Recent

  • Show all results for ""

🎧 New: AI-Generated Podcasts Turn your study notes into engaging audio conversations. Learn more

LPI-Learning-Material-102-500-en-478-581.pdf

Chat with Document Quiz & Flashcards
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...

Document Details

GuiltlessAshcanSchool

Uploaded by GuiltlessAshcanSchool

2023

Tags

computer networks dns linux

Related

Full Transcript

LPIC-1 (102) (Version 5.0) | Topic 109: Networking Fundamentals Starting with glibc version 2.2.5, you can force getent to use a specific data source with the -s option. The example below demonstrates this: $ getent -s files hosts learning.lpi.org ::1 learning.lpi.org $...

LPIC-1 (102) (Version 5.0) | Topic 109: Networking Fundamentals Starting with glibc version 2.2.5, you can force getent to use a specific data source with the -s option. The example below demonstrates this: $ getent -s files hosts learning.lpi.org ::1 learning.lpi.org $ getent -s dns hosts learning.lpi.org 208.94.166.198 learning.lpi.org The host Command host is a simple program for looking up DNS entries. With no options, if host is given a name, it returns the A, AAAA, and MX record sets. If given an IPv4 or IPv6 address, it outputs the PTR record if one is available: $ host wikipedia.org wikipedia.org has address 208.80.154.224 wikipedia.org has IPv6 address 2620:0:861:ed1a::1 wikipedia.org mail is handled by 10 mx1001.wikimedia.org. wikipedia.org mail is handled by 50 mx2001.wikimedia.org. $ host 208.80.154.224 224.154.80.208.in-addr.arpa domain name pointer text-lb.eqiad.wikimedia.org. If you are looking for a specific record type, you can use host -t: $ host -t NS lpi.org lpi.org name server dns1.easydns.com. lpi.org name server dns3.easydns.ca. lpi.org name server dns2.easydns.net. $ host -t SOA lpi.org lpi.org has SOA record dns1.easydns.com. zone.easydns.com. 1593109612 3600 600 1209600 300 host can also be used to query a specific name server if you do not wish to use the ones in /etc/resolv.conf. Simply add the IP address or host name of the server you wish to use as the last argument: $ host -t MX lpi.org dns1.easydns.com Using domain server: Name: dns1.easydns.com Address: 64.68.192.10#53 Aliases: 468 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 109.4 Configure client side DNS lpi.org mail is handled by 10 aspmx4.googlemail.com. lpi.org mail is handled by 10 aspmx2.googlemail.com. lpi.org mail is handled by 5 alt1.aspmx.l.google.com. lpi.org mail is handled by 0 aspmx.l.google.com. lpi.org mail is handled by 10 aspmx5.googlemail.com. lpi.org mail is handled by 10 aspmx3.googlemail.com. lpi.org mail is handled by 5 alt2.aspmx.l.google.com. The dig Command Another tool for querying DNS servers is dig. This command is much more verbose than host. By default, dig queries for A records. It is probably too verbose for simply looking up an IP address or host name. dig will work for simple lookups, but it is more suited for troubleshooting DNS server configuration: $ dig learning.lpi.org ; DiG 9.11.5-P4-5.1+deb10u1-Debian learning.lpi.org ;; global options: +cmd ;; Got answer: ;; ->>HEADERHEADERHEADER /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f91dbec0000) Now we add the following line in the file /etc/hosts.deny: sshd: ALL Finally we configure an exception in the file /etc/hosts.allow for SSH connections from the local network: sshd: LOCAL The changes take effect immediately, there is no need to restart any service. You may check this with the ssh client. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 525 LPIC-1 (102) (Version 5.0) | Topic 110: Security Guided Exercises 1. How can the previously locked account emma be unlocked? 2. Previously the account emma had an expiration date set. How can the expiration date get set to never? 3. Imagine the CUPS printing service handling print jobs is not needed on your server. How can you disable the service permanently? How can you check the appropriate port is not active anymore? 4. You have installed the nginx web server. How can you check whether nginx supports TCP wrappers? 526 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.2 Setup host security Explorational Exercises 1. Check out whether the existence of the /etc/nologin file prevents the login of the user root? 2. Does the existence of the /etc/nologin file prevent passwordless logins with SSH keys? 3. What happens on login, when the file /etc/nologin contains this line of text login currently is not possible only? 4. May an ordinary user emma obtain information about the user root contained in the file /etc/passwd e.g. with the command grep root /etc/passwd? 5. May an ordinary user emma retrieve information about her own hashed password contained in the file /etc/shadow e.g. with the command grep emma /etc/shadow? 6. What steps have to be taken to enable and check the ancient daytime service to be handled by xinetd? Note this is just an explorational excercise don’t do this in a production environment. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 527 LPIC-1 (102) (Version 5.0) | Topic 110: Security Summary In this lesson you learned: 1. In which file passwords are stored as well as some password security settings e.g. expiration time. 2. The purpose of the superdaemon xinetd and how to get it running and start the sshd service on demand. 3. To check which network services are running and how to disable unnecessary services. 4. Use TCP wrappers as sort of a simple firewall. Commands used in the lab and the exercises: chage Change the age of a user’s password. chkconfig A classic command initially used on Red Hat based systems to set whether a service would start at boot time or not. netstat A classic utility (now in the net-tools package) that will display daemons that access network ports on a system and their usage. nologin A command that can be used in place of a user’s shell to prevent them from logging in. passwd Used to create or change a user’s password. service Older method of controlling a daemon’s status, such as stopping or starting a service. ss The modern equivalent to netstat, but also displays more information about various sockets in use on the system. systemctl The system control command used to control various aspects of services and sockets on a 528 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.2 Setup host security computer using systemd. update-rc.d A classic command similar to chkconfig that enables or disables a system to start at boot time on Debian based distributions. xinetd A superdaemon that can control access to a network service on demand, thus leaving a service inactive until it is actually called upon to perform some task. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 529 LPIC-1 (102) (Version 5.0) | Topic 110: Security Answers to Guided Exercises 1. How can the previously locked account emma be unlocked? The superuser can run passwd -u emma to unlock the account. 2. Previously the account emma had an expiration date set. How can the expiration date get set to never? The superuser may use chage -E -1 emma to set the expiration date to never. This setting may be checked with chage -l emma. 3. Imagine the CUPS printing service handling print jobs is not needed on your server. How can you disable the service permanently? How can you check the appropriate port is not active anymore? As superuser issue systemctl disable cups.service --now Now you can check netstat -l | grep ":ipp "` or `ss -l | grep ":ipp " 4. You have installed the nginx web server. How can you check whether nginx supports TCP wrappers? The command ldd /usr/sbin/nginx | grep "libwrap" will show an entry in case nginx supports TCP wrappers. 530 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.2 Setup host security Answers to Explorational Exercises 1. Check out whether the existence of the /etc/nologin file prevents the login of the user root? User root is still able to login. 2. Does the existence of the /etc/nologin file prevent passwordless logins with SSH keys? Yes, also passwordless logins are prevented. 3. What happens on login, when the file /etc/nologin contains this line of text login currently is not possible only? The message login currently is not possible will be shown, and a login is prevented. 4. May an ordinary user emma obtain information about the user root contained in the file /etc/passwd e.g. with the command grep root /etc/passwd? Yes, because all users have read permission for this file. 5. May an ordinary user emma retrieve information about her own hashed password contained in the file /etc/shadow e.g. with the command grep -i emma /etc/shadow? No, because ordinary users have no read permission for this file. 6. What steps have to be taken to enable and check the ancient daytime service to be handled by xinetd? Note this is just an explorational excercise don’t do this in a production environment. First change the file /etc/xinetd.d/daytime and set the directive disable = no. Second restart the xinetd service systemctl restart xinetd.service (or service xinetd restart on systems with SyS-V-Init). Now you can check whether it works nc localhost daytime. Instead of nc you may also use netcat. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 531 LPIC-1 (102) (Version 5.0) | Topic 110: Security 110.3 Securing data with encryption Reference to LPI objectives LPIC-1 version 5.0, Exam 102, Objective 110.3 Weight 4 Key knowledge areas Perform basic OpenSSH 2 client configuration and usage. Understand the role of OpenSSH 2 server host keys. Perform basic GnuPG configuration, usage and revocation. Use GPG to encrypt, decrypt, sign and verify files. Understand SSH port tunnels (including X11 tunnels). Partial list of the used files, terms and utilities ssh ssh-keygen ssh-agent ssh-add ~/.ssh/id_rsa and id_rsa.pub ~/.ssh/id_dsa and id_dsa.pub ~/.ssh/id_ecdsa and id_ecdsa.pub ~/.ssh/id_ed25519 and id_ed25519.pub /etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub 532 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption /etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub /etc/ssh/ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key and ssh_host_ed25519_key.pub ~/.ssh/authorized_keys ssh_known_hosts gpg gpg-agent ~/.gnupg/ Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 533 LPIC-1 (102) (Version 5.0) | Topic 110: Security 110.3 Lesson 1 Certificate: LPIC-1 Version: 5.0 Topic: 110 Security Objective: 110.3 Securing data with encryption Lesson: 1 of 2 Introduction Securing data with encryption is of paramount importance in many aspects of today’s system administration — even more so when it comes to accessing systems remotely. As opposed to insecure solutions such as telnet, rlogin or FTP, the SSH (Secure Shell) protocol was designed with security in mind. Using public key cryptography, it authenticates both hosts and users and encrypts all subsequent information exchange. Furthermore, SSH can be used to establish port tunnels, which — amongst other things — allows for a non-encrypted protocol to transmit data over an encrypted SSH connection. The current, recommended version of the SSH protocol is 2.0. OpenSSH is a free and open source implementation of the SSH protocol. This lesson will cover basic OpenSSH client configuration as well as the role of OpenSSH server host keys. The concept of SSH port tunnels will also be discussed. We will be using two machines with the following setup: 534 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Machine Role OS IP Address Hostname User Client Debian 192.168.1.55 debian carol GNU/Linux 10 (buster) Server openSUSE Leap 192.168.1.77 halof ina 15.1 Basic OpenSSH Client Configuration and Usage Although the OpenSSH server and client come in separate packages, you can normally install a metapackage that will provide both at once. To establish a remote session with the SSH server you use the ssh command, specifying the user you want to connect as on the remote machine and the remote machine’s IP address or hostname. The first time you connect to a remote host you will receive a message like this: carol@debian:~$ ssh [email protected] The authenticity of host '192.168.1.77 (192.168.1.77)' can't be established. ECDSA key fingerprint is SHA256:5JF7anupYipByCQm2BPvDHRVFJJixeslmppi2NwATYI. Are you sure you want to continue connecting (yes/no)? After typing yes and hitting Enter, you will be asked for the remote user’s password. If successfully entered, you will be shown a warning message and then logged in to the remote host: Warning: Permanently added '192.168.1.77' (ECDSA) to the list of known hosts. Password: Last login: Sat Jun 20 10:52:45 2020 from 192.168.1.4 Have a lot of fun... ina@halof:~> The messages are quite self-explanatory: as it was the first time that you established a connection to the 192.168.1.77 remote server, its authenticity could not be checked against any database. Thus, the remote server provided an ECDSA key fingerprint of its public key (using the SHA256 hash function). Once you accepted the connection, the public key of the remote server was added to the known hosts database, thus enabling the authentication of the server for future connections. This list of known hosts' public keys is kept in the file known_hosts which lives in ~/.ssh: ina@halof:~> exit logout Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 535 LPIC-1 (102) (Version 5.0) | Topic 110: Security Connection to 192.168.1.77 closed. carol@debian:~$ ls.ssh/ known_hosts Both.ssh and known_hosts were created after the first remote connection was established. ~/.ssh is the default directory for user-specific configuration and authentication information. You can also use ssh to just execute a single command on the remote host and then NOTE come back to your local terminal (e.g.: running ssh ina@halof ls). If you are using the same user on both the local and remote hosts, there is no need to specify the username when establishing the SSH connection. For instance, if you are logged in as user carol on debian and wanted to connect to halof also as user carol, you would simply type ssh 192.168.1.77 or ssh halof (if the name can be resolved): carol@debian:~$ ssh halof Password: Last login: Wed Jul 1 23:45:02 2020 from 192.168.1.55 Have a lot of fun... carol@halof:~> Now suppose you establish a new remote connection with a host that happens to have the same IP address as halof (a common thing if you use DHCP in your LAN). You will be warned about the possibility of a man-in-the-middle attack: carol@debian:~$ ssh [email protected] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:KH4q3vP6C7e0SEjyG8Wlz9fVlf+jmWJ5139RBxBh3TY. Please contact your system administrator. Add correct host key in /home/carol/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/carol/.ssh/known_hosts:1 remove with: ssh-keygen -f "/home/carol/.ssh/known_hosts" -R "192.168.1.77" ECDSA host key for 192.168.1.77 has changed and you have requested strict checking. Host key verification failed. 536 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Since you are not dealing with a man-in-the-middle attack, you can safely add the public key fingerprint of the new host to.ssh/known_hosts. As the message indicates, you can first use the command ssh-keygen -f "/home/carol/.ssh/known_hosts" -R "192.168.1.77" to remove the offending key (alternatively, you can go for ssh-keygen -R 192.168.1.77 to delete all keys belonging to 192.168.1.77 from ~/.ssh/known_hosts). Then, you will be able to establish a connection to the new host. Key-Based Logins You can set up your SSH client to not provide any passwords at login but use public keys instead. This is the preferred method of connecting to a remote server via SSH, as it is far more secure. The first thing you have to do is create a key pair on the client machine. To do this, you will use ssh- keygen with the -t option specifying the type of encryption you want (Elliptic Curve Digital Signature Algorithm in our case). Then, you will be asked for the path to save the key pair (~/.ssh/ is convenient as well as the default location) and a passphrase. While a passphrase is optional, it is highly recommended to always use one. carol@debian:~/.ssh$ ssh-keygen -t ecdsa Generating public/private ecdsa key pair. Enter file in which to save the key (/home/carol/.ssh/id_ecdsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/carol/.ssh/id_ecdsa. Your public key has been saved in /home/carol/.ssh/id_ecdsa.pub. The key fingerprint is: SHA256:tlamD0SaTquPZYdNepwj8XN4xvqmHCbe8g5FKKUfMo8 carol@debian The key's randomart image is: +---[ECDSA 256]---+ |. | | o. | | = o o | | B * | | E B S o | | o & O | | @ ^ = | | *.@ @. | | o.o+B+o | +----[SHA256]-----+ When creating the key pair, you can pass ssh-keygen the -b option to specify the NOTE key size in bits (e.g.: ssh-keygen -t ecdsa -b 521). Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 537 LPIC-1 (102) (Version 5.0) | Topic 110: Security The previous command produced two more files in your ~/.ssh directory: carol@debian:~/.ssh$ ls id_ecdsa id_ecdsa.pub known_hosts id_ecdsa This is your private key. id_ecdsa.pub This is your public key. In asymmetric cryptography (aka public-key cryptography), the public and private NOTE keys are mathematically related to one another in such a way that whatever is encrypted by one can only be decrypted by the other. The next thing you need to do is add your public key to the ~/.ssh/authorized_keys file of the user you want to log in as on the remote host (if the ~/.ssh directory does not already exist, you will have to create it first). You can copy your public key into the remote server in a number of ways: using a USB flash drive, through the scp command — which will transfer the file over using SSH — or by catting out the content of your public key and piping it into ssh like so: carol@debian:~/.ssh$ cat id_ecdsa.pub |ssh [email protected] 'cat >>.ssh/authorized_keys' Password: Once your public key has been added to the authorized_keys file on the remote host, you can face two scenarios when trying to establish a new connection: If you did not provide a passphrase when creating the key pair, you will be logged in automatically. Although convenient, this method can be insecure depending on the situation: carol@debian:~$ ssh [email protected] Last login: Thu Jun 25 20:31:03 2020 from 192.168.1.55 Have a lot of fun... ina@halof:~> If you provided a passphrase when creating the key pair, you will have to enter it on every connection much in the same way as if it was a password. Apart from the public key, this method adds an extra layer of security in the form of a passphrase and can — therefore — be considered more secure. As far as convenience goes — however — it is is exactly the same as 538 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption having to enter a password every time you establish a connection. If you don’t use a passphrase and someone manages to obtain your private SSH key file, they would have access to every server on which your public key is installed. carol@debian:~/.ssh$ ssh [email protected] Enter passphrase for key '/home/carol/.ssh/id_ecdsa': Last login: Thu Jun 25 20:39:30 2020 from 192.168.1.55 Have a lot of fun... ina@halof:~> There is a way which combines security and convenience, though: using the SSH authentication agent (ssh-agent). The authentication agent needs to spawn its own shell and will hold your private keys — for public key authentication — in memory for the remainder of the session. Let us see how it works in a little bit more detail: 1. Use ssh-agent to start a new Bash shell: carol@debian:~/.ssh$ ssh-agent /bin/bash carol@debian:~/.ssh$ 2. Use the ssh-add command to add your private key to a secure area of memory. If you supplied a passphrase when generating the key pair — which is recommended for extra security — you will be asked for it: carol@debian:~/.ssh$ ssh-add Enter passphrase for /home/carol/.ssh/id_ecdsa: Identity added: /home/carol/.ssh/id_ecdsa (carol@debian) Once your identity has been added, you can login to any remote server on which your public key is present without having to type your passphrase again. It is common practice on modern desktops to perform this command upon booting your computer, as it will remain in memory until the computer is shutdown (or the key is unloaded manually). Let us round this section off by listing the four types of public-key algorithms that can be specified with ssh-keygen: RSA Named after its creators Ron Rivest, Adi Shamir and Leonard Adleman, it was published in 1977. It is considered secure and still widely used today. Its minimum key size is 1024 bits (default is 2048). Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 539 LPIC-1 (102) (Version 5.0) | Topic 110: Security DSA The Digital Signature Algorithm has proven to be insecure and it was deprecated as of OpenSSH 7.0. DSA keys must be exaclty 1024 bits in length. ecdsa The Elliptic Curve Digital Signature Algorithm is an improvement on DSA and — therefore — considered more secure. It uses elliptic curve cryptography. ECDSA key length is determined by one of the three possible elliptic curve sizes in bits: 256, 384 or 521. ed25519 It is an implementation of EdDSA — Edwards-curve Digital Signature Algorithm — that uses the stronger 25519 curve. It is considered the most secure of all. All Ed25519 keys have a fixed length of 256 bits. If invoked with no -t specification, ssh-keygen will generate an RSA key pair by NOTE default. The Role of OpenSSH Server Host Keys The global configuration directory for OpenSSH lives in the /etc directory: halof:~ # tree /etc/ssh /etc/ssh ├── moduli ├── ssh_config ├── ssh_host_dsa_key ├── ssh_host_dsa_key.pub ├── ssh_host_ecdsa_key ├── ssh_host_ecdsa_key.pub ├── ssh_host_ed25519_key ├── ssh_host_ed25519_key.pub ├── ssh_host_rsa_key ├── ssh_host_rsa_key.pub └── sshd_config 0 directories, 11 files Apart from moduli and the configuration files for the client (ssh_config) and the server (sshd_config), you will find four key pairs — a key pair for each supported algorithm — that are created when the OpenSSH server is installed. As already noted, the server uses these host keys to identify itself to clients as required. Their name pattern is as follows: 540 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Private keys ssh_host_ prefix + algorithm + key suffix (e.g.: ssh_host_rsa_key) Public keys (or public key fingerprints) ssh_host_ prefix + algorithm + key.pub suffix (e.g.: ssh_host_rsa_key.pub) A fingerprint is created by applying a cryptographic hash function to a public key. NOTE As fingerprints are shorter than the keys they refer to, they come in handy to simplify certain key management tasks. The permissions on the files containing the private keys are 0600 or -rw-------: only readable and writable by the owner (root). On the other hand, all public key files are also readable by members in the owner group and everybody else (0644 or -rw-r—r--): halof:~ # ls -l /etc/ssh/ssh_host_* -rw------- 1 root root 1381 Dec 21 20:35 /etc/ssh/ssh_host_dsa_key -rw-r--r-- 1 root root 605 Dec 21 20:35 /etc/ssh/ssh_host_dsa_key.pub -rw------- 1 root root 505 Dec 21 20:35 /etc/ssh/ssh_host_ecdsa_key -rw-r--r-- 1 root root 177 Dec 21 20:35 /etc/ssh/ssh_host_ecdsa_key.pub -rw------- 1 root root 411 Dec 21 20:35 /etc/ssh/ssh_host_ed25519_key -rw-r--r-- 1 root root 97 Dec 21 20:35 /etc/ssh/ssh_host_ed25519_key.pub -rw------- 1 root root 1823 Dec 21 20:35 /etc/ssh/ssh_host_rsa_key -rw-r--r-- 1 root root 397 Dec 21 20:35 /etc/ssh/ssh_host_rsa_key.pub You can view the fingerprints of the keys by passing ssh-keygen the -l switch. You must also provide the -f to specify the key file path: halof:~ # ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key 256 SHA256:8cnPrinC49ZHc+/9Ai5pV+1JfZ4WBRZhd3rDOsc2zlA root@halof (ED25519) halof:~ # ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub 256 SHA256:8cnPrinC49ZHc+/9Ai5pV+1JfZ4WBRZhd3rDOsc2zlA root@halof (ED25519) To view the key fingerprint as well as its random art, just add the -v switch like so: halof:~ # ssh-keygen -lv -f /etc/ssh/ssh_host_ed25519_key.pub 256 SHA256:8cnPrinC49ZHc+/9Ai5pV+1JfZ4WBRZhd3rDOsc2zlA root@halof (ED25519) +--[ED25519 256]--+ | +oo| |.+o.| |...E.| | +. +.o| Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 541 LPIC-1 (102) (Version 5.0) | Topic 110: Security | S + + *o| | ooo Oo=| |... =o+.==| | = o =oo o=o| | o.o +o+..o.+| +----[SHA256]-----+ SSH Port Tunnels OpenSSH features a very powerful forwarding facility whereby traffic on a source port is tunnelled — and encrypted — through an SSH process which then redirects it to a port on a destination host. This mechanism is known as port tunnelling or port forwarding and has important advantages like the following: It allows you to bypass firewalls to access ports on remote hosts. It allows access from the outside to a host on your private network. It provides encryption for all data exchange. Roughly speaking, we can differentiate between local and remote port tunnelling. Local Port Tunnel You define a port locally to forward traffic to the destination host through the SSH process which sits in between. The SSH process can run on the local host or on a remote server. For instance, if for some reason you wanted to tunnel a connection to www.gnu.org through SSH using port 8585 on your local machine, you would do something like this: carol@debian:~$ ssh -L 8585:www.gnu.org:80 debian carol@debian's password: Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 The programs included with the Debian GNU/Linux system are free software; (...) Last login: Sun Jun 28 13:47:27 2020 from 127.0.0.1 The explanation is as follows: with the -L switch, we specify the local port 8585 to connect to http port 80 on www.gnu.org using the SSH process running on debian — our localhost. We could have written ssh -L 8585:www.gnu.org:80 localhost with the same effect. If you now use a web browser to go to http://localhost:8585, you will be forwarded to www.gnu.org. For demonstration purposes, we will use lynx (the classic, text-mode web browser): 542 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption carol@debian:~$ lynx http://localhost:8585 (...) * Back to Savannah Homepage * Not Logged in * Login * New User * This Page * Language * Clean Reload * Printer Version * Search * _ (...) If you wanted to do the exact same thing but connecting through an SSH process running on halof, you would have proceeded like so: carol@debian:~$ ssh -L 8585:www.gnu.org:80 -Nf [email protected] Enter passphrase for key '/home/carol/.ssh/id_ecdsa': carol@debian:~$ carol@debian:~$ lynx http://localhost:8585 (...) * Back to Savannah Homepage * Not Logged in * Login * New User * This Page * Language * Clean Reload * Printer Version * Search * _ (...) It is important that you note three details in the command: Thanks to the -N option we did not login to halof but did the port forwarding instead. The -f option told SSH to run in the background. We specified user ina to do the forwarding: [email protected] Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 543 LPIC-1 (102) (Version 5.0) | Topic 110: Security Remote Port Tunnel In remote port tunnelling (or reverse port forwarding) the traffic coming on a port on the remote server is forwarded to the SSH process running on your local host, and from there to the specified port on the destination server (which may also be your local machine). For example, say you wanted to let someone from outside your network access the Apache web server running on your local host through port 8585 of the SSH server running on halof (192.168.1.77). You would proceed with the following command: carol@debian:~$ ssh -R 8585:localhost:80 -Nf [email protected] Enter passphrase for key '/home/carol/.ssh/id_ecdsa': carol@debian:~$ Now anyone who establishes a connection to halof on port 8585 will see Debian's Apache2 default homepage: carol@debian:~$ lynx 192.168.1.77:8585 (...) Apache2 Debian Default Page: It works (p1 of 3) Debian Logo Apache2 Debian Default Page It works! This is the default welcome page used to test the correct operation of the Apache2 server after installation on Debian systems. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.html) before continuing to operate your HTTP server. (...) There is a third, more complex type of port forwarding which is outside the scope NOTE of this lesson: dynamic port forwarding. Instead of interacting with a single port, this type of forwarding uses various TCP communications across a range of ports. X11 Tunnels Now that you understand port tunnels, let us round this lesson off by discussing X11 tunnelling (also known as X11forwarding). Through an X11 tunnel, the X Window System on the remote host is forwarded to your local machine. For that, you just need to pass ssh the -X option: 544 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption carol@debian:~$ ssh -X ina@halof... You can now launch a graphical application such as the firefox web browser with the following result: the app will be run on the remote server, but its display will be forwarded to your local host. If you start a new SSH session with the -x option instead, X11forwarding will be disabled. Try to start firefox now and you will get an error such as the following: carol@debian:~$ ssh -x ina@halof [email protected]'s password: (...) ina@halof:~$ firefox (firefox-esr:1779): Gtk-WARNING **: 18:45:45.603: Locale not supported by C library. Using the fallback 'C' locale. Error: no DISPLAY environment variable specified The three configuration directives related to local port forwarding, remote port forwarding and X11 forwarding are AllowTcpForwarding,GatewayPorts and NOTE X11Forwarding, respectively. For more information, type man ssh_config and/or man sshd_config. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 545 LPIC-1 (102) (Version 5.0) | Topic 110: Security Guided Exercises 1. Logged in as user sonya on your client machine, carry out the following SSH tasks on the remote server halof: ◦ Execute the command to list the contents of ~/.ssh as user serena on the remote host; then return to your local terminal. ◦ Login as user serena on the remote host. ◦ Login as user sonya on the remote host. ◦ Delete all keys belonging to halof from your local ~/.ssh/known_hosts file. ◦ On your client machine, create an ecdsa key pair of 256 bits. ◦ On your client machine, create an ed25519 key pair of 256 bits. 2. Put the following steps in the right order to establish an SSH connection using the SSH authentication agent: ◦ On the client, start a new Bash shell for the authentication agent with ssh-agent /bin/bash. ◦ On the client, create a key pair using ssh-keygen. ◦ On the client, add your private key to a secure area of memory with ssh-add. ◦ Add your client’s public key to the ~/.ssh/authorized_keys file of the user you want to login as on the remote host. ◦ If it does not already exist, create ~/.ssh for the user you want to login as on the server. ◦ Connect to the remote server. The correct order is: Step 1: 546 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Step 2: Step 3: Step 4: Step 5: Step 6: 3. Regarding port forwarding, what option and directive is used for the following tunnel types: Tunnel Type Option Directive Local Remote or Reverse X 4. Suppose you type the command ssh -L 8888:localhost:80 -Nf ina@halof into the terminal of your client machine. Still on the client machine, you point a browser to http://localhost:8888. What will you get? Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 547 LPIC-1 (102) (Version 5.0) | Topic 110: Security Explorational Exercises 1. Concerning SSH security directives: ◦ What directive is used in /etc/ssh/sshd_config to enable root logins: ◦ What directive would you use in /etc/ssh/sshd_config to specify only a local account to accept SSH connections: 2. When using the same user on both the client and the server, what ssh command can you use to transfer the client’s public key over to the server so that you can login through public key authentication? 3. Create two local port tunnels in a single command forwarding local unprivileged ports 8080 and 8585 through remote server halof to the websites www.gnu.org and www.melpa.org, respectively. Use user ina on the remote server and do not forget to use the -Nf switches: 548 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Summary In this lesson we have discussed OpenSSH 2, which uses the Secure Shell protocol to encrypt communications between server and client. You learned: how to login to a remote server. how to execute commands remotely. how to create key pairs. how to establish key-based logins. how to use the authentication agent for both extra security and convenience. the public-key algorithms supported by OpenSSH: RSA, DSA, ecdsa, ed25519. the role of OpenSSH host keys. how to create port tunnels: local, remote and X. The following commands were discussed in this lesson: ssh Log into or excute commands on a remote machine. ssh-keygen Generate, manage and convert authentication keys. ssh-agent OpenSSH authentication agent. ssh-add Adds private key identities to the authentication agent. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 549 LPIC-1 (102) (Version 5.0) | Topic 110: Security Answers to Guided Exercises 1. Logged in as user sonya on your client machine, carry out the following SSH tasks on the remote server halof: ◦ Execute the command to list the contents of ~/.ssh as user serena on the remote host; then return to your local terminal. ssh serena@halof ls.ssh ◦ Login as user serena on the remote host. ssh serena@halof ◦ Login as user sonya on the remote host. ssh halof ◦ Delete all keys belonging to halof from your local ~/.ssh/known_hosts file. ssh-keygen -R halof ◦ On your client machine, create an ecdsa key pair of 256 bits. ssh-keygen -t ecdsa -b 256 ◦ On your client machine, create an ed25519 key pair of 256 bits. ssh-keygen -t ed25519 2. Put the following steps in the right order to establish an SSH connection using the SSH authentication agent: ◦ On the client, start a new Bash shell for the authentication agent with ssh-agent /bin/bash. ◦ On the client, create a key pair using ssh-keygen. ◦ On the client, add your private key to a secure area of memory with ssh-add. 550 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption ◦ Add your client’s public key to the ~/.ssh/authorized_keys file of the user you want to login as on the remote host. ◦ If it does not already exist, create ~/.ssh for the user you want to login as on the server. ◦ Connect to the remote server. The correct order is: Step 1: On the client, create a key pair using ssh- keygen. Step 2: If it does not already exist, create ~/.ssh for the user you want to login as on the server. Step 3: Add your client’s public key to the ~/.ssh/authorized_keys file of the user you want to login as on the remote host. Step 4: On the client, start a new Bash shell for the authentication agent with ssh-agent /bin/bash. Step 5: On the client, add your private key to a secure area of memory with ssh-add. Step 6: Connect to the remote server. 3. Regarding port forwarding, what option and directive is used for the following tunnel types: Tunnel Type Option Directive Local -L AllowTcpForwarding Remote or Reverse -R GatewayPorts X -X X11Forwarding 4. Suppose you type the command ssh -L 8888:localhost:80 -Nf ina@halof into the terminal of your client machine. Still on the client machine, you point a browser to http://localhost:8888. What will you get? The webserver’s homepage of halof, as localhost is understood from the server’s perspective. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 551 LPIC-1 (102) (Version 5.0) | Topic 110: Security Answers to Explorational Exercises 1. Concerning SSH security directives: ◦ What directive is used in /etc/ssh/sshd_config to enable root logins: PermitRootLogin ◦ What directive would you use in /etc/ssh/sshd_config to specify only a local account to accept SSH connections: AllowUsers 2. When using the same user on both the client and the server, what ssh command can you use to transfer the client’s public key over to the server so that you can login through public key authentication? ssh-copy-id 3. Create two local port tunnels in a single command forwarding local unprivileged ports 8080 and 8585 through remote server halof to the websites www.gnu.org and www.melpa.org, respectively. Use user ina on the remote server and do not forget to use the -Nf switches: ssh -L 8080:www.gnu.org:80 -L 8585:www.melpa.org:80 -Nf ina@halof 552 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption 110.3 Lesson 2 Certificate: LPIC-1 Version: 5.0 Topic: 110 Security Objective: 110.3 Securing data with encryption Lesson: 2 of 2 Introduction In the previous lesson we learned how to use OpenSSH to encrypt remote login sessions as well as any other subsequent exchange of information. There may be other scenarios where you may want to encrypt files or email so that they reach their recipient safely and free from prying eyes. You may also need to digitally sign those files or messages to prevent them from being tampered with. A great tool for these types of uses is the GNU Privacy Guard (aka GnuPG or simply GPG), which is a free and open source implementation of the proprietary Pretty Good Privacy (PGP). GPG uses the OpenPGP standard as defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) in RFC 4880. In this lesson we will be reviewing the basics of the GNU Privacy Guard. Perform Basic GnuPG Configuration, Usage and Revocation Just as with SSH, the underlying mechanism to GPG is that of asymmetric cryptography or public- key cryptography. A user generates a key pair which is made up of a private key and a public key. The keys are mathematically related in such a way that what is encrypted by one can only be decrypted by the other. For communication to take place successfully, the user has to send their Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 553 LPIC-1 (102) (Version 5.0) | Topic 110: Security public key to the intended recipient. GnuPG Configuration and Usage The command to work with GPG is gpg. You can pass it a number of options to carry out different tasks. Let us start by generating a key pair as user carol. For that, you will use the gpg --gen -key command: carol@debian:~$ gpg --gen-key gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: directory '/home/carol/.gnupg' created gpg: keybox '/home/carol/.gnupg/pubring.kbx' created Note: Use "gpg --full-generate-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: (...) After informing you — amongst other things — that the configuration directory ~/.gnupg and your public keyring ~/.gnugpg/pubring.kbx have been created, gpg goes on to ask you to provide your real name and email address: (...) Real name: carol Email address: carol@debian You selected this USER-ID: "carol " Change (N)ame, (E)mail, or (O)kay/(Q)uit? If you are OK with the resulting USER-ID and press O, you will be then asked for a passphrase (it is recommended that it has enough complexity): ┌──────────────────────────────────────────────────────┐ │ Please enter the passphrase to │ │ protect your new key │ 554 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption │ │ │ Passphrase: │ (...) Some final messages will be displayed telling you about the creation of other files as well as the keys themselves and then you are done with the key generation process: (...) We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /home/carol/.gnupg/trustdb.gpg: trustdb created gpg: key 19BBEFD16813034E marked as ultimately trusted gpg: directory '/home/carol/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/carol/.gnupg/openpgp- revocs.d/D18FA0021F644CDAF57FD0F919BBEFD16813034E.rev' public and secret key created and signed. pub rsa3072 2020-07-03 [SC] [expires: 2022-07-03] D18FA0021F644CDAF57FD0F919BBEFD16813034E uid carol sub rsa3072 2020-07-03 [E] [expires: 2022-07-03] You can now see what is inside the ~/.gnupg directory (GPG’s configuration directory): carol@debian:~/.gnupg$ ls -l total 16 drwx------ 2 carol carol 4096 Jul 3 23:34 openpgp-revocs.d drwx------ 2 carol carol 4096 Jul 3 23:34 private-keys-v1.d -rw-r--r-- 1 carol carol 1962 Jul 3 23:34 pubring.kbx -rw------- 1 carol carol 1240 Jul 3 23:34 trustdb.gpg Let us explain the use of each file: opengp-revocs.d The revocation certificate that was created along with the key pair is kept here. The permissions on this directory are quite restrictive as anyone who has access to the certificate could revoke the key (more on key revocation in the next subsection). Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 555 LPIC-1 (102) (Version 5.0) | Topic 110: Security private-keys-v1.d This is the directory that keeps your private keys, therefore permissions are restrictive. pubring.kbx This is your public keyring. It stores your own as well as any other imported public keys. trustdb.gpg The trust database. This has to do with the concept of Web of Trust (which is outside the scope of this lesson). The arrival of GnuPG 2.1 brought along some significant changes, such as the NOTE disappearance of the secring.gpg and pubring.gpg files in favour of private- keys-v1.d and pubring.kbx, respectively. Once your key pair has been created, you can view your public keys with gpg --list- keys — which will display the contents of your public keyring: carol@debian:~/.gnupg$ gpg --list-keys /home/carol/.gnupg/pubring.kbx ------------------------------ pub rsa3072 2020-07-03 [SC] [expires: 2022-07-03] D18FA0021F644CDAF57FD0F919BBEFD16813034E uid [ultimate] carol sub rsa3072 2020-07-03 [E] [expires: 2022-07-03] The hexadecimal string D18FA0021F644CDAF57FD0F919BBEFD16813034E is your public key fingerprint. Apart from the USER-ID (carol in the example), there is also the KEY-ID. The KEY- ID consists of the last 8 hexadecimal digits in your public key fingerprint (6813 NOTE 034E). You can check your key fingerprint with the command gpg --fingerprint USER-ID. Key Distribution and Revocation Now that you have your public key, you should save it (i.e. export it) to a file so that you can make it available to your future recipients. They will then be able to use it to encrypt files or messages intended for you (since you are the only one in posssession of the private key, you will also be the only one able to decrypt and read them). Likewise, your recipients will also use it to decrypt and verify your encrypted or signed messages/files. The command to use is gpg --export followed by the USER-ID and a redirection to the output file name of your choice: 556 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption carol@debian:~/.gnupg$ gpg --export carol > carol.pub.key carol@debian:~/.gnupg$ ls carol.pub.key openpgp-revocs.d private-keys-v1.d pubring.kbx trustdb.gpg Passing the -a or --armor option to gpg --export(e.g.: gpg --export --armor NOTE carol > carol.pub.key) will create ASCII armored output (instead of the default binary OpenPGP format) which can be safely emailed. As already noted, you must now send your public key file (carol.pub.key) to the recipient with whom you want to exchange information. For instance, let us send the public key file to ina on remote server halof using scp(secure copy): carol@debian:~/.gnupg$ scp carol.pub.key ina@halof:/home/ina/ Enter passphrase for key '/home/carol/.ssh/id_ecdsa': carol.pub.key 100% 1740 775.8KB/s 00:00 carol@debian:~/.gnupg$ ina is now in the possession of carol.pub.key. She will use it to encrypt a file and send it to carol in the next section. Another means of public key distribution is through the use of key servers: you upload your public key to the server with the command gpg --keyserver NOTE keyserver-name --send-keys KEY-ID and other users will get (i.e. import) them with gpg --keyserver keyserver-name --recv-keys KEY-ID. Let us close this section by discussing key revocation. Key revocation should be used when your private keys have been compromised or retired. The first step is to create a revocation certificate by passing gpg the option --gen-revoke followed by the USER-ID. You can precede --gen -revoke with the --output option followed by a destination file name specification to save the resulting certificate into a file (instead of having it printed on the terminal screen). The output messages throughout the revocation process are quite self-explanatory: sonya@debian:~/.gnupg$ gpg --output revocation_file.asc --gen-revoke sonya sec rsa3072/0989EB7E7F9F2066 2020-07-03 sonya Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 557 LPIC-1 (102) (Version 5.0) | Topic 110: Security 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > My laptop was stolen. > Reason for revocation: Key has been compromised My laptop was stolen. Is this okay? (y/N) y ASCII armored output forced. Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others! The revocation certificate has been saved to the file revocation_file.asc (asc for ASCII format): sonya@debian:~/.gnupg$ ls openpgp-revocs.d private-keys-v1.d pubring.kbx revocation_file.asc trustdb.gpg sonya@debian:~/.gnupg$ cat revocation_file.asc -----BEGIN PGP PUBLIC KEY BLOCK----- Comment: This is a revocation certificate iQHDBCABCgAtFiEEiIVjfDnnpieFi0wvnlcN6yLCeHEFAl8ASx4PHQJzdG9sZW4g bGFwdG9wAAoJEJ5XDesiwnhxT9YMAKkjQiMpo9Uyiy9hyvukPPSrLcmtAGLk4pKS pLZfzA5kxa+HPQwBglAEvfNRR6VMxqXUgUGYC/IAyQQM62oNAcY2PCPrxyJNgVF7 8l4mMZKvW++5ikjZwyg6WWV0+w6oroeo9qruJFjcu752p4T+9gsHVa2r+KRqcPQe aZ65sAvsBJlcsUDZqfWUXg2kQp9mNPCdQuqvDaKRgNCHA1zbzNFzXWVd2X5RgFo5 nY+tUP8ZQA9DTQPBLPcggICmfLopMPZYB2bft5geb2mMi2oNpf9CNPdQkdccimNV aRjqdUP9C89PwTafBQkQiONlsR/dWTFcqprG5KOWQPA7xjeMV8wretdEgsyTxqHp v1iRzwjshiJCKBXXvz7wSmQrJ4OfiMDHeS4ipR0AYdO8QCzmOzmcFQKikGSHGMy1 z/YRlttd6NZIKjf1TD0nTrFnRvPdsZOlKYSArbfqNrHRBQkgirOD4JPI1tYKTffq iOeZFx25K+fj2+0AJjvrbe4HDo5m+Q== =umI8 -----END PGP PUBLIC KEY BLOCK----- 558 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption To effectively revoke your private key, you now need to merge the certificate with the key, which is done by importing the revocation certificate file to your keyring: sonya@debian:~/.gnupg$ gpg --import revocation_file.asc gpg: key 9E570DEB22C27871: "sonya " revocation certificate imported gpg: Total number processed: 1 gpg: new key revocations: 1 gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2022-07-04 List your keys now and you will be informed about your revoked key: sonya@debian:~/.gnupg$ gpg --list-keys /home/sonya/.gnupg/pubring.kbx pub rsa3072 2020-07-04 [SC] [revoked: 2020-07-04] 8885637C39E7A627858B4C2F9E570DEB22C27871 uid [ revoked] sonya Last — but not least — make sure you make the revoked key available to any party that has public keys associated with it (including keyservers). Use GPG to Encrypt, Decrypt, Sign and Verify Files In the previous section, carol sent her public key to ina. We will use it now to discuss how GPG can encrypt, decrypt, sign and verify files. Encrypting and Decrypting Files First, ina must import carol's public key (carol.pub.key) into her keyring so that she can start working with it: ina@halof:~> gpg --import carol.pub.key gpg: /home/ina/.gnupg/trustdb.gpg: trustdb created gpg: key 19BBEFD16813034E: public key "carol " imported gpg: Total number processed: 1 gpg: imported: 1 ina@halof:~> gpg --list-keys /home/ina/.gnupg/pubring.kbx ---------------------------- pub rsa3072 2020-07-03 [SC] [expires: 2022-07-03] Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 559 LPIC-1 (102) (Version 5.0) | Topic 110: Security D18FA0021F644CDAF57FD0F919BBEFD16813034E uid [ unknown] carol sub rsa3072 2020-07-03 [E] [expires: 2022-07-03] Next you will create a file by writing some text into it and then encrypt it using gpg (because you did not sign carol's key, you will be explicitly asked if you want to use that key): ina@halof:~> echo "This is the message..." > unencrypted-message ina@halof:~> gpg --output encrypted-message --recipient carol --armor --encrypt unencrypted- message gpg: 0227347CC92A5CB1: There is no assurance this key belongs to the named user sub rsa3072/0227347CC92A5CB1 2020-07-03 carol Primary key fingerprint: D18F A002 1F64 4CDA F57F D0F9 19BB EFD1 6813 034E Subkey fingerprint: 9D89 1BF9 39A4 C130 E44B 1135 0227 347C C92A 5CB1 It is NOT certain that the key belongs to the person named in the user ID. If you really know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y Let us break down the gpg command: --output encrypted-message Filename specification for the encrypted version of the original file (encrypted-message in the example). --recipient carol Recipient’s USER-ID specification (carol in our example). If not provided, GnuPG will ask for it (unless --default-recipient is specified). --armor This option produces ASCII armored output, which can be copied into an email. --encrypt unencrypted-message Filename specification of the original file to encrypt. You can now send the encrypted-message to carol on debian using scp: ina@halof:~> scp encrypted-message carol@debian:/home/carol/ carol@debian's password: 560 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption encrypted-message 100% 736 1.8MB/s 00:00 If you log in as carol now and try to read the encrypted-message, you will confirm that it is actually encrypted and — therefore — unreadable: carol@debian:~$ cat encrypted-message -----BEGIN PGP MESSAGE----- hQGMAwInNHzJKlyxAQv/brJ8Ubs/xya35sbv6kdRKm1C7ONLxL3OueWA4mCs0Y/P GBna6ZEUCrMEgl/rCyByj3Yq74kuiTmzxAIRUDdvHfj0TtrOWjVAqIn/fPSfMkjk dTxKo1i55tLJ+sj17dGMZDcNBinBTP4U1atuN71A5w7vH+XpcesRcFQLKiSOmYTt F7SN3/5x5J6io4ISn+b0KbJgiJNNx+Ne/ub4Uzk4NlK7tmBklyC1VRualtxcG7R9 1klBPYSld6fTdDwT1Y4MofpyILAiGMZvUR1RXauEKf7OIzwC5gWU+UQPSgeCdKQu X7QL0ZIBS0Ug2XKrO1k93lmDjf8PWsRIml6n/hNelaOBA3HMP0b6Ozv1gFeEsFvC IxhUYPb+rfuNFTMEB7xIO94AAmWB9N4qknMxdDqNE8WhA728Plw6y8L2ngsplY15 MR4lIFDpljA/CcVh4BXVe9j0TdFWDUkrFMfaIfcPQwKLXEYJp19XYIaaEazkOs5D W4pENN0YOcX0KWyAYX6r0l8BF0rq/HMenQwqAVXMG3s8ATuUOeqjBbR1x1qCvRQP CR/3V73aQwc2j5ioQmhWYpqxiro0yKX2Ar/E6rZyJtJYrq+CUk8O3JoBaudknNFj pwuRwF1amwnSZ/MZ/9kMKQ== =g1jw -----END PGP MESSAGE----- However, as you are in possession of the private key, you can easily decrypt the message by passing gpg the --decrypt option followed by the path to the encrypted file (the private key’s passphrase will be required): carol@debian:~$ gpg --decrypt encrypted-message gpg: encrypted with 3072-bit RSA key, ID 0227347CC92A5CB1, created 2020-07-03 "carol " This is the message... You can also specify the --output option to save the message into a new unencrypted file: carol@debian:~$ gpg --output unencrypted-message --decrypt encrypted-message gpg: encrypted with 3072-bit RSA key, ID 0227347CC92A5CB1, created 2020-07-03 "carol " carol@debian:~$ cat unencrypted-message This is the message... Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 561 LPIC-1 (102) (Version 5.0) | Topic 110: Security Signing and Verifying Files Apart from encrypting, GPG can also be used to sign files. The --sign option is relevant here. Let us start by creating a new message (message) and signing it with the --sign option (your private key’s passphrase will be required): carol@debian:~$ echo "This is the message to sign..." > message carol@debian:~$ gpg --output message.sig --sign message (...) Breakdown of the gpg command: --output message Filename specification of the signed version of the original file (message.sig in our example). --sign message Path to original file. Using --sign the document is compressed and then signed. The output is in binary NOTE format. Next we will transfer the file to ina on halof using scp message.sig ina@halof:/home/ina. Back as ina on halof, you can now verify it by using the --verify option: ina@halof:~> gpg --verify message.sig gpg: Signature made Sat 04 jul 2020 14:34:41 CEST gpg: using RSA key D18FA0021F644CDAF57FD0F919BBEFD16813034E gpg: Good signature from "carol " [unknown] (...) If you also want to read the file, you have to decrypt it to a new file (message in our case) using the --output option: ina@halof:~> gpg --output message --decrypt message.sig gpg: Signature made Sat 04 jul 2020 14:34:41 CEST gpg: using RSA key D18FA0021F644CDAF57FD0F919BBEFD16813034E gpg: Good signature from "carol " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D18F A002 1F64 4CDA F57F D0F9 19BB EFD1 6813 034E ina@halof:~> cat message 562 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption This is the message to sign... GPG-Agent We will round this lesson off by briefly touching upon gpg-agent. gpg-agent is the daemon that manages private keys for GPG (it is started on demand by gpg). To view a summary of the most useful options, run gpg-agent --help or gpg-agent -h: carol@debian:~$ gpg-agent --help gpg-agent (GnuPG) 2.2.4 libgcrypt 1.8.1 Copyright (C) 2017 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Syntax: gpg-agent [options] [command [args]] Secret key management for GnuPG Options: --daemon run in daemon mode (background) --server run in server mode (foreground) --supervised run in supervised mode -v, --verbose verbose -q, --quiet be somewhat more quiet -s, --sh sh-style command output -c, --csh csh-style command output (...) NOTE For more information, consult the gpg-agent man page. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 563 LPIC-1 (102) (Version 5.0) | Topic 110: Security Guided Exercises 1. Complete the table by providing the correct filename: Description Filename Trust database Directory for revocation certificates Directory for private keys Public keyring 2. Answer the following questions: ◦ What type of cryptography is used by GnuPG? ◦ What are the two main components of public key cryptography? ◦ What is the KEY-ID of the public key fingerprint 07A6 5898 2D3A F3DD 43E3 DA95 1F3F 3147 FA7F 54C7? ◦ What method is used to distribute public keys at a global level? 3. Put the following steps in the right order concerning private key revocation: ◦ Make the revoked key available to your correspondents. ◦ Create a revocation certificate. ◦ Import the revocation certificate to your keyring. The correct order is: Step 1: Step 2: Step 3: 4. Regarding file encryption, what does the --armor option imply in the command gpg --output encrypted-message --recipient carol --armor --encrypt unencrypted- 564 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption message? Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 565 LPIC-1 (102) (Version 5.0) | Topic 110: Security Explorational Exercises 1. Most gpg options have both a long and a short version. Complete the table with the corresponding short version: Long version Short version --armor --output --recipient --decrypt --encrypt --sign 2. Answer the following questions concerning key export: ◦ What command would you use to export all of your public keys to a file called all.key? ◦ What command would you use to export all of your private keys to a file called all_private.key? 3. What gpg option allows for carrying out most key management related tasks by presenting you with a menu? 4. What gpg option allows you to make a cleartext signature? 566 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Summary This lesson has covered the GNU Privacy Guard, an excellent choice to encrypt/decrypt and digitally sign/verify files. You learned: how to generate a pair of keys. how to list the keys in your keyring. the contents of the ~/.gnupg directory. what USER-ID and KEY-ID are. how to distribute public keys to your correspondents. how to globally distribute public keys through keyservers. how to revoke private keys. how to encrypt and decrypt files. how to sign and verify files. the basics of the GPG-Agent. The following commands were discussed in this lesson: gpg OpenPGP encryption and signing tool. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 567 LPIC-1 (102) (Version 5.0) | Topic 110: Security Answers to Guided Exercises 1. Complete the table by providing the correct file name: Description Filename Trust database trustdb.gpg Directory for revocation certificates opengp-revocs.d Directory for private keys private-keys-v1.d Public keyring pubring.kbx 2. Answer the following questions: ◦ What type of cryptography is used by GnuPG? Public key cryptography or asymmetric cryptography. ◦ What are the two main components of public key cryptography? The public and the private keys. ◦ What is the KEY-ID of the public key fingerprint 07A6 5898 2D3A F3DD 43E3 DA95 1F3F 3147 FA7F 54C7? FA7F 54C7 ◦ What method is used to distribute public keys at a global level? Key servers. 3. Put the following steps in the right order concerning private key revocation: ◦ Make the revoked key available to your correspondents ◦ Create a revocation certificate ◦ Import the revocation certificate to your keyring The correct order is: Step 1: Create a revocation certificate Step 2: Import the revocation certificate to your keyring 568 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | 110.3 Securing data with encryption Step 3: Make the revoked key available to your correspondents 4. Regarding file encryption, what does the --armor option imply in the command gpg --output encrypted-message --recipient carol --armor --encrypt unencrypted- message? It produces ASCII armored output, which allows you to copy the resulting existing encrypted file into an email. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 569 LPIC-1 (102) (Version 5.0) | Topic 110: Security Answers to Explorational Exercises 1. Most gpg options have both a long and a short version. Complete the table with the corresponding short version: Long version Short version --armor -a --output -o --recipient -r --decrypt -d --encrypt -e --sign -s 2. Answer the following questions concerning key export: ◦ What command would you use to export all of your public keys to a file called all.key? gpg --export --output all.key or gpg --export -o all.key ◦ What command would you use to export all of your private keys to a file called all_private.key? gpg --export-secret-keys --output all_private.key or gpg --export-secret -keys -o all_private.key (--export-secret-keys can be replaced by --export -secret-subkeys with a slightly different outcome — check man pgp for more information). 3. What gpg option allows for carrying out most key management related tasks by presenting you with a menu? --edit-key 4. What gpg option allows you to make a cleartext signature? --clearsign 570 | learning.lpi.org | Licensed under CC BY-NC-ND 4.0. | Version: 2023-07-13 LPIC-1 (102) (Version 5.0) | Imprint Imprint © 2023 by Linux Professional Institute: Learning Materials, “LPIC-1 (102) (Version 5.0)”. PDF generated: 2023-07-13 This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0). To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/4.0/ While Linux Professional Institute has used good faith efforts to ensure that the information and instructions contained in this work are accurate, Linux Professional Institute disclaims all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights. The LPI Learning Materials are an initiative of Linux Professional Institute (https://lpi.org). Learning Materials and their translations can be found at https://learning.lpi.org. For questions and comments on this edition as well as on the entire project write an email to: [email protected]. Version: 2023-07-13 | Licensed under CC BY-NC-ND 4.0. | learning.lpi.org | 571

Use Quizgecko on...
Browser
Open
Browser
Browser