The OpenPGP Public Key Server (PKS)


* Dependencies

    PKS requires Berkeley DB 4.1.25 or higher. If Berkeley DB 4 is
found in either /usr or /usr/local, it will be used by default. If
Berkeley DB 4 is not installed system-wide or is installed in a
non-standard location, the --with-db option to the configure script
can be used to specify the location of the files to use.

    PKS requires OpenSSL. The minimum version of OpenSSL is not known
at this time. It is recommended that you use version 0.9.7b or
later. If OpenSSL is found in either /usr or /usr/local, it will be
used by default. If OpenSSL is not installed system-wide or is
installed in a non-standard location, the --with-openssl option to
the configure script can be used to specify the location of the
files to use.


* Building Berkeley DB 4.1.25 (OPTIONAL)

    Alternatively, if Berkeley DB 4 is only going to be used for PKS
on your system, you may find it easiest to statically link PKS with
the Berkeley code. To do so, unpack the db archive into the same
directory as you unpacked the pks archive into. Build db without
installing it. One file, hmac/sha1.c, may trigger some optimizer
bugs in GCC. (Turning off optimization for this file may help.) The
following commands will probably work for you:

        cd db-4.1.25/build_unix
        ../dist/configure
        make
        cd ../..


* Building OpenSSL 0.9.7b (OPTIONAL)

    Alternatively, if OpenSSL is only going to be used for PKS on your
system, you may find it easiest to statically link PKS with the
OpenSSL code. To do so, unpack the openssl archive into the same
directory as you unpacked the pks archive into. Build OpenSSL
without installing it. The following commands will probably work for
you:

        cd openssl-0.9.7b
        ./configure
        make
        cd ..


* Installation Choices

    Choose a location to install the software. The software itself
takes up very little space. As the keyserver will be running fairly
constantly, the code doesn't need to be installed on a local disk if
installing on a networked drive works better in your situation. By
default, PKS is installed under /usr/local. This directory can be
changed by the --prefix option to the configure script. Throughout,
this directory will be referred to as PREFIX.

    However, the key database can grow very large. If you plan on
running with a full key database, you should have at least 5 GB free.
The database is accessed frequently in a fairly random pattern, so it
should be stored on a local disk. By default, the database is
installed in PREFIX/var. This directory can be changed by the
--localstatedir option to the configure script. Throughout, this
directory will be referred to as LOCALSTATEDIR.

    Several situations require the software to be installed as root.
To lessen the impact of a security breach, PKS supports dropping root
privileges when they are no longer needed. Also, PKS supports
running in a chroot() jail.


* Building PKS

    In the top level of the PKS source directory run the following
commands. These commands do not require root privileges.

        ./configure
        make

    The configure script accepts several options which can be used to
customize your installation of PKS. To see a list of all available
options, run the following command in the top level of the PKS
source directory.

        ./configure --help

    Common options for configure include:

        --prefix=PREFIX            Install the software under PREFIX
        --localstatedir=DIR        Install the database under DIR

        --enable-debug             Enable Debugging Mode
        --enable-optimizations     Enable Compiler Optimizations

        --with-db=DIR              Use Berkeley DB in DIR
        --with-ipv6                Enable IPv6 Support
        --with-libwrap             Use libwrap (TCP Wrappers)
        --with-openssl=DIR         Use OpenSSL in DIR


    On some systems you may have to use GNU make; if the build
process fails, try again with GNU make.


* Installing PKS

    In the top level of the PKS source directory run the following
command. This command will probably require root privileges.

        make install

    You can look in PREFIX/man for more detailed documentation on the
various programs. An overview is in pks-intro(8).


* Configuring PKS

    After installing pks, the necessary directory hierarchy will be
created, but there are some things you may need to do yourself.
Actions marked with [*] may be different for your operating system.

    Create an empty database as follows:
        cd /home/pksd
        ./bin/pksclient var/db create 1

    Import keys. (Repeat for each KEYDUMP file.)
        ./bin/pksclient var/db add /PATH/TO/KEYDUMP -dt
        ./bin/pksclient var/db recover

    NOTE: A full keyring contains over 1.8 million keys. Importing
such a large number of keys takes a long time (just under 3 days on
an idle machine), even with transactions turned off (using the -dt
flag as specified above). The following log snippets help to
illustrate this process:

        [Thu Feb 13 23:37:00 2003] kd_open: completed successfully
        [Thu Feb 13 23:37:00 2003] kd_add: flags=100000
        [Thu Feb 13 23:37:00 2003] display_new_key: new keyid 1 869B5F7C
        ...
        [Sun Feb 16 20:48:49 2003] display_new_key: new keyid 1801882 8A90ADBD
        [Sun Feb 16 20:48:50 2003] display_new_key: new keyid 1801883 C56B6758
        [Sun Feb 16 20:49:31 2003] kd_add: pub+1801883 sig+0 sig=0 uid+0 uid=0 rev+0 rev!0
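
    Because an import runs for days, it helps to be able to read its
progress off the syslog output while it is still running. The script
below is an added example and is not part of the PKS distribution: it
assumes only the "[Day Mon DD HH:MM:SS YYYY] message" line layout shown
in the snippets above, its sample input is constructed from those same
lines, and the log path named in the usage comment is an assumption
(use whatever file your /etc/syslog.conf entry for local2 writes to).

```shell
#!/bin/sh
# Added example, not part of the PKS distribution: summarise a running or
# finished "pksclient add" from the syslog lines it emits, so a multi-day
# import can be checked without waiting for it to finish.
# Assumption: lines look like "[Day Mon DD HH:MM:SS YYYY] message", as in
# the README snippets; SAMPLE_LOG below is constructed from those lines.

# to_epoch Mon DD HH:MM:SS YYYY -> seconds since 1970-01-01. The timezone is
# ignored, which is fine because only differences between timestamps are
# used. Done in awk so it needs neither GNU "date -d" nor BSD "date -j".
to_epoch() {
    echo "$1 $2 $3 $4" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) if (names[i] == $1) m = i
        d = $2; split($3, t, ":"); y = $4
        # days-from-civil for the proleptic Gregorian calendar, counting
        # the year from March so leap days fall at the end of the cycle
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# import_summary < logfile
# Prints "keys=N elapsed=S rate=R" (N = highest key number seen, S = seconds
# from kd_open to kd_add completion, R = whole keys per hour), or
# "keys=N (import still running)" when no kd_add completion line exists yet.
import_summary() {
    awk '
        /kd_open: completed/ { start = $2 " " $3 " " $4 " " substr($5, 1, 4) }
        /display_new_key:/   { keys = $(NF - 1) }
        /kd_add: pub[+]/     { end = $2 " " $3 " " $4 " " substr($5, 1, 4) }
        END { print start "|" end "|" keys }
    ' | {
        IFS='|' read -r start end keys
        if [ -z "$end" ]; then
            echo "keys=$keys (import still running)"
        else
            s=$(to_epoch $start)
            e=$(to_epoch $end)
            elapsed=$((e - s))
            echo "keys=$keys elapsed=$elapsed rate=$((keys * 3600 / elapsed))"
        fi
    }
}

# Constructed sample: the log snippets quoted in the README.
SAMPLE_LOG='[Thu Feb 13 23:37:00 2003] kd_open: completed successfully
[Thu Feb 13 23:37:00 2003] kd_add: flags=100000
[Thu Feb 13 23:37:00 2003] display_new_key: new keyid 1 869B5F7C
[Sun Feb 16 20:48:49 2003] display_new_key: new keyid 1801882 8A90ADBD
[Sun Feb 16 20:48:50 2003] display_new_key: new keyid 1801883 C56B6758
[Sun Feb 16 20:49:31 2003] kd_add: pub+1801883 sig+0 sig=0 uid+0 uid=0 rev+0 rev!0'

# Live use (assumed log path): import_summary < /var/log/pksd.log
printf '%s\n' "$SAMPLE_LOG" | import_summary
# prints: keys=1801883 elapsed=249151 rate=26035
```

    The rate (keys per hour) lets you estimate how long the remaining
KEYDUMP files will take; the "still running" branch covers the case
where the final kd_add line has not been written yet.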

    If you're planning on letting pksd setuid/setgid itself to a
special pksd uid and/or gid, create the appropriate user and group
and set the permissions as follows:

        groupadd pksd [*]
        useradd -g pksd -d /home/pksd -s /sbin/nologin pksd [*]
        chown -R pksd:pksd LOCALSTATEDIR/db LOCALSTATEDIR/incoming

    To run PKS inside a chroot() jail, you will need to add an
additional log socket inside the chroot dir.
        mkdir /PATH/TO/CHROOT/JAIL/dev
        kill `cat /var/run/syslogd.pid`
        syslogd -a /PATH/TO/CHROOT/JAIL/dev/log [*]

    As a part of the installation, a template configuration file was
installed in PREFIX/etc/pksd.conf. This file is fully documented in
pksd.conf(5). PKS may not give you useful output unless you
configure the following options:

        www_readonly
        max_last
        max_last_reply_keys
        max_reply_keys

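    A quick way to confirm those four options are actually set before
starting the server is to scan the installed pksd.conf for them. The
script below is an added example, not code from PKS; it assumes the
file uses one "name value" per line with "#" comment lines (consult
pksd.conf(5) for the authoritative syntax), and the sample file it
writes is constructed.

```shell
#!/bin/sh
# Added example, not part of the PKS distribution: report which of the
# options the README lists as needed for useful output are still unset in
# a pksd.conf, and read back their values when set.
# Assumed pksd.conf syntax: one "name value" per line, "#" starts a comment
# (not verified against pksd.conf(5) here).

REQUIRED_OPTIONS="www_readonly max_last max_last_reply_keys max_reply_keys"

# conf_value FILE NAME -> prints the value from the last uncommented
# "NAME value" line, or nothing when the option is not set.
conf_value() {
    awk -v name="$2" '
        /^[ \t]*#/  { next }
        $1 == name  { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# check_required FILE -> prints "ok", or "missing: a b" and returns 1.
check_required() {
    missing=""
    for opt in $REQUIRED_OPTIONS; do
        if [ -z "$(conf_value "$1" "$opt")" ]; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample: a pksd.conf that leaves two of the four options
# commented out, as an unedited template might.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# pksd.conf (constructed sample)
www_readonly    0
max_last        100
#max_last_reply_keys 100
#max_reply_keys      40
EOF

# Live use: check_required PREFIX/etc/pksd.conf
check_required "$SAMPLE_CONF" || true
# prints: missing: max_last_reply_keys max_reply_keys
```

    The check only looks for the presence of a value; whether a
particular value is sensible for your site is covered by pksd.conf(5).
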
    The key server uses syslog for logging. It logs using the local2
facility (if available), and various priority levels as described in
pksd(8). If you want to get any logging, you should add an
appropriate entry to /etc/syslog.conf on your machine.

    If you have configured the mail server component of the key
server, there is one more step you need to take so that the server
can actually handle mail. In your aliases file (usually one of
/etc/aliases or /etc/mail/aliases), create the following lines:

        pgp-public-keys: "|PREFIX/bin/pks-mail.sh PREFIX/etc/pksd.conf"
        pgp: pgp-public-keys

    You might also need to add aliases for the mail addresses you
configured in pksd.conf. You will also need to make sure the
permissions on PREFIX/var/incoming allow both the mailer and whatever
user the pksd program runs as to insert and delete files.
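
    Inserting and deleting files in a directory requires write and
search (x) permission on the directory itself, and a sticky bit on
it would stop the pksd user from deleting files the mailer created.
The script below is an added example, not part of PKS, that evaluates
these rules for both principals from the mode string "ls -ld" prints;
the user and group names "mail" and "pksd" and all mode strings in it
are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the PKS distribution: check that both the
# mailer and the pksd user can insert and delete files in
# LOCALSTATEDIR/incoming. Creating or unlinking a directory entry needs
# write and search (x) permission on the directory; a sticky bit restricts
# unlinking to the file's owner, which breaks the mailer -> pksd hand-off.
# Assumption: modes are the 10-character string "ls -ld" prints; every
# user, group and mode value below is constructed.

# dir_access MODE OWNER GROUP USER [GROUP...]
# Prints "ok" when USER (member of the listed groups) can create and delete
# entries, "nowrite" when write or search permission is missing, and
# "sticky" when the bits allow it but the sticky bit limits deletion.
dir_access() {
    mode=$1; owner=$2; group=$3; user=$4; shift 4
    triple=8-10                          # "other" bits unless proven otherwise
    if [ "$user" = "$owner" ]; then
        triple=2-4                       # owner bits win even if also in group
    else
        for g in "$@"; do
            if [ "$g" = "$group" ]; then triple=5-7; fi
        done
    fi
    bits=$(printf '%s\n' "$mode" | cut -c"$triple")
    case $bits in
        ?w[xst]) ;;                      # write plus search (s/t imply x)
        *) echo nowrite; return ;;
    esac
    case $mode in
        *[tT]) echo sticky ;;            # sticky bit shows in the last column
        *)     echo ok ;;
    esac
}

# incoming_status MODE OWNER GROUP USER:GROUP,GROUP... [USER:GROUP,...]
# Evaluates each principal in turn; prints "ok" or the first problem found.
incoming_status() {
    mode=$1; owner=$2; group=$3; shift 3
    for spec in "$@"; do
        u=${spec%%:*}
        r=$(dir_access "$mode" "$owner" "$group" "$u" \
            $(printf '%s\n' "${spec#*:}" | tr ',' ' '))
        [ "$r" = ok ] || { echo "$u: $r"; return; }
    done
    echo ok
}

# Constructed cases for LOCALSTATEDIR/incoming owned by pksd:pksd, with the
# mailer running as user "mail".
incoming_status drwxr-xr-x pksd pksd mail:mail      pksd:pksd  # mail: nowrite
incoming_status drwxrwx--- pksd pksd mail:mail,pksd pksd:pksd  # ok
incoming_status drwxrwxrwt pksd pksd mail:mail      pksd:pksd  # mail: sticky

# Live use, substituting the real mailer account for "mail":
#   set -- $(ls -ld LOCALSTATEDIR/incoming)
#   incoming_status "$1" "$3" "$4" "mail:$(id -Gn mail | tr ' ' ',')" \
#                   "pksd:$(id -Gn pksd | tr ' ' ',')"
```

    The second case is the usual fix: keep the directory group-owned
by pksd with mode 0770 and add the mailer's account to the pksd
group, rather than opening the directory to everyone.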

    By default, PKS installs index.html into the configured
localstatedir (the location of the database). The key server does
not serve arbitrary files. At most, it will serve this index.html
file. Translated versions of this file are included in the source
distribution as pks-commands.html.XX, where XX is the ISO language
code of the translation.


* Running PKS

    Before running the server, read and familiarize yourself with the
information in the DATABASE ADMINISTRATION section of pks-intro(8)
(PREFIX/man/man8/pks-intro.8), in particular the section on
checkpointing.

    To have the daemon run when the system boots, you should run the
following commands in your /etc/rc.local or equivalent file:

        PREFIX/bin/pksd PREFIX/etc/pksd.conf
        sleep 5
        PREFIX/bin/pks-queue-run.sh PREFIX/etc/pksd.conf &

    You can always run these commands by hand if you want.

    Alternatively, a System V style init script is provided in the
source distribution as pks.init.


* Obtaining Support

    Send an e-mail to pgp-keyserver-folk@flame.org. This is a public
listserv dedicated to all keyserver issues, regardless of keyserver
software. As such, normal listserv etiquette is expected. Be sure
to mention that you're running PKS and provide the version number.



$Id: README,v 1.8 2003/07/31 18:25:09 rlaager Exp $