1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
onak 0.6.4
Copyright 2002-2025 Jonathan McDowell
https://www.earth.li/projectpurple/progs/onak.html
Introduction:
onak is an OpenPGP compatible keyserver. It's primary purpose is the
storage and retrieval of OpenPGP keys but it also has features that make
use of the stored keys for various other purposes. The most useful of
these is probably the pathfinder. This takes two keys, a & b, and
attempts to find a path of trust from a to b in the key database. I
started work on it because at the time there was no DFSG compliant
server that supported multiple subkeys and could act as a drop in
replacement for pksd, which I was running at the time.
Installation:
onak has been mainly developed under Linux with a bit of work on FreeBSD
at times also. It should run on all architectures, but has only been
tested on i386, AMD64 and PowerPC so far.
Typing "./configure && make" should produce a version of onak with
support for the DB4 backend. If you want to choose a different backend
(see below for a discussion about the options) you'll need to pass the
appropriate option to ./configure.
Once make has completed you'll end up with various binaries:
* onak
This is the main program. It's intended to be run from the command
line and allows the addition, deletion and searching of keys in the
database.
* onak-mail.pl
The mail processor. Takes incoming mail (usually to
pgp-public-keys@host) and calls onak to do the necessary work.
Currently only supports INCREMENTAL mails for syncing with other
keyservers and INDEX mails from users.
* add, lookup & gpgwww
The CGI programs. add & lookup are common to all PGP keyservers while
gpgwww is the pathfinder component of onak. To get a keyserver that
clients such as GPG can sync with you'll need to put these in a /pks
directory on a web server running on port 11371. There's an example
mathopd.conf file provided that I used for testing, but I'm now using
Apache for the public test rig as it's already present on the host
running it.
* splitkeys
Utility to take a keyring and split it up into a bunch of smaller ones.
Config:
I've finally added config file support. onak.ini is an example config;
the main thing to change is the location in the backend section to
whereever you want to put your database files. The configure script allows
you to specific where it should live; by default it'll be PREFIX/etc/onak.ini.
Backends:
Currently there is support for 6 different database backends:
* file
The original backend. Very simple and ideal for testing. Stores each
key as a separate file. Doesn't support searching based on key text.
* pg (PostgreSQL)
Once the preferred backend. Use onak.sql to create the tables
necessary to run with this. Unfortunately although suitable for the
keyserver side it was found to be too slow for running the pathfinder
with a large number of keys. This may well be due to my use of it - if
you can help speed it up info would be appreciated.
* db4 (Berkeley libdb4)
The currently preferred backend. Supports the full range of functions
like the pg backend but is considerably faster. Also easier to setup
assuming you have libdb4 installed; there's no need to have an SQL
database running and configured.
* fs (file backend)
A fuller featured file based backend. Doesn't need any external
libraries and supports the full range of operations (such as text and
subkey searching). Needs a good filesystem to get good performance
though as it creates many, many files and links.
* hkp
A proxying backend. No keys are stored locally; all fetch and store
requests are forwarded to the provided keyserver.
Other keyservers:
I'm aware of the following other keyservers. If you know of any more
please let me know and I'll add them.
* pks
http://sf.net/projects/pks/
The original mainstream keyserver; what I used to run on
wwwkeys.uk.pgp.net. Died off due to lack of support for more modern
key features such as multiple subkeys, to the extent that it would
manage them. Largely replaced by SKS.
* CryptNET Keyserver
http://www.cryptnet.net/fsp/cks/
A GPLed server with support for multiple subkeys, but unfortunately
when I looked at it there was no support for syncing via email which
means it can't replace a pks server to act as part of pgp.net.
* Hockeypuck
https://hockeypuck.io/
Written in Go and with support for the SKS synchronisation protocol.
* OpenPKSD
http://openpksd.org/
Don't really know a lot about this. Primarily Japanese development
AFAICT.
* SKS
https://github.com/SKS-Keyserver/sks-keyserver
Probably the most popular keyserver currently. Improves dramatically
on the email synchronisation method by using an HTTP based set
reconciliation approach ensuring the keyserver network eventually
reaches consistency.
Contacting the author:
I can be reached via email as noodles@earth.li. I'm usually on IRC on
OFTC (irc.oftc.net) as Noodles.
All constructive criticism, bugs reports, patches and ideas are welcome.
Obtaining later versions:
onak lives at:
https://www.earth.li/projectpurple/progs/onak.html
Development is carried out using git; you can access the repository
with something like:
git clone https://the.earth.li/git/onak.git
or it can be browsed via gitweb at:
https://the.earth.li/gitweb/?p=onak.git;a=summary
It is also mirrored on GitHub at:
https://github.com/u1f35c/onak
License:
onak is distributed under the GNU Public License version 2, a copy of
which should have been provided with this archive as LICENSE.
|
