From LinTest Wiki

Organizing PGP signature verification


OpenLDAP schema to store OpenPGP keys

On Sat, Feb 18, 2006 at 10:11:32PM +0100, Peter Palfrader wrote:
> Walter Haidinger wrote on Saturday, 18 February 2006:
> > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for
> > use with GnuPG). Please note that I already have a working OpenLDAP
> > server, so I'd only need to add schema, acls and keys, of course.
> > 
> > Btw, can GnuPG also store secret keys in the keyserver?
> > 
> > However, I was unable to find any schema definition...
> If you get an LDAP keyserver running please document your steps
> somewhere and let us know.

Here's a rough guide for OpenLDAP:

0) Have a working OpenLDAP server running already.

1) Copy pgp-keyserver.schema wherever your schemas go.

2) Add an include line in /etc/openldap/slapd.conf for it:

 include         /etc/openldap/schema/pgp-keyserver.schema

3) Add a place to store the keys to /etc/openldap/slapd.conf:

 database    bdb
 suffix      "ou=PGP Keys,dc=DOMAIN,dc=COM"
 index       objectClass eq
 index       pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
 index       pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
 index       pgpDisabled,pgpRevoked eq
 directory   /var/lib/ldap
 access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write
 rootdn          "cn=Manager,dc=DOMAIN,dc=COM"

4) Restart slapd

5) Make this file:
cat > pgp.ldif <<'EOF'
dn: ou=PGP Keys,dc=DOMAIN,dc=COM
objectclass: organizationalUnit
ou: PGP Keys

dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
cn: PGPServerInfo
objectclass: pgpserverinfo
pgpSoftware: OpenLDAP
pgpVersion: 2.2.29
pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM
EOF

6) ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgp.ldif

The configuration above obviously allows anyone to write/delete keys.
That may or may not be what you want.  Note that GPG will use TLS or
LDAPS just fine if you want to use that.
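An added example, not part of either post: the access rule from the rough guide placed beside a restricted version that combines what the two posts suggest (bind users under ou=PGP Users, writes accepted only from the local host). The dc=DOMAIN,dc=COM placeholder is the guide's; the ou=PGP Users container is taken from the second post. Order matters in slapd.conf: slapd uses the first "access to" clause whose target matches the entry, and inside it the first "by" clause that matches the requester, so the userPassword rule has to come before the general rule for the same subtree. The rootdn bypasses these rules either way, and "allow update_anon" must not be set for the restricted variant to mean anything.

```conf
# --- As posted: anyone who can reach slapd may add, replace or delete keys.
access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write

# --- Restricted (added example): anonymous clients may search and read the
# key space, which is all gpg --recv-keys needs; only users under
# ou=PGP Users may write (gpg --send-keys with binddn/bindpw), and only
# when connecting from 127.0.0.1.
access to dn.subtree="ou=PGP Keys,dc=DOMAIN,dc=COM"
        by dn.children="ou=PGP Users,dc=DOMAIN,dc=COM" peername.ip=127.0.0.1 write
        by * read

# The bind users themselves: the password hash is usable for binding only,
# readable by nobody, and each user may change their own.
access to dn.children="ou=PGP Users,dc=DOMAIN,dc=COM" attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to dn.children="ou=PGP Users,dc=DOMAIN,dc=COM"
        by self read
        by * none
```

Drop the peername.ip condition if clients send keys from other hosts; then insist on TLS (gpg's keyserver-options tls=require or an ldaps:// URL), since the simple bind otherwise carries the password in clear.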

Howto setup an OpenLDAP PGP keyserver

After all issues are finally resolved, I'm glad to post this
howto about setting up a PGP keyserver with OpenLDAP.
The initial thread that finally led here starts at:

Many thanks to Peter Palfrader for providing the LDAP schema and
especially to David Shaw for providing invaluable help and adding
LDAP basic authentication to GnuPG.

Used software: OpenLDAP 2.2.27, run under SuSE 10.0
GnuPG 1.4.3rc1 (subversion revision 4020).

If you don't want to wait until 1.4.3 is officially released,
grab yourself a copy from svn:
> svn co svn://

Attached is a tarball with the files for OpenLDAP configuration,
which will be referred to below. I hope this doesn't violate
the rules of this list, but the attachment is very small anyway.

You should have a basic understanding about LDAP first.
If not, I'd recommend reading the OpenLDAP Admin Guide, which provides excellent documentation.

Also, as an LDAP client and excellent server management tool,
I'd recommend phpLDAPadmin:

The LDAP tree created in this example setup looks like:

  dc=EXAMPLE,dc=COM
  +----ou=PGP Keys
  |    +---pgpCertID=...
  |    +---pgpCertID=...
  +----ou=PGP Users

where dc=EXAMPLE,dc=COM is obviously the base DN.

First, install pgp-keyserver.schema from the tarball into your
schema directory. There are two more files which are not used here,
but they have been part of the schema I got from Peter, so I kept them
for completeness.

Next, install slapd.conf and edit to suit your needs.
That is, select either anonymous or user authentication.

In the provided file, anonymous writes are enabled.
However, access is restricted to writes from localhost only.
You may lift this restriction by modifying the peername.ip
statement. See slapd.access(5) for details and examples.

Think twice before opening up anonymous writes, as _any_ user
who can connect to your LDAP server can not only upload but also
delete keys.

For user authentication, comment out update_anon and the
access rule for anonymous writes. Users are stored as
DN "uid=<username>,ou=PGP Users,dc=EXAMPLE,dc=COM".

You need to create users to bind to LDAP. One sample user is
provided in ldif/pgpusers.ldif. Just copy the entry and
modify it to create more, and read the file to learn
the password used.

Also, the password for the OpenLDAP manager is stored
as a hash. It is 'gpg'. Run slappasswd(8) to create a
stronger password and replace the hash in slapd.conf.

Try to start your OpenLDAP server now.
Under SuSE, I run "/etc/init.d/ldap start".

Next, populate the directory with the basic layout by
importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

When prompted for a password, enter the one you've created
above or 'gpg' if you did not.

If you selected anonymous writes, you're done configuring
your OpenLDAP PGP keyserver.

If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

Finally, you can use GnuPG to add keys (always on a single line):

For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678

For user authentication (insecure on command-line, see below):
> gpg --keyserver ldap://localhost --keyserver-options binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" --keyserver-options bindpw=user1 --send-keys 12345678

To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678

Further notes:
* GnuPG looks for PGPServerInfo under the base DN.
  If you decide to put it somewhere else, use keyserver-option
  basedn to specify the new location, e.g.:
  keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

* Beware of shell quoting; the above is the correct format
  if you have spaces in your DN and specify the keyserver option
  on the command line.

* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for tls the
  keyserver-options tls. It takes 'no','try','warn' or 'require'
  as an argument, e.g.:
  keyserver-options tls=require

* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:

  keyserver ldap://localhost
  keyserver-options binddn="uid=test1,ou=PGP Users,dc=EXAMPLE,dc=COM"
  keyserver-options bindpw=verysecret
  keyserver-options tls=try
  keyserver-options verbose

  Then the following will just work:
  > gpg --send-keys 12345678
  > gpg --recv-keys 12345678

* As it is INSECURE to specify your bind password on the command
  line, you should put it to your ~/.gnupg/gpg.conf and protect
  this file with 0600 permissions.

Well, that's it for now. I hope this howto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.

I'd be glad if someone could verify the steps so that there are no
glitches. Comments, notes, questions or else are appreciated.

Last but not least a final request: Please add a CC: to my email
address too if you reply to this list. Thanks.
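An added example in Python, not part of the howto and not code from GnuPG or OpenLDAP: the two pieces of the user-authentication variant that the tarball (not reproduced on this page) would have supplied. Server side, it produces a user entry under ou=PGP Users,dc=EXAMPLE,dc=COM with a userPassword in the {SSHA} form that slappasswd(8) emits by default, and checks a password against such a value the way slapd does on a simple bind. Client side, it writes the keyserver options, bind password included, into a gpg.conf created with 0600 permissions, which is the point of the last note above. The objectClass inetOrgPerson, the 4-byte salt, the uid user1 and the gpg.conf placed in a temporary directory are assumptions made for the example.

```python
"""User entries for the keyserver and a locked-down gpg.conf (added example).

Assumes the layout from the howto: bind users live under
uid=<name>,ou=PGP Users,dc=EXAMPLE,dc=COM. The {SSHA} scheme below is the
default output format of slappasswd: base64(SHA1(password || salt) || salt).
"""
import base64
import hashlib
import os
import secrets
import stat
import tempfile

BASE_DN = "dc=EXAMPLE,dc=COM"
USERS_OU = "ou=PGP Users," + BASE_DN


def ssha_hash(password, salt=None):
    """Return a userPassword value slapd can verify a simple bind against."""
    if salt is None:
        salt = secrets.token_bytes(4)  # slappasswd also uses a 4-byte salt (assumption)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """What slapd does on bind: split hash and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def user_ldif(uid, password):
    """LDIF for one bind user; the DN is the shape gpg's binddn option expects.

    inetOrgPerson (which requires cn and sn) is an assumption; the original
    pgpusers.ldif is not on the page.
    """
    return (
        f"dn: uid={uid},{USERS_OU}\n"
        "objectClass: inetOrgPerson\n"
        f"uid: {uid}\n"
        f"cn: {uid}\n"
        f"sn: {uid}\n"
        f"userPassword: {ssha_hash(password)}\n"
    )


def write_gpg_conf(path, uid, password, host="localhost"):
    """Write the keyserver options with the bind password; return the file mode.

    The file is created 0600 and re-chmodded in case it already existed
    with wider permissions, so the bind password is readable only by the owner.
    """
    body = (
        f"keyserver ldap://{host}\n"
        f'keyserver-options binddn="uid={uid},{USERS_OU}"\n'
        f"keyserver-options bindpw={password}\n"
        "keyserver-options tls=require\n"
    )
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_gpg_conf(uid="user1", password="verysecret"):
    """Write gpg.conf into a fresh temporary directory; return (mode, contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gpg.conf")
        mode = write_gpg_conf(path, uid, password)
        with open(path) as fh:
            return mode, fh.read()


if __name__ == "__main__":
    print(user_ldif("user1", "user1"))          # feed this to ldapadd as the Manager
    mode, text = demo_gpg_conf()
    print(f"gpg.conf mode {oct(mode)}:\n{text}")
```

Pipe the output of user_ldif into the same ldapadd command the howto uses for pgpusers.ldif; the resulting entry binds with gpg's binddn/bindpw options exactly as shown above.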
