /etc/sks/mailsync /var/lib/sks/mailsync
 # ln -s /etc/sks/membership /var/lib/sks/membership
 # ln -s /etc/sks/sksconf /var/lib/sks/sksconf

/var/log/sks/

Die beiden Serverprozesse schreiben jeweils ein eigenes logfile:

Diese beiden Logdateien legen wir nun als leere Files an:

 # touch /var/log/sks/db.log /var/log/sks/recon.log

Die Dateiberechtigung passen wir auch noch an.

 # chown sks.sks /var/log/sks/db.log /var/log/sks/recon.log

Anschliessend setzen wir auch hier jeweils einen symbolischen link in Richtung unseres basedir des SKS-Keyservers.

 # ln -s /var/log/sks/db.log /var/lib/sks/db.log
 # ln -s /var/log/sks/recon.log /var/lib/sks/recon.log

systemd

In den Systemd Service Definition der beiden Daemon sks-db und sks-recon isd das SKS-Base-Directory direkt eingetragen. Diese Definition müssen wir nun noch auf unsere Umgebung anpassen.

Wir ändern aber keinen Falls die originalen Systemd Service Definition aus dem Verzeichnis /usr/lib/systemd/system/ sondern kopieren uns diese nach /etc/systemd/system/ und korrigieren dort jeweils das SKS-Base-Directory.

 # cp /usr/lib/systemd/system/sks-recon.service /etc/systemd/system/
 # vim /etc/systemd/system/sks-recon.service
/etc/systemd/system/sks-recon.service
[Unit]
Description=SKS reconciliation service
 
[Service]
Type=simple
# Django : 2015-07-11
# default: ExecStart=/bin/bash -c "cd /srv/sks; /usr/bin/sks recon"
ExecStart=/bin/bash -c "cd /var/lib/sks; /usr/bin/sks recon"
User=sks
BindTo=sks-db.service
After=sks-db.service
 
[Install]
WantedBy=multi-user.target
 # cp /usr/lib/systemd/system/sks-db.service /etc/systemd/system/
 # vim /etc/systemd/system/sks-db.service
/etc/systemd/system/sks-db.service
[Unit]
Description=SKS database service
 
[Service]
Type=simple
# Django : 2015-07-11
# default: ExecStart=/bin/bash -c "cd /srv/sks; /usr/bin/sks db"
ExecStart=/bin/bash -c "cd /var/lib/sks; /usr/bin/sks db"
User=sks
 
[Install]
WantedBy=multi-user.target

Abschließend machen wir unsere Änderungen im System bekannt.

 # systemctl daemon-reload

SKS-Sysconfig

Wollen wir unseren SKS-Keyserver nicht unter Root-Rechten laufen lassen, legen wir uns noch eine passende Konfigrationsdatei im Verzeichnis /etc/sysconfig an.

 # vim /etc/sysconfig/sks
/etc/sysconfig/sks
# /etc/sysconfig/sks
#
# User to run the daemon as
# Django : 2015-07-08
# default: unset
RUN_AS="sks"
#
# Add extra daemon options here
# OPTIONS=""

DB_CONFIG

Damit später die einzelnen Log-Dateien das Datenbankverzeichnis nicht zum Überlaufen kopieren wir noch die mitgelieferte BerkleyDB Konfiguartionsdatei für den SKS-Keyserver in der Datenbankverzeichnis.

 # cp /usr/share/doc/sks-1.1.6/sampleConfig/DB_CONFIG /var/lib/sks/KDB/

Der entscheidende Konfigurationsparameter ist dabei das flag DB_LOG_AUTOREMOVE.

 # vim /var/lib/sks/KDB/DB_CONFIG
/var/lib/sks/KDB/DB_CONFIG
#************************************************************************#
#* DB_CONFIG - Sample Berkeley DB tunables for use with SKS             *#
#*                                                                      *#
#* Copyright (C) 2011, 2012, 2013  John Clizbe                          *#
#*                                                                      *#
#* This file is part of SKS.  SKS is free software; you can             *#
#* redistribute it and/or modify it under the terms of the GNU General  *#
#* Public License as published by the Free Software Foundation; either  *#
#* version 2 of the License, or (at your option) any later version.     *#
#*                                                                      *#
#* This program is distributed in the hope that it will be useful, but  *#
#* WITHOUT ANY WARRANTY; without even the implied warranty of           *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU    *#
#* General Public License for more details.                             *#
#*                                                                      *#
#* You should have received a copy of the GNU General Public License    *#
#* along with this program; if not, write to the Free Software          *#
#* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  *#
#* USA or see <http://www.gnu.org/licenses/>.                           *#
#************************************************************************#
 
set_mp_mmapsize         268435456
set_cachesize	 0	134217728 1
set_flags		DB_LOG_AUTOREMOVE
set_lg_regionmax	1048576
set_lg_max		104857600
set_lg_bsize		2097152
set_lk_detect		DB_LOCK_DEFAULT
set_tmp_dir		/tmp
set_lock_timeout	1000
set_txn_timeout		1000
mutex_set_max		65536

WEB-Verzeichnis

Unser SKS-Keyserver wird später ein Webformular präsentieren, über das folgende Funktionen zur Verfügung gestellt werden.

Für dieses Webseite legen wir uns nun ein passendes Verzeichnis an.

 # mkdir /var/lib/sks/web

Die Datei- und Verzeichnis-Berechtigungen passen wir auch hier an.

 # chown sks:sks /var/lib/sks/web

Als Muster für die Webseite können wir uns entweder die Vorlagen aus dem RPM zu eigen machen, die wir im Verzeichnis /usr/share/doc/sks-*/sampleWeb finden.

 # ll /usr/share/doc/sks-*/sampleWeb
total 12
drwxr-xr-x. 2 root root 4096 Jul  8 13:28 HTML5
drwxr-xr-x. 2 root root 4096 Jul  8 13:28 OpenPKG
drwxr-xr-x. 2 root root 4096 Jul  8 13:28 XHTML+ES

Alternativ dazu können wir auch nachfolgende Datei nutzen, die wir entsprechend individualisieren und unseren Bedürfnissen anpassen.

 # vim /var/lib/sks/web/index.html
/var/lib/sks/web/index.html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>SKS key server at nausch.org</title>
    <meta name="description" content="sks-keyserver">
    <meta name="author" content="django@nausch.org">
    <!-- Mobile viewport optimized: j.mp/bplateviewport -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <style type="text/css">
    h1,
    h2,
    p {
      margin: 0; /* Let's zero those margins */
    }
 
    #container {
      border: 1px solid #555; /* Nice transition from white background */ 
      width: 600px; /* Should be narrow enough for small screens */
      margin: 0 auto; /* Centering */
      font-size: 1.1em; /* Font big enough not to need to squint */
      line-height: 1.3em;
    }
 
    #title { 
      background-color:#e2e5e2;
      padding: 10px;
    }
 
    #title h1, #title h2 {
      margin-top: 0.3em;
    }
 
    #info { 
      background-color:#e2e5e2;
      padding: 5px 10px;
    }
 
    #main {
      background : #FAFBEA;
      padding: 0 10px 10px 10px;
    }
 
    #main header {
      padding-top: 1em;
    }
 
    #main p {
      margin: 0.5em 0;
    }
 
    #keytext {
      width: 100%;
      height: 150px;
      border: 1px solid #555;
      background : #fff;
      max-width: 100%;
      display: block;
    }
 
    ul {
      width: 100%;
      list-style-type: none;
      padding-left: 0;
    }
 
    li {
      width: 99%;
    }
 
    li label {
      width: 57%;
      display: inline-block;
    }
 
    button {
      border-radius: 3px;
      -moz-border-radius: 3px;
      background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#ddd));
      background: -moz-linear-gradient(top, #fff, #ddd);  
      border: 1px solid #bbb;
    }
 
    #info p {line-height: 1.1em; margin-bottom: 0.3em;}
    </style>
  </head>
  <body>
    <div id="container">
      <header id="title">
        <hgroup>
          <h1>SKS OpenPGP2</h1>
          <h2>keyserver.nausch.org</h2>
        </hgroup>
      </header>
      <div id="main" role="main">
        <header>
          <h2>Einen Schl&uuml;ssel suchen</h2>
        </header>
        <p>Sie k&ouml;nnen hier bequem nach einen Schl&uuml;ssel suchen. Geben Sie hierzu
           eine beliebige Zeichen der UserID oder den Usernamen an. M&ouml;chten Sie nach einer 
           Key-ID suchen, so stellen Sie der Schl&uuml;ssel-ID (hexadezimale Zeichenfolge) 
           einfach die Zeichenfolge <code>("0x...")</code> voran.
        </p>
        <form id="lookup" action="/pks/lookup" method="get">
          <fieldset checked="true"> <legend>&Ouml;ffentlichen Schl&uuml;ssel suchen</legend>
            <ul>
              <li> <label for="search">Zeichenfolge</label> <input id="search"
                  name="search" placeholder="0x074ECF6150A6BFE" required="" autofocus=""
                  type="text"> </li>
              <li> <label for="fingerprint">PGP Fingerprints anzeigen</label>
                <input id="fingerprint" name="fingerprint" type="checkbox">
              </li>
              <li> <label for="hash">Zeige SKS full-key hashes</label> <input
                  id="hash" name="hash" type="checkbox"> </li>
              <li> <label for="matching">Ausgabe der gefundenen Schl&uuml;ssel in Kurzform</label> 
                   <input id="matching" name="op" value="index"
                   type="radio"> </li>
              <li> <label for="verbose"><b>ausf&uuml;hrliche</b> Ausgabe der gefunden 
                  Schl&uuml;ssel anzeigen</label> 
                  <input id="verbose" name="op" value="vindex"
                  checked="checked" type="radio"> </li>
              <li> <label for="asciiarmored">Schl&uuml;ssel im Format ASCII-armored anzeigen</label> 
              <input id="asciiarmored" name="op" value="get"
                  type="radio"> </li>
              <li> <label for="fullkey">Schl&uuml;ssel an Hand von Full-Key Hashes suchen</label>
                <input id="fullkey" name="op" value="hget" type="radio">
              </li>
            </ul>
            <button type="reset">Reset</button> <button type="submit">Schl&uuml;ssel suchen</button> </fieldset>
        </form>
        <header>
          <h2>Schl&uuml;ssel zum Keyserver &uuml;bertragen</h2>
        </header>
        <p>Sie k&ouml;nnen Ihren Schl&uuml;ssel zum Keyserver hochladen. 
           F&uuml;ge Sie hierzu einfach Ihren public-key ein, den Sie mit
           <br><b>gpg – export –armor keyID > public-key.asc</b><br>
           generiert haben (ASCII armored Version) und klicken auf den Button 
           <u>Diesen Schl&uuml;ssel zum Keyserver &uuml;bertragen!</u>
        </p>
        <form id="add" action="/pks/add" method="post">
          <fieldset> <textarea id="keytext" name="keytext" rows="5" cols="30"></textarea>
            <button type="reset">Reset</button> <button checked="true"
              type="submit">Diesen Schl&uuml;ssel zum Keyserver &uuml;bertragen</button></fieldset>
        </form>
      </div>
      <!-- end of #main -->
      <footer id="info">
        <p>Dieser <a href="http://www.openpgp.org/">OpenPGP</a> KeyServer l&auml;uft mit Hilfe von SKS, 
           der <a href="https://bitbucket.org/skskeyserver/sks-keyserver/">Synchronizing Key Server</a> Software.
        </p><hr>
        <p>
           Wenn Sie mit meinem Keyserver eine Partnerschaft zum Schl&uuml;sselaustausch eingehen m&ouml;chten, 
           wenn Sie Anmerkungen oder Fragen haben, oder wenn Sie den Administrator des Servers anderweitig 
           kontaktieren m&ouml;chten, dann schicken Sie einfach eine eMail an
           <a href="mailto:michael@nausch.org?subject=SKS Keyserver"> Michael Nausch 
           &lt;michael<nbr>@<nbr>nausch.org&gt;</a>.
        </p><hr>
        <p>
          Benutzen Sie zum Verschl&uuml;sseln Ihrer Nachricht meinen public-key
          <a href="http://keyserver.nausch.org:11371/pks/lookup?search=0x074ECF6150A6BFED&fingerprint=on&op=index">
          <b><u>0x074ECF6150A6BFED</u></b></a>, den Sie hier auf dem Keyserver abfragen k&ouml;nnen.
        </p><hr>
        <p style="text-align: center;"><a href="/pks/lookup?op=stats">SKS keyserver Statistiken</a></p>
      </footer>
    </div>
    <!--! end of #container -->
  </body>
</html>

Reverse Proxy

Da der integrierte Web-Server des SKS-Daemon keine parallelen Zugriffe abarbeiten kann, werden wir einen Reverse-Proxy vorschalten, der dann alle Anfragen unserer Clients auf Port 11371 annehmen und zum SKS-Keyserver einzeln weiterreichen kann. Die Antworten des SKS-Keyservers wird der Reverse-proxy dann dem anfragenden Client zurücksenden. Somit können wir einen potentiellen DOS-Angriff auf unserem SKS-Daemon minimieren.

Ein weiterer Vorteil des Reverse-Proxy ist, dass wir auch Nutzern, denen der Zugriff auf Port 11371 auf Grund von Sicherheits- und Proxyeinstellungen verwehrt ist, auf Port 80 und/oder 443 die Webseite des SKS-Daemon zur Verfügung stellen können.

Das nachfolgende Schaubild zeigt die einzelnen Kommunikationsstellen, die unser reverse-Proxy bzw. unser SKS-Keyserver zur Verfügung stellen wird.

Apache_bzw_NGINX_ServerSKS_KeyserverHKP-ReverseproxyEntgegennehmen der Clientanfragen Daemon           nginx bzw. httpdPort                        11371Adresse                 10.0.0.37HTTP-ReverseproxyEntgegennehmen der Clientanfragen Daemon           nginx bzw. httpdPort                           80Adresse                 10.0.0.37HTTPS-ReverseproxyEntgegennehmen der Clientanfragen Daemon           nginx bzw. httpdPort                          443Adresse                 10.0.0.37sks-dbBeantworten der Clientanfragenund Verwalten der Key-Datenbank Daemon                  sks-dbPort                     11371Adresse              127.0.0.1sks-reconAustausch der neuen undgeänderten PGP-Schlüsselmit den Pearing-Partnern Daemon         sks-reconPort               11370Adresse        10.0.0.37SKS Pearing-Partner/etc/sks/membership key.adeti.org                   11370keys.niif.hu                    11370keyserver.adamas.ai             11370keyserver.ccc-hanau.de          11370keyserver.computer42.org        11370keyserver.gingerbear.net        11370keyserver.kjsl.org              11370keyserver.serviz.fr             11370keyserver.siccegge.de           11370keyserver.stack.nl              11370pgp.codelabs.ru                 11370pgpkeys.co.uk                   11370pgpkeys.eu                      11370pks.aaiedu.hr                   11370keyserver.singpolyma.net        11370sks.pkqs.net                    11370sks.powdarrmonkey.net           11370sks.spodhuis.org                11370www.pretzlaff.co                11370keys.itunix.eu                  11370sks.rainydayz.org               11370ice.mudshark.org                11370SKS clientClients stellen Anfragen an denSKS-Keyserver: keyserver.nausch.org Suche, hoch- und herunterladenvon neuen PGP-Schlüsseln durchdie Endanweder


In den beiden nachfolgenden Konfigurationsbeispiele lautet die „offizielle IP-Adresse“ des Keyservers 10.0.0.37.

Apache-Server

Im ersten Konfigurationsbeispiel richten wir uns einen vHOST für unseren Apache-Webserver ein; hierzu legen wir uns folgende Beispielkonfigurationsdatei /etc/httpd/conf.d/keyserver.conf an.

 # vim /etc/httpd/conf.d/keyserver.conf
#
# keyserver.nausch.org:11371
#
<VirtualHost 10.0.0.37:11371>
        ServerAdmin webmaster@nausch.org
        ServerName keyserver.nausch.org:80
        ServerAlias keyserver.nausch.org
        ServerPath /
 
        <Proxy *>
                Require all granted
        </Proxy>
 
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
 
        ErrorLog logs/keyserver_error.log
        CustomLog logs/keyserver_access.log combined
</VirtualHost>
 
 
#
# keyserver.nausch.org:80
#
<VirtualHost 10.0.0.37:80>
        ServerAdmin webmaster@nausch.org
        ServerName keyserver.nausch.org:80
        ServerAlias keyserver.nausch.org
        ServerPath /
 
        <Proxy *>
                Require all granted
        </Proxy>
 
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
 
        ErrorLog logs/keyserver_error.log
        CustomLog logs/keyserver_access.log combined
</VirtualHost>
 
 
#
# keyserver.nausch.org:443
#
<VirtualHost 10.0.0.37:443>
        ServerAdmin webmaster@nausch.org
        ServerName keyserver.nausch.org:80
        ServerAlias keyserver.nausch.org
        ServerPath /
 
        # Django
        # Required, because there is a host with same ServerName and
        # ServerAlias LISTENING ON PORT 80, - and if these lines are
        # not present, and .htaccess-Files or LDAP-Access is enabled
        # for one or more Directory the host on PORT 443 and PORT 80
        # will ASK for .htaccess ord LDAP-Access, so please remember
        # ----------------------------------------------------------
        # -- DO NOT DELETE THE FOLLOWING LINES, STARTING WITH SSL --
        # --         WHEN USING .htaccess or LDAP-Access!         --
        # ----------------------------------------------------------
        SSLEngine on
        SSLProtocol -ALL +TLSv1
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/pki/tls/certs/keyserver.nausch.org.certificatechain_141229.pem
        SSLCertificateKeyFile /etc/pki/tls/private/keyserver.nausch.org.serverkey.pem
        SSLCertificateChainFile /etc/pki/tls/private/CAcert_chain.crt
 
        <Proxy *>
                Require all granted
        </Proxy>
 
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
 
        ErrorLog logs/keyserver_error.log
        CustomLog logs/keyserver_access.log combined
</VirtualHost>

Bevor wir unseren Apache-Webserver neu durchstarten überprüfen wir noch, ob sich auch kein Fehler in unserer neuen Konfigurationsdatei eingeschlichen hat.

 # apachectl -t
Syntax OK

Ist alles O.K. starten wir unseren Webserver einmal durch.

 # systemctl condrestart httpd.service

NGINX-Server

Nutzen wir als Webserver NGiNX verwenden wir einfach nachfolgendes Konfigurationsbeispiel /etc/nginx/conf.d/keyserver.conf.

 # vim /etc/nginx/conf.d/keyserver.conf
/etc/nginx/conf.d/keyserver.conf
server {
                                # Django : 2015-05-28
                                # auf welchem Port soll der Server lauschen (HTTP: 11371)?
        listen                  10.0.0.37:11371;
 
                                # auf welchen Servernamen (vHOST) soll der Server reagieren?
        server_name             keyserver.nausch.org;
 
                                # Welches Access- und Error-Logfile soll beschrieben werden?
        access_log              /var/log/nginx/keyserver_access.log;
        error_log               /var/log/nginx/keyserver_errors.log;
 
                                # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests
                                # weitergeleitet werden?
        location / {
                                proxy_pass                      http://127.0.0.1:11371/;
                                proxy_pass_header               Server;
                                add_header                      Via "1.1 keyserver.nausch.org:11371 (nginx)";
                                proxy_ignore_client_abort       on;
                                client_max_body_size            8m;
                                proxy_redirect                  http://127.0.0.1:11371   http://keyserver.nausch.org;
        }
}
 
 
server {
                                # Django : 2015-05-28
                                # auf welchem Port soll der Server lauschen (HTTP: 80)?
        listen                  10.0.0.37:80;
 
                                # auf welchen Servernamen (vHOST) soll der Server reagieren?
        server_name             keyserver.nausch.org;
 
                                # Welches Access- und Error-Logfile soll beschrieben werden?
        access_log              /var/log/nginx/keyserver_access.log;
        error_log               /var/log/nginx/keyserver_errors.log;
 
                                # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests
                                # weitergeleitet werden?
        location / {
                                proxy_pass                      http://127.0.0.1:11371/;
                                proxy_pass_header               Server;
                                add_header                      Via "1.1 keyserver.nausch.org:11371 (nginx)";
                                proxy_ignore_client_abort       on;
                                client_max_body_size            8m;
                                proxy_redirect                  http://127.0.0.1:11371   http://keyserver.nausch.org;
        }
}
 
 
server {
                                # Django : 2015-05-28
                                # auf welchem Port soll der Server lauschen (HTTPS: 443)?
                                # neben TLS soll auch SPDY (http://de.wikipedia.org/wiki/SPDY) angeboten werden.
        listen                  10.0.0.37:443 ssl spdy;
 
                                # auf welchen Servernamen (vHOST) soll der Server reagieren?
        server_name             keyserver.nausch.org;
 
                                # Welches Access- und Error-Logfile soll beschrieben werden?
        access_log              /var/log/nginx/keyserver_access.log;
        error_log               /var/log/nginx/keyserver_errors.log;
 
                                # Standard-Parameter für TLS-Verschlüsselung inkludieren
        include                 /etc/nginx/ssl_params;
                                # Zertifikatsdatei inkl. ggf. notwendiger Zwischen- und Root-Zertifikaten
                                # 1) Server-Zertifikat, 2) Intermediate-Root-Zertifikat und 3) Root-Zertifikat der CA
        ssl_certificate         /etc/pki/tls/certs/keyserver.nausch.org.certificatechain_141229.pem;
                                # Schlüsseldatei, mit der der CSR erstellt wurde
        ssl_certificate_key     /etc/pki/tls/private/keyserver.nausch.org.serverkey.pem;
 
                                # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests
                                # weitergeleitet werden?
        location / {
                                proxy_pass                      http://127.0.0.1:11371/;
                                proxy_pass_header               Server;
                                add_header                      Via "1.1 keyserver.nausch.org:11371 (nginx)";
                                proxy_ignore_client_abort       on;
                                client_max_body_size            8m;
                                proxy_redirect                  http://127.0.0.1:11371   https://keyserver.nausch.org;
        }
}

Bevor wir unseren Apache-Webserver neu durchstarten überprüfen wir noch, ob sich auch kein Fehler in unserer neuen Konfigurationsdatei eingeschlichen hat.

 # nginx -t
Syntax OK

Ist alles O.K. starten wir unseren Webserver einmal durch.

 # systemctl condrestart nginx.service

Paketfilter / Firewall

Damit nun die Clients sich mit unserem Keyserver mit den Ports 11371, 80 und 443 verbinden können, müssen wir noch entsprechende Firewall-Regeln definieren. Gleiches gilt natürlich auch für die Pearing-Partner, die sich mit Port 11370 verbinden werden.

Unter CentOS 7 wird als Standard-Firewall die dynamische firewalld verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbiundungen kurz getrennt werden. Sondern unsere Änderungen können on-the-fly aktiviert oder auch wieder deaktiviert werden.

In unserem Konfigurationsbeispiel hat unser Keyserver-Server die IP-Adresse 10.0.0.37. Wir brauchen also eine Firewall-Definition, die Verbindungen von allen Source-IPs also 0.0.0.0/0 auf die Destination-IP 10.0.0.37 auf folgenden Ports gestattet.

Mit Hilfe des Programms firewall-cmd legen wir nun eine permanente Regel in der Zone public, dies entspricht in unserem Beispiel das Netzwerk-Interface eth0 mit der IP 10.0.0.37 an. Als Source-IP geben wir die IP-Adresse unseres Postfix-Servers also die 0.0.0.0/0 an. Genug der Vorrede, mit nachfolgendem Befehl wird diese restriktive Regel angelegt.

 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="0.0.0.0" port protocol="tcp" port="11371" destination address="10.0.0.37/32" accept"
 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="0.0.0.0" port protocol="tcp" port="11370" destination address="10.0.0.37/32" accept"
 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="0.0.0.0" port protocol="tcp" port="80" destination address="10.0.0.37/32" accept"
 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="0.0.0.0" port protocol="tcp" port="443" destination address="10.0.0.37/32" accept"

Zum Aktivieren brauchen wir nun nur einen reload des Firewall-Daemon vornehmen.

 # firewall-cmd --reload

Fragen wir nun den Regelsatz unserer iptables-basieten Firewall ab, finden wir in der Chain IN_public_allow unsere aktive Regel.

 # iptables -nvL IN_public_allow
# iptables -nvL IN_public_allow
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.37            tcp dpt:11370 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.37            tcp dpt:11371 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.37            tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.37            tcp dpt:443 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Datenbank initial befüllen

Download Keydump

Zur Erstbefüllung unseres SKS-Keyservers benötigen wir ein Dumpfile der kompletten SKS-Datenbank. Ohnen einen solchen Datenbank-Backup müssten sonst alle Schlüssel von den einzelnen Peering-Partnern geholt werden. Dies würde diese unnötig belasten und auch die Zeitspanne bis dies erledigt wäre, wäre kaum überschaubar. Beinhaltet doch die Datenbank mit Stand 27.12.2011 3.026.036 Schlüssel und täglich werden es mehr!

Wir legen uns also ein temporäres Verzeichnis für den Empfang der Dumpfiles an.

 # mkdir /var/lib/sks/dump

Die Berechtigungen passen wir für das Verzeichnis auch noch an.

Anschließend wechseln wir in das Zielverzeichnis.

 # cd /var/lib/sks/dump

Im dritten Schritt holen wir uns nun das Datenbankbackup, das in einzelne 20 MB große Häppchen aufgeteilt wurde auf unseren Server. Bis die über 6,1 GB Daten auf unseren Rechner geladen wurden, wird es ein paar Stunden dauern, je nach zur Verfügung stehender Bandbreite. Ein paar Kaffee oder CLUB-MATE sollte man hierzu griffbereit haben. ;)

 # wget --recursive --timestamping --level=1 --cut-dirs=3 --no-host-directories https://research.daylightpirates.org/sks-dumps/latest/pgp/

Sind alle Dateien auf unseren Server geladen überprüfen wir nun noch die MD5-Checksummen, die uns unser Quellserver entsprechend bereitstellt MD5SUMS.

 # cd /var/lib/sks/dump/
 # md5sum -c /var/lib/sks/dump/MD5SUMS
sks-dump-0000.pgp: OK
sks-dump-0001.pgp: OK
sks-dump-0002.pgp: OK
sks-dump-0003.pgp: OK
sks-dump-0004.pgp: OK
sks-dump-0005.pgp: OK
sks-dump-0006.pgp: OK
sks-dump-0007.pgp: OK
sks-dump-0008.pgp: OK
sks-dump-0009.pgp: OK
sks-dump-0010.pgp: OK
...

...
sks-dump-0390.pgp: OK
sks-dump-0391.pgp: OK
sks-dump-0392.pgp: OK
sks-dump-0393.pgp: OK
sks-dump-0394.pgp: OK
sks-dump-0395.pgp: OK
sks-dump-0396.pgp: OK
sks-dump-0397.pgp: OK
sks-dump-0398.pgp: OK

Datenbank mit Hilfe des Keydump anlegen

Sind alle Dateien fehlerfrei auf unseren Server heruntergeladen worden, ist es an der Zeit die lokale Datenbank zu bauen. Hierzu wechseln wir erst einmal in das Stammverzeichnis unserer SKS-Installation /var/lib/sks/.

 # cd /var/lib/sks/

Dort starten wir das Script sks_build.sh welches uns bei der Installation unseres SKS-RPMs mitgeliefert wurde. Hat unser Server nur begrenzt Ressourcen wie CPU und RAM zur Verfügung, so müssen wir die Werte beim Aufruf von fastbuild und pbuild unseren Systemressourcen unseres Servers anpassen.

/usr/bin/sks_build.sh
#!/bin/bash
 
# SKS build script.
# cd to directory with "dump" subdirectory, and run
# You might want to edit this file to reduce or increase memory usage
# depending on your system
 
trap ignore_signal USR1 USR2
 
ignore_signal() {
    echo "Caught user signal 1 or 2, ignoring"
}
 
ask_mode() {
    echo "Please select the mode in which you want to import the keydump:"
    echo ""
    echo "1 - fastbuild"
    echo "    only an index of the keydump is created and the keydump cannot be"
    echo "    removed."
    echo ""
    echo "2 - normalbuild"
    echo ""
    echo "    all the keydump will be imported in a new database. It takes longer"
    echo "    time and more disk space, but the server will run faster (depending"
    echo "    from the source/age of the keydump)."
    echo "    The keydump can be removed after the import."
    echo ""
    echo -n "Enter enter the mode (1/2): "
    read
    case "$REPLY" in
     1)
        mode="fastbuild"
     ;;
     2)
        # Django : 2015-07-11
        # default: mode="build /srv/sks/dump/*.pgp"
        mode="build /var/lib/sks/dump/*.pgp"
     ;;
     *)
        echo "Option unknown. bye!"
        exit 1
     ;;
    esac
}
 
fail() { echo Command failed unexpectedly.  Bailing out; exit -1; }
 
ask_mode
 
echo "=== Running (fast)build... ==="
if ! /usr/bin/sks $mode -n 10 -cache 100; then fail; fi
echo === Cleaning key database... ===
if ! /usr/bin/sks cleandb; then fail; fi
echo === Building ptree database... ===
if ! /usr/bin/sks pbuild -cache 20 -ptree_cache 70; then fail; fi
echo === Done! ===

Mit dem Aufruf des Shellscriptes sks_build.sh starten wir den Import des Keydumps. Als erstes werden wir gefragt, ob wir

  1. fastbuild Den Keydump behalten und lediglich den Datenbankindex anlegen lassen wollen
  2. normalbuild die Datenbank komplett neu bauen wollen.

Den Bearbeitungsstand des Datenbankbaus kann man bei Bedarf in folgenden Logdateien verfolgen:

 # /usr/bin/sks_build.sh
Please select the mode in which you want to import the keydump:
 
1 - fastbuild
    only an index of the keydump is created and the keydump cannot be
    removed.
 
2 - normalbuild
 
    all the keydump will be imported in a new database. It takes longer
    time and more disk space, but the server will run faster (depending
    from the source/age of the keydump).
    The keydump can be removed after the import.
 
Enter enter the mode (1/2): 2
=== Running (fast)build... ===
Loading keys...done
DB time:  0.42 min.  Total time: 0.50 min.
Loading keys...done
DB time:  0.62 min.  Total time: 0.77 min.
Loading keys...done
DB time:  0.42 min.  Total time: 1.54 min.
Loading keys...done
DB time:  0.41 min.  Total time: 1.68 min.
Loading keys...done
DB time:  0.46 min.  Total time: 2.12 min.
Loading keys...done
DB time:  1.10 min.  Total time: 2.81 min.
Loading keys...done
DB time:  0.55 min.  Total time: 2.77 min.
Loading keys...done
DB time:  2.85 min.  Total time: 4.47 min.
Loading keys...done
DB time:  0.78 min.  Total time: 5.23 min.
Loading keys...done
DB time:  5.02 min.  Total time: 6.58 min.
Loading keys...done
DB time:  0.71 min.  Total time: 3.36 min.
Loading keys...done
DB time:  1.30 min.  Total time: 4.01 min.
Loading keys...done
DB time:  1.08 min.  Total time: 3.33 min.
Loading keys...done
DB time:  1.01 min.  Total time: 4.07 min.
Loading keys...done
DB time:  3.03 min.  Total time: 5.33 min.
Loading keys...done
DB time:  5.24 min.  Total time: 7.58 min.
Loading keys...done
DB time:  6.25 min.  Total time: 8.98 min.
Loading keys...done
DB time:  4.32 min.  Total time: 7.58 min.
Loading keys...done
DB time:  6.78 min.  Total time: 9.65 min.
Loading keys...done
DB time:  6.48 min.  Total time: 11.65 min.
Loading keys...done
DB time:  2.89 min.  Total time: 8.35 min.
Loading keys...done
DB time:  6.68 min.  Total time: 8.69 min.
Loading keys...done
DB time:  5.29 min.  Total time: 7.38 min.
Loading keys...done
DB time:  6.05 min.  Total time: 8.57 min.
Loading keys...done
DB time:  5.89 min.  Total time: 8.82 min.
Loading keys...done
DB time:  6.90 min.  Total time: 9.88 min.
Loading keys...done
DB time:  3.95 min.  Total time: 5.66 min.
=== Cleaning key database... ===
=== Building ptree database... ===
=== Done! ===

Achtung: Das Verzeichnis dump darf auf keinen Fall gelöscht werden, wenn man sich entschlossen hat, lediglich einen fastbuild, als den Datenbankindex erstellt hat. Die originalen Schlüsseldaten werden nämlich nicht in die Datenbank kopiert - diese verbleiben nach wie vor im Verzeichnis dump!

Die Generierung der Datenbank-(Teile) wurde entsprechend in den Logdateien protokolliert:

 # less /var/lib/sks/build.log
2015-07-10 21:09:51 Opening log
2015-07-10 21:09:51 Running SKS 1.1.5
2015-07-10 21:09:51 Opening KeyDB database
 # /var/lib/sks/clean.log
2015-07-10 23:49:01 Opening log
2015-07-10 23:49:01 Running SKS 1.1.5
2015-07-10 23:49:01 Opening KeyDB database
2015-07-10 23:49:01 Keydb opened
2015-07-10 23:49:01 Database already deduped
2015-07-10 23:49:01 Merging keys in database
2015-07-10 23:49:01 Starting key merge
2015-07-10 23:49:01 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:49:01 Hash: 0601937B551C30D7326D10AEC232FE9D
2015-07-10 23:49:01 Hash: 25762EBCF3D9A13DBEC6A5833C3E574B
2015-07-10 23:49:01 Hash: 19B3AA9F77E354BDB49F82CA49A7527E
2015-07-10 23:49:01 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:49:01 Hash: 4DED36458ABCB8265E13E8C450ABCCAE
2015-07-10 23:49:01 Hash: D5110071F82A6E7EEE82A46471D9AD3C
2015-07-10 23:49:01 Hash: 5D61CB0A6F7FD10A60ACDC37799DFF5C
2015-07-10 23:49:01 Hash: 5C5FED1F17ED372635DDBD270D327DC8
2015-07-10 23:49:01 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:49:01 Hash: 0D18FBFDD73B9C77298F0872A0FD5FB4
2015-07-10 23:49:01 Hash: AAC4EE9160676C62F1BEDF8B74108154
2015-07-10 23:49:01 Multiple keys found with same ID.  merge_from_hashes called
...

...
2015-07-10 23:50:34 3970 thousand steps processed
2015-07-10 23:50:34 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:50:34 Hash: 5F87E0022D727FF3849FDE84849F569C
2015-07-10 23:50:34 Hash: 900769245D28075C44CFF208B3229C84
2015-07-10 23:50:34 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:50:34 Hash: 56A881BCB74216F8709FFEE62A0A085B
2015-07-10 23:50:34 Hash: 64BD2DEA21284CB142D9502D655DD588
2015-07-10 23:50:34 Multiple keys found with same ID.  merge_from_hashes called
2015-07-10 23:50:34 Hash: 5BDC703C635488A6E449D626E4B783B2
2015-07-10 23:50:34 Hash: BD582C386E381B241339D65A21E69628
2015-07-10 23:50:34 Completed key merge
 # cat /var/lib/sks/pbuild.log
2015-07-10 23:50:34 Opening log
2015-07-10 23:50:34 Running SKS 1.1.5
2015-07-10 23:50:34 Opening PTree database
2015-07-10 23:50:35 Opening dbs...
2015-07-10 23:50:35 Opening KeyDB database
2015-07-10 23:50:35 5000 hashes processed
2015-07-10 23:50:35 10000 hashes processed
2015-07-10 23:50:36 15000 hashes processed
2015-07-10 23:50:37 20000 hashes processed
2015-07-10 23:50:37 25000 hashes processed
...

...
2015-07-11 00:35:16 3940000 hashes processed
2015-07-11 00:35:21 3945000 hashes processed
2015-07-11 00:35:25 3950000 hashes processed
2015-07-11 00:35:29 3955000 hashes processed
2015-07-11 00:35:34 3960000 hashes processed
2015-07-11 00:35:38 3965000 hashes processed
2015-07-11 00:35:42 3970000 hashes processed
2015-07-11 00:35:47 3975000 hashes processed
2015-07-11 00:35:47 3975295 hashes processed
2015-07-11 00:35:47 Cleaning Tree.

Nachdem wir unsere Datenbank nur 1x initial bauen müssen, verschieben wir wir die Logfiles, die beim Anlegen der Datenbank erzeugt wurden, einfach an Ort und Stelle, nämlich nach /var/log/sks/.

 # mv /var/lib/sks/*log /var/log/sks/

Da unser Keyserver mit den Rechten des Users sks laufen wird, „schenken“ wir nun genau diesem User die neu generierte Datenbank.

 # chown sks.sks /var/lib/sks/ -R

Bevor wir nun unseren Keyserver das erste mal starten, kontrollieren und berichtigen wir noch die Berechtigungen in den Konfigurations- und Logverzeichnissen.

 # chown sks.sks /etc/sks/ -R
 # chown sks.sks /var/log/sks/ -R

SKS-Serverdienste starten

sks-db

Nachdem wir die Initialbefüllung der Schlüsseldatenbank erfolgreich beendet haben, ist es an der Zeit den SKS-Datenbankdeamon sks-db zu starten.

 # systemctl start sks-db

Den erfolgreichen Start können wir wie folgt abfragen:

 # systemctl status sks-db
sks-db.service - SKS database service
   Loaded: loaded (/etc/systemd/system/sks-db.service; disabled)
   Active: active (running) since Sat 2015-07-11 00:39:55 CEST; 4s ago
 Main PID: 6531 (bash)
   CGroup: /system.slice/sks-db.service
           ├─6531 /bin/bash -c cd /var/lib/sks; /usr/bin/sks db
           └─6532 /usr/bin/sks db

Jul 11 00:39:55 vml000037.dmz.nausch.org systemd[1]: Started SKS database service.

In der Logdatei des Datenbank-Daemons wird der Start auch entsprechend protokolliert.

 # tailf /var/log/sks/db.log
2015-07-11 00:39:55 Opening log
2015-07-11 00:39:55 sks_db, SKS version 1.1.5
2015-07-11 00:39:55 Using BerkelyDB version 5.3.21
2015-07-11 00:39:55 Copyright Yaron Minsky 2002, 2003, 2004
2015-07-11 00:39:55 Licensed under GPL. See LICENSE file for details
2015-07-11 00:39:55 http port: 11371
2015-07-11 00:39:55 address for key.adeti.org:11370 changed from [] to [<ADDR_INET [91.121.41.109]:11370>, <ADDR_INET [2001:41d0:8:44d7::1:1]:11370>]
2015-07-11 00:39:55 address for keys.niif.hu:11370 changed from [] to [<ADDR_INET [193.224.163.43]:11370>, <ADDR_INET [2001:738:0:600:216:3eff:fe02:42]:11370>]
2015-07-11 00:39:56 address for keyserver.adamas.ai:11370 changed from [] to [<ADDR_INET [80.90.43.162]:11370>]
2015-07-11 00:39:56 address for keyserver.ccc-hanau.de:11370 changed from [] to [<ADDR_INET [83.169.43.165]:11370>, <ADDR_INET [2a01:488:66:1000:53a9:2ba5:0:1]:11370>]
2015-07-11 00:39:56 address for keyserver.computer42.org:11370 changed from [] to [<ADDR_INET [88.134.6.58]:11370>]
2015-07-11 00:39:56 address for keyserver.kjsl.org:11370 changed from [] to [<ADDR_INET [66.109.111.12]:11370>, <ADDR_INET [2001:1868:2003::12]:11370>]
2015-07-11 00:40:06 address for keyserver.siccegge.de:11370 changed from [] to [<ADDR_INET [92.43.111.21]:11370>, <ADDR_INET [2a01:4a0:59:1000:223:9eff:fe00:100f]:11370>]
2015-07-11 00:40:06 address for keyserver.stack.nl:11370 changed from [] to [<ADDR_INET [131.155.141.70]:11370>, <ADDR_INET [2001:610:1108:5011::70]:11370>]
2015-07-11 00:40:06 address for pgp.codelabs.ru:11370 changed from [] to [<ADDR_INET [144.206.233.74]:11370>]
2015-07-11 00:40:06 address for pgpkeys.co.uk:11370 changed from [] to [<ADDR_INET [192.146.137.11]:11370>, <ADDR_INET [2001:67c:26b4::2c6b]:11370>]
2015-07-11 00:40:07 address for pgpkeys.eu:11370 changed from [] to [<ADDR_INET [37.59.144.15]:11370>, <ADDR_INET [2001:41d0:2:babd:4f56:862a:d056:11c9]:11370>]
2015-07-11 00:40:07 address for pks.aaiedu.hr:11370 changed from [] to [<ADDR_INET [161.53.2.219]:11370>]
2015-07-11 00:40:07 address for keyserver.singpolyma.net:11370 changed from [] to [<ADDR_INET [167.88.35.197]:11370>]
2015-07-11 00:40:07 address for sks.pkqs.net:11370 changed from [] to [<ADDR_INET [213.133.103.71]:11370>]
2015-07-11 00:40:07 address for sks.powdarrmonkey.net:11370 changed from [] to [<ADDR_INET [78.157.209.9]:11370>, <ADDR_INET [2a01:a500:385:1::9:1]:11370>]
2015-07-11 00:40:07 address for sks.spodhuis.org:11370 changed from [] to [<ADDR_INET [94.142.242.225]:11370>, <ADDR_INET [2a02:898:31:0:48:4558:73:6b73]:11370>]
2015-07-11 00:40:07 address for www.pretzlaff.co:11370 changed from [] to [<ADDR_INET [85.214.198.115]:11370>]
2015-07-11 00:40:07 address for keys.itunix.eu:11370 changed from [] to [<ADDR_INET [94.23.204.11]:11370>, <ADDR_INET [2001:41d0:2:4f0b::1]:11370>]
2015-07-11 00:40:07 address for sks.rainydayz.org:11370 changed from [] to [<ADDR_INET [82.6.213.168]:11370>, <ADDR_INET [2001:470:1f09:1d75::80]:11370>]
2015-07-11 00:40:08 address for ice.mudshark.org:11370 changed from [] to [<ADDR_INET [208.77.198.101]:11370>]
2015-07-11 00:40:08 Opening KeyDB database
2015-07-11 00:40:08 Calculating DB stats
2015-07-11 00:40:13 Done calculating DB stats
2015-07-11 00:40:13 Database opened
2015-07-11 00:40:13 Applied filters: yminsky.dedup, yminsky.merge
2015-07-11 00:40:13 Calculating DB stats
2015-07-11 00:40:18 Done calculating DB stats

Fragen wir nun via netstat die geöffneten Ports ab, sehen wir neben den Ports des Reverseproxys 80, 443 und 11371 auch den an der Adresse 127.0.0.1/32 gebundenen Port 11371 des SKS-Datenbankdaemons.

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:11371         0.0.0.0:*               LISTEN      997        43212      6532/sks
tcp        0      0 10.0.0.37:11371         0.0.0.0:*               LISTEN      0          22162      1238/nginx: master  
tcp        0      0 10.0.0.37:80            0.0.0.0:*               LISTEN      0          22163      1238/nginx: master  
tcp        0      0 10.0.0.37:443           0.0.0.0:*               LISTEN      0          22163      1238/nginx: master 

Damit der Daemon beim Systemstart auch automatisch startet, führen wir noch nachfolgenden Befehl aus.

 # systemctl enable sks-db
ln -s '/etc/systemd/system/sks-db.service' '/etc/systemd/system/multi-user.target.wants/sks-db.service'

Möchten wir wissen, ob der Daemon automatisch beim Starten des Servers auch gestartet wird, nutzen wir die Option is-enabled

 # systemctl is-enabled sks-db
enabled

sks-recon

Als nächstes starten wir nun noch den sks-recon Daemon, also den Daemon, der für den Austausch der Schlüssel mit den Pearingpartnern zuständig ist.

 # systemctl start sks-recon

Sollte sich der Daemon beim ersten Starten weigern, anzustarten, kann es hilfreich sein, den Daemon nicht über systemctl zu starten, sondern auf Vordergrundprozess manuell. Hierzu wechseln wir in das SKS-Arbeitsverzeichnis.

 # cd /var/lib/sks/

Anschließend starten wir den Daemon von Hand.

 # sks recon

So können wir im Fehlerfall an Hand der Rückmeldungen des Daemon gezielter auf Fehlersuche gehen. Zum Stoppen des Vordergrundprozesses nutzen wir dann die Tastenkombination „ctrl c“ bzw. kill -9 sks-recon.

Den erfolgreichen Start können wir wie folgt abfragen:

 # systemctl status sks-recon
sks-recon.service - SKS reconciliation service
   Loaded: loaded (/etc/systemd/system/sks-recon.service; disabled)
   Active: active (running) since Sat 2015-07-11 00:54:37 CEST; 1s ago
 Main PID: 6645 (bash)
   CGroup: /system.slice/sks-recon.service
           ├─6645 /bin/bash -c cd /var/lib/sks; /usr/bin/sks recon
           └─6646 /usr/bin/sks recon

Jul 11 00:54:37 vml000037.dmz.nausch.org systemd[1]: Starting SKS reconciliation service...
Jul 11 00:54:37 vml000037.dmz.nausch.org systemd[1]: Started SKS reconciliation service.

In der Logdatei des Datenbank-Daemons wird der Start auch entsprechend protokolliert.

 # tailf /var/log/sks/recon.log
2015-07-11 00:52:49 Opening log
2015-07-11 00:52:49 sks_recon, SKS version 1.1.5
2015-07-11 00:52:49 Using BerkelyDB version 5.3.21
2015-07-11 00:52:49 Copyright Yaron Minsky 2002-2013
2015-07-11 00:52:49 Licensed under GPL.  See LICENSE file for details
2015-07-11 00:52:49 Opening PTree database
2015-07-11 00:52:49 Setting up PTree data structure
2015-07-11 00:52:49 PTree setup complete
2015-07-11 00:55:35 address for key.adeti.org:11370 changed from [] to [<ADDR_INET [91.121.41.109]:11370>, <ADDR_INET [2001:41d0:8:44d7::1:1]:11370>]
2015-07-11 00:55:35 address for keys.niif.hu:11370 changed from [] to [<ADDR_INET [193.224.163.43]:11370>, <ADDR_INET [2001:738:0:600:216:3eff:fe02:42]:11370>]
2015-07-11 00:55:35 address for keyserver.adamas.ai:11370 changed from [] to [<ADDR_INET [80.90.43.162]:11370>]
2015-07-11 00:55:35 address for keyserver.ccc-hanau.de:11370 changed from [] to [<ADDR_INET [83.169.43.165]:11370>, <ADDR_INET [2a01:488:66:1000:53a9:2ba5:0:1]:11370>]
2015-07-11 00:55:35 address for keyserver.computer42.org:11370 changed from [] to [<ADDR_INET [88.134.6.58]:11370>]
2015-07-11 00:55:35 address for keyserver.kjsl.org:11370 changed from [] to [<ADDR_INET [66.109.111.12]:11370>, <ADDR_INET [2001:1868:2003::12]:11370>]
2015-07-11 00:55:40 address for keyserver.siccegge.de:11370 changed from [] to [<ADDR_INET [92.43.111.21]:11370>, <ADDR_INET [2a01:4a0:59:1000:223:9eff:fe00:100f]:11370>]
2015-07-11 00:55:40 address for keyserver.stack.nl:11370 changed from [] to [<ADDR_INET [131.155.141.70]:11370>, <ADDR_INET [2001:610:1108:5011::70]:11370>]
2015-07-11 00:55:40 address for pgp.codelabs.ru:11370 changed from [] to [<ADDR_INET [144.206.233.74]:11370>]
2015-07-11 00:55:40 address for pgpkeys.co.uk:11370 changed from [] to [<ADDR_INET [192.146.137.11]:11370>, <ADDR_INET [2001:67c:26b4::2c6b]:11370>]
2015-07-11 00:55:40 address for pgpkeys.eu:11370 changed from [] to [<ADDR_INET [37.59.144.15]:11370>, <ADDR_INET [2001:41d0:2:babd:4f56:862a:d056:11c9]:11370>]
2015-07-11 00:55:40 address for pks.aaiedu.hr:11370 changed from [] to [<ADDR_INET [161.53.2.219]:11370>]
2015-07-11 00:55:41 address for keyserver.singpolyma.net:11370 changed from [] to [<ADDR_INET [167.88.35.197]:11370>]
2015-07-11 00:55:41 address for sks.pkqs.net:11370 changed from [] to [<ADDR_INET [213.133.103.71]:11370>]
2015-07-11 00:55:41 address for sks.powdarrmonkey.net:11370 changed from [] to [<ADDR_INET [78.157.209.9]:11370>, <ADDR_INET [2a01:a500:385:1::9:1]:11370>]
2015-07-11 00:55:41 address for sks.spodhuis.org:11370 changed from [] to [<ADDR_INET [94.142.242.225]:11370>, <ADDR_INET [2a02:898:31:0:48:4558:73:6b73]:11370>]
2015-07-11 00:55:41 address for www.pretzlaff.co:11370 changed from [] to [<ADDR_INET [85.214.198.115]:11370>]
2015-07-11 00:55:41 address for keys.itunix.eu:11370 changed from [] to [<ADDR_INET [94.23.204.11]:11370>, <ADDR_INET [2001:41d0:2:4f0b::1]:11370>]
2015-07-11 00:55:41 address for sks.rainydayz.org:11370 changed from [] to [<ADDR_INET [82.6.213.168]:11370>, <ADDR_INET [2001:470:1f09:1d75::80]:11370>]
2015-07-11 00:55:41 address for ice.mudshark.org:11370 changed from [] to [<ADDR_INET [208.77.198.101]:11370>]

Fragen wir nun via netstat die geöffneten Ports ab, sehen wir neben den bereits geöffneten Ports des Reverseproxys 80, 443 und 11371 und die 127.0.0.1/32 gebundenen Port 11371 des SKS-Datenbankdaemons. Zusätzlich sehen wir nun auch den Port 11370 des SKS-Recon-Daemon

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        1      0 0.0.0.0:11370           0.0.0.0:*               LISTEN      997        46101      6646/sks            
tcp        0      0 127.0.0.1:11371         0.0.0.0:*               LISTEN      997        43212      6532/sks            
tcp        0      0 10.0.0.37:11371         0.0.0.0:*               LISTEN      0          22162      1238/nginx: master  
tcp        0      0 10.0.0.37:80            0.0.0.0:*               LISTEN      0          22163      1238/nginx: master  
tcp        0      0 10.0.0.37:443           0.0.0.0:*               LISTEN      0          22163      1238/nginx: master  

Damit der Daemon beim Systemstart auch automatisch startet, führen wir noch nachfolgenden Befehl aus.

 # systemctl enable sks-recon
ln -s '/etc/systemd/system/sks-recon.service' '/etc/systemd/system/multi-user.target.wants/sks-recon.service'

Möchten wir wissen, ob der Daemon automatisch beim Starten des Servers auch gestartet wird, nutzen wir die Option is-enabled

 # systemctl is-enabled sks-recon
enabled

Links