gpg
Материал из LinTest Wiki
Организация проверки PGP подписей
OpenLDAP schema to store OpenPGP keys
On Sat, Feb 18, 2006 at 10:11:32PM +0100, Peter Palfrader wrote: > Walter Haidinger schrieb am Samstag, dem 18. Feber 2006: > > > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for > > use with GnuPG). Please note that I already have a working OpenLDAP > > server, so I'd only need to add schema, acls and keys, of course. > > > > Btw, can GnuPG also store secret keys in the keyserver? > > > > However, I was unable to find any schema definiton... > > http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip > > If you get an LDAP keyserver running please document your steps > somewhere and let us know. Here's a rough guide for OpenLDAP: 0) Have a working OpenLDAP server running already. 1) Copy pgp-keyserver.schema wherever your schemas go. 2) Add an include line in /etc/openldap/slapd.conf for it: include /etc/openldap/schema/pgp-keyserver.schema 3) Add a place to store the keys to /etc/openldap/slapd.conf: database bdb suffix "ou=PGP Keys,dc=DOMAIN,dc=COM" index objectClass eq index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq index pgpDisabled,pgpRevoked eq directory /var/lib/ldap access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write rootdn "cn=Manager,dc=DOMAIN,dc=COM" 4) Restart slapd 5) Make this file: cat > pgp.ldif dn: ou=PGP Keys,dc=DOMAIN,dc=COM objectclass: organizationalUnit ou: PGP Keys dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM cn: PGPServerInfo objectclass: pgpserverinfo pgpSoftware: OpenLDAP pgpVersion: 2.2.29 pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM ^D 6) ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgp.ldif The configuration above obviously allows anyone to write/delete keys. That may or may not be what you want. Note that GPG will use TLS or LDAPS just fine if you want to use that.
Howto setup an OpenLDAP PGP keyserver
After all issues are finally resolved, I'm glad to post this
howto about setting up a PGP keyserver with OpenLDAP.
The inital thread that finally leads to here starts at:
http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2
Many thanks to Peter Palfrader for providing the LDAP schema and
especially to David Shaw for providing invaluable help and adding
LDAP basic authentication to GnuPG.
Used software: OpenLDAP 2.2.27, run under SuSE 10.0
GnuPG 1.4.3rc1 (subversion revision 4020).
If you don't want to wait until 1.4.3 is officially released,
grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk
Attached is tarball with the files for OpenLDAP configuration,
to which will be refered to below. I hope this doesn't violate
the rules of this list but the attachment is very small anyways.
You should have a basic understanding about LDAP first.
If not, I'd recommend to read the OpenLDAP Admin Guide on
http://www.openldap.org, which provides excellent documentation.
Also, as an LDAP client and excellent server management tool,
I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net
The LDAP tree created in this example setup looks like:
dc=EXAMPLE,dc=COM
|
+----cn=Manager
+----cn=PGPServerInfo
+----ou=PGP Keys
| +---pgpCertID=...
| +---pgpCertID=...
+----ou=PGP Users
+---uid=...
+---uid=...
where dc=EXAMPLE,dc=COM is obviously the base DN.
First, install pgp-keyserver.schema from the tarball into to your
schema directory. There are two more files which are not used here,
but have been part of the schema I got from Peter, so I kept them
for completeness.
Next, install slapd.conf and edit to suit your needs.
That is, select either anonymous or user authentication.
In the provided file, anonymous writes are enabled.
However, access is restricted to writes from localhost only.
You may lift this restriction by modifying the peername.ip
statement. See slapd.access(5) for details and examples.
Think twice before opening up anonymous writes, as _any_ user
who can connect to your LDAP server can not only upload but also
delete keys.
For user authentication, comment out update_anon and the
access rule for anonymous writes. Users are stored as
DN "uid=<username>,ou=PGP Users,dc=EXAMPLE,dc=COM".
You need to create users to bind to LDAP. One sample user is
provided in ldif/pgpusers.ldif. Just copy the entry and
modify it to create more and read the file to learn
the used password.
Also, the password for the OpenLDAP manager is stored
as a hash. It is 'gpg'. Run slappasswd(8) to create a
stronger password and replace the hash in slapd.conf.
Try to start your OpenLDAP server now.
Under SuSE, I run "/etc/init.d/ldap start".
Next, populate the directory with the basic layout by
importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost
-D "cn=Manager,dc=EXAMPLE,dc=COM"
When prompted for a password, enter the one you've created
above or 'gpg' if you did not.
If you selected anonymous writes, you're done configuring
your OpenLDAP PGP keyserver.
If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost
-D "cn=Manager,dc=EXAMPLE,dc=COM"
Finally, you can use GnuPG to add keys (always on a single line):
For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678
For user authentication (insecure on command-line, see below):
> gpg --keyserver ldap://localhost --keyserver-options
"binddn=\"uid=user1,ou=PGPUsers,dc=EXAMPLE,dc=COM\""
--keyserver-options bindpw=user1 --send-keys 12345678
To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678
Further notes:
* GnuPG looks for PGPServerInfo under the base DN.
If you decide to put it somewhere else, use keyserver-option
basedn to specify the new location, e.g.:
keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""
* Beware of shell quoting, like above which is the correct format
if you have spaces in your DN and specify the keyserver option
on the command line.
* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for tls the
keyserver-options tls. It takes 'no','try','warn' or 'require'
as an argument, e.g.:
keyserver-options tls=require
* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:
keyserver ldap://localhost
keyserver-options binddn="uid=test1,ou=PGP Keys,dc=EXAMPLE,dc=COM"
keyserver-options bindpw=verysecret
keyserver-options tls=try
keyserver-options verbose
Then the following will just work:
> gpg --send-keys 12345678
or
> gpg --recv-keys 12345678
* As it is INSECURE to specify your bind password on the command
line, you should put it to your ~/.gnupg/gpg.conf and protect
this file with 0600 permissions.
Well, that's it for now. I hope this howto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.
I'd be glad if someone could verify the steps so that there are no
glitches. Comments, notes, questions or else are appreciated.
Last but not least a final request: Please add a CC: to my email
address too if you reply to this list. Thanks.
