sks(8)                      SKS OpenPGP Key server                      sks(8)

NAME
       SKS - Synchronizing Key Server

SYNOPSIS
       sks [options] -debug

DESCRIPTION
       SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
       decentralized, and highly reliable synchronization. That means that a
       key submitted to one SKS server will quickly be distributed to all key
       servers, and even wildly out-of-date servers, or servers that
       experience spotty connectivity, can fully synchronize with the rest of
       the system.

       The design of SKS is deliberately simple. The server consists of two
       single-threaded processes. The first, "sks db", fulfills the normal
       jobs associated with a public key server, such as answering web
       requests. The only special functionality of "sks db" is that it keeps
       a log summarizing the changes to the key database. "sks recon" does
       all the work with respect to reconciling hosts' databases. "sks recon"
       keeps track of specialized summary information about the database, and
       can use that information to efficiently determine the differences
       between its database and that of another host.
28
FEATURES
       Highly efficient and reliable reconciliation algorithm.

       Follows RFC 2440 and RFC 2440bis (the draft that became RFC 4880)
       carefully - unlike PKS, SKS supports new- and old-style packets, photo
       ID packets, multiple subkeys, and pretty much everything allowed by the
       RFCs.

       Fully compatible with the PKS system - can both send and receive syncs
       from PKS servers, ensuring seamless connectivity.

       Simple configuration: each host just needs a (partial) list of the
       other participating key servers. Gossip is used to distribute
       information without putting a heavy load on any one host.

       Supports HKP/web-based querying, including the machine-readable index
       format (the options=mr output described in the HKP draft).
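       As an added example (not code from SKS or from this man page), the
       following Python builds HKP lookup URLs against a server's hkp_port
       and parses the machine-readable index (options=mr) such a query
       returns. The server name and the sample response are constructed for
       illustration. The fingerprint check reflects the security point that
       a keyserver authenticates nothing: anyone can upload a key carrying
       any user ID, so a fetched key must be matched against a fingerprint
       obtained out of band before it is trusted.

```python
"""HKP client helpers: build /pks/lookup URLs and parse the options=mr index.

Added example; not code from SKS. The server name and the sample response
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlencode

HKP_DEFAULT_PORT = 11371  # conventional HKP port (recon 11370, HKP one above)

# Constructed sample of an options=mr index response: one RSA key that is
# still valid, and one DSA key the server marks revoked ("r").
SAMPLE_MR_RESPONSE = """\
info:1:2
pub:ABCDEF0123456789ABCDEF0123456789ABCDEF01:1:4096:1352000000::
uid:Alice Example <alice%40example.org>:1352000000::
pub:0123456789ABCDEF:17:1024:946684800:1262304000:r
uid:Bob Example <bob%40example.org>:946684800::r
"""


@dataclass
class HkpKey:
    """One pub: record from a machine-readable index, plus its uid: lines."""
    keyid: str              # key ID or full fingerprint, as the server returns it
    algo: int               # OpenPGP public-key algorithm (1 = RSA, 17 = DSA)
    keylen: int             # key size in bits
    created: int            # creation time, seconds since the epoch
    expires: Optional[int]  # expiry time, or None when the key does not expire
    flags: str              # any of r (revoked), d (disabled), e (expired)
    uids: List[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        """False if the server marks the key revoked, disabled or expired."""
        return not any(f in self.flags for f in "rde")


def lookup_url(host: str, search: str, op: str = "index",
               port: int = HKP_DEFAULT_PORT) -> str:
    """Build an HKP lookup URL; op is 'index', 'vindex' or 'get'."""
    if op not in ("index", "vindex", "get"):
        raise ValueError(f"unknown HKP op {op!r}")
    # options=mr requests the machine-readable index; servers ignore it on get.
    query = urlencode({"op": op, "search": search, "options": "mr"})
    return f"http://{host}:{port}/pks/lookup?{query}"


def parse_mr_index(text: str) -> List[HkpKey]:
    """Parse options=mr output: colon-separated info:, pub: and uid: lines."""
    keys: List[HkpKey] = []
    expected: Optional[int] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        kind = fields[0]
        if kind == "info":
            # info:<version>:<number of pub records that follow>
            version, expected = int(fields[1]), int(fields[2])
            if version != 1:
                raise ValueError(f"line {lineno}: unsupported mr version {version}")
        elif kind == "pub":
            # pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
            if len(fields) < 7:
                raise ValueError(f"line {lineno}: short pub record")
            keyid, algo, keylen, created, expires, flags = fields[1:7]
            keys.append(HkpKey(keyid.upper(), int(algo), int(keylen), int(created),
                               int(expires) if expires else None, flags))
        elif kind == "uid":
            # uid:<percent-escaped user id>:<creationdate>:<expirationdate>:<flags>
            if not keys:
                raise ValueError(f"line {lineno}: uid record before any pub record")
            keys[-1].uids.append(unquote(fields[1]))
        # Unknown record types are skipped so that extensions do not break parsing.
    if expected is not None and expected != len(keys):
        raise ValueError(f"info line promised {expected} keys, got {len(keys)}")
    return keys


def matches_fingerprint(key: HkpKey, fingerprint: str) -> bool:
    """Match a returned key against a fingerprint obtained out of band.

    32-bit short key IDs are refused outright: they collide trivially and a
    hostile uploader can publish a key with any short ID they like.
    """
    want = fingerprint.replace(" ", "").upper()
    if want.startswith("0X"):
        want = want[2:]
    if len(want) < 16:
        return False
    return key.keyid.endswith(want)


if __name__ == "__main__":
    print(lookup_url("keyserver.example.com", "0xABCDEF0123456789ABCDEF0123456789ABCDEF01"))
    for k in parse_mr_index(SAMPLE_MR_RESPONSE):
        print(k.keyid, k.uids, "usable" if k.usable else f"flags={k.flags}")
```

       Fetching with op=get returns the ASCII-armored key; the index parser
       above is what lets a script decide, before importing anything, which
       of several hits carries the expected fingerprint and is not flagged
       revoked or expired.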
45
COMMANDS
       SKS binary command options are as follows:

       db
              Initiates the database server.

       recon
              Initiates the reconciliation server.

       cleandb
              Applies filters to all keys in the database, fixing some common
              problems.

       build
              Builds the key database, including the bodies of keys directly
              in the database.

       fastbuild -n [size] -cache [mbytes]
              Builds the key database without including key bodies directly
              in the database; faster than build. -n specifies the multiple
              of 15000 keys to read in at once, and -cache specifies the
              database cache to use in megabytes.

       pbuild -cache [mbytes] -ptree_cache [mbytes]
              Builds the prefix-tree database, used by the reconciliation
              server, from the key database. Allows the cache for the key
              database and for the ptree database to be specified.

       dump #keys dumpdir
              Creates a raw dump of the keys in the database.

       merge
              Adds keys from key files to the existing database.

       drop
              Drops a key from the database.

       update_subkeys [-n # of updates / 1000]
              Updates the subkey keyid index to include all current keys.
              Only useful when upgrading from SKS version 1.0.4 or earlier.

       help
              Prints the help message.
87
OPTIONS
       You won't need most of the options below for normal operation. These
       options can be given in basedir/sksconf or as command line options to
       the sks binary.

       -debug
              Debugging mode.

       -debuglevel
              Debugging level -- sets verbosity of logging.

       -q
              Number of bits defining a bin.

       -mbar
              Number of errors that can be corrected in one shot.

       -seed
              Seed used by the RNG.

       -hostname
              Current hostname.

       -d
              Number of keys to drop at random when synchronizing.

       -n
              Multiple of 15,000 keys to load at once.

       -max_internal_matches
              Maximum number of matches for the most specific word in a
              multi-word search.

       -max_matches
              Maximum number of matches that will be returned from a query.

       -max_uid_fetches
              Maximum number of uid fetches performed in a verbose index
              query.

       -pagesize
              Pagesize in bytes for the key db.

       -cache
              Cache size in megabytes for the key db.

       -ptree_pagesize
              Pagesize in bytes for the prefix tree db.

       -ptree_cache
              Cache size in megabytes for the prefix tree db.

       -baseport
              Set base port number.

       -recon_port
              Set recon port number.

       -recon_address
              Set recon binding address. Can be a list of whitespace
              separated IP addresses. Binding only the interface on which
              your gossip peers reach you keeps the reconciliation listener
              off networks that have no business talking to it.

       -hkp_port
              Set hkp port number.

       -hkp_address
              Set hkp binding address. Can be a list of whitespace separated
              IP addresses.

       -use_port_80
              Have the HKP interface listen on port 80, as well as the
              hkp_port. Binding a port below 1024 normally requires root
              privileges (or, on Linux, the CAP_NET_BIND_SERVICE capability);
              a reverse proxy in front of hkp_port achieves the same
              reachability without running sks as root.

       -basedir
              Set base directory.

       -stdoutlog
              Send log messages to stdout instead of the log file.

       -diskptree
              Use a disk-based ptree implementation. Slower, but requires far
              less memory.

       -nodiskptree
              Use an in-memory ptree.

       -max_ptree_nodes
              Maximum number of allowed ptree nodes. Only meaningful if
              -diskptree is set.

       -prob
              Set probability. Used for testing code only.

       -recon_sync_interval
              Set sync interval for the reconserver.

       -gossip_interval
              Set time between gossips in minutes.

       -dontgossip
              Don't gossip automatically. The host will still respond to
              requests from other hosts.

       -db_sync_interval
              Set sync interval for the dbserver.

       -checkpoint_interval
              Time period between checkpoints.

       -recon_checkpoint_interval
              Time period between checkpoints for the reconserver.

       -ptree_thresh_mult
              Multiple of thresh which specifies the minimum node size in the
              prefix tree.

       -recon_thresh_mult
              Multiple of thresh which specifies the minimum node size that
              is included in reconciliation.

       -max_recover
              Maximum number of differences to recover in one round.

       -http_fetch_size
              Number of keys for the reconserver to fetch from the dbserver
              in one go.

       -wserver_timeout
              Timeout in seconds for webserver requests.

       -reconciliation_timeout
              Timeout for reconciliation runs in minutes.

       -stat_hour
              Hour at which to run database statistics.

       -initial_stat
              Runs the database statistics calculation on boot.

       -reconciliation_config_timeout
              Set timeout in seconds for the initial exchange of config info
              in reconciliation.

       -missing_keys_timeout
              Timeout in seconds for get_missing_keys.

       -command_timeout
              Timeout in seconds for commands sent over the command socket.

       -sendmail_cmd
              Command used for sending mail.

       -from_addr
              From address used in the synchronization emails exchanged with
              PKS servers.

       -dump_new_only
              When doing a database dump, only dump new keys, not keys
              already contained in a keydump file.

       -max_outstanding_recon_requests
              Maximum number of outstanding requests in reconciliation.

       -membership_reload_interval
              Maximum interval (in hours) at which the membership file is
              reloaded.

       --help, -help
              Displays the list of options.
253
FILES
       Information about important files located in your SKS basedir.

       bin/sks
              The main SKS executable.

       bin/sks_add_mail
              The executable responsible for parsing incoming mails from PKS
              key servers.

       bin/sks_build.sh
              Script to generate an initial database.

       mailsync
              The mailsync file should contain a list of email addresses of
              PKS keyservers. This file is important, because it ensures
              that keys submitted directly to an SKS keyserver are also
              forwarded to PKS keyservers. IMPORTANT: don't add someone to
              your mailsync file without getting their permission first!

       membership
              With SKS, two hosts can efficiently compare their databases and
              then repair whatever differences are found. In order to set up
              reconciliation, you first need to find other SKS servers that
              will agree to gossip with you. The hostname and port of each
              server that has agreed to do so should be added to this file.

       sksconf
              The configuration file for your SKS server.
283
EXAMPLES
       membership
              keyserver.ahost.org 11370     # Comments are allowed
              keyserver.foo.org 11370       # Another host with default ports

       sksconf
              membership_reload_interval: 1
              initial_stat:                 # a bare option name turns a switch on
              hostname: keyserver.example.com
              from_addr: pgp-public-keys@keyserver.example.com
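       As an added example, not part of SKS, this Python reads a sksconf and
       a membership file in the formats shown above (constructed copies, with
       two deliberately bad peer lines added) and reports a few configuration
       problems before "sks recon" is started. The derivation of the default
       ports (recon on baseport, HKP on baseport + 1, 11370/11371 when
       nothing is set) and the all-interfaces default for an unset bind
       address are assumptions about SKS, not statements from this page.

```python
"""Load sksconf and membership files and run basic sanity checks.

Added example; not part of SKS. The sample files are constructed from the
EXAMPLES section, and the port and bind-address defaults are assumptions.
"""
from typing import Dict, List, Tuple, Union

ConfValue = Union[str, bool]

SAMPLE_SKSCONF = """\
# sksconf: one "option: value" per line; '#' starts a comment
membership_reload_interval: 1
initial_stat:
hostname: keyserver.example.com
from_addr: pgp-public-keys@keyserver.example.com
recon_address: 192.0.2.10
"""

SAMPLE_MEMBERSHIP = """\
keyserver.ahost.org 11370   # Comments are allowed
keyserver.foo.org 11370     # Another host with default ports
keyserver.bar.org 11371     # constructed mistake: HKP port, not recon port
keyserver.ahost.org 11370   # constructed mistake: duplicate entry
"""


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_sksconf(text: str) -> Dict[str, ConfValue]:
    """Parse 'option: value' lines; a bare 'option:' is a boolean switch (True)."""
    conf: Dict[str, ConfValue] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"sksconf line {lineno}: expected 'option: value'")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        conf[key] = True if value == "" else value
    return conf


def parse_membership(text: str) -> List[Tuple[str, int]]:
    """Parse 'host port' lines into (host, port) pairs, keeping file order."""
    peers: List[Tuple[str, int]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"membership line {lineno}: expected 'host port'")
        host, port = parts[0], int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"membership line {lineno}: port {port} out of range")
        peers.append((host, port))
    return peers


def effective_ports(conf: Dict[str, ConfValue]) -> Tuple[int, int]:
    """Return (recon_port, hkp_port) after applying defaults.

    Assumption (not stated in the man page): recon listens on baseport and
    HKP on baseport + 1, with 11370/11371 when nothing is configured.
    """
    base = int(conf.get("baseport", 11370))
    recon = int(conf.get("recon_port", base))
    hkp = int(conf.get("hkp_port", base + 1))
    return recon, hkp


def check(conf: Dict[str, ConfValue], peers: List[Tuple[str, int]]) -> List[str]:
    """Return human-readable warnings; an empty list means nothing was found."""
    warnings: List[str] = []
    recon, hkp = effective_ports(conf)
    seen = set()
    for host, port in peers:
        if (host, port) in seen:
            warnings.append(f"duplicate peer {host} {port}")
        seen.add((host, port))
        if port == hkp and hkp != recon:
            warnings.append(f"{host} {port}: this is the HKP port; gossip peers "
                            f"are reached on their recon port ({recon} here)")
    for key in ("recon_address", "hkp_address"):
        if key not in conf:
            # Assumption: an unset bind address means every interface.
            warnings.append(f"{key} not set: listener binds all interfaces")
    return warnings


def run_checks(sksconf: str = SAMPLE_SKSCONF,
               membership: str = SAMPLE_MEMBERSHIP) -> List[str]:
    """Parse both files and return the warnings for them."""
    return check(parse_sksconf(sksconf), parse_membership(membership))


if __name__ == "__main__":
    for warning in run_checks():
        print("WARNING:", warning)
```

       Run it against the real files with the basedir paths substituted for
       the constructed samples; the parsers raise on a malformed line rather
       than silently skipping it, so a typo in membership is caught before
       sks recon spends a gossip interval failing to reach the peer.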
294
       Procmail
              PATH=/path/of/sks/executables
              :0
              * ^Subject: incremental
              | /path/of/sks_add_mail /path/to/sks/directory

       /etc/aliases
              pgp-public-keys: "|/path/of/sks_add_mail /path/to/sks/directory"
303
SEE ALSO
       The SKS website is located at http://minskyprimus.net/sks/.

AUTHOR
       The first draft was written by Thomas Sjogren
       <thomas@northernsecurity.net>.



0.1                              2009-03-29                              sks(8)