[Sks-devel] Shutdown of pgp.ustc.edu.cn
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I have shut down pgp.ustc.edu.cn. Please remove this server from your membership file.

Thanks!
Shengjing Zhu
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE85F2DZP0aJKsSKyHONAPABi+PjUFAl0bfEwACgkQONAPABi+
PjWY5Af/TgKjHnl1KKhKeHNH8ZEc2nBoMqxH7Ob/UepTJjwHnvVXI0LqH5fycGlK
kVXW98qKaCKoObaH4OFbNqd0l5hFbKK8zinWf6y5RfRxCtFaXfILEbqeWobSaTqM
A2Y8nHJOL/ijK6KsKR86Rz11kRPNkdGoZUQIxBkqUxEg3usBMLiptEg6k5J8fqsc
0b3Mc5WOc1QH6SgpIVt4m1+b17HwPKjadGWQ50gd2/qsVZGadAUjESfr47LgsJvV
/MNAiho1MlfC4y/N+xiBJrDRPDA6T3jzW5XAvZgFWxqjjhx6nN9OA/fQ4j0PQZ6NX
t4wX+e1Uo0BlZV++lxurcEZKmS0LAQ==
=YOhV
-----END PGP SIGNATURE-----
___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659
Sorry for top replying. I'm using a mobile phone.

Requests are coming from different networks, at least hundreds of IPs.

And it seems my server (pgp.ustc.edu.cn) is down again... I'll check it when I get home.

If it's caused by the two keys.. I may blacklist them...

brent s. wrote on Sun, Jan 13, 2019 at 04:45:
> On 1/12/19 2:15 PM, Shengjing Zhu wrote:
> > Hi,
> >
> > While I was rescuing my key server tonight, I found unusual
> > traffic for keys 0x69D2EAD9 and 0xB33B4659. It caused load on my server
> > when it tried to sync up with the network.
> >
> > Requests counted in 2h:
> >
> >  178 0xB33B4659
> >  186 0x69D2EAD9
> >  290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
> >  336 0x1013D73FECAC918A0A25823986CE877469D2EAD9
> >
> > Requests come from pool.sks-keyservers.net. Compared to the number of
> > servers behind the pool, I think these requests are quite unusual.
> > Does anyone know what happened to these two keys?
> >
>
> they're for FreePBX and have caused at least one other issue:
>
> https://lists.gnu.org/archive/html/sks-devel/2018-07/msg00077.html
>
> based on this:
>
> https://www.dslreports.com/forum/r30661088-PBX-FreePBX-for-the-Raspberry-Pi~start=810
>
> it would SEEM they're part of the FreePBX installation process, but it's
> possible that something from normal operation even fetches the key
> operationally and frequently.
>
> i see three possible situations:
>
> 0.) a recent update was made to FreePBX that fetches the key, even if it
> exists in the keyring or a key refresh is called (very likely)
> 1.) a random attack targeting you specifically is occurring and they just
> randomly picked that key ID (a little likely, but not very)
> 2.) the key has been compromised and is being used as part of a botnet
> for some purpose (extremely unlikely)
>
> i'll see if i can find out from the freepbx source/the project devs.
>
> will reply when i have further info.
>
>
> meanwhile, can you let us know if those requests are all coming from the
> same IP or allocation block?
>
> --
> brent saner
> https://square-r00t.net/
> GPG info: https://square-r00t.net/gpg-info
[Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659
Hi,

While I was rescuing my key server tonight, I found unusual traffic for keys 0x69D2EAD9 and 0xB33B4659. It caused load on my server when it tried to sync up with the network.

Requests counted in 2h:

 178 0xB33B4659
 186 0x69D2EAD9
 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9

Requests come from pool.sks-keyservers.net. Compared to the number of servers behind the pool, I think these requests are quite unusual. Does anyone know what happened to these two keys?

--
Regards,
Shengjing Zhu
[Sks-devel] Add new check to pool: HKP connect with only IP (no Host)
Hi,

Recently I found that keys sent to my key server were never synced to others. Finally I found the reason: I had configured my HTTP proxy to only accept requests with whitelisted domains (on port 11371 too). See https://github.com/zhsj/sks-ustc/commit/8920c4e

However, in recon the peer connects without a Host value in the HTTP request (which is `POST /pks/hashquery`). So the peers can't fetch new changes from my server.

But my server is included in the pool, so I think the pool inclusion checks should add this one.

--
Regards,
Shengjing Zhu
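The check proposed above, as an added example (not code from the post, from SKS or from the pool checker): a probe that POSTs to /pks/hashquery by address with no Host header, exactly as a recon peer does, and treats an error status or a dropped connection as a failure. A small constructed stand-in server plays the role of the front-end proxy so the probe runs offline; the whitelisted hostname in it is a constructed example value, and the real proxy configuration from the linked commit is not reproduced.

```python
"""Pool-style check: can an HKP front end be reached with no Host header?
Added example; the only page-derived detail is the POST /pks/hashquery path."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RECON_PATH = "/pks/hashquery"  # recon peers POST here (from the post)


def parse_status(raw):
    """Return the numeric status from a raw HTTP response, or None when the
    server closed the connection without sending a status line."""
    first = raw.split(b"\r\n", 1)[0].split()
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return None
    try:
        return int(first[1])
    except ValueError:
        return None


def hostless_post(host, port, path=RECON_PATH, timeout=5.0):
    """Send a raw HTTP/1.0 POST with no Host header (legal in HTTP/1.0, which
    is why a proxy keyed on Host has nothing to match) and return the status."""
    request = (
        f"POST {path} HTTP/1.0\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_status(raw)


def hostless_hkp_ok(host, port):
    """True only if the Host-less POST gets a non-error answer, i.e. recon
    peers connecting by IP would actually reach /pks/hashquery."""
    status = hostless_post(host, port)
    return status is not None and status < 400


def make_proxy_handler(require_host):
    """Constructed stand-in for the front-end proxy. With require_host=True it
    behaves like the whitelist described in the post: no matching Host value,
    no service. The hostnames in the set are constructed example values."""
    class Handler(BaseHTTPRequestHandler):
        allowed_hosts = {"pgp.ustc.edu.cn", "pgp.ustc.edu.cn:11371"}

        def do_POST(self):
            host = self.headers.get("Host")  # None when the header is absent
            if require_host and host not in self.allowed_hosts:
                self.send_error(403, "host not whitelisted")
                return
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the stub quiet
            pass
    return Handler


def run_check_against_stub(require_host):
    """Start the stub on a loopback port, run the check, tear the stub down."""
    server = HTTPServer(("127.0.0.1", 0), make_proxy_handler(require_host))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return hostless_hkp_ok("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("whitelisting proxy, Host-less POST passes:", run_check_against_stub(True))
    print("plain proxy, Host-less POST passes:", run_check_against_stub(False))
```

Against a real server the only call needed is `hostless_hkp_ok(ip, 11371)`; the stub exists so the two outcomes (Host-keyed proxy rejecting, plain proxy answering) can be seen without touching the network.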
Re: [Sks-devel] seeking peers for sks.itq.de
On Thu, Jul 26, 2018 at 10:17 PM Matthias Wassermann wrote:
> I have loaded a keydump from ftp://keyserver.mattrude.com/current,
> dated 2018-07-23.
> I see 5102357 keys loaded.

It's far behind the network; currently it's near 5244773.

--
Regards,
Shengjing Zhu
Re: [Sks-devel] history
On Tue, Jul 24, 2018 at 12:37 AM Michael Jones wrote:
>
> also, i can see there seems to be a lot more keys the last 2 days;

There's someone abusing/attacking the sks network; these keys look like

/pks/lookup?op=vindex=0x54ECA4E4B7509280

pub 1024R/B7509280 2018-07-22
uid DLTLYUPYVRSPOAXPURYBXLEVLWCPRW
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
uid DNHALKLJXDGZXHDCKNHHOJDIWSUJEF
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
uid FFQEYQHYIPGDUMJPIZMSGVKECXIZRP
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
...

--
Regards,
Shengjing Zhu
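A way for an operator to spot keys of the shape shown above in a vindex-style listing, as an added example (not code from the post or from SKS): parse the pub/uid/sig lines and flag keys whose user IDs are all bare runs of uppercase letters with no name or address, bound only by self-signatures. The sample listing is constructed to match the layout quoted in the post; key IDs other than B7509280 and the Alice/Bob entries are made up.

```python
"""Heuristic for the junk keys described in the post. Added example."""
import re
from collections import namedtuple

Key = namedtuple("Key", "keyid created uids sigs")

# A uid made only of 20-40 capital letters, like the ones quoted in the post.
RANDOM_UID = re.compile(r"^[A-Z]{20,40}$")


def parse_vindex(text):
    """Turn a 'pub / uid / sig' listing into Key records.
    sigs holds (signer_keyid, is_selfsig) tuples."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "pub":
            # e.g. "pub 1024R/B7509280 2018-07-22"
            keyid = fields[1].split("/", 1)[1]
            current = Key(keyid, fields[2], [], [])
            keys.append(current)
        elif fields[0] == "uid" and current is not None:
            current.uids.append(line[len("uid"):].strip())
        elif fields[0] == "sig" and current is not None:
            # e.g. "sig sig3 B7509280 2018-07-22 __ __ [selfsig]"
            signer = fields[2]
            current.sigs.append((signer, line.rstrip().endswith("[selfsig]")))
    return keys


def looks_like_junk(key, min_uids=3):
    """Enough uids, every uid is uppercase noise, and nothing but self-sigs."""
    if len(key.uids) < min_uids:
        return False
    if not all(RANDOM_UID.match(uid) for uid in key.uids):
        return False
    return all(selfsig for _signer, selfsig in key.sigs)


def junk_keyids(text, min_uids=3):
    """Key IDs in the listing that match the heuristic."""
    return [k.keyid for k in parse_vindex(text) if looks_like_junk(k, min_uids)]


# Constructed sample: the key from the post plus a normal-looking key.
SAMPLE = """\
pub 1024R/B7509280 2018-07-22
uid DLTLYUPYVRSPOAXPURYBXLEVLWCPRW
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
uid DNHALKLJXDGZXHDCKNHHOJDIWSUJEF
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
uid FFQEYQHYIPGDUMJPIZMSGVKECXIZRP
sig sig3 B7509280 2018-07-22 __ __ [selfsig]
pub 4096R/00000001 2018-07-22
uid Alice Example <alice@example.org>
sig sig3 00000001 2018-07-22 __ __ [selfsig]
sig sig 00000002 2018-07-23 __ __ Bob Example <bob@example.org>
"""

if __name__ == "__main__":
    print("flagged:", junk_keyids(SAMPLE))
```

The thresholds (three uids, 20 to 40 capitals) are tuned to the listing quoted above and will need adjusting for other spam shapes; the point is that the distinguishing features are structural, so the check needs no key-ID list.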
[Sks-devel] sks patch to refuse poison key
On Sun, Jul 15, 2018 at 06:28:24PM +1000, Haw Loeung wrote: > I don't think these patches should land in SKS. It's to work around > one key and doesn't scale very well. Instead, I think more work should > be done adding the ability to not accept and send keys of a certain > size as well as options to exclude specific list of keys. I'm not sure > if there's another mailing list used by SKS developers to discuss > this. Thanks, I see the patches hard code key id, so I think it shouldn't land in upstream too. > > If you're interested in the patches, you should be able to download > the *.debian.tar.xz file from the link below: > > | > https://launchpad.net/~canonical-sysadmins/+archive/ubuntu/sks-public/+packages > > Extract that and the series of patches to-date are: > > | 0012-poison-key.patch > | poison-key-id-update > | 0014-poison-key-output-fix > | 0091-pjdc-compare-short-keyid.patch > I don't know ocaml, but these patches are in a mess, shouldn't it be simplified to, diff --git a/keydb.ml b/keydb.ml index 949a1f4..7ff976a 100644 --- a/keydb.ml +++ b/keydb.ml @@ -1166,6 +1166,11 @@ struct try if has_hash hash then [] else let keyid = Fingerprint.keyid_from_key ~short:true key in +let keyid_long = Fingerprint.keyid_to_string ~short:false (Fingerprint.keyid_from_key ~short:false key) in + +(* Blacklist poison key - RT#112669 *) +plerror 4 "considering keyid %s" keyid_long; +if List.mem keyid_long ["E41ED3A107A7DBC7"] then [] else let potential_merges = List.filter ~f:(fun x -> x <> key) (get_by_short_keyid keyid) in -- Best regards, Shengjing Zhu signature.asc Description: PGP signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
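Review bot: the blacklist in the added `if List.mem keyid_long ["E41ED3A107A7DBC7"] then [] else` line is a literal compiled into keydb.ml, so every further poison key means another patch and rebuild; read the list of long key IDs from the settings at startup instead, which is also what the reply above asks for. The `plerror 4 "considering keyid %s" keyid_long;` line logs every key that reaches the merge path, which will be noisy at the ingest rates discussed in this thread; log only the rejected case, and at a level that stands out. Finally the match is on the 64-bit key ID alone, so this stops exactly one key; the per-key size limit suggested in the quoted message is the complementary control that does not depend on knowing the ID in advance.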
Re: [Sks-devel] withdrawal of service: sks.spodhuis.org
Hi Haw,

On Sun, Jul 15, 2018 at 9:17 AM Haw Loeung wrote:
>
> On Fri, Jul 13, 2018 at 07:53:01PM +0100, Andrew Gallagher wrote:
> > I am still willing to help with possible upgrades and/or
> > replacements for the SKS network. At this point I have come to
> > believe that a minimal network containing only key material, SBINDs
> > and revocations (no id packets, no third party sigs) is the absolute
> > maximum functionality we can hope to sustain in the long term. And
> > for this to be bulletproof, all such material must be
> > cryptographically verified (otherwise people could just create
> > “random” key material containing arbitrary data).
>
> If it helps others, we have a patched SKS packaged to exclude the bad
> key (one of them at least)[1]. A couple of others in my team did all
> the work so I can't comment on the details.
>

Could you provide the patch on bitbucket[1]? I'm not sure if Kristian will accept it or not, but I'd like to see it in patch form and include it in my own build.

[1] https://bitbucket.org/skskeyserver/sks-keyserver/

--
Regards,
Shengjing Zhu
Re: [Sks-devel] disk full, keys.niif.hu crashed
Hi,

My server disk is also full of logs. I tried to run db_archive, but the command never returns. So I deleted all the log.* files, and now I can't start sks.

Is there anything I can do except rebuilding?

Thanks
Shengjing Zhu
Re: [Sks-devel] sks.ustclug.org move to pgp.ustc.edu.cn
On Tue, Apr 24, 2018 at 11:40:54AM +0200, Moritz Wirth wrote:
> Hi,
>
> I hope you don't mind that I get back on the Docker thing, but I started
> to think about autoscaling SKS keyservers around the world.
>
> The main problem I came up with was the storage of the key database - I
> think it's a normal BerkeleyDB? and it is not possible to share it
> between multiple clients, so every instance needs its own database.
>

Yes, it's a normal BerkeleyDB.

> Do you just keep the keyserver as a docker file and download and import
> the dump manually or do you store the dump somewhere (and update it
> every few hours) so the provisioning of a new machine does not take
> longer than a few seconds.

Sad to say, I don't scale the service; I just run a single container, previously in a docker cluster, but it's only one instance.

When I migrated sks this time, from one datacenter to another, I just stopped the old container, synced the KDB dir to the new server, rebuilt the PTree, and started the new container. I think the PTree can be directly synced too, but I didn't try.

So back to the problem: when you provision a new machine, you don't need to dump/build, just sync the DB dir. Because we use the same container, same DB version, same libraries, even the same DB path (inside the container), I don't think there's a risk in skipping the dump/build process.

BTW, we went off-list; I hope you don't mind that I bring it back to the list :)

BR,
Shengjing
Re: [Sks-devel] sks.ustclug.org move to pgp.ustc.edu.cn
FWIW, since sks.ustclug.org (Aug 2016), I have run sks inside a docker container, and I'm pretty sure the service runs well :)

When moving to pgp.ustc.edu.cn, I have a dedicated server. But I still run sks in docker, with host networking.

The new Dockerfile can be found at https://github.com/zhsj/dockerfile/tree/master/sks-full

It bundles a web server, Caddy, so the deployment is much easier :)

And I designed a new web page; if you're interested, just look at https://pgp.ustc.edu.cn/
Re: [Sks-devel] disk space
Hi Paul,

On Mon, Jan 22, 2018 at 07:01:19PM +0100, Paul Fontela wrote:
> Hi All,
>
> Checked, I went from 118G in /var/lib/sks/KDB/ to 3GB after adding the
> DB_CONFIG file inside the KDB folder.
> More than 11,000 log.0xx files have been deleted.
>

Just want to confirm: is your KDB directory 3GB? I set up a new server today, and I see it's 20GB.

BR,
Shengjing Zhu
[Sks-devel] sks.ustclug.org move to pgp.ustc.edu.cn
Hi all,

I have moved sks.ustclug.org to a new home, with the new domain pgp.ustc.edu.cn.

Previously the server was maintained by a student association, LUG@USTC (aka Linux User Group, University of Science and Technology of China). Now the server has moved to the university information center.

The new server has the following IPs:

pgp.ustc.edu.cn 600 IN A    202.38.95.91
pgp.ustc.edu.cn 600 IN AAAA 2001:da8:d800:95::91

If you have peered with sks.ustclug.org before, please update your membership file to:

pgp.ustc.edu.cn 11370 # Shengjing Zhu <zsj950...@gmail.com> 0xCF0E265B7DFBB2F2

I'll send a separate email to my peers in the next few days.

If you want to establish a new peer membership with me, please let me know!

Thanks,
Shengjing Zhu
Re: [Sks-devel] SKS behind NAT firewall
On Tue, Jan 23, 2018 at 10:48:04PM +0200, Hendrik Visage wrote:
> Hi there,
>
> Anybody else running a SKS behind a NAT firewall?
> Could you perhaps share any advice on the recon/hkp settings? (I’ll be
> setting up/running nginx reverse proxy for HKP)
>
> Or should I rather have the outside IP bound to a virtual/loopback
> interface, and then route it directly via the firewall to the SKS server?
>
> Reason I’m asking: I’m not quite clear in understanding the recon settings,
> and I’d rather ask experience before I chase down the wrong alley.
>

For hkp, I think it's quite clear since it's just HTTP; you can do whatever you have done for other HTTP services.

For recon, I think you need to use SNAT. Your sks instance will only respond to IPs resolved from the domains you set in your membership file. With SNAT, your sks will know the real IP of your peer.

Best regards,
Shengjing
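The recon peer check described in the reply above, modelled as an added example (not SKS code): the membership file is resolved to a set of addresses, and a recon connection is accepted only if the address the daemon sees is in that set. The membership line and the two addresses are taken from the pgp.ustc.edu.cn announcement earlier on this page; the resolver is a constructed stand-in (no DNS is queried), and 192.0.2.1 is a constructed example of the address the daemon would see if the firewall rewrote the peer's source address to its own.

```python
"""Why recon behind NAT needs the peer's real source address. Added example."""
import ipaddress

# Constructed membership file using the entry from the page.
MEMBERSHIP = """\
# host port # comment
pgp.ustc.edu.cn 11370 # Shengjing Zhu <zsj950...@gmail.com> 0xCF0E265B7DFBB2F2
"""

# Constructed resolver: what DNS returns for the host in the file (page values).
FAKE_DNS = {
    "pgp.ustc.edu.cn": ["202.38.95.91", "2001:da8:d800:95::91"],
}


def parse_membership(text):
    """Yield (host, port) pairs; '#' starts a comment, blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, port = line.split()[:2]
        yield host, int(port)


def allowed_recon_sources(text, resolver):
    """Every address a membership host resolves to, normalised so that
    spelling differences (e.g. uncompressed IPv6) do not matter."""
    allowed = set()
    for host, _port in parse_membership(text):
        for addr in resolver.get(host, []):
            allowed.add(ipaddress.ip_address(addr))
    return allowed


def recon_peer_accepted(src_ip, text, resolver=FAKE_DNS):
    """The check a recon server applies to the address it actually sees."""
    return ipaddress.ip_address(src_ip) in allowed_recon_sources(text, resolver)


def nat_scenarios(text, resolver=FAKE_DNS):
    """Direct connections match; a connection whose source was rewritten by
    the firewall arrives from an address no membership host resolves to."""
    return {
        "direct_v4": recon_peer_accepted("202.38.95.91", text, resolver),
        "direct_v6": recon_peer_accepted("2001:DA8:D800:95:0:0:0:91", text, resolver),
        "rewritten_source": recon_peer_accepted("192.0.2.1", text, resolver),
    }


if __name__ == "__main__":
    for name, ok in nat_scenarios(MEMBERSHIP).items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third scenario is the one the question is about: whatever the firewall does for HKP, the recon port must deliver connections with the peer's own source address intact, or the membership check fails even though the peer is listed.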