Re: Howto setup an OpenLDAP PGP keyserver
Another thing worth adding to your HOWTO is that if the LDAP server is going to be publicly available, a good name to use is "keys.(yourdomain)". The reason for this is that both PGP and GnuPG (as of 1.4.3) can automatically locate keys using that name.

For example, let's say I want to encrypt a message to [EMAIL PROTECTED], but I have no [EMAIL PROTECTED] key. GnuPG can automatically ask ldap://keys.example.com for [EMAIL PROTECTED] and import it.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto setup an OpenLDAP PGP keyserver
On Thu, Feb 23, 2006 at 05:01:08PM +0100, Walter Haidinger wrote:

Thanks for writing this up! I will certainly be pointing people to this when they ask in the future. One comment:

> Further notes:
> * GnuPG looks for PGPServerInfo under the base DN.
>   If you decide to put it somewhere else, use keyserver-option
>   basedn to specify the new location, e.g.:
>   keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

This isn't quite correct. GnuPG looks for PGPServerInfo under each namingContext in order until it finds one. It is perfectly fine not to have PGPServerInfo under the base DN. PGP as well as PGP Universal does this the same way.

David
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, Feb 23, 2006 at 03:52:37PM +, Walter Haidinger wrote:
> I was unaware that _all_ keyserver options apply to any type, i.e.
> http/hkp/ldap.
> The manpage talks about 'a' preferred keyserver, though, so I thought
> that there can be only one, which means all options are global anyways.

No. Preferred keyservers are a different sort of thing. Look at it this way: you have one list of options, with which you can use any keyserver. Preferred keyservers are the OpenPGP way for the keyholder to say "I like this keyserver - when using my key, please use this keyserver". It's like an automated way of changing --keyserver on a per-user ID basis.

> > They're not "options for keyserver x" - they are "options that pertain
> > to keyservers".
>
> No, not yet but would make sense now with binddn and bindpw.

That's true. Here's what I did - keyserver-options must be global, but I added the ability to have per-keyserver options as well:

Global options:
  keyserver-options option1 option2

Options tied to ldap://my.ldap.server:
  keyserver ldap://my.ldap.server option1 option2 option3

In your case you could do something like:
  keyserver ldap://server binddn="ou=pgp keys, etc..." bindpw=secret

David
Howto setup an OpenLDAP PGP keyserver
Hi!

After all issues are finally resolved, I'm glad to post this howto about setting up a PGP keyserver with OpenLDAP. The initial thread that finally leads to here starts at:
http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2

Many thanks to Peter Palfrader for providing the LDAP schema and especially to David Shaw for providing invaluable help and adding LDAP basic authentication to GnuPG.

Used software:
  OpenLDAP 2.2.27, run under SuSE 10.0
  GnuPG 1.4.3rc1 (subversion revision 4020).

If you don't want to wait until 1.4.3 is officially released, grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk

Attached is a tarball with the files for OpenLDAP configuration, which will be referred to below. I hope this doesn't violate the rules of this list but the attachment is very small anyways.

You should have a basic understanding of LDAP first. If not, I'd recommend reading the OpenLDAP Admin Guide on http://www.openldap.org, which provides excellent documentation. Also, as an LDAP client and excellent server management tool, I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net

The LDAP tree created in this example setup looks like:

dc=EXAMPLE,dc=COM
 |
 +cn=Manager
 +cn=PGPServerInfo
 +ou=PGP Keys
 |  +---pgpCertID=...
 |  +---pgpCertID=...
 +ou=PGP Users
    +---uid=...
    +---uid=...

where dc=EXAMPLE,dc=COM is obviously the base DN.

First, install pgp-keyserver.schema from the tarball into your schema directory. There are two more files which are not used here, but have been part of the schema I got from Peter, so I kept them for completeness.

Next, install slapd.conf and edit it to suit your needs. That is, select either anonymous or user authentication. In the provided file, anonymous writes are enabled. However, access is restricted to writes from localhost only. You may lift this restriction by modifying the peername.ip statement. See slapd.access(5) for details and examples.

Think twice before opening up anonymous writes, as _any_ user who can connect to your LDAP server can not only upload but also delete keys.

For user authentication, comment out update_anon and the access rule for anonymous writes. Users are stored as DN "uid=,ou=PGP Users,dc=EXAMPLE,dc=COM". You need to create users to bind to LDAP. One sample user is provided in ldif/pgpusers.ldif. Just copy the entry and modify it to create more, and read the file to learn the used password.

Also, the password for the OpenLDAP manager is stored as a hash. It is 'gpg'. Run slappasswd(8) to create a stronger password and replace the hash in slapd.conf.

Try to start your OpenLDAP server now. Under SuSE, I run "/etc/init.d/ldap start".

Next, populate the directory with the basic layout by importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

When prompted for a password, enter the one you've created above or 'gpg' if you did not.

If you selected anonymous writes, you're done configuring your OpenLDAP PGP keyserver.

If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

Finally, you can use GnuPG to add keys (always on a single line):

For anonymous write:
> gpg --keyserver ldap://localhost --send-key 12345678

For user authentication (insecure on command-line, see below):
> gpg --keyserver ldap://localhost --keyserver-options "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" --keyserver-options bindpw=user1 --send-keys 12345678

To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678

Further notes:

* GnuPG looks for PGPServerInfo under the base DN.
  If you decide to put it somewhere else, use keyserver-option basedn to specify the new location, e.g.:
  keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

* Beware of shell quoting, like above, which is the correct format if you have spaces in your DN and specify the keyserver option on the command line.

* GnuPG can use TLS/SSL. For SSL, use ldaps:// and for TLS the keyserver-option tls. It takes 'no', 'try', 'warn' or 'require' as an argument, e.g.:
  keyserver-options tls=require

* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:
  keyserver ldap://localhost
  keyserver-options binddn="uid=test1,ou=PGP Users,dc=EXAMPLE,dc=COM"
  keyserver-options bindpw=verysecret
  keyserver-options tls=try
  keyserver-options verbose

  Then the following will just work:
  > gpg --send-keys 12345678
  or
  > gpg --recv-keys 12345678

* As it is INSECURE to specify your bind password on the command line, you should put it into your ~/.gnupg/gpg.conf and protect this file with 0600 permissions.

Well, that's it for now. I hope this howto is helpful and somewhat complete! Good luck setting up your PGP keyserver with OpenLDAP. I'd be glad if someone could v
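The howto above tells you to run slappasswd(8) for the manager and user passwords and to copy the sample entry from pgpusers.ldif for each additional bind user. The script below is an added example, not part of Walter's post nor of OpenLDAP or GnuPG: it produces the {SSHA} userPassword form that slappasswd emits by default (SHA-1 over password plus a random 4-byte salt, base64 of digest followed by salt), verifies a candidate password against such a value in constant time, and emits a complete LDIF entry for a new user under ou=PGP Users,dc=EXAMPLE,dc=COM that can be piped into ldapadd exactly like pgpusers.ldif. The user names and passwords are constructed sample values; the 4-byte salt length is an assumption about slappasswd's default, and the verifier accepts any salt length.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Base of the bind users in the howto's tree
PGP_USERS_BASE = "ou=PGP Users,dc=EXAMPLE,dc=COM"

# Characters that are special in an RDN value (RFC 4514). A uid also ends up
# inside the dn.regex ACLs from this thread, so we refuse them instead of
# trying to escape them.
DN_SPECIAL = set(',+"\\<>;=')


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt).

    Assumption: slappasswd(8) uses a random 4-byte salt by default; we do
    the same when no salt is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {SSHA} value.

    The salt is whatever follows the 20-byte SHA-1 digest, so values made
    with other salt lengths verify as well. The comparison is constant-time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """Format one LDIF attribute line, switching to the base64 '::' form of
    RFC 2849 when the value is not safe as plain text: non-ASCII or control
    characters, a leading space, ':' or '<', or a trailing space."""
    safe = (
        value.isascii()
        and value.isprintable()
        and value[:1] not in (" ", ":", "<")
        and not value.endswith(" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def pgp_user_ldif(uid: str, password: str, cn: str, sn: str,
                  salt: Optional[bytes] = None) -> str:
    """Build the inetOrgPerson entry the howto uses for one GnuPG bind user."""
    if not uid or any(c in DN_SPECIAL for c in uid):
        raise ValueError("uid must be non-empty and free of DN-special characters")
    lines = [
        ldif_attr("dn", f"uid={uid},{PGP_USERS_BASE}"),
        "objectClass: inetOrgPerson",
        "objectClass: uidObject",
        ldif_attr("uid", uid),
        ldif_attr("userPassword", ssha_hash(password, salt)),
        ldif_attr("sn", sn),
        ldif_attr("cn", cn),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user. Pipe the output into ldapadd as in the howto:
    #   python3 pgpuser.py | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"
    print(pgp_user_ldif("user2", "a-much-better-secret", "Test User2", "User2"))
```

ssha_verify is also the quickest way to confirm what a userPassword line in a file you were handed actually unlocks before you rely on it. Note that {SSHA} is unsalted-iteration SHA-1 and only as strong as the password behind it; the howto's advice to replace the sample passwords stands.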
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, February 23, 2006 16:22, David Shaw wrote:
>> What is wrong here?
>
> keyserver-options. Not keyserver-option. The 's' is part of the
> option name. It works on the command line for convenience, but the
> config file must be strict.

Thanks. I've just read the following from the manpage which is a bit misleading:

"Long options can be put in an options file (default "~/.gnupg/gpg.conf"). [...] Do not write the 2 dashes, but simply the name of the option and any required arguments."

Walter

PS: I've written a brief howto to summarize this thread and will post it shortly.
Re: GpgME: Compile under MinGW
On Feb 22, 2006 at 21:52 +0100, Kiefer, Sascha wrote:
> I downloaded the latest GpgME version and called configure.
> The last lines it outputs are:
>
> configure: WARNING:
> ***
> *** ttyname() is not thread-safe and ttyname_r() does not exist
> ***
> checking whether we are using the GNU C Library 2.1 or newer... no
> checking for getenv_r... no
> configure: WARNING:
> ***
> *** getenv() is not thread-safe and getenv_r() does not exist
> ***
> checking for timegm... no
> configure: WARNING:
> ***
> *** timegm() not available - a non-thread-safe kludge will be used
> *** and the TZ variable might be changed at runtime.
> ***
> checking for gpg-error-config... no
> checking for GPG Error - version >= 0.5... no
> configure: error: libgpg-error was not found
>
> What do I need to do?

You must install libgpg-error. But I'm not sure if gpgme can be compiled in the mingw at all.

Vale!
--
Pawel I. Shajdo
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, February 23, 2006 14:03, David Shaw wrote:
> --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""

I've got yet another problem when I put keyserver-options into ~/.gnupg/gpg.conf, like:

> nl -b a ~/.gnupg/gpg.conf | tail -5
   225 keyserver ldap://localhost
   226 keyserver-option verbose
   227 keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"
   228 keyserver-option bindpw=user1
   229

> gpg --list-keys
gpg: /home/walter/.gnupg/gpg.conf:226: invalid option
gpg: /home/walter/.gnupg/gpg.conf:227: invalid option
gpg: /home/walter/.gnupg/gpg.conf:228: invalid option

What is wrong here?

Walter
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, Feb 23, 2006 at 04:13:51PM +0100, Walter Haidinger wrote:
> On Thu, February 23, 2006 14:03, David Shaw wrote:
> > --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
>
> I've got yet another problem when I put keyserver-options into
> ~/.gnupg/gpg.conf, like:
>
> > nl -b a ~/.gnupg/gpg.conf | tail -5
>    225 keyserver ldap://localhost
>    226 keyserver-option verbose
>    227 keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"
>    228 keyserver-option bindpw=user1
>    229
>
> > gpg --list-keys
> gpg: /home/walter/.gnupg/gpg.conf:226: invalid option
> gpg: /home/walter/.gnupg/gpg.conf:227: invalid option
> gpg: /home/walter/.gnupg/gpg.conf:228: invalid option
>
> What is wrong here?

keyserver-options. Not keyserver-option. The 's' is part of the option name. It works on the command line for convenience, but the config file must be strict.

David
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, February 23, 2006 14:03, David Shaw wrote:
> Not a bug - you're quoting it wrong in the shell. It takes a lot to
> make the shell not eat stuff sometimes:
>
> --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
>
> That is, quote the value, not the name=value. The parser in GPG
> understands quotes.

Of course, should have thought of that! Silly me. <:|

Everything works now! :-) Thanks a _lot_ for your help to get this operational!

Walter

PS: Tweaked the ACLs a bit to:

# let PGP users change their passwords
access to dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$"
        by self write
        # a simple bind is evaluated as anonymous and needs "auth" on the
        # entry's userPassword, otherwise no user can bind at all
        by anonymous auth
        by * none

# PGP keystore: only users may write
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
        by dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$" write
        by * read
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, Feb 23, 2006 at 01:01:48PM +0100, Walter Haidinger wrote:
> On Thu, February 23, 2006 00:28, David Shaw wrote:
> >> Next release of 1.4.x or 1.9.x?
> >
> > 1.4.3. I've added the new feature, so you could probably grab the
> > gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There
> > aren't significant changes to the keyserver protocol between the two.
> > Just replace the existing gpgkeys_ldap.c with the new one and
> > recompile.
>
> I've checked out rev. 4020 (gpg reports version 1.4.3rc1).
>
> First the good news: Anonymous access works, can send and receive
> keys just fine. The problem about the pgpKeysize is gone, although
> I did _not_ do any changes to the code. The CVS diffs show that you
> probably took care of this.

I did.

> There is a bug in the option parsing. Added a few diagnostics
> in main() of gpgkeys_ldap.c, which showed that binddn is already
> truncated after and including the first comma when you strdup() it
> from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'.
> Had a quick look but no obvious origin of the problem.

Not a bug - you're quoting it wrong in the shell. It takes a lot to make the shell not eat stuff sometimes:

--keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""

That is, quote the value, not the name=value. The parser in GPG understands quotes.

David
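The DN was cut at the first comma because the value of a keyserver option string is itself a list of options separated by commas and whitespace, and only quotes that survive the shell tell that second parser where a single option ends. The script below is an added illustration, not GnuPG's parser and not code from this thread: it models the two layers (shlex.split for the shell, then a small quote-aware splitter for the option list) and shows what binddn arrives at the LDAP helper for the two command lines posted here. The backslash escape in the splitter is my own addition for completeness; the observable behaviour it reproduces is the one Walter saw in syslog.

```python
import shlex
from typing import List, Optional


def split_keyserver_options(argstr: str) -> List[str]:
    """Split a keyserver-options string into individual option tokens.

    Rules modelled here (an illustration, not GnuPG's own code):
      - commas and whitespace separate options,
      - a double-quoted run is kept together and the quotes are dropped,
      - a backslash escapes the next character.
    A DN contains commas, so it survives only inside quotes."""
    tokens: List[str] = []
    cur: List[str] = []
    quoted = escaped = False
    for ch in argstr:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in ", \t" and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated quote in keyserver options")
    if cur:
        tokens.append("".join(cur))
    return tokens


def option_value(tokens: List[str], name: str) -> Optional[str]:
    """Return the value of name=value among tokens, or None if absent."""
    prefix = name + "="
    for tok in tokens:
        if tok.startswith(prefix):
            return tok[len(prefix):]
    return None


def binddn_seen_by_gpg(command_line: str) -> Optional[str]:
    """Run a gpg-style command line through POSIX shell word splitting, then
    through the option splitter, and report the binddn the LDAP helper would
    bind with (the last one wins if given several times)."""
    words = shlex.split(command_line)
    dn = None
    for i, w in enumerate(words):
        if w in ("--keyserver-option", "--keyserver-options") and i + 1 < len(words):
            found = option_value(split_keyserver_options(words[i + 1]), "binddn")
            if found is not None:
                dn = found
    return dn


# Constructed from the two command lines in this thread
NAKED = '--keyserver-option "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"'
QUOTED = '--keyserver-option "binddn=\\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\\""'

# The config-file form has no shell in front of it, so plain quotes suffice
CONF_LINE = 'binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" bindpw=user1'

if __name__ == "__main__":
    print("naked :", binddn_seen_by_gpg(NAKED))    # uid=user1 (what slapd logged)
    print("quoted:", binddn_seen_by_gpg(QUOTED))   # the full DN
    print("conf  :", option_value(split_keyserver_options(CONF_LINE), "binddn"))
```

The same splitter applied to CONF_LINE shows why the gpg.conf form in Walter's howto needs only one pair of quotes: there is no shell to strip them first. A bind DN that silently shrinks to its first RDN fails closed here (invalid credentials), but an option such as bindpw that merely loses its tail would fail the same way, so check the DN in slapd's BIND log line as Walter did whenever an LDAP bind inexplicably fails.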
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, February 23, 2006 00:28, David Shaw wrote:
>> Next release of 1.4.x or 1.9.x?
>
> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There
> aren't significant changes to the keyserver protocol between the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I've checked out rev. 4020 (gpg reports version 1.4.3rc1).

First the good news: Anonymous access works, can send and receive keys just fine. The problem about the pgpKeysize is gone, although I did _not_ do any changes to the code. The CVS diffs show that you probably took care of this.

Now for the bad news: binding with a DN does not work yet. I tried the new binddn and bindpw options with the following setup:

> cat pgpusers.ldif
dn: ou=PGP Users,dc=EXAMPLE,dc=COM
objectclass: organizationalUnit
ou: PGP Users

dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM
objectClass: inetOrgPerson
objectClass: uidObject
uid: user1
# password is 'user1'. Use slappasswd(8) to create a new
# one and replace the string here!
userPassword: {SSHA}sLbxdJt53SZvU9BMRSSmdD78vfiSoPHR
sn: User1
cn: Test User1

> ldapadd -x -h localhost -W -D "cn=Manager,dc=EXAMPLE,dc=COM" < pgpusers.ldif
adding new entry "ou=PGP Users,dc=EXAMPLE,dc=COM"
...

Changed the acl in slapd.conf from

# PGP keystore: limit write access to localhost
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
        by peername.ip=127.0.0.1 write
        by * read

to:

# PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
        by dn.regex="uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM" write
        by * read

and tried the following:

> gpg --keyserver ldap://localhost --keyserver-option verbose --keyserver-option "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" --keyserver-option bindpw=user1 --send-keys B15BBBE2
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: sending key B15BBBE2 to ldap server localhost
gpgkeys: internal LDAP bind error: Invalid credentials
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

Syslog shows that pgp only binds with DN 'uid=user1' instead of the whole specified DN:

slapd[10055]: conn=6 op=2 BIND dn="uid=user1" method=128

There is a bug in the option parsing. Added a few diagnostics in main() of gpgkeys_ldap.c, which showed that binddn is already truncated after and including the first comma when you strdup() it from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'. Had a quick look but no obvious origin of the problem.

Walter
Re: Necessity of GPG when using SSL
On Wed, Feb 22, 2006 at 10:38:19AM -0500, Benjamin Esham wrote:
> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
>
> > And there is really no point in encrypting the whole access since the
> > contents, the emails usually travel the rest of the net unencrypted.
>
> But wouldn't it be much easier for an attacker to intercept all of your
> e-mail by listening in on an unencrypted webmail session than by trying to
> intercept each e-mail individually somewhere else? I think there
> certainly is a benefit to having SSL-encrypted webmail for exactly that
> reason: less determined attackers will not have access to the plaintext of
> the messages. (Although granted, it would be kind of foolish to depend
> upon SSL webmail if the messages are sent in plain text.)

Answering this question is impossible without actually describing the attacker's powers (defining a formal threat model). Clarify your question and ask again, now the answer is: Mu.

A.
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, February 23, 2006 04:24, David Shaw wrote:
>> Does GnuPG support remote keyrings?
>
> No, unless it's via a remote filesystem (NFS, SMB, some magic with
> fuse, etc).

Well, would have been nice, though. I'll stick to rsync to distribute secret keyrings then.

>> This is a general limitation, not to be solved by the ldap code,
>> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
>> Therefore, any keyserver options apply to the one set. There should
>> be a mechanism to specify multiple keyservers, each with its own
>> option set, binddn and bindpw just being one of them.
>
> I'm not sure I agree with this. GnuPG does support multiple
> keyservers in the sense that it handles preferred keyserver records on
> keys, as well as the new auto-key-locate feature. All of these have
> the same set of options, as keyserver options are not per-keyserver.

I was unaware that _all_ keyserver options apply to any type, i.e. http/hkp/ldap. The manpage talks about 'a' preferred keyserver, though, so I thought that there can be only one, which means all options are global anyways. Haven't had a look at the new auto-key-locate feature yet.

> They're not "options for keyserver x" - they are "options that pertain
> to keyservers".

No, not yet but would make sense now with binddn and bindpw. However, just a single LDAP server I can authenticate against is fine for me.

> Until yesterday, in fact, when I added binddn and bindpw, all the
> options were not meaningful except in the general sense.

That's what I meant with "general limitation" above.

> I think the right place for the solution is in gpgkeys_ldap itself.
> Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to.

If you create a framework which allows for options to apply to certain keyservers, why limit yourself to LDAP only? What if HTTP or FTP keyservers require authentication? How would you do e.g. basic authentication against multiple HTTP keyservers, each with a different username and password?

Therefore, implementing keyserver-specific options _just_ for LDAP simply doesn't make sense, or does it?

Walter