gpg
From LinTest Wiki
Organizing PGP signature verification
OpenLDAP schema to store OpenPGP keys
On Sat, Feb 18, 2006 at 10:11:32PM +0100, Peter Palfrader wrote:
> Walter Haidinger wrote on Saturday, 18 February 2006:
>
> > Now, I'd like to set up an OpenLDAP server to store the OpenPGP keys (for
> > use with GnuPG). Please note that I already have a working OpenLDAP
> > server, so I'd only need to add schema, acls and keys, of course.
> >
> > Btw, can GnuPG also store secret keys in the keyserver?
> >
> > However, I was unable to find any schema definition...
>
> http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip
>
> If you get an LDAP keyserver running please document your steps
> somewhere and let us know.

Here's a rough guide for OpenLDAP:

0) Have a working OpenLDAP server running already.

1) Copy pgp-keyserver.schema wherever your schemas go.

2) Add an include line in /etc/openldap/slapd.conf for it:

   include /etc/openldap/schema/pgp-keyserver.schema

3) Add a place to store the keys to /etc/openldap/slapd.conf:

   database bdb
   suffix "ou=PGP Keys,dc=DOMAIN,dc=COM"
   index objectClass eq
   index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq
   index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq
   index pgpDisabled,pgpRevoked eq
   directory /var/lib/ldap
   access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write
   rootdn "cn=Manager,dc=DOMAIN,dc=COM"

4) Restart slapd.

5) Make this file:

   cat > pgp.ldif
   dn: ou=PGP Keys,dc=DOMAIN,dc=COM
   objectclass: organizationalUnit
   ou: PGP Keys

   dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM
   cn: PGPServerInfo
   objectclass: pgpserverinfo
   pgpSoftware: OpenLDAP
   pgpVersion: 2.2.29
   pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM
   ^D

6) ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgp.ldif

The configuration above obviously allows anyone to write/delete keys.
That may or may not be what you want.

Note that GPG will use TLS or LDAPS just fine if you want to use that.
Howto setup an OpenLDAP PGP keyserver
After all issues are finally resolved, I'm glad to post this howto about setting up a PGP keyserver with OpenLDAP.

The initial thread that finally leads to here starts at:
http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2

Many thanks to Peter Palfrader for providing the LDAP schema and especially to David Shaw for providing invaluable help and adding LDAP basic authentication to GnuPG.

Used software:
  OpenLDAP 2.2.27, run under SuSE 10.0
  GnuPG 1.4.3rc1 (subversion revision 4020).

If you don't want to wait until 1.4.3 is officially released, grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk

Attached is a tarball with the files for the OpenLDAP configuration, which will be referred to below. I hope this doesn't violate the rules of this list, but the attachment is very small anyway.

You should have a basic understanding of LDAP first. If not, I'd recommend reading the OpenLDAP Admin Guide on http://www.openldap.org, which provides excellent documentation. Also, as an LDAP client and excellent server management tool, I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net

The LDAP tree created in this example setup looks like:

  dc=EXAMPLE,dc=COM
   |
   +----cn=Manager
   +----cn=PGPServerInfo
   +----ou=PGP Keys
   |      |
   |      +---pgpCertID=...
   |      +---pgpCertID=...
   +----ou=PGP Users
          +---uid=...
          +---uid=...

where dc=EXAMPLE,dc=COM is obviously the base DN.

First, install pgp-keyserver.schema from the tarball into your schema directory. There are two more files which are not used here, but they have been part of the schema I got from Peter, so I kept them for completeness.

Next, install slapd.conf and edit it to suit your needs. That is, select either anonymous or user authentication. In the provided file, anonymous writes are enabled. However, access is restricted to writes from localhost only. You may lift this restriction by modifying the peername.ip statement. See slapd.access(5) for details and examples.

Think twice before opening up anonymous writes, as _any_ user who can connect to your LDAP server can not only upload but also delete keys.

For user authentication, comment out update_anon and the access rule for anonymous writes. Users are stored as DN "uid=<username>,ou=PGP Users,dc=EXAMPLE,dc=COM". You need to create users to bind to LDAP. One sample user is provided in ldif/pgpusers.ldif. Just copy the entry and modify it to create more, and read the file to learn the password used.

Also, the password for the OpenLDAP manager is stored as a hash. It is 'gpg'. Run slappasswd(8) to create a stronger password and replace the hash in slapd.conf.

Try to start your OpenLDAP server now. Under SuSE, I run "/etc/init.d/ldap start".

Next, populate the directory with the basic layout by importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

When prompted for a password, enter the one you've created above, or 'gpg' if you did not.

If you selected anonymous writes, you're done configuring your OpenLDAP PGP keyserver. If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

Finally, you can use GnuPG to add keys (always on a single line):

For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678

For user authentication (insecure on the command line, see below):
> gpg --keyserver ldap://localhost --keyserver-options "binddn=\"uid=user1,ou=PGPUsers,dc=EXAMPLE,dc=COM\"" --keyserver-options bindpw=user1 --send-keys 12345678

To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678

Further notes:

* GnuPG looks for PGPServerInfo under the base DN. If you decide to put it somewhere else, use the keyserver option basedn to specify the new location, e.g.:
  keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

* Beware of shell quoting, like above, which is the correct format if you have spaces in your DN and specify the keyserver option on the command line.

* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for TLS the keyserver option tls. It takes 'no', 'try', 'warn' or 'require' as an argument, e.g.:
  keyserver-options tls=require

* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:
  keyserver ldap://localhost
  keyserver-options binddn="uid=test1,ou=PGP Keys,dc=EXAMPLE,dc=COM"
  keyserver-options bindpw=verysecret
  keyserver-options tls=try
  keyserver-options verbose

  Then the following will just work:
  > gpg --send-keys 12345678
  or
  > gpg --recv-keys 12345678

* As it is INSECURE to specify your bind password on the command line, you should put it into your ~/.gnupg/gpg.conf and protect this file with 0600 permissions.

Well, that's it for now. I hope this howto is helpful and somewhat complete! Good luck setting up your PGP keyserver with OpenLDAP. I'd be glad if someone could verify the steps so that there are no glitches. Comments, notes, questions or else are appreciated.

Last but not least a final request: Please add a CC: to my email address too if you reply to this list. Thanks.
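Both posts above leave three pieces to the reader: the manager and bind-user passwords that slappasswd(8) turns into {SSHA} hashes, the pgpusers.ldif entries for users who may bind, and the ~/.gnupg/gpg.conf that holds binddn/bindpw and must stay 0600. The Python below is an added example that is not code from either post, from GnuPG or from OpenLDAP. It reproduces the {SSHA} layout slappasswd emits by default ("{SSHA}" plus base64 of sha1(password + salt) followed by the salt), verifies a password against such a hash, emits one bind-user LDIF entry with the password stored hashed, and writes a gpg.conf that is created with mode 0600 before the secret touches disk. The function names, the sample user 'user1', the objectClasses account and simpleSecurityObject for the user entry, and the tls=require setting are assumptions of this example, not taken from the posts.

```python
# Added example for the OpenLDAP PGP keyserver howto above; not code from the
# posts, GnuPG or OpenLDAP. Assumptions (not in the original): function names,
# the sample user 'user1', the objectClasses account + simpleSecurityObject
# (standard core/cosine schema) and the {SSHA} layout slappasswd(8) uses by
# default: "{SSHA}" + base64( sha1(password + salt) + salt ).
import base64
import hashlib
import os
import secrets
import stat
import tempfile
from pathlib import Path

BASE_DN = "dc=EXAMPLE,dc=COM"          # base DN used throughout the howto


def ssha_hash(password, salt=None):
    """Return a salted SHA-1 hash in the {SSHA} form slapd understands."""
    if salt is None:
        salt = secrets.token_bytes(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against an {SSHA} value (e.g. rootpw from slapd.conf)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash: %r" % stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def user_ldif(uid, password, base_dn=BASE_DN):
    """LDIF for one bind user under ou=PGP Users, as pgpusers.ldif would hold.

    The password is stored hashed, so the LDIF file itself does not leak the
    bind secret (assumed objectClasses, see header comment).
    """
    return "\n".join([
        "dn: uid=%s,ou=PGP Users,%s" % (uid, base_dn),
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        "uid: %s" % uid,
        "userPassword: %s" % ssha_hash(password),
        "",
    ])


def write_gpg_conf(gnupg_dir, binddn, bindpw, keyserver="ldap://localhost",
                   tls="require"):
    """Write gpg.conf with the bind credentials, created with mode 0600.

    Inside gpg.conf the DN only needs plain double quotes (no shell
    escaping), and the file descriptor is opened 0600 before the password
    is written, so the secret is never world-readable, not even briefly.
    """
    gnupg_dir = Path(gnupg_dir)
    gnupg_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    conf = gnupg_dir / "gpg.conf"
    lines = [
        "keyserver %s" % keyserver,
        'keyserver-options binddn="%s"' % binddn,
        "keyserver-options bindpw=%s" % bindpw,
        "keyserver-options tls=%s" % tls,   # require: never send bindpw in clear
        "keyserver-options verbose",
    ]
    fd = os.open(str(conf), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(conf, 0o600)               # in case the file already existed
    return conf


def conf_is_private(path):
    """True when only the owner can read or write the file (mode 0600)."""
    return stat.S_IMODE(Path(path).stat().st_mode) == 0o600


def demo():
    """Generate a user entry and a gpg.conf in a scratch directory."""
    uid, pw = "user1", "user1"                       # sample credentials only
    ldif = user_ldif(uid, pw)
    stored = ldif.split("userPassword: ")[1].strip()
    scratch = Path(tempfile.mkdtemp(prefix="pgp-ldap-"))
    conf = write_gpg_conf(scratch / ".gnupg",
                          "uid=%s,ou=PGP Users,%s" % (uid, BASE_DN), pw)
    return {
        "ldif": ldif,
        "hash_ok": ssha_verify(stored, pw),
        "conf_path": conf,
        "conf_private": conf_is_private(conf),
        "conf_text": conf.read_text(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["ldif"])
    print(result["conf_path"], "private:", result["conf_private"])
```

The output of user_ldif() can be fed to ldapadd exactly like pgpusers.ldif in the howto, and ssha_hash() output can replace the rootpw hash in slapd.conf. tls=require is the setting to keep once the server has a certificate; with the slapd.conf as shipped in the howto (no TLS configured) a client with tls=require will refuse to connect, so use tls=try against localhost until that is in place.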