Re: Howto setup an OpenLDAP PGP keyserver

2006-02-23 Thread David Shaw
Another thing worth adding to your HOWTO is that if the LDAP server is
going to be publically available, a good name to use is
"keys.(yourdomain)".  The reason for this is that both PGP and GnuPG
(as of 1.4.3) can automatically locate keys using that name.  For
example, let's say I want to encrypt a message to [EMAIL PROTECTED], but
I have no [EMAIL PROTECTED] key.  GnuPG can automatically ask
ldap://keys.example.com for [EMAIL PROTECTED] and import it.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Howto setup an OpenLDAP PGP keyserver

2006-02-23 Thread David Shaw
On Thu, Feb 23, 2006 at 05:01:08PM +0100, Walter Haidinger wrote:

Thanks for writing this up!  I will certainly be pointing people to
this when they ask in the future.

One comment:

> Further notes:
> * GnuPG looks for PGPServerInfo under the base DN.
>   If you decide to put it somewhere else, use keyserver-option
>   basedn to specify the new location, e.g.:
>   keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

This isn't quite correct.  GnuPG looks for PGPServerInfo under each
namingContext in order until it finds one.  It is perfectly fine not
to have PGPServerInfo under the base DN.  PGP as well as PGP Universal
does this the same way.

David



Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread David Shaw
On Thu, Feb 23, 2006 at 03:52:37PM +, Walter Haidinger wrote:

> I was unaware that _all_ keyserver options apply to any type, i.e.
> http/hkp/ldap.
> The manpage talks about 'a' preferred keyserver, though, so I thought
> that there can be only one, which means all options are global anyways.

No.  Preferred keyservers are a different sort of thing.  Look at it
this way: you have one list of options, with which you can use any
keyserver.  Preferred keyservers are the OpenPGP way for the keyholder
to say "I like this keyserver - when using my key, please use this
keyserver".  It's like an automated way of changing --keyserver on a
per-user ID basis.

> > They're not "options for keyserver x" - they are "options that pertain
> > to keyservers".

> No, not yet but would make sense now with binddn and bindpw.

That's true.  Here's what I did - keyserver-options must be global,
but I added the ability to have per-keyserver options as well:

Global options:
  keyserver-options option1 option2 

Options tied to ldap://my.ldap.server:
  keyserver ldap://my.ldap.server option1 option2 option3

In your case you could do something like:
  keyserver ldap://server binddn="ou=pgp keys, etc..." bindpw=secret

David



Howto setup an OpenLDAP PGP keyserver

2006-02-23 Thread Walter Haidinger
Hi!

Now that all issues are finally resolved, I'm glad to post this
howto about setting up a PGP keyserver with OpenLDAP.
The initial thread that finally led here starts at:
http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2

Many thanks to Peter Palfrader for providing the LDAP schema and
especially to David Shaw for providing invaluable help and adding
LDAP basic authentication to GnuPG.

Used software: OpenLDAP 2.2.27, run under SuSE 10.0
               GnuPG 1.4.3rc1 (subversion revision 4020).

If you don't want to wait until 1.4.3 is officially released,
grab yourself a copy from svn:
> svn co svn://cvs.gnupg.org/gnupg/trunk

Attached is a tarball with the files for the OpenLDAP configuration,
which will be referred to below. I hope this doesn't violate
the rules of this list, but the attachment is very small anyway.

You should have a basic understanding of LDAP first.
If not, I'd recommend reading the OpenLDAP Admin Guide on
http://www.openldap.org, which provides excellent documentation.

Also, as an LDAP client and excellent server management tool,
I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net

The LDAP tree created in this example setup looks like:

  dc=EXAMPLE,dc=COM
  |
  +cn=Manager
  +cn=PGPServerInfo
  +ou=PGP Keys
  |+---pgpCertID=...
  |+---pgpCertID=...
  +ou=PGP Users
   +---uid=...
   +---uid=...

where dc=EXAMPLE,dc=COM is obviously the base DN.

First, install pgp-keyserver.schema from the tarball into your
schema directory. There are two more files which are not used here,
but have been part of the schema I got from Peter, so I kept them
for completeness.

Next, install slapd.conf and edit it to suit your needs.
That is, select either anonymous or user authentication.

In the provided file, anonymous writes are enabled.
However, access is restricted to writes from localhost only.
You may lift this restriction by modifying the peername.ip
statement. See slapd.access(5) for details and examples.

Think twice before opening up anonymous writes, as _any_ user
who can connect to your LDAP server can not only upload but also
delete keys.

For user authentication, comment out update_anon and the
access rule for anonymous writes. Users are stored as
DN "uid=,ou=PGP Users,dc=EXAMPLE,dc=COM".

You need to create users to bind to LDAP. One sample user is
provided in ldif/pgpusers.ldif. Just copy the entry and
modify it to create more and read the file to learn
the used password.

Also, the password for the OpenLDAP manager is stored
as a hash. It is 'gpg'. Run slappasswd(8) to create a
stronger password and replace the hash in slapd.conf.

Try to start your OpenLDAP server now.
Under SuSE, I run "/etc/init.d/ldap start".

Next, populate the directory with the basic layout by
importing the example.ldif file (enter on a single line):
> cat example.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

When prompted for a password, enter the one you've created
above or 'gpg' if you did not.

If you selected anonymous writes, you're done configuring
your OpenLDAP PGP keyserver.

If you selected user authentication, you need to add users now:
> cat pgpusers.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM"

Finally, you can use GnuPG to add keys (a trailing backslash
continues the command on the next line):

For anonymous write:
> gpg --keyserver ldap://localhost --send-keys 12345678

For user authentication (insecure on the command line, see below):
> gpg --keyserver ldap://localhost \
      --keyserver-options "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" \
      --keyserver-options bindpw=user1 --send-keys 12345678

To receive keys, simply do:
> gpg --keyserver ldap://localhost --recv-keys 12345678

Further notes:
* GnuPG looks for PGPServerInfo under the base DN.
  If you decide to put it somewhere else, use keyserver-option
  basedn to specify the new location, e.g.:
  keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\""

* Beware of shell quoting: the format above is the correct one if
  you have spaces in your DN and specify the keyserver option on
  the command line.

* GnuPG can use TLS/SSL. For SSL, use ldaps://; for TLS, use the
  keyserver option tls, which takes 'no', 'try', 'warn' or 'require'
  as an argument, e.g.:
  keyserver-options tls=require

* Put other keyserver options into ~/.gnupg/gpg.conf, e.g.:

  keyserver ldap://localhost
  keyserver-options binddn="uid=test1,ou=PGP Users,dc=EXAMPLE,dc=COM"
  keyserver-options bindpw=verysecret
  keyserver-options tls=try
  keyserver-options verbose

  Then the following will just work:
  > gpg --send-keys 12345678
  or
  > gpg --recv-keys 12345678

* As it is INSECURE to specify your bind password on the command
  line, you should put it to your ~/.gnupg/gpg.conf and protect
  this file with 0600 permissions.

Well, that's it for now. I hope this howto is helpful and somewhat
complete! Good luck setting up your PGP keyserver with OpenLDAP.

I'd be glad if someone could v

Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread Walter Haidinger

On Thu, February 23, 2006 16:22, David Shaw wrote:
>> What is wrong here?
>
> keyserver-options.  Not keyserver-option.  The 's' is part of the
> option name.  It works on the command line for convenience, but the
> config file must be strict.

Thanks.

I've just read the following from the manpage which is a bit misleading:
"Long  options  can  be put in an options file (default "~/.gnupg/gpg.conf").
[...] Do not write the 2 dashes, but simply the name of the option and any
required arguments."

Walter

PS: I've written a brief howto to summarize this thread and will
post it shortly.





Re: GpgME: Compile under MinGW

2006-02-23 Thread Pawel Shajdo
On Feb 22, 2006 at 21:52 +0100, Kiefer, Sascha wrote:
> I downloaded the latest GpgME version and called configure.
> The last lines it outputs are:
> 
> configure: WARNING:
> ***
> *** ttyname() is not thread-safe and ttyname_r() does not exist
> ***
> checking whether we are using the GNU C Library 2.1 or newer... no
> checking for getenv_r... no
> configure: WARNING:
> ***
> *** getenv() is not thread-safe and getenv_r() does not exist
> ***
> checking for timegm... no
> configure: WARNING:
> ***
> *** timegm() not available - a non-thread-safe kludge will be used
> *** and the TZ variable might be changed at runtime.
> ***
> checking for gpg-error-config... no
> checking for GPG Error - version >= 0.5... no
> configure: error: libgpg-error was not found
> 
> 
> What do i need to do?
You must install libgpg-error. But I'm not sure if gpgme can
be compiled in the mingw at all.

Vale!
-- 
   Pawel I. Shajdo



Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread Walter Haidinger
On Thu, February 23, 2006 14:03, David Shaw wrote:
>  --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""

I've got yet another problem when I put keyserver-options into
~/.gnupg/gpg.conf, like:

> nl -b a ~/.gnupg/gpg.conf | tail -5
   225  keyserver ldap://localhost
   226  keyserver-option verbose
   227  keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"
   228  keyserver-option bindpw=user1
   229

> gpg --list-keys
gpg: /home/walter/.gnupg/gpg.conf:226: invalid option
gpg: /home/walter/.gnupg/gpg.conf:227: invalid option
gpg: /home/walter/.gnupg/gpg.conf:228: invalid option

What is wrong here?

Walter






Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread David Shaw
On Thu, Feb 23, 2006 at 04:13:51PM +0100, Walter Haidinger wrote:
> On Thu, February 23, 2006 14:03, David Shaw wrote:
> >  --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
> 
> I've got yet another problem when I put keyserver-options into
> ~/.gnupg/gpg.conf, like:
> 
> > nl -b a ~/.gnupg/gpg.conf | tail -5
>    225  keyserver ldap://localhost
>    226  keyserver-option verbose
>    227  keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM"
>    228  keyserver-option bindpw=user1
>    229
> 
> > gpg --list-keys
> gpg: /home/walter/.gnupg/gpg.conf:226: invalid option
> gpg: /home/walter/.gnupg/gpg.conf:227: invalid option
> gpg: /home/walter/.gnupg/gpg.conf:228: invalid option
> 
> What is wrong here?

keyserver-options.  Not keyserver-option.  The 's' is part of the
option name.  It works on the command line for convenience, but the
config file must be strict.

David



Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread Walter Haidinger
On Thu, February 23, 2006 14:03, David Shaw wrote:
> Not a bug - you're quoting it wrong in the shell.  It takes a lot to
> make the shell not eat stuff sometimes:
>
>  --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""
>
> That is, quote the value, not the name=value.  The parser in GPG
> understands quotes.

Of course, should have thought of that! Silly me. <:|

Everything works now! :-)
Thanks a _lot_ for your help to get this operational!

Walter

PS: Tweaked the ACLs a bit to:

# let PGP users change their passwords; 'by anonymous auth' is needed
# because a simple bind is checked as the anonymous identity needing
# auth access to the user's userPassword, and 'by * none' alone would
# reject every password bind
access to dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$"
    by self write
    by anonymous auth
    by * none

# PGP keystore: only users may write
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
    by dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$" write
    by * read



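The following is an added Python model of how slapd evaluates the two ACLs in the post above; it is not part of the post and not OpenLDAP code. It follows the evaluation order of slapd.access(5) (the first "access to" clause whose target matches the entry is selected, inside it the first matching "by" clause decides, a selected clause with no matching "by" denies, and an entry matched by no clause gets the default access of read), matches dn.regex with an unanchored search so the difference between the earlier pattern without ^...$ and the anchored one becomes visible, and carries a "by anonymous auth" clause on the first rule, because a simple bind is checked as the anonymous identity needing auth access to the user's entry and "by * none" alone would reject every password bind. The DNs, the certificate ID and the entry placed below uid=user1 are constructed for the demonstration; the rootdn (cn=Manager), which bypasses ACLs, is not modelled.

```python
"""Model of how slapd evaluates the two ACLs posted above (added example,
not OpenLDAP code).  Evaluation order as in slapd.access(5): the first
'access to' clause whose target matches the entry is selected, inside it
the first matching 'by' clause decides, a selected clause with no
matching 'by' denies, and an entry no clause matches gets the default
access of 'read'.  dn.regex is matched with an unanchored search, so ^
and $ in the pattern are what restrict it.  The rootdn, which bypasses
ACLs, is not modelled."""
import re

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write']
DEFAULT_ACCESS = 'read'      # slapd's defaultaccess when no clause matches
ANONYMOUS = None             # an unauthenticated connection has no bind DN


def dn_regex(pattern):
    """dn.regex style matcher, usable for both <what> and <who>."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda dn: dn is not None and rx.search(dn) is not None


def dn_subtree(base):
    """dn.subtree style <what>: the base entry and everything below it."""
    base = base.lower()
    return lambda dn: dn is not None and (dn.lower() == base or
                                          dn.lower().endswith(',' + base))


def by_self(bind_dn, entry_dn):
    return bind_dn is not None and bind_dn.lower() == entry_dn.lower()


def by_anonymous(bind_dn, entry_dn):
    return bind_dn is None


def by_anyone(bind_dn, entry_dn):          # 'by *'
    return True


def by_dn_regex(pattern):
    match = dn_regex(pattern)
    return lambda bind_dn, entry_dn: match(bind_dn)


def access_level(rules, bind_dn, entry_dn):
    """rules: list of (what_matcher, [(who_matcher, level), ...])."""
    for what, by_clauses in rules:
        if what(entry_dn):
            for who, level in by_clauses:
                if who(bind_dn, entry_dn):
                    return level
            return 'none'
    return DEFAULT_ACCESS


def allowed(rules, bind_dn, entry_dn, wanted):
    return LEVELS.index(access_level(rules, bind_dn, entry_dn)) >= LEVELS.index(wanted)


def can_simple_bind(rules, user_dn):
    """A simple bind is checked as the anonymous identity needing 'auth'
    on the user's own entry (its userPassword)."""
    return allowed(rules, ANONYMOUS, user_dn, 'auth')


USERS_RE = r'^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$'
KEYS_BASE = 'ou=PGP Keys,dc=EXAMPLE,dc=COM'

# The two rules from the post, with 'by anonymous auth' on the first one.
RULES = [
    (dn_regex(USERS_RE), [(by_self, 'write'), (by_anonymous, 'auth'), (by_anyone, 'none')]),
    (dn_subtree(KEYS_BASE), [(by_dn_regex(USERS_RE), 'write'), (by_anyone, 'read')]),
]
# First rule without the auth clause: 'by * none' also hits the bind step.
RULES_NO_AUTH = [(dn_regex(USERS_RE), [(by_self, 'write'), (by_anyone, 'none')]), RULES[1]]
# Keystore rule with the earlier, unanchored who-pattern from the thread.
RULES_UNANCHORED = [RULES[0], (dn_subtree(KEYS_BASE), [
    (by_dn_regex(r'uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM'), 'write'), (by_anyone, 'read')])]

# Constructed DNs for the demonstration; the certificate ID is made up.
USER1 = 'uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM'
USER2 = 'uid=user2,ou=PGP Users,dc=EXAMPLE,dc=COM'
KEY = 'pgpCertID=0123456789ABCDEF,' + KEYS_BASE
BELOW_USER1 = 'cn=helper,' + USER1     # an entry under user1, not a PGP user itself

if __name__ == '__main__':
    checks = [
        ('user1 can bind (with anonymous auth)', can_simple_bind(RULES, USER1)),
        ('user1 can bind (without anonymous auth)', can_simple_bind(RULES_NO_AUTH, USER1)),
        ('user1 may write own entry', allowed(RULES, USER1, USER1, 'write')),
        ('user2 may read user1', allowed(RULES, USER2, USER1, 'read')),
        ('user1 may write a key', allowed(RULES, USER1, KEY, 'write')),
        ('anonymous may read a key', allowed(RULES, ANONYMOUS, KEY, 'read')),
        ('anonymous may write a key', allowed(RULES, ANONYMOUS, KEY, 'write')),
        ('entry below user1 writes keys, anchored', allowed(RULES, BELOW_USER1, KEY, 'write')),
        ('entry below user1 writes keys, unanchored', allowed(RULES_UNANCHORED, BELOW_USER1, KEY, 'write')),
    ]
    for label, result in checks:
        print('%-45s %s' % (label, result))
```

Running it prints one decision per line. The last two show why the ^...$ anchors matter: the unanchored pattern also matches a bind DN that merely ends in the user pattern, such as an entry created below a user's own entry, and grants it write access to the keystore; the anchored pattern limits write access to the direct children of ou=PGP Users.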


Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread David Shaw
On Thu, Feb 23, 2006 at 01:01:48PM +0100, Walter Haidinger wrote:
> On Thu, February 23, 2006 00:28, David Shaw wrote:
> >> Next release of 1.4.x or 1.9.x?
> >
> > 1.4.3.  I've added the new feature, so you could probably grab the
> > gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.  There
> > aren't significant changes to the keyserver protocol between the two.
> > Just replace the existing gpgkeys_ldap.c with the new one and
> > recompile.
> 
> I've checked out rev. 4020 (gpg reports version 1.4.3rc1).
> 
> First the good news: Anonymous access works, can send and receive
> keys just fine. The problem about the pgpKeysize is gone, although
> I did _not_ do any changes to the code. The CVS diffs show that you
> probably took care of this.

I did.

> There is a bug in the option parsing. Added a few diagnostics
> in main() of gpgkeys_ldap.c, which showed that binddn is already
> truncated after and including the first comma when you strdup() it
> from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'.
> Had a quick look but no obvious origin of the problem.

Not a bug - you're quoting it wrong in the shell.  It takes a lot to
make the shell not eat stuff sometimes:

 --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\""

That is, quote the value, not the name=value.  The parser in GPG
understands quotes.

David



Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread Walter Haidinger
On Thu, February 23, 2006 00:28, David Shaw wrote:
>> Next release of 1.4.x or 1.9.x?
>
> 1.4.3.  I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.  There
> aren't significant changes to the keyserver protocol between the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I've checked out rev. 4020 (gpg reports version 1.4.3rc1).

First the good news: Anonymous access works, can send and receive
keys just fine. The problem about the pgpKeysize is gone, although
I did _not_ do any changes to the code. The CVS diffs show that you
probably took care of this.

Now for the bad news: binding with a DN does not work yet.
I tried the new binddn and bindpw options with the following setup:

> cat pgpusers.ldif
dn: ou=PGP Users,dc=EXAMPLE,dc=COM
objectclass: organizationalUnit
ou: PGP Users

dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM
objectClass: inetOrgPerson
objectClass: uidObject
uid: user1
# password is 'user1'. Use slappasswd(8) to create a new
# one and replace the string here!
userPassword: {SSHA}sLbxdJt53SZvU9BMRSSmdD78vfiSoPHR
sn: User1
cn: Test User1

> ldapadd -x -h localhost -W -D "cn=Manager,dc=EXAMPLE,dc=COM" < pgpusers.ldif
adding new entry "ou=PGP Users,dc=EXAMPLE,dc=COM"
...

Changed the acl in slapd.conf from

# PGP keystore: limit write access to localhost
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
   by peername.ip=127.0.0.1 write
   by * read

to:

# PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write
access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM"
by dn.regex="uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM" write
by * read

and tried the following:

> gpg --keyserver ldap://localhost --keyserver-option verbose \
      --keyserver-option "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" \
      --keyserver-option bindpw=user1 \
      --send-keys B15BBBE2
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: sending key B15BBBE2 to ldap server localhost
gpgkeys: internal LDAP bind error: Invalid credentials
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

Syslog shows that pgp only binds with DN 'uid=user1' instead
of the whole specified DN:
slapd[10055]: conn=6 op=2 BIND dn="uid=user1" method=128

There is a bug in the option parsing. Added a few diagnostics
in main() of gpgkeys_ldap.c, which showed that binddn is already
truncated after and including the first comma when you strdup() it
from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'.
Had a quick look but no obvious origin of the problem.

Walter


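As an added example, not GnuPG's own parser, here is a Python model of the two parsing layers behind the truncated bind DN reported above and the quoting fix given in the reply: the shell first removes its own quotes (shlex.split applies POSIX rules), then the option string is split on commas, honouring only the double quotes that survived the shell. The same splitter reads gpg.conf lines and applies the rule from this thread that the name must be spelled "keyserver-options" in the file while an abbreviation passes on the command line. The command lines and the gpg.conf fragments are constructed from the values used in the thread.

```python
"""Model of the two parsing layers behind the truncated bind DN (added
example, not GnuPG's parser).  First the shell removes its own quotes
(shlex.split applies POSIX rules), then the --keyserver-options value is
split on commas, honouring any double quotes that survived the shell.
The same splitter reads gpg.conf lines, where the option name must be
spelled out in full while an abbreviation passes on the command line."""
import shlex


def split_options(text):
    """Split a comma-separated option list; commas inside double quotes
    are kept and the quotes themselves are dropped."""
    tokens, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == ',' and not quoted:
            tokens.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError('unterminated double quote in keyserver options')
    tokens.append(''.join(cur).strip())
    return [t for t in tokens if t]


def parse_options(text):
    """Return {name: value}; a bare word such as 'verbose' maps to True."""
    opts = {}
    for tok in split_options(text):
        name, sep, value = tok.partition('=')
        opts[name] = value if sep else True
    return opts


def options_from_command_line(cmdline):
    """Shell quoting first, then every --keyserver-option(s) argument in
    order (later values override earlier ones, as repeated options do)."""
    argv = shlex.split(cmdline)
    opts = {}
    for flag, value in zip(argv, argv[1:]):
        if flag.startswith('--keyserver-option'):   # abbreviation accepted here
            opts.update(parse_options(value))
    return opts


def options_from_gpg_conf(lines):
    """Strict gpg.conf reading: the name must be exactly 'keyserver-options'
    (or 'keyserver'); anything else is reported by its 1-based line number,
    like gpg's 'gpg.conf:N: invalid option'.  Returns (options, bad_lines)."""
    opts, bad = {}, []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(' ')
        if name == 'keyserver-options':
            opts.update(parse_options(rest))
        elif name == 'keyserver':
            opts['keyserver'] = rest.strip()
        else:
            bad.append(lineno)
    return opts, bad


DN = 'uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM'

# As typed in the thread: the DN quoted for the shell only, so gpg sees
# bare commas and cuts the value at the first one.
WRONG = ('--keyserver ldap://localhost '
         '--keyserver-option "binddn=%s" --keyserver-option bindpw=user1') % DN
# The form from the reply: inner quotes escaped so that gpg itself sees them.
RIGHT = ('--keyserver ldap://localhost '
         '--keyserver-options "binddn=\\"%s\\"" --keyserver-options bindpw=user1') % DN

# Constructed gpg.conf fragments using the option names from the thread.
CONF_WRONG = ['keyserver ldap://localhost', 'keyserver-option verbose',
              'keyserver-option binddn="%s"' % DN, 'keyserver-option bindpw=user1']
CONF_RIGHT = [l.replace('keyserver-option ', 'keyserver-options ') for l in CONF_WRONG]

if __name__ == '__main__':
    print('binddn, shell-only quoting :', options_from_command_line(WRONG)['binddn'])
    print('binddn, escaped quoting    :', options_from_command_line(RIGHT)['binddn'])
    print('gpg.conf invalid lines     :', options_from_gpg_conf(CONF_WRONG)[1])
    print('gpg.conf corrected binddn  :', options_from_gpg_conf(CONF_RIGHT)[0]['binddn'])
```

The first printed line is exactly what the syslog entry in the post shows, a bind as "uid=user1", because the remaining RDNs became separate option tokens; the second keeps the whole DN. The gpg.conf lines need no shell-level escaping, which is also why the config-file form in the howto can use plain double quotes.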


Re: Necessity of GPG when using SSL

2006-02-23 Thread Janusz A. Urbanowicz
On Wed, Feb 22, 2006 at 10:38:19AM -0500, Benjamin Esham wrote:
> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:
> 
> >And there is really no point in encrypting the whole access since the
> >contents, the emails usually travel the rest of the net unencrypted.

> But wouldn't it be much easier for an attacker to intercept all of your
> e-mail by listening in on an unencrypted webmail session than by trying to
> intercept each e-mail individually somewhere else?  I think there
> certainly is a benefit to having SSL-encrypted webmail for exactly that
> reason: less determined attackers will not have access to the plaintext of
> the messages. (Although granted, it would be kind of foolish to depend
> upon SSL webmail if the messages are sent in plain text.)

Answering this question is impossible without actually describing the
attacker's powers (defining a formal threat model). Clarify your question
and ask again, now the answer is: Mu.

A.



Re: OpenLDAP schema to store OpenPGP keys?

2006-02-23 Thread Walter Haidinger
On Thu, February 23, 2006 04:24, David Shaw wrote:
>> Does GnuPG support remote keyrings?
>
> No, unless it's via a remote filesystem (NFS, SMB, some magic with
> fuse, etc).

Well, would have been nice, though. I'll stick to rsync to distribute
secret keyrings then.

>> This is a general limitation, not to be solved by the ldap code,
>> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
>> Therefore, any keyserver options apply to the one set. There should
>> be a mechanism to specify multiple keyservers, each with its own
>> option set, binddn and bindpw just being one of them.
>
> I'm not sure I agree with this.  GnuPG does support multiple
> keyservers in the sense that it handles preferred keyserver records on
> keys, as well as the new auto-key-locate feature.  All of these have
> the same set of options, as keyserver options are not per-keyserver.

I was unaware that _all_ keyserver options apply to any type, i.e.
http/hkp/ldap.
The manpage talks about 'a' preferred keyserver, though, so I thought
that there can be only one, which means all options are global anyways.
Haven't had a look at the new auto-key-locate feature yet.

> They're not "options for keyserver x" - they are "options that pertain
> to keyservers".

No, not yet but would make sense now with binddn and binddn.
However, a single LDAP server I can authenticate against is fine for me.

> Until yesterday, in fact, when I added binddn and bindpw, all the
> options were not meaningful except in the general sense.

That's what I meant with "general limitation" above.

> I think the right place for the solution is in gpgkeys_ldap itself.
> Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to.

If you create a framework which allows for options to apply to
certain keyservers, why limit yourself to LDAP only?
What if HTTP or FTP keyservers require authentication?
How would you do e.g. basic authentication against multiple
HTTP keyservers, each with different username and password?

Therefore, implementing keyserver specific options _just_ for LDAP
simply doesn't make sense, or does it?

Walter

