This commit is contained in:
Bob Mottram 2017-07-30 18:20:40 +01:00
commit 332ae3e37a
8 changed files with 1038 additions and 138 deletions

67
doc/EN/app_keyserver.org Normal file
View File

@ -0,0 +1,67 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, keyserver
#+DESCRIPTION: How to use KEYSERVER
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>OpenPGP Key Server</h1>
</center>
#+END_EXPORT
The /web of trust/ is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are a two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would it be for adversaries to get implants onto them? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side.
For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to /find out how to communicate with others securely via email/. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers.
#+BEGIN_CENTER
[[file:images/keyserver.jpg]]
#+END_CENTER
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Add/Remove Apps* then *keyserver*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /keys.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for the Key server. If the certificate is obtained successfully then you will see a congratulations message.
* How to use it
Interaction with the web user interface is pretty minimal and obvious, but most likely you will also want to be able to use your keyserver from the commandline. To do that use the *--keyserver* option. For example to search for a key on your server:
#+begin_src bash
gpg --keyserver [your keyserver domain] --search-keys [email address]
#+end_src
Or to send a key to it:
#+begin_src bash
gpg --keyserver [your keyserver domain] --send-keys [email address or key ID]
#+end_src
Or to get a key:
#+begin_src bash
gpg --keyserver [your keyserver domain] --recv-keys [email address or key ID]
#+end_src
* Sync with other keyservers
Key servers avoid censorship or errors by gossiping between each other and cross referencing the data. You can define which other servers your key server will gossip with by going to the *Administrator control panel*, selecting *App Settings* then *keyserver* then *Sync with other keyserver*.
It's a good idea not to try to sync with the popular OpenPGP key servers, because those have gigantic databases which may make your server unstable and certainly would make it hard to create backups within a tractable amount of time. This option is mainly intended to sync with other Freedombone systems or small home servers within a particular community.
* Possible problems
OpenPGP key servers are not very well defended from flooding attacks. This means that an adversary could just upload a billion keys to destabilize the server and fill it with nonsense to make it unusable. Since key servers are /fully open to the public/ there isn't anything to prevent that from happening.
Within the Freedombone system there is a watchdog script which keeps track of the key server database size, and disables the key server if that gets too large. Apart from the usual firewall and web server traffic rate limits, this is a crude but probably practical way of defending against flooding.
If a flood attack does happen then really the only way to recover is to restore from the last known good backup, which can be done from the *Administrator control panel*.

View File

@ -79,6 +79,10 @@ Experimental WebRTC video conferencing system, similar to Google Hangouts. This
A simple kanban system for managing projects or TODO lists.
[[./app_kanboard.html][How to use it]]
* Key Server
An OpenPGP key server for storing and retrieving GPG public keys.
[[./app_keyserver.html][How to use it]]
* Koel
Access your music collection from any internet connected device.

BIN
img/keyserver.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

View File

@ -46,6 +46,62 @@ keyserver_variables=(ONION_ONLY
KEYSERVER_DOMAIN_NAME
KEYSERVER_CODE)
function check_keyserver_directory_size {
dirsize=$(du /var/lib/sks/DB | awk -F ' ' '{print $1}')
# 500M
if [ $dirsize -gt 500000 ]; then
echo "1"
return
fi
echo "0"
}
function keyserver_watchdog {
ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
keyserver_size_warning=$"The SKS keyserver database is getting large. Check that you aren't being spammed"
keyserver_disabled_warning=$"The SKS keyserver has been disabled because it is getting too large. This is to prevent flooding attacks from crashing the server. You may need to restore the keyserver from backup."
keyserver_mail_subject_line=$"${PROJECT_NAME} keyserver warning"
keyserver_mail_subject_line_disabled=$"${PROJECT_NAME} keyserver disabled"
read_config_param KEYSERVER_DOMAIN_NAME
keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog
echo '#!/bin/bash' > $keyserver_watchdog_script
echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script
echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script
echo " echo \"$keyserver_size_warning\" | mail -s \"$keyserver_mail_subject_line\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
echo ' if [ $dirsize -gt 500000 ]; then' >> $keyserver_watchdog_script
echo " nginx_dissite $KEYSERVER_DOMAIN_NAME" >> $keyserver_watchdog_script
echo ' systemctl stop sks' >> $keyserver_watchdog_script
echo ' systemctl disable sks' >> $keyserver_watchdog_script
echo " echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
echo ' fi' >> $keyserver_watchdog_script
echo 'fi' >> $keyserver_watchdog_script
chmod +x $keyserver_watchdog_script
}
function configure_firewall_for_keyserver {
if [[ $ONION_ONLY != "no" ]]; then
return
fi
firewall_add keyserver 11370 tcp
firewall_add keyserver 11371 tcp
firewall_add keyserver 11372 tcp
mark_completed $FUNCNAME
}
function keyserver_reset_database {
if [ -d /var/lib/sks/DB ]; then
rm -rf /var/lib/sks/DB
fi
sks build
chown -Rc debian-sks: /var/lib/sks
systemctl restart sks
}
function logging_on_keyserver {
echo -n ''
}
@ -59,6 +115,8 @@ function reconfigure_keyserver {
}
function upgrade_keyserver {
keyserver_watchdog
CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit")
if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then
return
@ -96,24 +154,149 @@ function upgrade_keyserver {
}
function backup_local_keyserver {
echo -n ''
# remove any unused log files
cd /var/lib/sks/DB
db_archive -d
source_directory=/etc/sks
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserverconfig
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory $dest_directory
systemctl start sks
fi
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
echo $'WARNING: Keyserver database size is too large to backup'
return
fi
source_directory=/var/lib/sks/DB
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserver
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory $dest_directory
systemctl start sks
fi
}
function restore_local_keyserver {
echo -n ''
if [ ! -d /var/lib/sks/DB ]; then
return
fi
echo $"Restoring SKS Keyserver"
systemctl stop sks
temp_restore_dir=/root/tempkeyserverconfig
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir keyserverconfig
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
rm -rf $temp_restore_dir
chown -Rc debian-sks: /etc/sks/sksconf
chown -Rc debian-sks: /etc/sks/mailsync
temp_restore_dir=/root/tempkeyserver
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir keyserver
mv /var/lib/sks/DB /var/lib/sks/DB_prev
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
if [ ! "$?" = "0" ]; then
# restore the old database
rm -rf /var/lib/sks/DB
mv /var/lib/sks/DB_prev /var/lib/sks/DB
rm -rf $temp_restore_dir
function_check set_user_permissions
set_user_permissions
function_check backup_unmount_drive
backup_unmount_drive
exit 5627294
fi
rm -rf $temp_restore_dir
chown -Rc debian-sks: /var/lib/sks
# remove the old database
rm -rf /var/lib/sks/DB_prev
systemctl enable sks
systemctl start sks
nginx_ensite $KEYSERVER_DOMAIN_NAME
}
function backup_remote_keyserver {
echo -n ''
# remove any unused log files
cd /var/lib/sks/DB
db_archive -d
source_directory=/etc/sks
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserverconfig
function_check backup_directory_to_friend
backup_directory_to_friend $source_directory $dest_directory
systemctl start sks
fi
if [[ "$(check_keyserver_directory_size)" != "0" ]]; then
echo $'WARNING: Keyserver database size is too large to backup'
return
fi
source_directory=/var/lib/sks/DB
if [ -d $source_directory ]; then
systemctl stop sks
dest_directory=keyserver
function_check backup_directory_to_friend
backup_directory_to_friend $source_directory $dest_directory
systemctl start sks
fi
}
function restore_remote_keyserver {
echo -n ''
if [ ! -d /var/lib/sks/DB ]; then
return
fi
echo $"Restoring SKS Keyserver"
systemctl stop sks
temp_restore_dir=/root/tempkeyserverconfig
function_check restore_directory_from_friend
restore_directory_from_friend $temp_restore_dir keyserverconfig
cp -r $temp_restore_dir/etc/sks/* /etc/sks/
rm -rf $temp_restore_dir
chown -Rc debian-sks: /etc/sks/sksconf
chown -Rc debian-sks: /etc/sks/mailsync
temp_restore_dir=/root/tempkeyserver
function_check restore_directory_from_friend
restore_directory_from_friend $temp_restore_dir keyserver
mv /var/lib/sks/DB /var/lib/sks/DB_prev
cp -r $temp_restore_dir/var/lib/sks/DB /var/lib/sks/DB
if [ ! "$?" = "0" ]; then
# restore the old database
rm -rf /var/lib/sks/DB
mv /var/lib/sks/DB_prev /var/lib/sks/DB
rm -rf $temp_restore_dir
function_check set_user_permissions
set_user_permissions
return
fi
rm -rf $temp_restore_dir
chown -Rc debian-sks: /var/lib/sks
# remove the old database
rm -rf /var/lib/sks/DB_prev
systemctl enable sks
systemctl start sks
nginx_ensite $KEYSERVER_DOMAIN_NAME
}
function remove_keyserver {
systemctl stop sks
apt-get -qy remove sks
if [ -f /etc/cron.hourly/keyserver-watchdog ]; then
rm /etc/cron.hourly/keyserver-watchdog
fi
apt-get -qy remove sks dirmngr
read_config_param "KEYSERVER_DOMAIN_NAME"
nginx_dissite $KEYSERVER_DOMAIN_NAME
@ -131,9 +314,15 @@ function remove_keyserver {
remove_config_param KEYSERVER_CODE
function_check remove_onion_service
remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
remove_onion_service sks 11370 11371 11372
remove_completion_param "install_keyserver"
firewall_remove 11370 tcp
firewall_remove 11371 tcp
firewall_remove 11372 tcp
sed -i '/keyserver/d' $COMPLETION_FILE
sed -i '/sks onion/d' $COMPLETION_FILE
if [ -d /var/lib/sks ]; then
rm -rf /var/lib/sks
fi
@ -154,7 +343,29 @@ function install_interactive_keyserver {
APP_INSTALLED=1
}
function keyserver_create_mailsync {
echo $"# List of email addresses which submitted keys will be forwarded to" > /etc/sks/mailsync
echo '' >> /etc/sks/mailsync
chown -Rc debian-sks: /etc/sks/mailsync
}
function keyserver_create_membership {
if [ -f /etc/sks/membership ]; then
return
fi
systemctl stop sks
echo $"# List of other $PROJECT_NAME SKS Keyservers to sync with." > /etc/sks/membership
echo '#' >> /etc/sks/membership
echo $"# Don't add major keyservers here, because it will take an" >> /etc/sks/membership
echo $'# Infeasible amount of time to sync and backups will become' >> /etc/sks/membership
echo $'# absurdly long and probably break your system. You have been warned.' >> /etc/sks/membership
echo '' >> /etc/sks/membership
chown -Rc debian-sks: /etc/sks/membership
systemctl start sks
}
function keyserver_import_keys {
# NOTE: this function isn't used, but kept for reference
dialog --title $"Import public keys database" \
--backtitle $"Freedombone Control Panel" \
--defaultno \
@ -176,7 +387,109 @@ function keyserver_import_keys {
cd /var/lib/sks
echo $'Building the keyserver database from the downloaded dump'
sks build
keyserver_reset_database
}
function keyserver_sync {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"Sync with other keyserver" \
--form $"\nEnter details for the other server. Please be aware that it's not a good idea to sync with major keyservers which have exceptionally large databases. This is intended to sync with other $PROJECT_NAME systems each having a small database for a particular community." 16 60 3 \
$"Domain:" 1 1 "" 1 25 32 64 \
$"Port:" 2 1 "11370" 2 25 6 6 \
$"Sync Email (optional):" 3 1 "pgp-public-keys@" 3 25 32 64 \
2> $data
sel=$?
case $sel in
1) return;;
255) return;;
esac
other_keyserver_domain=$(cat $data | sed -n 1p)
other_keyserver_port=$(cat $data | sed -n 2p)
other_keyserver_email=$(cat $data | sed -n 3p)
if [[ "$other_keyserver_domain" != *'.'* ]]; then
return
fi
if [[ "$other_keyserver_domain" == *' '* ]]; then
return
fi
if [[ "$other_keyserver_port" == *'.'* ]]; then
return
fi
if [[ "$other_keyserver_port" == *' '* ]]; then
return
fi
if [ ${#other_keyserver_domain} -lt 4 ]; then
return
fi
if [ ${#other_keyserver_port} -lt 4 ]; then
return
fi
# Warn if trying to sync
if [[ "$other_keyserver_domain" == *"sks-keyservers.net" || "$other_keyserver_domain" == *"gnupg.net" || "$other_keyserver_domain" == *"pgp.com" || "$other_keyserver_domain" == *"pgp.mit.edu" || "$other_keyserver_domain" == *"the.earth.li" || "$other_keyserver_domain" == *"mayfirst.org" || "$other_keyserver_domain" == *"ubuntu.com" ]]; then
dialog --title $"Sync with other keyserver" \
--msgbox $"\nDon't try to sync with the major keyservers. Your system will be overloaded with an infeasible database size." 8 60
return
fi
if [[ "$other_keyserver_email" != "pgp-public-keys@" ]]; then
if [[ "$other_keyserver_email" == *"@"* ]]; then
if [[ "$other_keyserver_email" == *"."* ]]; then
keyserver_create_mailsync
if ! grep -q "$other_keyserver_email" /etc/sks/mailsync; then
echo "$other_keyserver_email" >> /etc/sks/mailsync
chown -Rc debian-sks: /etc/sks/mailsync
fi
else
dialog --title $"Sync with other keyserver" \
--msgbox $"Email doesn't look right: $other_keyserver_email" 6 60
return
fi
fi
fi
keyserver_create_membership
if grep -q "$other_keyserver_domain $other_keyserver_port" /etc/sks/membership; then
return
fi
if grep -q "$other_keyserver_domain " /etc/sks/membership; then
sed -i "s|$other_keyserver_domain .*|$other_keyserver_domain $other_keyserver_port|g" /etc/sks/membership
else
echo "$other_keyserver_domain $other_keyserver_port" >> /etc/sks/membership
fi
chown -Rc debian-sks: /etc/sks/membership
systemctl restart sks
dialog --title $"Sync with other keyserver" \
--msgbox $"Keyserver added" 6 40
}
function keyserver_edit {
if [ ! -f /etc/sks/membership ]; then
return
fi
editor /etc/sks/membership
chown -Rc debian-sks: /etc/sks/membership
systemctl restart sks
}
function keyserver_remove_key {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Remove a key" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Enter the ID of the key which you wish to remove:" 12 60 2>$data
sel=$?
case $sel in
0)
remove_key_id=$(<$data)
if [ ${#remove_key_id} -gt 8 ]; then
sks drop $remove_key_id
dialog --title $"Remove a key" \
--msgbox $"The key was removed" 6 40
fi
;;
esac
}
function configure_interactive_keyserver {
@ -186,26 +499,30 @@ function configure_interactive_keyserver {
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"SKS Keyserver" \
--radiolist $"Choose an operation:" 10 70 2 \
1 $"Import public keys database" off \
2 $"Exit" on 2> $data
--radiolist $"Choose an operation:" 12 70 4 \
1 $"Remove a key" off \
2 $"Sync with other keyserver" off \
3 $"Edit sync keyservers" off \
4 $"Exit" on 2> $data
sel=$?
case $sel in
1) return;;
255) return;;
esac
case $(cat $data) in
1) keyserver_import_keys;;
2) break;;
1) keyserver_remove_key;;
2) keyserver_sync;;
3) keyserver_edit;;
4) break;;
esac
done
}
function install_keyserver {
apt-get -qy install build-essential gcc ocaml libdb-dev wget sks
sks build
chown -Rc debian-sks: /var/lib/sks/DB
keyserver_reset_database
sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks
apt-get -qy install dirmngr
systemctl restart sks
if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then
@ -254,36 +571,125 @@ function install_keyserver {
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html
sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html
sksconf_file=/var/lib/sks/sksconf
echo 'debuglevel: 3' > $sksconf_file
echo '' >> $sksconf_file
echo "hostname: $KEYSERVER_DOMAIN_NAME" >> $sksconf_file
echo '' >> $sksconf_file
echo 'hkp_address: 127.0.0.1' >> $sksconf_file
echo "hkp_port: $KEYSERVER_PORT" >> $sksconf_file
echo 'recon_port: 11370' >> $sksconf_file
echo '' >> $sksconf_file
echo "server_contact: $GPG_ID" >> $sksconf_file
echo '' >> $sksconf_file
echo 'initial_stat:' >> $sksconf_file
echo 'disable_mailsync:' >> $sksconf_file
sksconf_file=/etc/sks/sksconf
sed -i "s|#hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
sed -i "s|hostname:.*|hostname: $KEYSERVER_DOMAIN_NAME|g" $sksconf_file
sed -i "s|#hkp_port:.*|hkp_port: 11373|g" $sksconf_file
sed -i "s|hkp_port:.*|hkp_port: 11373|g" $sksconf_file
sed -i "s|#recon_port:.*|recon_port: 11370|g" $sksconf_file
sed -i "s|recon_port:.*|recon_port: 11370|g" $sksconf_file
sed -i "s|#recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
sed -i "s|recon_address:.*|recon_address: 0.0.0.0|g" $sksconf_file
sed -i 's|#hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
sed -i 's|hkp_address:.*|hkp_address: 127.0.0.1|g' $sksconf_file
sed -i "s|#from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
sed -i "s|from_addr:.*|from_addr: \"pgp-public-keys@$DEFAULT_DOMAIN_NAME\"|g" $sksconf_file
sed -i 's|#sendmail_cmd:|sendmail_cmd:|g' $sksconf_file
if ! grep -q "#disable_mailsync" $sksconf_file; then
echo '#disable_mailsync:' >> $sksconf_file
else
sed -i 's|disable_mailsync:|#disable_mailsync:|g' $sksconf_file
fi
if ! grep -q "membership_reload_interval:" $sksconf_file; then
echo 'membership_reload_interval: 1' >> $sksconf_file
echo 'stat_hour: 12' >> $sksconf_file
echo '' >> $sksconf_file
echo 'max_matches: 500' >> $sksconf_file
else
sed -i 's|#membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
sed -i 's|membership_reload_interval:.*|membership_reload_interval: 1|g' $sksconf_file
fi
if ! grep -q "max_matches:" $sksconf_file; then
echo 'max_matches: 50' >> $sksconf_file
else
sed -i 's|#max_matches:.*|max_matches: 50|g' $sksconf_file
sed -i 's|max_matches:.*|max_matches: 50|g' $sksconf_file
fi
if ! grep -q "stat_hour:" $sksconf_file; then
echo "stat_hour: $((1 + RANDOM % 8))" >> $sksconf_file
else
sed -i "s|#stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
sed -i "s|stat_hour:.*|stat_hour: $((1 + RANDOM % 8))|g" $sksconf_file
fi
if ! grep -q "disable_log_diffs:" $sksconf_file; then
echo "disable_log_diffs:" >> $sksconf_file
else
sed -i "s|#disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
sed -i "s|disable_log_diffs:.*|disable_log_diffs:|g" $sksconf_file
fi
if ! grep -q "debuglevel:" $sksconf_file; then
echo "debuglevel: 0" >> $sksconf_file
else
sed -i "s|#debuglevel:.*|debuglevel: 0|g" $sksconf_file
sed -i "s|debuglevel:.*|debuglevel: 0|g" $sksconf_file
fi
chown debian-sks: $sksconf_file
if ! grep -q "hidden_service_sks" /etc/tor/torrc; then
echo 'HiddenServiceDir /var/lib/tor/hidden_service_sks/' >> /etc/tor/torrc
echo "HiddenServicePort 11370 127.0.0.1:11370" >> /etc/tor/torrc
echo "HiddenServicePort 11373 127.0.0.1:11371" >> /etc/tor/torrc
echo "HiddenServicePort 11372 127.0.0.1:11372" >> /etc/tor/torrc
echo $'Added onion site for sks'
fi
onion_update
wait_for_onion_service 'sks'
if [ ! -f /var/lib/tor/hidden_service_sks/hostname ]; then
echo $'sks onion site hostname not found'
exit 8352982
fi
SKS_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_sks/hostname)
KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT})
keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
function_check nginx_http_redirect
nginx_http_redirect $KEYSERVER_DOMAIN_NAME
# NOTE: without http active on port 80 the keyserver doesn't work
# from the commandline
echo 'server {' > $keyserver_nginx_site
echo ' listen 80;' >> $keyserver_nginx_site
echo ' listen 0.0.0.0:11371;' >> $keyserver_nginx_site
echo ' listen [::]:80;' >> $keyserver_nginx_site
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Logs' >> $keyserver_nginx_site
echo ' access_log /dev/null;' >> $keyserver_nginx_site
echo ' error_log /dev/null;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Root' >> $keyserver_nginx_site
echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site
echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
echo ' proxy_pass http://127.0.0.1:11373;' >> $keyserver_nginx_site
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11371 (nginx)\";" >> $keyserver_nginx_site
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '}' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo 'server {' >> $keyserver_nginx_site
echo ' listen 443 ssl;' >> $keyserver_nginx_site
echo ' listen 0.0.0.0:11372 ssl;' >> $keyserver_nginx_site
echo ' listen [::]:443 ssl;' >> $keyserver_nginx_site
echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
echo ' deny all;' >> $keyserver_nginx_site
echo ' return 404;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' # Security' >> $keyserver_nginx_site
function_check nginx_ssl
nginx_ssl $KEYSERVER_DOMAIN_NAME
@ -310,9 +716,9 @@ function install_keyserver {
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:11372 (nginx)\";" >> $keyserver_nginx_site
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
@ -325,6 +731,13 @@ function install_keyserver {
echo " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site
echo " server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' error_page 404 /404.html;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location ~ (.git|LICENSE|readme.md) {' >> $keyserver_nginx_site
echo ' deny all;' >> $keyserver_nginx_site
echo ' return 404;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME
echo '' >> $keyserver_nginx_site
@ -344,9 +757,9 @@ function install_keyserver {
echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site
echo '' >> $keyserver_nginx_site
echo ' location /pks {' >> $keyserver_nginx_site
echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site
echo " proxy_pass http://127.0.0.1:11373;" >> $keyserver_nginx_site
echo ' proxy_pass_header Server;' >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site
echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_ONION_PORT (nginx)\";" >> $keyserver_nginx_site
echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site
echo ' client_max_body_size 8m;' >> $keyserver_nginx_site
echo ' }' >> $keyserver_nginx_site
@ -373,10 +786,27 @@ function install_keyserver {
function_check nginx_ensite
nginx_ensite $KEYSERVER_DOMAIN_NAME
configure_firewall_for_keyserver
# remove membership file - don't try to sync with other keyservers
if [ -f /etc/sks/membership ]; then
rm /etc/sks/membership
fi
if ! grep -q "pgp-public-keys" /etc/aliases; then
echo 'pgp-public-keys: "|/usr/lib/sks/sks_add_mail /etc/sks"' >> /etc/aliases
fi
chown -Rc debian-sks: /etc/sks/mailsync
systemctl enable sks
systemctl restart sks
systemctl restart nginx
set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME"
set_completion_param "sks onion domain" "$SKS_ONION_HOSTNAME"
keyserver_watchdog
APP_INSTALLED=1
}

View File

@ -351,6 +351,12 @@ function show_domains {
echo -n -e "$(pad_string ${DEFAULT_DOMAIN_NAME})"
echo "$(cat ${COMPLETION_FILE} | grep 'email onion domain' | awk -F ':' '{print $2}')"
fi
if grep -q "sks onion domain" $COMPLETION_FILE; then
read_config_param "KEYSERVER_DOMAIN_NAME"
echo -n -e "$(pad_string 'SKS')"
echo -n -e "$(pad_string ${KEYSERVER_DOMAIN_NAME})"
echo "$(cat ${COMPLETION_FILE} | grep 'sks onion domain' | awk -F ':' '{print $2}')"
fi
for app_name in "${APPS_INSTALLED_NAMES[@]}"
do

View File

@ -67,6 +67,12 @@ fi
update-ca-certificates
# remove any keyserver log files
if [ -d /var/lib/sks/DB ]; then
cd /var/lib/sks/DB
db_archive -d
fi
if [ ! -d $PROJECT_DIR ]; then
git_clone $PROJECT_REPO $PROJECT_DIR
fi

View File

@ -0,0 +1,375 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-07-30 Sun 18:18 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title></title>
<meta name="generator" content="Org mode" />
<meta name="author" content="Bob Mottram" />
<meta name="description" content="How to use KEYSERVER"
/>
<meta name="keywords" content="freedombone, keyserver" />
<style type="text/css">
<!--/*--><![CDATA[/*><!--*/
.title { text-align: center;
margin-bottom: .2em; }
.subtitle { text-align: center;
font-size: medium;
font-weight: bold;
margin-top:0; }
.todo { font-family: monospace; color: red; }
.done { font-family: monospace; color: green; }
.priority { font-family: monospace; color: orange; }
.tag { background-color: #eee; font-family: monospace;
padding: 2px; font-size: 80%; font-weight: normal; }
.timestamp { color: #bebebe; }
.timestamp-kwd { color: #5f9ea0; }
.org-right { margin-left: auto; margin-right: 0px; text-align: right; }
.org-left { margin-left: 0px; margin-right: auto; text-align: left; }
.org-center { margin-left: auto; margin-right: auto; text-align: center; }
.underline { text-decoration: underline; }
#postamble p, #preamble p { font-size: 90%; margin: .2em; }
p.verse { margin-left: 3%; }
pre {
border: 1px solid #ccc;
box-shadow: 3px 3px 3px #eee;
padding: 8pt;
font-family: monospace;
overflow: auto;
margin: 1.2em;
}
pre.src {
position: relative;
overflow: visible;
padding-top: 1.2em;
}
pre.src:before {
display: none;
position: absolute;
background-color: white;
top: -10px;
right: 10px;
padding: 3px;
border: 1px solid black;
}
pre.src:hover:before { display: inline;}
/* Languages per Org manual */
pre.src-asymptote:before { content: 'Asymptote'; }
pre.src-awk:before { content: 'Awk'; }
pre.src-C:before { content: 'C'; }
/* pre.src-C++ doesn't work in CSS */
pre.src-clojure:before { content: 'Clojure'; }
pre.src-css:before { content: 'CSS'; }
pre.src-D:before { content: 'D'; }
pre.src-ditaa:before { content: 'ditaa'; }
pre.src-dot:before { content: 'Graphviz'; }
pre.src-calc:before { content: 'Emacs Calc'; }
pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
pre.src-fortran:before { content: 'Fortran'; }
pre.src-gnuplot:before { content: 'gnuplot'; }
pre.src-haskell:before { content: 'Haskell'; }
pre.src-hledger:before { content: 'hledger'; }
pre.src-java:before { content: 'Java'; }
pre.src-js:before { content: 'Javascript'; }
pre.src-latex:before { content: 'LaTeX'; }
pre.src-ledger:before { content: 'Ledger'; }
pre.src-lisp:before { content: 'Lisp'; }
pre.src-lilypond:before { content: 'Lilypond'; }
pre.src-lua:before { content: 'Lua'; }
pre.src-matlab:before { content: 'MATLAB'; }
pre.src-mscgen:before { content: 'Mscgen'; }
pre.src-ocaml:before { content: 'Objective Caml'; }
pre.src-octave:before { content: 'Octave'; }
pre.src-org:before { content: 'Org mode'; }
pre.src-oz:before { content: 'OZ'; }
pre.src-plantuml:before { content: 'Plantuml'; }
pre.src-processing:before { content: 'Processing.js'; }
pre.src-python:before { content: 'Python'; }
pre.src-R:before { content: 'R'; }
pre.src-ruby:before { content: 'Ruby'; }
pre.src-sass:before { content: 'Sass'; }
pre.src-scheme:before { content: 'Scheme'; }
pre.src-screen:before { content: 'Gnu Screen'; }
pre.src-sed:before { content: 'Sed'; }
pre.src-sh:before { content: 'shell'; }
pre.src-sql:before { content: 'SQL'; }
pre.src-sqlite:before { content: 'SQLite'; }
/* additional languages in org.el's org-babel-load-languages alist */
pre.src-forth:before { content: 'Forth'; }
pre.src-io:before { content: 'IO'; }
pre.src-J:before { content: 'J'; }
pre.src-makefile:before { content: 'Makefile'; }
pre.src-maxima:before { content: 'Maxima'; }
pre.src-perl:before { content: 'Perl'; }
pre.src-picolisp:before { content: 'Pico Lisp'; }
pre.src-scala:before { content: 'Scala'; }
pre.src-shell:before { content: 'Shell Script'; }
pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
/* additional language identifiers per "defun org-babel-execute"
in ob-*.el */
pre.src-cpp:before { content: 'C++'; }
pre.src-abc:before { content: 'ABC'; }
pre.src-coq:before { content: 'Coq'; }
pre.src-groovy:before { content: 'Groovy'; }
/* additional language identifiers from org-babel-shell-names in
ob-shell.el: ob-shell is the only babel language using a lambda to put
the execution function name together. */
pre.src-bash:before { content: 'bash'; }
pre.src-csh:before { content: 'csh'; }
pre.src-ash:before { content: 'ash'; }
pre.src-dash:before { content: 'dash'; }
pre.src-ksh:before { content: 'ksh'; }
pre.src-mksh:before { content: 'mksh'; }
pre.src-posh:before { content: 'posh'; }
/* Additional Emacs modes also supported by the LaTeX listings package */
pre.src-ada:before { content: 'Ada'; }
pre.src-asm:before { content: 'Assembler'; }
pre.src-caml:before { content: 'Caml'; }
pre.src-delphi:before { content: 'Delphi'; }
pre.src-html:before { content: 'HTML'; }
pre.src-idl:before { content: 'IDL'; }
pre.src-mercury:before { content: 'Mercury'; }
pre.src-metapost:before { content: 'MetaPost'; }
pre.src-modula-2:before { content: 'Modula-2'; }
pre.src-pascal:before { content: 'Pascal'; }
pre.src-ps:before { content: 'PostScript'; }
pre.src-prolog:before { content: 'Prolog'; }
pre.src-simula:before { content: 'Simula'; }
pre.src-tcl:before { content: 'tcl'; }
pre.src-tex:before { content: 'TeX'; }
pre.src-plain-tex:before { content: 'Plain TeX'; }
pre.src-verilog:before { content: 'Verilog'; }
pre.src-vhdl:before { content: 'VHDL'; }
pre.src-xml:before { content: 'XML'; }
pre.src-nxml:before { content: 'XML'; }
/* add a generic configuration mode; LaTeX export needs an additional
(add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
pre.src-conf:before { content: 'Configuration File'; }
table { border-collapse:collapse; }
caption.t-above { caption-side: top; }
caption.t-bottom { caption-side: bottom; }
td, th { vertical-align:top; }
th.org-right { text-align: center; }
th.org-left { text-align: center; }
th.org-center { text-align: center; }
td.org-right { text-align: right; }
td.org-left { text-align: left; }
td.org-center { text-align: center; }
dt { font-weight: bold; }
.footpara { display: inline; }
.footdef { margin-bottom: 1em; }
.figure { padding: 1em; }
.figure p { text-align: center; }
.inlinetask {
padding: 10px;
border: 2px solid gray;
margin: 10px;
background: #ffffcc;
}
#org-div-home-and-up
{ text-align: right; font-size: 70%; white-space: nowrap; }
textarea { overflow-x: auto; }
.linenr { font-size: smaller }
.code-highlighted { background-color: #ffff00; }
.org-info-js_info-navigation { border-style: none; }
#org-info-js_console-label
{ font-size: 10px; font-weight: bold; white-space: nowrap; }
.org-info-js_search-highlight
{ background-color: #ffff00; color: #000000; font-weight: bold; }
.org-svg { width: 90%; }
/*]]>*/-->
</style>
<link rel="stylesheet" type="text/css" href="freedombone.css" />
<script type="text/javascript">
/*
@licstart The following is the entire license notice for the
JavaScript code in this tag.
Copyright (C) 2012-2017 Free Software Foundation, Inc.
The JavaScript code in this tag is free software: you can
redistribute it and/or modify it under the terms of the GNU
General Public License (GNU GPL) as published by the Free Software
Foundation, either version 3 of the License, or (at your option)
any later version. The code is distributed WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
As additional permission under GNU GPL version 3 section 7, you
may distribute non-source (e.g., minimized or compacted) forms of
that code without the copy of the GNU GPL normally required by
section 4, provided you include this license notice and a URL
through which recipients can access the Corresponding Source.
@licend The above is the entire license notice
for the JavaScript code in this tag.
*/
<!--/*--><![CDATA[/*><!--*/
function CodeHighlightOn(elem, id)
{
var target = document.getElementById(id);
if(null != target) {
elem.cacheClassElem = elem.className;
elem.cacheClassTarget = target.className;
target.className = "code-highlighted";
elem.className = "code-highlighted";
}
}
function CodeHighlightOff(elem, id)
{
var target = document.getElementById(id);
if(elem.cacheClassElem)
elem.className = elem.cacheClassElem;
if(elem.cacheClassTarget)
target.className = elem.cacheClassTarget;
}
/*]]>*///-->
</script>
</head>
<body>
<div id="preamble" class="status">
<a name="top" id="top"></a>
</div>
<div id="content">
<div class="org-center">
<div class="figure">
<p><img src="images/logo.png" alt="logo.png" />
</p>
</div>
</div>
<center>
<h1>OpenPGP Key Server</h1>
</center>
<p>
The <i>web of trust</i> is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are a two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would it be for adversaries to get implants onto them? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side.
</p>
<p>
For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to <i>find out how to communicate with others securely via email</i>. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers.
</p>
<div class="org-center">
<div class="figure">
<p><img src="images/keyserver.jpg" alt="keyserver.jpg" />
</p>
</div>
</div>
<div id="outline-container-orgfcf6c32" class="outline-2">
<h2 id="orgfcf6c32">Installation</h2>
<div class="outline-text-2" id="text-orgfcf6c32">
<p>
ssh into the system with:
</p>
<div class="org-src-container">
<pre><code class="src src-bash">ssh myusername@mydomain.com -p 2222
</code></pre>
</div>
<p>
Select <b>Add/Remove Apps</b> then <b>keyserver</b>. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under <b>Dynamic DNS</b> on the FreeDNS site (the random string from "<i>quick cron example</i>" which appears after <i>update.php?</i> and before <i>&gt;&gt;</i>). For more details on obtaining a domain and making it accessible via dynamic DNS see the <a href="./faq.html">FAQ</a>. Typically the domain name you use will be a subdomain, such as <i>keys.mydomainname.net</i>. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
</p>
<p>
After the install has completed go to <b>Security settings</b> and select <b>Create a new Let's Encrypt certificate</b> and enter the domain name that you are using for the Key server. If the certificate is obtained successfully then you will see a congratulations message.
</p>
</div>
</div>
<div id="outline-container-org8e2baf7" class="outline-2">
<h2 id="org8e2baf7">How to use it</h2>
<div class="outline-text-2" id="text-org8e2baf7">
<p>
Interaction with the web user interface is pretty minimal and obvious, but most likely you will also want to be able to use your keyserver from the commandline. To do that use the <b>&#x2013;keyserver</b> option. For example to search for a key on your server:
</p>
<div class="org-src-container">
<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --search-keys [email address]
</code></pre>
</div>
<p>
Or to send a key to it:
</p>
<div class="org-src-container">
<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --send-keys [email address or key ID]
</code></pre>
</div>
<p>
Or to get a key:
</p>
<div class="org-src-container">
<pre><code class="src src-bash">gpg --keyserver [your keyserver domain] --recv-keys [email address or key ID]
</code></pre>
</div>
</div>
</div>
<div id="outline-container-orgf7e93ae" class="outline-2">
<h2 id="orgf7e93ae">Sync with other keyservers</h2>
<div class="outline-text-2" id="text-orgf7e93ae">
<p>
Key servers avoid censorship or errors by gossiping between each other and cross referencing the data. You can define which other servers your key server will gossip with by going to the <b>Administrator control panel</b>, selecting <b>App Settings</b> then <b>keyserver</b> then <b>Sync with other keyserver</b>.
</p>
<p>
It's a good idea not to try to sync with the popular OpenPGP key servers, because those have gigantic databases which may make your server unstable and certainly would make it hard to create backups within a tractable amount of time. This option is mainly intended to sync with other Freedombone systems or small home servers within a particular community.
</p>
</div>
</div>
<div id="outline-container-org7be3c82" class="outline-2">
<h2 id="org7be3c82">Possible problems</h2>
<div class="outline-text-2" id="text-org7be3c82">
<p>
OpenPGP key servers are not very well defended from flooding attacks. This means that an adversary could just upload a billion keys to destabilize the server and fill it with nonsense to make it unusable. Since key servers are <i>fully open to the public</i> there isn't anything to prevent that from happening.
</p>
<p>
Within the Freedombone system there is a watchdog script which keeps track of the key server database size, and disables the key server if that gets too large. Apart from the usual firewall and web server traffic rate limits, this is a crude but probably practical way of defending against flooding.
</p>
<p>
If a flood attack does happen then really the only way to recover is to restore from the last known good backup, which can be done from the <b>Administrator control panel</b>.
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<style type="text/css">
.back-to-top {
position: fixed;
bottom: 2em;
right: 0px;
text-decoration: none;
color: #000000;
background-color: rgba(235, 235, 235, 0.80);
font-size: 12px;
padding: 1em;
display: none;
}
.back-to-top:hover {
background-color: rgba(135, 135, 135, 0.50);
}
</style>
<div class="back-to-top">
<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
</div>
</div>
</body>
</html>

View File

@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-07-25 Tue 23:25 -->
<!-- 2017-07-28 Fri 22:42 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title></title>
@ -264,9 +264,9 @@ The base install of the system just contains an email server and Mutt client, bu
</div>
</div>
<div id="outline-container-org9a19246" class="outline-2">
<h2 id="org9a19246">CryptPad</h2>
<div class="outline-text-2" id="text-org9a19246">
<div id="outline-container-orgbe17d63" class="outline-2">
<h2 id="orgbe17d63">CryptPad</h2>
<div class="outline-text-2" id="text-orgbe17d63">
<p>
Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.
</p>
@ -276,9 +276,9 @@ Collaborate on editing documents, presentations and source code, or vote on thin
</p>
</div>
</div>
<div id="outline-container-orgaf887a3" class="outline-2">
<h2 id="orgaf887a3">DLNA</h2>
<div class="outline-text-2" id="text-orgaf887a3">
<div id="outline-container-orgeb85cd1" class="outline-2">
<h2 id="orgeb85cd1">DLNA</h2>
<div class="outline-text-2" id="text-orgeb85cd1">
<p>
Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
</p>
@ -288,9 +288,9 @@ Enables you to use the system as a music server which any DLNA compatible device
</p>
</div>
</div>
<div id="outline-container-org24b3d95" class="outline-2">
<h2 id="org24b3d95">Dokuwiki</h2>
<div class="outline-text-2" id="text-org24b3d95">
<div id="outline-container-orge7dce56" class="outline-2">
<h2 id="orge7dce56">Dokuwiki</h2>
<div class="outline-text-2" id="text-orge7dce56">
<p>
A databaseless wiki system.
</p>
@ -300,9 +300,9 @@ A databaseless wiki system.
</p>
</div>
</div>
<div id="outline-container-orga7568ea" class="outline-2">
<h2 id="orga7568ea">Emacs</h2>
<div class="outline-text-2" id="text-orga7568ea">
<div id="outline-container-org16980fe" class="outline-2">
<h2 id="org16980fe">Emacs</h2>
<div class="outline-text-2" id="text-org16980fe">
<p>
If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
</p>
@ -312,9 +312,9 @@ If you use the Mutt client to read your email then this will set it up to use em
</p>
</div>
</div>
<div id="outline-container-org3d4300f" class="outline-2">
<h2 id="org3d4300f">Etherpad</h2>
<div class="outline-text-2" id="text-org3d4300f">
<div id="outline-container-orge6eede4" class="outline-2">
<h2 id="orge6eede4">Etherpad</h2>
<div class="outline-text-2" id="text-orge6eede4">
<p>
Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
</p>
@ -324,9 +324,9 @@ Collaborate on creating documents in real time. Maybe you're planning a holiday
</p>
</div>
</div>
<div id="outline-container-org91f769f" class="outline-2">
<h2 id="org91f769f">Friendica</h2>
<div class="outline-text-2" id="text-org91f769f">
<div id="outline-container-org72aea62" class="outline-2">
<h2 id="org72aea62">Friendica</h2>
<div class="outline-text-2" id="text-org72aea62">
<p>
Federated social network system.
</p>
@ -336,9 +336,9 @@ Federated social network system.
</p>
</div>
</div>
<div id="outline-container-org6266e6b" class="outline-2">
<h2 id="org6266e6b">Ghost</h2>
<div class="outline-text-2" id="text-org6266e6b">
<div id="outline-container-org75bbd1d" class="outline-2">
<h2 id="org75bbd1d">Ghost</h2>
<div class="outline-text-2" id="text-org75bbd1d">
<p>
Modern looking blogging system.
</p>
@ -348,9 +348,9 @@ Modern looking blogging system.
</p>
</div>
</div>
<div id="outline-container-orge7307c0" class="outline-2">
<h2 id="orge7307c0">GNU Social</h2>
<div class="outline-text-2" id="text-orge7307c0">
<div id="outline-container-org879241a" class="outline-2">
<h2 id="org879241a">GNU Social</h2>
<div class="outline-text-2" id="text-org879241a">
<p>
Federated social network. You can "<i>remote follow</i>" other users within the GNU Social federation.
</p>
@ -360,9 +360,9 @@ Federated social network. You can "<i>remote follow</i>" other users within the
</p>
</div>
</div>
<div id="outline-container-org42d8a6c" class="outline-2">
<h2 id="org42d8a6c">Gogs</h2>
<div class="outline-text-2" id="text-org42d8a6c">
<div id="outline-container-org0c63c0d" class="outline-2">
<h2 id="org0c63c0d">Gogs</h2>
<div class="outline-text-2" id="text-org0c63c0d">
<p>
Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar <i>fork-and-pull</i> workflow. If you can use Github then you can also use Gogs.
</p>
@ -372,9 +372,9 @@ Lightweight git project hosting system. You can mirror projects from Github, or
</p>
</div>
</div>
<div id="outline-container-org21d5b80" class="outline-2">
<h2 id="org21d5b80">HTMLy</h2>
<div class="outline-text-2" id="text-org21d5b80">
<div id="outline-container-org8d5a195" class="outline-2">
<h2 id="org8d5a195">HTMLy</h2>
<div class="outline-text-2" id="text-org8d5a195">
<p>
Databaseless blogging system. Quite simple and with a markdown-like format.
</p>
@ -384,9 +384,9 @@ Databaseless blogging system. Quite simple and with a markdown-like format.
</p>
</div>
</div>
<div id="outline-container-org47d8fc7" class="outline-2">
<h2 id="org47d8fc7">Hubzilla</h2>
<div class="outline-text-2" id="text-org47d8fc7">
<div id="outline-container-orgbc0a684" class="outline-2">
<h2 id="orgbc0a684">Hubzilla</h2>
<div class="outline-text-2" id="text-orgbc0a684">
<p>
Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
</p>
@ -396,9 +396,9 @@ Web publishing platform with social network like features and good privacy contr
</p>
</div>
</div>
<div id="outline-container-org71113c6" class="outline-2">
<h2 id="org71113c6">IRC Server (ngirc)</h2>
<div class="outline-text-2" id="text-org71113c6">
<div id="outline-container-org4f18360" class="outline-2">
<h2 id="org4f18360">IRC Server (ngirc)</h2>
<div class="outline-text-2" id="text-org4f18360">
<p>
Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
</p>
@ -408,18 +408,18 @@ Run your own IRC chat channel which can be secured with a password and accessibl
</p>
</div>
</div>
<div id="outline-container-org9f28087" class="outline-2">
<h2 id="org9f28087">Jitsi Meet</h2>
<div class="outline-text-2" id="text-org9f28087">
<div id="outline-container-orgc105f39" class="outline-2">
<h2 id="orgc105f39">Jitsi Meet</h2>
<div class="outline-text-2" id="text-orgc105f39">
<p>
Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
</p>
</div>
</div>
<div id="outline-container-orgbad5922" class="outline-2">
<h2 id="orgbad5922">KanBoard</h2>
<div class="outline-text-2" id="text-orgbad5922">
<div id="outline-container-org10fbc88" class="outline-2">
<h2 id="org10fbc88">KanBoard</h2>
<div class="outline-text-2" id="text-org10fbc88">
<p>
A simple kanban system for managing projects or TODO lists.
</p>
@ -429,9 +429,21 @@ A simple kanban system for managing projects or TODO lists.
</p>
</div>
</div>
<div id="outline-container-org6529912" class="outline-2">
<h2 id="org6529912">Koel</h2>
<div class="outline-text-2" id="text-org6529912">
<div id="outline-container-orgb3097e7" class="outline-2">
<h2 id="orgb3097e7">Key Server</h2>
<div class="outline-text-2" id="text-orgb3097e7">
<p>
An OpenPGP key server for storing and retrieving GPG public keys.
</p>
<p>
<a href="./app_keyserver.html">How to use it</a>
</p>
</div>
</div>
<div id="outline-container-orga3542ee" class="outline-2">
<h2 id="orga3542ee">Koel</h2>
<div class="outline-text-2" id="text-orga3542ee">
<p>
Access your music collection from any internet connected device.
</p>
@ -441,9 +453,9 @@ Access your music collection from any internet connected device.
</p>
</div>
</div>
<div id="outline-container-orgc0eae1a" class="outline-2">
<h2 id="orgc0eae1a">Lychee</h2>
<div class="outline-text-2" id="text-orgc0eae1a">
<div id="outline-container-orga662c8f" class="outline-2">
<h2 id="orga662c8f">Lychee</h2>
<div class="outline-text-2" id="text-orga662c8f">
<p>
Make your photo albums available on the web.
</p>
@ -453,9 +465,9 @@ Make your photo albums available on the web.
</p>
</div>
</div>
<div id="outline-container-orga4bfc9d" class="outline-2">
<h2 id="orga4bfc9d">Mailpile</h2>
<div class="outline-text-2" id="text-orga4bfc9d">
<div id="outline-container-orgccf23ee" class="outline-2">
<h2 id="orgccf23ee">Mailpile</h2>
<div class="outline-text-2" id="text-orgccf23ee">
<p>
Modern email client which supports GPG encryption.
</p>
@ -465,9 +477,9 @@ Modern email client which supports GPG encryption.
</p>
</div>
</div>
<div id="outline-container-org672b48e" class="outline-2">
<h2 id="org672b48e">Matrix</h2>
<div class="outline-text-2" id="text-org672b48e">
<div id="outline-container-orgdee374a" class="outline-2">
<h2 id="orgdee374a">Matrix</h2>
<div class="outline-text-2" id="text-orgdee374a">
<p>
Multi-user chat with some security and moderation controls.
</p>
@ -477,9 +489,9 @@ Multi-user chat with some security and moderation controls.
</p>
</div>
</div>
<div id="outline-container-orgce218ca" class="outline-2">
<h2 id="orgce218ca">Mediagoblin</h2>
<div class="outline-text-2" id="text-orgce218ca">
<div id="outline-container-org7faaca0" class="outline-2">
<h2 id="org7faaca0">Mediagoblin</h2>
<div class="outline-text-2" id="text-org7faaca0">
<p>
Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.
</p>
@ -489,9 +501,9 @@ Publicly host video and audio files so that you don't need to use YouTube/Vimeo/
</p>
</div>
</div>
<div id="outline-container-orgb224245" class="outline-2">
<h2 id="orgb224245">Mumble</h2>
<div class="outline-text-2" id="text-orgb224245">
<div id="outline-container-orgfa87291" class="outline-2">
<h2 id="orgfa87291">Mumble</h2>
<div class="outline-text-2" id="text-orgfa87291">
<p>
The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
</p>
@ -501,9 +513,9 @@ The popular VoIP and text chat system. Say goodbye to old-fashioned telephony co
</p>
</div>
</div>
<div id="outline-container-org2786fbb" class="outline-2">
<h2 id="org2786fbb">NextCloud</h2>
<div class="outline-text-2" id="text-org2786fbb">
<div id="outline-container-org88bc444" class="outline-2">
<h2 id="org88bc444">NextCloud</h2>
<div class="outline-text-2" id="text-org88bc444">
<p>
Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.
</p>
@ -513,9 +525,9 @@ Store files on your server and sync them with laptops or mobile devices. Include
</p>
</div>
</div>
<div id="outline-container-orgaad15be" class="outline-2">
<h2 id="orgaad15be">PI-Hole</h2>
<div class="outline-text-2" id="text-orgaad15be">
<div id="outline-container-orgd909087" class="outline-2">
<h2 id="orgd909087">PI-Hole</h2>
<div class="outline-text-2" id="text-orgd909087">
<p>
The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
</p>
@ -525,9 +537,9 @@ The black hole for web adverts. Block adverts at the domain name level within yo
</p>
</div>
</div>
<div id="outline-container-org0cb789f" class="outline-2">
<h2 id="org0cb789f">PostActiv</h2>
<div class="outline-text-2" id="text-org0cb789f">
<div id="outline-container-org54cc393" class="outline-2">
<h2 id="org54cc393">PostActiv</h2>
<div class="outline-text-2" id="text-org54cc393">
<p>
An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
</p>
@ -537,9 +549,9 @@ An alternative federated social networking system compatible with GNU Social. It
</p>
</div>
</div>
<div id="outline-container-org6b2db26" class="outline-2">
<h2 id="org6b2db26">Profanity</h2>
<div class="outline-text-2" id="text-org6b2db26">
<div id="outline-container-orgbf4385b" class="outline-2">
<h2 id="orgbf4385b">Profanity</h2>
<div class="outline-text-2" id="text-orgbf4385b">
<p>
A shell based XMPP client which you can run on the Freedombone server via ssh.
</p>
@ -549,9 +561,9 @@ A shell based XMPP client which you can run on the Freedombone server via ssh.
</p>
</div>
</div>
<div id="outline-container-org4dea572" class="outline-2">
<h2 id="org4dea572">Riot Web</h2>
<div class="outline-text-2" id="text-org4dea572">
<div id="outline-container-orgda318c9" class="outline-2">
<h2 id="orgda318c9">Riot Web</h2>
<div class="outline-text-2" id="text-orgda318c9">
<p>
A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.
</p>
@ -561,9 +573,9 @@ A browser based user interface for the Matrix federated communications system, i
</p>
</div>
</div>
<div id="outline-container-org7e88433" class="outline-2">
<h2 id="org7e88433">SearX</h2>
<div class="outline-text-2" id="text-org7e88433">
<div id="outline-container-org99449d0" class="outline-2">
<h2 id="org99449d0">SearX</h2>
<div class="outline-text-2" id="text-org99449d0">
<p>
A metasearch engine for customised and private web searches.
</p>
@ -573,9 +585,9 @@ A metasearch engine for customised and private web searches.
</p>
</div>
</div>
<div id="outline-container-orgcfc1af4" class="outline-2">
<h2 id="orgcfc1af4">tt-rss</h2>
<div class="outline-text-2" id="text-orgcfc1af4">
<div id="outline-container-org761a652" class="outline-2">
<h2 id="org761a652">tt-rss</h2>
<div class="outline-text-2" id="text-org761a652">
<p>
Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "<i>the right to read</i>" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
</p>
@ -585,9 +597,9 @@ Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via a
</p>
</div>
</div>
<div id="outline-container-org526d1e5" class="outline-2">
<h2 id="org526d1e5">Syncthing</h2>
<div class="outline-text-2" id="text-org526d1e5">
<div id="outline-container-orga6e23d7" class="outline-2">
<h2 id="orga6e23d7">Syncthing</h2>
<div class="outline-text-2" id="text-orga6e23d7">
<p>
Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
</p>
@ -597,9 +609,9 @@ Possibly the best way to synchronise files across all of your devices. Once it h
</p>
</div>
</div>
<div id="outline-container-org43bcb4f" class="outline-2">
<h2 id="org43bcb4f">Tahoe-LAFS</h2>
<div class="outline-text-2" id="text-org43bcb4f">
<div id="outline-container-org643b86b" class="outline-2">
<h2 id="org643b86b">Tahoe-LAFS</h2>
<div class="outline-text-2" id="text-org643b86b">
<p>
Robust and encrypted storage of files on one or more server.
</p>
@ -609,9 +621,9 @@ Robust and encrypted storage of files on one or more server.
</p>
</div>
</div>
<div id="outline-container-org29d522e" class="outline-2">
<h2 id="org29d522e">Tox</h2>
<div class="outline-text-2" id="text-org29d522e">
<div id="outline-container-org8eb9d12" class="outline-2">
<h2 id="org8eb9d12">Tox</h2>
<div class="outline-text-2" id="text-org8eb9d12">
<p>
Client and bootstrap node for the Tox chat/VoIP system.
</p>
@ -621,9 +633,9 @@ Client and bootstrap node for the Tox chat/VoIP system.
</p>
</div>
</div>
<div id="outline-container-org71eba9a" class="outline-2">
<h2 id="org71eba9a">Turtl</h2>
<div class="outline-text-2" id="text-org71eba9a">
<div id="outline-container-org5a0e4e5" class="outline-2">
<h2 id="org5a0e4e5">Turtl</h2>
<div class="outline-text-2" id="text-org5a0e4e5">
<p>
A system for privately creating and sharing notes and images, similar to Evernote but without the spying.
</p>
@ -633,18 +645,18 @@ A system for privately creating and sharing notes and images, similar to Evernot
</p>
</div>
</div>
<div id="outline-container-org95cabfd" class="outline-2">
<h2 id="org95cabfd">Vim</h2>
<div class="outline-text-2" id="text-org95cabfd">
<div id="outline-container-orgdeeab5b" class="outline-2">
<h2 id="orgdeeab5b">Vim</h2>
<div class="outline-text-2" id="text-orgdeeab5b">
<p>
If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
</p>
</div>
</div>
<div id="outline-container-org07897b8" class="outline-2">
<h2 id="org07897b8">XMPP</h2>
<div class="outline-text-2" id="text-org07897b8">
<div id="outline-container-orgdbd802c" class="outline-2">
<h2 id="orgdbd802c">XMPP</h2>
<div class="outline-text-2" id="text-orgdbd802c">
<p>
Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as <i>client state notification</i> to save battery power on your mobile devices, support for seamless roaming between networks and <i>message carbons</i> so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
</p>