PGP Key Server¶
A Public Key Shelf¶
Keyservers play an important role in public key cryptography, as the name implies, the public keys need to be distributed publicly.
- The recipient of a signed message needs the public key of the sender in order to verify the signature of the message.
- The sender of an encrypted message needs the public key of the recipient in order to encrypt the message.
Keyservers act as central repositories to distribute these public keys.
In OpenPGP clients connect to OpenPGP keyservers to import public keys it needs, if they are not already stored in its local public key-ring. Keys also need to be updated, after they have changed or revoked.
OpenPGP clients and keyservers use the HKP (OpenPGP HTTP Keyserver Protocol) protocol or HKPS for the the TLS secured version.
How Can I Trust a Keyserver?¶
Since the keyserver plays such an important role we have to put a great deal of trust in the keyserver and its operators:
- A keyserver could provide you with his own keys instead of the ones you ask for and subsequently decrypt your messages sent to them or send you signed messages with fake signatures.
- By asking the server for specific keys, you also disclose with whom you communicate.
So the short answer to the question above is: You can’t!
The Keyserver Pool¶
But to mitigate the risk of anyone surveying or controlling this important part of the “Web of Trust” keyservers have been organized in large pools of individual keyservers.
A pool is maintained in DNS. When a OpenPGP client needs to talk to a keyserver
he asks for the IP address of the host hkps.pool.sks-keyservers.net. A DNS
lookup for this host returns many IPv4 and IPv6 addresses of which the client
will randomly select one to connect to.
The domain sks-keyservers.net is secured with DNSSEC and therefore can not by spoofed easily.
The keyservers in the pool are run by organizations and individuals voluntarily all over the Internet. Everybody can setup and run a keyserver and thus become part of the pool.
The Synchronizing OpenPGP Key Server (SKS)¶
To run you own keyserver, be it for your own personal use or network, or to be part of the pool, run the Synchronizing OpenPGP Key Server (SKS) software on your server.
SKS is an OpenPGP key server that correctly handles all OpenPGP features defined in RFC 2440, including photoID packages and multiple subkeys.
This keyserver implementation uses an efficient and reliable reconciliation algorithm to keep the database in sync with other SKS servers. Additionally it can both send and receive PKS style sync emails.
Requirements¶
Storage Space¶
- 11 GB download of a full database dump;
- 23 GB total after import database import;
Preparations¶
SKS Mailing List¶
Join the SKS mailing list where you can ask for peers and will get notified about software issues and updates of SKS.
Database Dump¶
Rather than starting with an empty database and attempting to populate it by syncing with other keyservers (a bad idea because it loads up your peers with lots of traffic and will probably fail anyway with deadlocks in the conflict resolution system) we’ll grab a static dump from an existing SKS server. Currently known sources are:
- ftp://keyserver.mattrude.com/ generated every day at 8:00 UTC
- https://keys.niif.hu/keydump/ generated every Monday
- http://stueve.us/keydump/ generated every Saturday
As of November 2018 the archive size is approximately 11G, holding over 5 million keys in 90 files.
The download can take several hours. Thats why we start this first in screen session and let it run.
Warning
Don’t download from the current directory on the server! If the server creates new dump files while you are downloading you will have to start over again. Use the directory with the latest date.
The dump is divided into a bunch of individual numbered files so you’ll need to fetch all of them.
$ screen sudo -sH
$ mkdir -p /var/lib/sks/dump
$ cd /var/lib/sks/dump
$ wget --continue \
-r \
--page-requisites \
--execute robots=off \
--timestamping \
--level=1 \
--cut-dirs=3 \
--no-host-directories \
https://keyserver.mattrude.com/dump/2018-02-13/
Proceed to import the database dump, when the download completes.
SKS Daemon User¶
For security reasons its best to run the daemon with its own unprivileged user profile. Create this user on the server system with the following command:
$ sudo adduser --system \
--home /var/lib/sks
--shell /bin/bash
--group \
debian-sks
IP Address¶
Add IPv4 and IPV6 network adresses for the keyserver:
$ sudo ip addr add 192.0.2.37/24 dev eth0
$ sudo ip addr add 2001:db8::37/64 dev eth0
Also add them to the file /etc/network/interfaces to make them
persistent across system restarts:
# keyserver.example.net
iface eth0 inet static
address 192.0.2.37/24
iface eth0 inet6 static
address 2001:db8::37/64
DNS Records¶
| Name | Type | Content | Priority | TTL |
|---|---|---|---|---|
| keyserver | A | 198.51.100.240 | 300 | |
| keyserver | AAAA | 2001:db8::37 | ||
| _pgpkey-http._tcp.keyserver | SRV | 0 11371 keyserver.urown.net | 10 | |
| _pgpkey-https._tcp.keyserver | SRV | 0 11372 keyserver.urown.net | 10 |
Check the “Add also reverse record” when adding the IPv6 entry.
Firewall Rules¶
IPv4 NAT port forwarding:
| Protocol | Port No. | Forward To | Description |
|---|---|---|---|
| TCP | 11370 | 192.0.2.37 | OpenPGP Keyserver Recon |
| TCP | 11371 | 192.0.2.37 | OpenPGP Keyserver HKP |
| TCP | 11372 | 192.0.2.37 | OpenPGP Keyserver HKPS |
Allowed IPv6 connections:
| Protocol | Port No. | Destination | Description |
|---|---|---|---|
| TCP | 80 | 2001:db8::37 | OpenPGP Keyserver HKP and HTTP |
| TCP | 443 | 2001:db8::37 | OpenPGP Keyserver HKPS and HTTPS |
| TCP | 11370 | 2001:db8::37 | OpenPGP Keyserver Recon |
| TCP | 11371 | 2001:db8::37 | OpenPGP Keyserver HKP |
| TCP | 11372 | 2001:db8::37 | OpenPGP Keyserver HKPS |
Software Prerequisites¶
To build, install and run SKS from source we need the Gnu C-compiler, the Ocaml programming language and the Berkeley database libraries.
They can be installed from the Ubuntu software repository:
$ sudo apt-get install gcc ocaml libdb-dev db-util
SKS Source Download¶
As of September 2016 Ubuntu 16.04 has SKS version 1.1.5 in its repository. Since the servers eligible for inclusion into the SKS server pool need to run version 1.1.6 we install a newer version.
We download the source code from the SKS project website.
The source code is signed by the SKS Keyserver Signing Key. The KeyID and fingerprint are published on their website, which is a secure site wit EV certification to Altassian Inc.
Get that in our keyring, so we can verify downloaded source code is legit:
$ gpg2 --recv-key 0x41259773973A612A
gpg: requesting key 0x41259773973A612A from hkps server hkps.pool.sks-keyservers.net
gpg: key 0x41259773973A612A: public key "SKS Keyserver Signing Key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Be sure to check that, key-id, name and fingerprint all match with the published information:
$ pub 4096R/0x41259773973A612A 2012-06-27
Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A
uid [ unknown] SKS Keyserver Signing Key
If everything checks out, sign the SKS key as trusted:
$ gpg2 --lsign-key 0x41259773973A612A
Now go ahead to download:
$ cd /usr/loca/src
$ wget https://bitbucket.org/skskeyserver/sks-keyserver/downloads/sks-1.1.6.tgz
$ wget https://bitbucket.org/skskeyserver/sks-keyserver/downloads/sks-1.1.6.tgz.asc
Verify the downloaded file:
$ gpg2 --verify sks-1.1.6.tgz.asc
gpg: assuming signed data in `sks-1.1.6.tgz'
gpg: Signature made Sun 07 Aug 2016 04:26:45 PM CEST
gpg: using RSA key 41259773973A612A
gpg: Good signature from "SKS Keyserver Signing Key" [unknown]
Primary key fingerprint: C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A
Configuration¶
$ cd /usr/local/src
$ tar -xzf sks-1.1.6.tgz
$ cd sks-1.1.6
$ cp Makefile.local.unused Makefile.local
Edit Makefile.local by changing the following lines as highlighted below:
1 2 3 4 5 6 7 8 9 10 | BDBLIB=-L/usr/lib
BDBINCLUDE=-I/usr/include
PREFIX=/usr/local
LIBDB=-ldb-5.3
MANDIR=/usr/local/share/man
export BDBLIB
export BDBINCLUDE
export PREFIX
export LIBDB
export MANDIR
|
Build and Install¶
$ cd /usr/local/src/sks-1.1.6
$ make dep
$ make all
$ make install
SKS Configuration¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 | # /etc/sks/sksconf
#
# The configuration file for your SKS server.
# You can find more options in sks(8) manpage.
# Set server hostname
hostname: keyserver.example.net
# Set recon binding address
recon_address: 127.0.0.1 192.0.2.37 2001:db8::37
# Set recon port number
recon_port: 11370
# Set hkp binding address
hkp_address: 127.0.0.1
# Set hkp port number
hkp_port: 11371
# Have the HKP interface listen on port 80, as well as the hkp_port
#use_port_80:
# From address used in synchronization emails used to communicate with PKS
from_addr: "PGP Key Server Administrator <pgp-public-keys@example.net>"
# The PGP ID for the Server Contact
server_contact: 0x0123456789ABCDEF
# Disable sending of PKS mailsync messages.
disable_mailsync:
# Command used for sending mail (you can use -f option to specify the
# envelope sender address, if your MTA trusts the sks user)
#sendmail_cmd: /usr/lib/sendmail -t -oi
# Runs database statistics calculation on boot (time and cpu expensive)
initial_stat:
# Maximum interval (in hours) at which membership file is reloaded.
membership_reload_interval: 1
# Hour at which to run database statistics.
stat_hour: 12
# Maximum number of matches that will be returned from a query.
max_matches: 500
# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
pagesize: 16
#
# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
# very good results with 8196
ptree_pagesize: 16
|
1 2 3 4 5 6 7 8 9 10 11 12 13 | # /etc/sks/membership
#
# With SKS, two hosts can efficiently compare their databases then
# repair whatever differences are found. In order to set up
# reconciliation, you first need to find other SKS servers that will
# agree to gossip with you. The hostname and port of the server that
# has agreed to do so should be added to this file.
#
# Empty lines and whitespace-only lines are ignored, as are lines
# whose first non-whitespace character is a `#'.
#
# Example:
# keyserver.linux.it 11370
|
System Configuration¶
The following is adapted from the Ubuntu/Debian SKS software package.
Directories¶
Create a system envoronment for SKS, change ownership of the data directory and various other stuff:
$ mkdir -p /var/{lib,log,spool}/sks
$ chown -R debian-sks:debian-sks /var/{lib,log,spool}/sks
$ chmod -R 700 /var/{lib,log,spool}/sks
$ find /var/{lib,log,spool}/sks -type f -exec chmod 600 '{}' ';'
$ chgrp -R adm /var/log/sks
$ chmod -R g+rX /var/log/sks
$ chmod g+s /var/log/sks
System Service¶
1 2 3 | # by default we do NOT start sks!
# Set to yes if you want to start it in the init script.
initstart=no
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 | #!/bin/sh -e
#
### BEGIN INIT INFO
# Provides: sks
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
#
# Start/stops the sks daemons.
#
#
# Reads config file
[ -r /etc/default/sks ] && . /etc/default/sks
DAEMON=/usr/sbin/sks
SKSDBPID=/var/run/sks/sksdb.pid
SKSRECONPID=/var/run/sks/sksrecon.pid
# See if the daemon is there
test -e $DAEMON || exit 0
if [ ! -x $DAEMON ]; then
echo "ERROR: $DAEMON is not executable"
exit 1
fi
. /lib/lsb/init-functions
wait_for_deaddaemon () {
pidfile=$1
pid=`cat $pidfile 2>/dev/null` || true
sleep 1
if test -n "$pid"
then
if kill -0 $pid 2>/dev/null
then
echo -n "."
cnt=0
while kill -0 $pid 2>/dev/null
do
cnt=`expr $cnt + 1`
if [ $cnt -gt 30 ]
then
echo " FAILED."
return 1
fi
sleep 2
echo -n "."
done
rm -f $pidfile
else
rm -f $pidfile
fi
fi
return 0
}
case "$1" in
start)
echo -n "Starting sks daemons:"
if [ "$initstart" != "yes" ]; then
echo " Not starting sks (as configured in /etc/default/sks)"
exit 0
fi
mkdir -p `dirname "$SKSDBPID"`
chown debian-sks `dirname "$SKSDBPID"`
echo -n " sksdb.."
start-stop-daemon --start --quiet --oknodo \
--chuid debian-sks:debian-sks \
--make-pidfile \
--pidfile $SKSDBPID \
--exec $DAEMON -- db &
echo -n " sksrecon.."
start-stop-daemon --start --quiet --oknodo \
--chuid debian-sks:debian-sks \
--make-pidfile \
--pidfile $SKSRECONPID \
--exec $DAEMON -- recon &
echo " done."
;;
stop)
echo -n "Stopping sks daemons:"
echo -n " sksrecon.."
start-stop-daemon --stop --quiet --oknodo --pidfile $SKSRECONPID
wait_for_deaddaemon $SKSRECONPID || exit 1
echo -n " sksdb.."
start-stop-daemon --stop --quiet --oknodo --pidfile $SKSDBPID
wait_for_deaddaemon $SKSDBPID || exit 1
echo " done."
;;
reload)
# Hupping at least reopens logfiles.
# membership and mailsync are regularily read anyway
# not sure about the rest
# -- weasel
echo -n "Reloading sks daemons:"
echo -n " sksrecon.."
start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $SKSRECONPID
echo -n " sksdb.."
start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile $SKSDBPID
echo " done."
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart|force-reload}"
exit 1
;;
esac
exit 0
|
Daily Cron Job¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | #!/bin/sh
# daily cron to cleanup DB's log files.
set -e
[ -r /etc/sks/cron.conf ] && . /etc/sks/cron.conf
# First, remove old diff-1.2.3.4.txt files
# those files hold differences discovered during recon
# eventhing that hasn't been touched in the last 2 weeks
# is probably old and the result of a host that changed IP.
[ -d /var/spool/sks ] || exit 0
find /var/spool/sks -type f -name 'diff-*.txt' -mtime +14 | xargs --no-run-if-empty rm -f
[ -d /var/spool/sks/failed_messages ] || exit 0
# Also remove failed messages
find /var/spool/sks/failed_messages -type f -name 'msg-*.ready' -mtime +14 | xargs --no-run-if-empty rm -f
[ "$REMOVE_DB_LOGS" = "no" ] && exit 0
clean_directory() {
dir=$1
if [ -d "$dir" ]
then
db_archive -h $dir -d
fi
return 0
}
# The DB directory holds indexes and keys.
clean_directory /var/lib/sks/DB
# PTree is for the hashes used with the reconciliation algorithm. (I think)
clean_directory /var/lib/sks/PTree
exit 0
|
Log Rotation¶
1 2 3 4 5 6 7 8 9 10 11 | /var/log/sks/*.log {
daily
rotate 5
compress
delaycompress
missingok
notifempty
postrotate
/etc/init.d/sks reload > /dev/null
endscript
}
|
Nginx Web-Server Configuration¶
For better performance and as requirement of the SKS keyserver pool, SKS traffic is handled by Nginx and sent to SKS as a reverse proxy back-end.
Server¶
/etc/nginx/servers-available/keyserver.example.net.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 | #
# keyserver.example.net
# OpenPGP Public SKS Key Server
#
# Unsecured HTTP server
server {
# IPv4 private address (Port-forwarded from NAT firewall/router)
listen 192.0.2.10:80;
#listen 192.0.2.37:11371; Disabled for sslh listener
# IPv6 global address
listen [2001:db8::37]:80;
listen [2001:db8::37]:11371;
server_name keyserver.example.net
*.sks-keyservers.net *.pool.sks-keyservers.net
keys.gnupg.net pgp.ipfire.org pgp.mit.edu;
# Server Default Settings
include server-defaults/*.conf;
# Public Documents Root
root /var/www/example.net/keyserver/public_html;
# SKS Keyserver Configuration
include webapps/sks-keyserver.conf;
}
# Secured HTTPS server
server {
# IPv4 private address (Port-forwarded from NAT firewall/router)
listen 192.0.2.10:443 ssl spdy;
listen 192.0.2.37:11372 ssl spdy;
# IPv6 global address
listen [2001:db8::37]:443 ssl spdy;
listen [2001:db8::37]:11372 ssl spdy;
server_name keyserver.example.net
*.sks-keyservers.net *.pool.sks-keyservers.net
keys.gnupg.net pgp.ipfire.org pgp.mit.edu;
# Server Default Settings
include server-defaults/*.conf;
# Public Documents Root
root /var/www/example.net/keyserver/public_html;
# SKS Keyserver Configuration
include webapps/sks-keyserver.conf;
}
# Tor Hidden Service
server {
# IPv4 local address (Port-forwarded from Tor Onion router)
listen 127.0.0.37:80;
listen 127.0.0.37:11371;
server_name duskgytldkxiuqc6.onion;
# Server Default Settings
include server-defaults/*.conf;
# Public Documents Root
root /var/www/example.net/keyserver/public_html;
# SKS Keyserver Configuration
include webapps/sks-keyserver.conf;
}
|
SKS Web Application¶
/etc/nginx/webapps/sks-keyserver.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | #
# SKS Keyserver Proxy
#
rewrite ^/stats /pks/lookup?op=stats;
rewrite ^/s/(.*) /pks/lookup?search=$1;
rewrite ^/search/(.*) /pks/lookup?search=$1;
rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;
rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;
rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;
rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;
location /pks {
proxy_pass http://127.0.0.1:11371;
proxy_pass_header Server;
add_header Via "1.1 $server_name:$proxy_port (nginx)";
proxy_ignore_client_abort on;
client_max_body_size 8m;
proxy_intercept_errors off;
# Disallow Search Engines to index keyserver search results
add_header X-Robots-Tag 'noindex, nofollow' always;
# Client Security HTTP Headers
include server-conf.d/20_client-security.conf;
# Content Security Policy (CSP)
include csp/sks.csp.conf;
# Strict Transport Security (HSTS)
include hsts.conf;
}
|
Keyserver Website¶
Keyservers can be accessed by normal web-browsers, apart from OpenPGP clients. Typically you can search for, view, download and upload keys on a rudimentary web-interface. They usually look like the web was invented only last week.
Luckily Matt Rude has created a more modern OpenPGP Keyserver Website available from Github:
$ sudo mkdir -p /var/www/example.net/keyserver/public_html
$ cd /var/www/example.net/keyserver/public_html
$ sudo git clone https://github.com/mattrude/pgpkeyserver-lite.git
$ sudo chown -R www-data:www-data /var/www/example.net/keyserver/public_html
Restart Nginx¶
$ sudo ln -s /etc/nginx/servers-available/keyserver.example.net /etc/nginx/sites-enabled/
$ sudo service nginx restart
HKP and HSTS¶
The Problem¶
With our Nginx configuration web-browser can access the HTML interface over plain unencrypted HTTP on the standard HTTP TCP port 80 and the non-standard HTTP (but standard HKP) TCP port 11371. For the security aware encrypted HTTPS connections are provided on port 443. the standard TCP port for both, HKP and HTTPS.
Now if your domain and sub-domains have strict HSTS enabled, this creates a problem.
If a modern browser is directed to a website on a non-standard TCP port in a HSTS enabled domain, the browser will attempt to initiate a TLS connection on that port, even if the URL starts with http:// and not https://. If that fails, an error page is displayed to the user and thats it.
So users visiting our keyservers web-interface on port 11371 will be greeted with a security error message.
This behavior may seem strange but its currently the only way of ensuring security. The browser MUST enforce HSTS but also has no secure way to learn about or assume on what other presumably non-standard TCP port number, he could attempt a secure connection.
The problem and and subsequent decision on how this needs to be handled are described in this blog post by Andy Steingruebl.
The Workaroud¶
There is software who can sniff out the protocol connecting on a given port. OpenVPN for example supports this, so you can hide your secret VPN gateway behind a unsuspicious website and may also help clients to connect trough overzealous firewalls.
sslh is one such an Applicative Protocol Multiplexer who allows to run multiple protocols on the same port.
sslh Installation¶
sslh is available in the Ubuntu, Debian, SUSE and Fedora software package repositories:
$ sudo apt-get install sslh
sslh configuration¶
Configuration is stored in the file
/etc/sslh.cfg. The installation does not create that, but an example configuration file is provided in
/usr/share/doc/sslh/examples/example.cfg.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | #
# sslh configuration for HKP OpenPGP keyservers
#
verbose: false;
foreground: false;
inetd: false;
numeric: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
# List of interfaces on which we should listen
listen:
(
{ host: "192.0.2.37"; port: "11371"; },
{ host: "2001:db8::37"; port: "11371"; }
);
# List of protocols
protocols:
(
{ name: "http"; host: "127.0.0.37"; port: "11371"; probe: "builtin"; },
{ name: "https"; host: "127.0.0.37"; port: "443"; probe: [ "" ]; }
);
# Fallback protocol
on-timeout: "http";
|
Testing¶
Launch it by hand to see of it is working alright:
$ sudo sslh -F /etc/sslh.cfg --verbose --foreground
Then open https://keyserver.example.net:11371/ with your browser.
Output should look about as follows:
http addr: 127.0.0.37:hkp. libwrap service: (null) family 2 2
ssl addr: 127.0.0.37:https. libwrap service: (null) family 2 2
listening on:
192.0.2.37:hkp
keyserver.example.net:hkp
timeout: 2
on-timeout: http
listening to 2 addresses
turning into nobody
sslh-fork 1.15 started
accepted fd 5
**** writing defered on fd -1
probing for http
probe http successful
connecting to 127.0.0.37:hkp family 2 len 16
connection from some-client.some.net:43635 to keyserver.example.net:hkp forwarded from localhost:47333 to 127.0.0.37:hkp
flushing defered data to fd 4
client socket closed
connection closed down
...
connection from some-other-client.some-other.net:43730 to keyserver.example.net:hkp forwarded from localhost:38496 to 127.0.0.37:https
flushing defered data to fd 4
accepted fd 5
**** writing defered on fd -1
probing for http
probing for ssl
probe ssl successful
connecting to 127.0.0.37:https family 2 len 16
...
server socket closed
connection closed down
If you got a connection from the SKS pool testing scripts during your test-run, you may visit your server status page on the SKS pool website, to see if it still works.
Set up as Service¶
If test are successful, set it up as service.
Open /etc/default/sslh.
- Enable the service by changing the line 12 from “no” to “yes”.
- Replace the the command line options on line 17 with a reference to our configuration file.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # Default options for sslh initscript
# sourced by /etc/init.d/sslh
# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)
RUN=yes
# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="-F /etc/sslh.cfg"
|
Start the Service¶
$ sudo service sslh start
Database Import¶
Lets hope the download of the database dump we started earlier has completed in the meantime.
If so check that all the pieces have been downloaded correctly by comparing their checksums against the list published by the dump provider:
$ cd /var/lib/sks/dump
$ md5sum -c metadata-sks-dump.txt
sks-dump-0000.pgp: OK
...
sks-dump-0261.pgp: OK
The dump now needs to be imported into the SKS database. There are two ways to do this: either a full build (which reads in the dump you just downloaded and leaves you with a complete, self-contained database) or a fastbuild (which just references the dump and requires it to be left in place after the fastbuild is complete):
$ cd /var/lib/sks
$ sudo /usr/local/bin/sks_build.sh
On the next screen, choose 2.
Please select the mode in which you want to import the keydump:
1 - fastbuild
only an index of the keydump is created and the keydump cannot be
removed.
2 - normalbuild
all the keydump will be imported in a new database. It takes longer
time and more disk space, but the server will run faster (depending
from the source/age of the keydump).
The keydump can be removed after the import.
Enter enter the mode (1/2): 2
This took around 4 hours on my machine (Intel Core2 Duo CPU @ 2.10GHz with 3GB RAM) doing a normal build (option 2).
Clustering¶
If you have even more disk space available on your server, you can run additional instances.
Copy the database directory:
$ sudo systemctl stop sks-recon.service sks.service
$ sudo cp -r /var/lib/sks /var/lib/sks2
$ sudo systemctl start sks-recon.service sks.service
$ sudo cp -r /var/lib/sks2 /var/lib/sks3
$ sudo sudo chown -R debian-sks:debian-sks /var/lib/sks*
It might take a few minutes to copy 23 GB of data.
Copy the configuration directory:
$ sudo cp -r /etc/sks /etc/sks2
$ sudo cp -r /etc/sks2 /etc/sks3
Edit the new configuration file /etc/sks2/sksconf:
# Set server hostname
hostname: pgpkeys.example.net
nodename: sks2
# Set recon binding address
recon_address: 127.0.0.2 ::2
# Set recon port number
recon_port: 11370
# Set hkp binding address
hkp_address: 127.0.0.2 ::2
# Set hkp port number
hkp_port: 11371
Edit the new configuration file /etc/sks3/sksconf:
# Set server hostname
hostname: pgpkeys.example.net
nodename: sks3
# Set recon binding address
recon_address: 127.0.0.3 ::3
# Set recon port number
recon_port: 11370
# Set hkp binding address
hkp_address: 127.0.0.3 ::3
# Set hkp port number
hkp_port: 11371
Edit the new membership file /etc/sks3/membership:
.. to be continued ..
References¶
- Matt Rudes Public Keyserver Guides
- Ubuntu sks man page (Ubuntu Utopic 16.04)