sks(8)
NAME
SKS - Synchronizing Key Server
SYNOPSIS
sks [options] -debug
DESCRIPTION
SKS is a OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized, and highly reliable synchronization. That means that a
key submitted to one SKS server will quickly be distributed to all key
servers, and even wildly out-of-date servers, or servers that
experience spotty connectivity, can fully synchronize with rest of the
system.
The design of SKS is deliberately simple. The server consists of two
single-threaded processes. The first, "sks db", fulfills the normal
jobs associated with a public key server, such as answering web
requests. The only special functionality of "sks db" is that it keeps a
log summarizing the changes to the key database. "sks recon" does all
the work with respect to reconciling hosts databases. "sks recon" keeps
track of specialized summary information about the database, and can
use that information to efficiently determine the differences between
its database and that of another host.
FEATURES
Highly efficient and reliable reconciliation algorithm
Follows RFC2440 and RFC2440bis carefully - unlike PKS, SKS supports new
and old style packets, photoID packets, multiple subkeys, and pretty
much everything allowed by the RFCs.
Fully compatible with PKS system - can both send and receive syncs from
PKS servers, ensuring seamless connectivity.
Simple configuration: each host just needs a (partial) list of the
other participating key servers. Gossip is used to distribute
information without putting a heavy load an any one host.
Supports HKP/web-based querying, and soon-to-be-standard machine
readable indices
OPTIONS
SKS binary command options are as follows:
- db
- Initiates database server.
- recon
- Initiates reconciliation server.
- cleandb
- Apply filters to all keys in database, fixing some common problems.
- build
- Build key database, including body of keys directly in database.
- fastbuild -n [size] -cache [mbytes]
- Build key database, doesn't include keys directly in database,
faster than build. -n specifies the mulitple of 15000 keys to read in at once, and -cache specifies the database cache to use in
megabytes. - pbuild -cache [mbytes] -ptree_cache [mbytes]
- Build prefix-tree database, used by reconciliation server, from key
database. Allows for specification of cache for key database and
for ptree database. - dump #keys dumpdir
- Create a raw dump of the keys in the database.
- merge
- Adds key from key files to existing database.
- drop
- Drops key from database.
- update_subkeys [-n # of updates / 1000]
- Updates subkey keyid index to include all current keys. Only useful when upgrading versions 1.0.4 or before of SKS.
- help
- Prints the help message.
ADDITIONAL OPTIONS
You won't need most of the options below for normal operation. These
options can be given in basedir/sksconf or as command line option for
the sks binary.
- -debug
- Debugging mode.
- -debuglevel
- Debugging level -- sets verbosity of logging.
- -q
- Number of bits defining a bin.
- -mbar
- Number of errors that can be corrected in one shot.
- -seed
- Seed used by RNG.
- -hostname
- Current hostname.
- -d
- Number of keys to drop at random when synchronizing.
- -n
- Multiple of 15,000 keys to load at once.
- -max_internal_matches
- Maximum number of matches for most specific word in a multi-word
search. - -max_matches
- Maximum number of matches that will be returned from a query.
- -max_uid_fetches
- Maximum number of uid fetches performed in a verbose index query.
- -pagesize
- Pagesize in bytes for key db.
- -cache
- Cache size in megs for key db.
- -ptree_pagesize
- Pagesize in bytes for prefix tree db.
- -ptree_cache
- Cache size in megs for prefix tree db.
- -baseport
- Set base port number.
- -recon_port
- Set recon port number.
- -recon_address
- Set recon binding address. Can be a list of whitespace separated
IP addresses. - -hkp_port
- Set hkp port number.
- -hkp_address
- Set hkp binding address. Can be a list of whitespace separated IP addresses.
- -use_port_80
- Have the HKP interface listen on port 80, as well as the hkp_port.
- -basedir
- Set base directory.
- -stdoutlog
- Send log messages to stdout instead of log file.
- -diskptree
- Use a disk-based ptree implementation. Slower, but requires far
less memory. - -nodiskptree
- Use in-mem ptree.
- -max_ptree_nodes
- Maximum number of allowed ptree nodes. Only meaningful if
-diskptree is set. - -prob
- Set probability. Used for testing code only.
- -recon_sync_interval
- Set sync interval for reconserver.
- -gossip_interval
- Set time between gossips in minutes.
- -dontgossip
- Don't gossip automatically. Host will still respond to requests
from other hosts. - -db_sync_interval
- Set sync interval for dbserver.
- -checkpoint_interval
- Time period between checkpoints.
- -recon_checkpoint_interval
- Time period between checkpoints for reconserver.
- -ptree_thresh_mult
- Multiple of thresh which specifies minimum node size in prefix
tree. - -recon_thresh_mult
- Multiple of thresh which specifies minimum node size that is
included in reconciliation. - -max_recover
- Maximum number of differences to recover in one round.
- -http_fetch_size
- Number of keys for reconserver to fetch from dbserver in one go.
- -wserver_timeout
- Timeout in seconds for webserver requests.
- -reconciliation_timeout
- Timeout for reconciliation runs in minutes.
- -stat_hour
- Hour at which to run database statistics.
- -initial_stat
- Runs database statistics calculation on boot.
- -reconciliation_config_timeout
- Set timeout in seconds for initial exchange of config info in
reconciliation. - -missing_keys_timeout
- Timeout in seconds for get_missing_keys.
- -command_timeout
- Timeout in seconds for commands set over command socket.
- -sendmail_cmd
- Command used for sending mail.
- -from_addr
- From address used in synchronization emails used to communicate
with PKS. - -dump_new_only
- When doing a database dump, only dump new keys, not keys already
contained in a keydump file. - -max_outstanding_recon_requests
- Maximum number of outstanding requests in reconciliation.
- -membership_reload_interval
- Maximum interval (in hours) at which membership file is reloaded.
- --help, -help
- Displays list of options.
FILES
Information about important files located in your SKS basedir.
- bin/sks
- The main SKS executable.
- bin/sks_add_mail
- The executable responsible for parsing incoming mails from PKS key servers.
- bin/sks_build.sh
- Script to generate an initial database.
- mailsync
- The mailsync should contains a list of email addresses of PKS
keyservers. This file is important, because it ensures that keys
submitted directly to an SKS keyserver are also forwarded to PKS
keyservers. IMPORTANT : don't add someone to your mailsync file
without getting their permission first! - membership
- With SKS, two hosts can efficiently compare their databases then
repair whatever differences are found. In order to set up
reconciliation, you first need to find other SKS servers that will agree to gossip with you. The hostname and port of the server that has agreed to do so should be added to this file. - sksconf
- The configuration file for your SKS server.
EXAMPLES
- membership
- keyserver.ahost.org 11370 # Comments are allowed
keyserver.foo.org 11370 # Another host with default ports - sksconf
- membership_reload_interval: 1
initial_stat:
hostname: keyserver.example.com
from_addr: pgp-public-keys@keyserver.example.com - Procmail
- PATH=/path/of/sks/exectuables
:0
* ^Subject: incremental
| /path/of/sks_add_mail /path/to/sks/directory - /etc/aliases
- pgp-public-keys: "|/path/of/sks_add_mail /path/to/sks/directory"
SEE ALSO
The SKS website is located at http://minskyprimus.net/sks/.
AUTHOR
- The first draft was written by Thomas Sjogren
<thomas@northernsecurity.net>.