110.3 Securing data with encryption

Weight: 3

Description: The candidate should be able to use public key techniques to secure data and communication.

Key Knowledge Areas:

  • Perform basic OpenSSH 2 client configuration and usage
  • Understand the role of OpenSSH 2 server host keys
  • Perform basic GnuPG configuration, usage and revocation
  • Understand SSH port tunnels (including X11 tunnels)

Terms and Utilities:

ssh
ssh-keygen
ssh-agent
ssh-add
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/id_dsa and id_dsa.pub
/etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub
~/.ssh/authorized_keys
ssh_known_hosts
gpg
~/.gnupg/

ssh config

oldhorse@dclab:~$ cat /etc/ssh/sshd_config|grep -i protocol 
Protocol 2

oldhorse@dclab:~$ cat /etc/ssh/sshd_config|grep -i permit
PermitRootLogin without-password
PermitEmptyPasswords no

oldhorse@dclab:~$ cat /etc/ssh/sshd_config|grep -i x11
X11Forwarding yes
X11DisplayOffset 10

PermitRootLogin without-password // root may log in with public key authentication but never with a password (newer OpenSSH releases spell this value prohibit-password and keep without-password as an alias)

[oldhorse@dclab-centos7 ~]$ ssh root@192.168.126.51
The authenticity of host '192.168.126.51 (192.168.126.51)' can't be established.
ECDSA key fingerprint is f4:90:3c:0c:95:09:1c:50:8c:b5:1e:55:9c:2f:a3:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.126.51' (ECDSA) to the list of known hosts.
root@192.168.126.51's password: 
Permission denied, please try again.
root@192.168.126.51's password:

ssh host keys

# ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
# ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
# ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''

scp

scp test.txt oldhorse@192.168.126.51:  // nothing after the colon: the file lands in the remote user's home directory
[oldhorse@dclab-centos7 ~]$ scp test.txt oldhorse@192.168.126.51:ubuntu_test.txt   // a path after the colon names (renames) the destination

oldhorse@dclab:~$ cat ubuntu_test.txt 
test from centos7

ssh passwordless

1. log in to the ssh client host
2. generate a version 2 SSH key pair:
$ ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''

[oldhorse@dclab-centos7 ~]$ ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''
[oldhorse@dclab-centos7 ~]$ ll .ssh
total 12
-rw-------. 1 oldhorse oldhorse 1679 Mar 14 14:57 id_rsa
-rw-r--r--. 1 oldhorse oldhorse  382 Mar 14 14:57 id_rsa.pub

3. copy the public key to the remote ssh server
[oldhorse@dclab-centos7 ~]$ scp ~/.ssh/id_rsa.pub oldhorse@192.168.126.51:~/.ssh/temp.rsa
oldhorse@192.168.126.51's password: 
id_rsa.pub 

4. on the ssh server, create ~/.ssh/authorized_keys from temp.rsa

oldhorse@dclab:~/.ssh$ ls
known_hosts  temp.rsa
oldhorse@dclab:~/.ssh$ cat temp.rsa 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMjE2TpM0AXfzaNdl5JLTU/G0fIjMf42+LYkk4bP0GZaPJQNVkd2U9fxLDoJDuHJnN3PvJEwYTIVZUZIE7lOZIMs4QmPEBpiLLY7CFsZE/FqFY8De86KBqUAgp9+7qjh1/FdCghiQKiamfpaMRLJ2RKDSKbsAvx+I3IaAdS0EvYcgMp2aBRwX+c3P3m2xeFf3HDh3bmOKaZcUjkio/DBok8Egl66kydu6b421/IYOSp0MNmZGkGcpw1kaqGCwBlnMGZKLQO0FWp4sCd1AmZKL/9JJVjD0BC0UHLYA2Auf4TwpP1GN48qF+M7y9547X1PImnrylJ6AIefSqtaGSqTm/ 
oldhorse@dclab:~/.ssh$ cat temp.rsa > authorized_keys
oldhorse@dclab:~/.ssh$ ls -ltr
total 12
-rw-r--r-- 1 oldhorse oldhorse 444 Mar 14 13:31 known_hosts
-rw-r--r-- 1 oldhorse oldhorse 382 Mar 14 14:59 temp.rsa
-rw-rw-r-- 1 oldhorse oldhorse 382 Mar 14 15:00 authorized_keys
oldhorse@dclab:~/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMjE2TpM0AXfzaNdl5JLTU/G0fIjMf42+LYkk4bP0GZaPJQNVkd2U9fxLDoJDuHJnN3PvJEwYTIVZUZIE7lOZIMs4QmPEBpiLLY7CFsZE/FqFY8De86KBqUAgp9+7qjh1/FdCghiQKiamfpaMRLJ2RKDSKbsAvx+I3IaAdS0EvYcgMp2aBRwX+c3P3m2xeFf3HDh3bmOKaZcUjkio/DBok8Egl66kydu6b421/IYOSp0MNmZGkGcpw1kaqGCwBlnMGZKLQO0FWp4sCd1AmZKL/9JJVjD0BC0UHLYA2Auf4TwpP1GN48qF+M7y9547X1PImnrylJ6AIefSqtaGSqTm/

-rw-rw-r-- 1 oldhorse oldhorse 382 Mar 14 15:00 authorized_keys
oldhorse@dclab:~/.ssh$ chmod 0600 authorized_keys
-rw-------  1 oldhorse oldhorse  382 Mar 14 15:00 authorized_keys

5. ssh from client to server without a password
[oldhorse@dclab-centos7 ~]$ ssh oldhorse@192.168.126.51
Last login: Mon Mar 14 13:37:49 2016 from 192.168.100.129
oldhorse@dclab:~$ 
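The four steps above, scripted the way it is usually done on a server that may already have keys: append to authorized_keys instead of replacing it (both the "cat temp.rsa > authorized_keys" here and the later "scp id_rsa.pub ...:.ssh/authorized_keys" in the ssh-agent section overwrite whatever was there), skip a key that is already present, and set the modes sshd's StrictModes check requires. This is an added example, not part of the original notes; it assumes POSIX sh and takes the .ssh directory as a parameter so it can be run against a scratch directory with a constructed key.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into
# authorized_keys safely. Assumes POSIX sh plus awk and stat.

install_pubkey() {
    pubkey_file=$1      # e.g. the temp.rsa copied over with scp
    ssh_dir=$2          # e.g. ~/.ssh on the server
    auth_keys="$ssh_dir/authorized_keys"

    # A public key line is "type base64 [comment]"; the first two fields
    # identify the key, so a re-run with a different comment is still a duplicate.
    key_id=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    [ -n "$key_id" ] || { echo "no key found in $pubkey_file" >&2; return 1; }

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd (StrictModes yes) ignores a group/world-writable .ssh
    touch "$auth_keys"
    chmod 600 "$auth_keys"        # same rule for authorized_keys itself

    if awk -v id="$key_id" 'NF >= 2 && ($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present"
        return 0
    fi
    # Append the original line (comment included); never "cat > authorized_keys".
    awk 'NF >= 2 { print; exit }' "$pubkey_file" >> "$auth_keys"
    echo "added"
}

# Number of keys and the permission mode, for checking the result.
authorized_keys_summary() {
    ssh_dir=$1
    count=$(grep -c '^ssh-' "$ssh_dir/authorized_keys" || true)
    mode=$(stat -c %a "$ssh_dir/authorized_keys" 2>/dev/null || stat -f %Lp "$ssh_dir/authorized_keys")
    echo "$count $mode"
}

# Demonstration in a scratch directory with a constructed (not real) key line.
DEMO_DIR=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial== oldhorse@dclab-centos7\n' > "$DEMO_DIR/temp.rsa"
FIRST=$(install_pubkey "$DEMO_DIR/temp.rsa" "$DEMO_DIR/.ssh")    # added
SECOND=$(install_pubkey "$DEMO_DIR/temp.rsa" "$DEMO_DIR/.ssh")   # already present
SUMMARY=$(authorized_keys_summary "$DEMO_DIR/.ssh")              # 1 600
echo "$FIRST / $SECOND / $SUMMARY"
```

In day-to-day use the stock ssh-copy-id utility does the same append-and-chmod job from the client side; the point of spelling it out is that a "chmod 0600" after the fact, as in step 4 above, is required because sshd silently refuses an authorized_keys file that other users can write to.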

ssh-agent

1. generate an ssh key pair on the ssh client, this time with a passphrase

oldhorse@dclab:~/.ssh$ ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C ''
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
stack
-rw-------  1 oldhorse oldhorse 1766 Mar 14 15:11 id_rsa
-rw-r--r--  1 oldhorse oldhorse  382 Mar 14 15:11 id_rsa.pub

copy the public key to the ssh server
scp id_rsa.pub oldhorse@192.168.126.50:.ssh/authorized_keys

on the ssh server
chmod 0600 ~/.ssh/authorized_keys

2. start a shell under ssh-agent

oldhorse@dclab:~/.ssh$ ssh-agent /bin/bash

3. add the RSA key to the agent with ssh-add (the passphrase is asked once here)

oldhorse@dclab:~/.ssh$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/oldhorse/.ssh/id_rsa: 
Identity added: /home/oldhorse/.ssh/id_rsa (/home/oldhorse/.ssh/id_rsa)

4. from the shell started above, ssh to the remote host without a password

oldhorse@dclab:~$ ssh oldhorse@192.168.126.50
Last login: Mon Mar 14 15:17:13 2016 from 192.168.126.51
[oldhorse@dclab-centos7 ~]$

ssh tunnel

-N Do not execute a remote command, only forward
-f Requests ssh to go to background just before command execution
-L [bind_address:]port:host:hostport

$ sudo ssh -N -f -L 142:mail.luna.edu:143 benf@mail.luna.edu
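To make the -L syntax concrete, here is an added example (not from the original notes) that assembles the tunnel command from its parts and applies the rule behind the sudo in the line above: a local listening port below 1024 needs root. It assumes POSIX sh; the hosts and user are the notes' own, and the 8143 variants are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): build an ssh -L command and
# show what each field means. Assumes POSIX sh.

# $1 local port, $2 host as seen from the ssh server, $3 port on that host,
# $4 user@sshserver, $5 optional bind address (default: loopback only)
build_tunnel_cmd() {
    lport=$1; rhost=$2; rport=$3; target=$4; bind=${5:-127.0.0.1}
    case $lport in
        ''|*[!0-9]*) echo "local port must be numeric: $lport" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "port out of range: $lport" >&2; return 1
    fi
    # Ports below 1024 are privileged, hence the sudo in the notes' example.
    if [ "$lport" -lt 1024 ]; then prefix='sudo '; else prefix=''; fi
    # -N: no remote command, just forwarding
    # -f: background once authentication is done
    # -L bind:port:host:hostport: ssh listens on bind:port on this machine and
    #    the ssh server connects on to host:hostport for every accepted connection
    printf '%sssh -N -f -L %s:%s:%s:%s %s\n' "$prefix" "$bind" "$lport" "$rhost" "$rport" "$target"
}

# The notes' IMAP tunnel: localhost:142 here reaches mail.luna.edu:143 over ssh.
MAIL_TUNNEL=$(build_tunnel_cmd 142 mail.luna.edu 143 benf@mail.luna.edu)
# Unprivileged variant: same service, no sudo, IMAP client pointed at localhost:8143.
USER_TUNNEL=$(build_tunnel_cmd 8143 mail.luna.edu 143 benf@mail.luna.edu)
# Binding 0.0.0.0 exposes the forward to every host that can reach this machine;
# only do that on purpose.
LAN_TUNNEL=$(build_tunnel_cmd 8143 mail.luna.edu 143 benf@mail.luna.edu 0.0.0.0)
echo "$MAIL_TUNNEL"
echo "$USER_TUNNEL"
echo "$LAN_TUNNEL"
```

Leaving the bind address out keeps the listener on loopback (the client's GatewayPorts setting defaults to no), so only programs on the client machine can use the tunnel. X11 tunnels are the same mechanism driven by ssh -X: they work only because the server's sshd_config shown earlier has X11Forwarding yes, and X11DisplayOffset 10 means the forwarded displays start at :10.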

GPG

GPG encrypts and signs messages, for example email.

You can sign your messages with your private key, and readers can verify it with your public key.

Also, you can encrypt a message with another user’s public key, and it can be decrypted only with that user’s private key.

sudo aptitude install haveged    # entropy daemon; key generation stalls when the kernel runs short of randomness

oldhorse@dclab:~$ gpg --gen-key --no-use-agent

gpg: key 82F8DD70 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/82F8DD70 2016-03-15
      Key fingerprint = 2854 119B 2782 B732 EC13  3FDF 35D0 2F7A 82F8 DD70
uid                  abc 
sub   2048R/4446E73F 2016-03-15

oldhorse@dclab:~$ ll .gnupg/
total 40
drwx------  2 oldhorse oldhorse 4096 Mar 15 07:30 ./
drwxr-xr-x 29 oldhorse oldhorse 4096 Mar 14 14:55 ../
-rw-------  1 oldhorse oldhorse 9398 Sep 14  2015 gpg.conf
-rw-rw-r--  1 oldhorse oldhorse    0 Mar 14 16:49 gpg.pub
-rw-------  1 oldhorse oldhorse 1197 Mar 15 07:30 pubring.gpg
-rw-------  1 oldhorse oldhorse 1197 Mar 15 07:30 pubring.gpg~
-rw-------  1 oldhorse oldhorse  600 Mar 15 07:30 random_seed
-rw-------  1 oldhorse oldhorse 2575 Mar 15 07:30 secring.gpg
-rw-------  1 oldhorse oldhorse 1280 Mar 15 07:30 trustdb.gpg

$ gpg --export abc@gmail.com --armor > gpg.pub

gpg --keyserver pgp.mit.edu --send-keys 82F8DD70

oldhorse@dclab:/etc$ gpg --list-keys
/home/oldhorse/.gnupg/pubring.gpg
---------------------------------
pub   2048R/82F8DD70 2016-03-15
uid                  abc 
sub   2048R/4446E73F 2016-03-15

gpg --gen-revoke abc@gmail.com    # create a revocation certificate for the key
gpg --out encrypted-file --recipient uid --armor --encrypt orig_file
gpg --out decrypted-file --decrypt encrypted-file
gpg --clearsign orig_file     # writes orig_file.asc: readable text with the signature appended
gpg --sign orig_file          # writes orig_file.gpg: compressed binary containing message and signature
gpg --verify received_file
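The gpg commands above run end to end in a throwaway keyring, as an added example that is not part of the original notes: generate, export, encrypt to a recipient and decrypt, clearsign and verify, and confirm that a tampered signed message fails verification. It assumes GnuPG 2.1 or later (unattended key generation with %no-protection) and uses a constructed user id, abc@example.com; nothing touches ~/.gnupg because GNUPGHOME is pointed at a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original notes): GnuPG round trip in a scratch
# keyring. Assumes GnuPG >= 2.1; user id abc@example.com is constructed.

gpg_roundtrip() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"      # keep the demo away from the real ~/.gnupg
    cd "$home" || return 1

    # Unattended equivalent of the interactive "gpg --gen-key" dialog.
    cat > keyparams <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: abc
Name-Email: abc@example.com
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key keyparams 2>/dev/null || return 1

    # Export the public key in ASCII armour: this is what a correspondent or a keyserver gets.
    gpg --batch --armor --export abc@example.com > gpg.pub || return 1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' gpg.pub || return 1

    # Encrypt to the recipient's public key; only the matching private key can decrypt.
    printf 'test from centos7\n' > orig_file
    gpg --batch --quiet --yes --armor --recipient abc@example.com \
        --output encrypted-file --encrypt orig_file 2>/dev/null || return 1
    gpg --batch --quiet --yes --output decrypted-file --decrypt encrypted-file 2>/dev/null || return 1
    [ "$(cat decrypted-file)" = 'test from centos7' ] || return 1

    # Clearsign (orig_file.asc: readable text plus signature) and verify it.
    gpg --batch --quiet --yes --local-user abc@example.com --clearsign orig_file 2>/dev/null || return 1
    gpg --batch --verify orig_file.asc 2>/dev/null || return 1

    # A modified message must fail verification; that is what the signature is for.
    sed 's/centos7/centos8/' orig_file.asc > tampered.asc
    if gpg --batch --verify tampered.asc 2>/dev/null; then return 1; fi

    # Binary form (orig_file.gpg) as produced by --sign, verified the same way.
    gpg --batch --quiet --yes --local-user abc@example.com --sign orig_file 2>/dev/null || return 1
    gpg --batch --verify orig_file.gpg 2>/dev/null || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    echo ok
}

GPG_ROUNDTRIP_RESULT=$(gpg_roundtrip)
echo "gpg round trip: ${GPG_ROUNDTRIP_RESULT:-failed}"
```

Revocation is left out of the script because "gpg --gen-revoke" is interactive (it asks for a reason and a confirmation); generate the certificate right after the key, store it offline, and import it with "gpg --import" only when the key must be retired.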