MITSign: A Kerberized PGP Keysigner

Derek Atkins
17 Dec 1994

Introduction

MITSign is a Kerberized PGP Keysigner system that lets you use an installed Kerberos base to create a PGP Certification Authority. The MITSign package contains a client and a server, which you can configure and install for your site. You can configure MITSign to accept multiple Kerberos realms and mail domains, so that a single Signer Key can sign PGP keys for multiple locations.

Configuring MITSign

To configure MITSign for your site, you need to check two files, pgpsign.h and Makefile. Almost all of the configuration of MITSign is in the C header file, pgpsign.h. At the top of the file are a number of configuration variables that you can use to set simple, site-specific values. You should edit the file to set the appropriate values for your site before you attempt to build the MITSign code.

The Makefile contains some more site-specific configuration. The only major configuration done in the Makefile is to define whether your site has Hesiod, and to set a flag if your platform has memset, memcpy, etc. This second value can be added to the Make rule for your target or can be set on the command line.

Configuring the Client

For clients, there is only one important value, the default PGP Keysigner host. This is in pgpsign.h, and it defines the host that your client will use if you do not have Hesiod or if the Hesiod lookup fails.

Configuring the Server

The server needs considerably more configuration. First, you need to configure the directory locations of your server platform. In particular, you should configure the path to the PGP program, the file containing the PGP key passphrase, the location of the Kerberos srvtab, and the location of the PGP keyring information.

In addition to configuring the server structure, you must also configure the behavior of the server process.
In particular, you need to define which Kerberos realms you will accept, and how those realms will behave. This is done by first creating a NULL-terminated list of Kerberos realms, which defines all the Kerberos realms that are accepted by this server. Only principals in these realms will be accepted as valid.

Next, a NULL-terminated list of lists is created which defines the accepted mail domains for each Kerberos realm. For example, in the Kerberos realm ATHENA.MIT.EDU, valid mail domains are "Athena.MIT.EDU" and "MIT.EDU". This is realized by setting the realm list and mail domains to:

    {"ATHENA.MIT.EDU", ""}

and

    {
        {"ATHENA.MIT.EDU", "Athena.MIT.EDU", "MIT.EDU", ""},
        {""}
    }

Building the Software

Once you have configured the software, you can build it for each platform at your site. The Makefile that is included with the distribution will build both the client and the server for MITSign. You should try to use the make rule for your particular platform. If your platform is not defined in the Makefile, then you can try using the default settings. If those don't work for you, you will have to try to port the software to your platform. If you get this to work, please send email with the make rule you generated.

Setting up the Server

The server requires some configuration; it is designed to run out of inetd. You need to add a line to the services file and to inetd.conf to run the pgpsign server. Also, given the configuration done above, you need to install the appropriate binaries and configuration files on the keysigner.
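
The realm and mail-domain lists described under "Configuring the Server" can be read as a lookup table. The following is an added example, not code from MITSign or pgpsign.h: the variable and function names are hypothetical, and it assumes the first entry of each inner list names the realm, that realm names are compared exactly, and that mail domains are compared whole and case-insensitively.

```c
/* Added example; names are hypothetical and not taken from pgpsign.h. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lists in the shape shown in the text: "" ends each list. */
static const char *realms[] = { "ATHENA.MIT.EDU", "" };
static const char *mail_domains[][4] = {
    { "ATHENA.MIT.EDU", "Athena.MIT.EDU", "MIT.EDU", "" },
    { "" }
};

/* Whole-string, case-insensitive equality (mail domains are DNS names). */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* 1 if the realm is listed; Kerberos realm names are case-sensitive. */
int realm_accepted(const char *realm)
{
    for (int i = 0; realms[i][0] != '\0'; i++)
        if (strcmp(realms[i], realm) == 0)
            return 1;
    return 0;
}

/* 1 if addr ("user@domain") lies in a mail domain accepted for realm. */
int address_accepted(const char *realm, const char *addr)
{
    const char *at = strrchr(addr, '@');
    if (!realm_accepted(realm) || at == NULL || at == addr || at[1] == '\0')
        return 0;
    for (int r = 0; mail_domains[r][0][0] != '\0'; r++) {
        if (strcmp(mail_domains[r][0], realm) != 0)
            continue;
        /* Entry 0 is the realm; mail domains start at entry 1. */
        for (int d = 1; mail_domains[r][d][0] != '\0'; d++)
            if (eq_nocase(mail_domains[r][d], at + 1))
                return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample addresses. */
    printf("%d\n", address_accepted("ATHENA.MIT.EDU", "jdoe@mit.edu"));
    printf("%d\n", address_accepted("ATHENA.MIT.EDU", "jdoe@mit.edu.example.net"));
    return 0;
}
```

Matching the whole domain rather than a prefix or suffix is what keeps an address such as jdoe@mit.edu.example.net from being treated as an MIT.EDU address.
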
The default configuration expects a directory /var/pgpsign, which contains the following:

    /var/pgpsign/bin        - Contains PGPSign binaries
        pgpsignd            - MITSign Daemon
        pgp                 - PGP Program
    /var/pgpsign/control
        passphrase          - contains the passphrase to the MITSign PGP Key
        srvtab              - contains the Kerberos srvtab
    /var/pgpsign/keyring    - Contains the Keyserver Keyring
        config.txt          - PGP Configuration
        pubring.pgp         - Contains the Keyserver Public Key
        randseed.bin        - PGP Random Number Generator Seed
        secring.pgp         - Contains the Keyserver Secret Key

Most of these files are self-explanatory. The PGP Key should be generated on the server for the best security, and should be as big as you see fit. The passphrase file should just contain the clear-text passphrase to the PGP Key. The config.txt file just needs to exist; it really does not need to contain anything important. However, it would probably be a good thing to have a config.txt that contains:

    MyName = MITSign        # This is who I am!
    Language = en           # English
    tmp = /tmp              # Tempfiles into /tmp
    Armorlines = 0          # Generate a single armorfile

MITSign expects to authenticate using the Kerberos principal pgpsigner.hostname@REALM.SITE.ORG. The srvtab file needs to contain this key, so that the MITSign Daemon can decode the authenticator sent by the client.

You will need to add these lines to /etc/services and inetd.conf to get the MITSign Daemon to run. These are only examples, and you should modify them to taste depending on your site. At MIT, we run the MITSign Daemon as its own user, and all the files are owned by this user.

In /etc/services:

    pgpsigner       2792/tcp                # PGP Key signer

In inetd.conf (a single line):

    pgpsigner stream tcp nowait pgpsign /var/pgpsign/bin/pgpsignd pgpsignd

Reporting Bugs and Improvements

If you find any bugs in the software, or if you have to make any changes to get it to build on another platform, please send me mail. Changes would be best sent as UNIX context diffs, and should have any platform-specific code changes within #ifdefs.
You can email me at this address: warlord@MIT.EDU
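
Because the /var/pgpsign layout under "Setting up the Server" keeps a clear-text passphrase, the srvtab and the secret keyring on disk, a permission audit of those files is a useful check after installation. The following is an added example, not part of MITSign: the function names are hypothetical, and the policy it enforces (regular file, owned by the daemon's user, no group or other access) is an assumption built on the page's statement that all files are owned by the daemon's user.

```c
/* Added example; not MITSign code. Policy and names are assumptions. */
#define _XOPEN_SOURCE 700   /* lstat() and S_IF* under strict -std= modes */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Secret-bearing files from the layout in the text, relative to the root. */
static const char *secret_files[] = {
    "control/passphrase", "control/srvtab",
    "keyring/secring.pgp", "keyring/randseed.bin", NULL
};

enum { BAD_TYPE = 1, BAD_OWNER = 2, BAD_MODE = 4, MISSING = 8 };

/* Policy on one file's metadata; returns 0 or a mask of BAD_* flags. */
int check_secret(mode_t mode, uid_t file_uid, uid_t daemon_uid)
{
    int bad = 0;
    if (!S_ISREG(mode))
        bad |= BAD_TYPE;            /* symlink, directory, device, ... */
    if (file_uid != daemon_uid)
        bad |= BAD_OWNER;
    if (mode & (S_IRWXG | S_IRWXO))
        bad |= BAD_MODE;            /* any group or other permission bit */
    return bad;
}

/* Check every secret file under root; returns how many fail the policy. */
int audit_tree(const char *root, uid_t daemon_uid)
{
    int failures = 0;
    for (int i = 0; secret_files[i] != NULL; i++) {
        char path[1024];
        struct stat st;
        int bad;
        snprintf(path, sizeof path, "%s/%s", root, secret_files[i]);
        /* lstat() so that a symlink is reported instead of followed. */
        bad = (lstat(path, &st) != 0)
            ? MISSING : check_secret(st.st_mode, st.st_uid, daemon_uid);
        if (bad) {
            printf("%s: problem flags 0x%x\n", path, bad);
            failures++;
        }
    }
    return failures;
}

int main(int argc, char **argv)
{
    /* Run as the daemon's user so getuid() is the expected owner. */
    return audit_tree(argc > 1 ? argv[1] : "/var/pgpsign", getuid()) ? 1 : 0;
}
```
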