LPIC1 Exam Guide
Search…
110.3. Securing data with encryption
Weight: 3
Description: The candidate should be able to use public key techniques to secure data and communication.
Key Knowledge Areas:
- Perform basic OpenSSH 2 client configuration and usage
- Understand the role of OpenSSH 2 server host keys
- Perform basic GnuPG configuration, usage and revocation
- Understand SSH port tunnels (including X11 tunnels)
Terms and Utilities:
- ssh
- ssh-keygen
- ssh-agent
- ssh-add
- ~/.ssh/id_rsa and id_rsa.pub
- ~/.ssh/id_dsa and id_dsa.pub
- /etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
- /etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub
- ~/.ssh/authorized_keys
- ssh_known_hosts
- gpg
- ~/.gnupg/
First lets start about some concepts.
Cryptography
Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those whom it is intended can read and process it. Encryption is a key concept in cryptography
- Encryption :In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
- Decryption: The conversion of encrypted data into its original form is called Decryption. It is generally a reverse process of encryption.
Symmetric vs. asymmetric encryption
Encryption algorithms are often divided into two categories, known as symmetric and asymmetric encryption.
Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
Asymmetric Encryption
The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.
Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.
This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public).
A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
encryption vs signing
When encrypting, you use their public key to write a message and they use their private key to read it.
When signing, you use your private key to write message's signature, and they use your public key to check if it's really yours.
Whats is a key server?
Key server (cryptographic), a server on which public keys are stored for others to use
With that introduction lets talk about SSH.
Whats is SSH?
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).
Typical uses of the SSH protocol are:
- providing secure access for users and automated processes
- interactive and automated file transfers
- issuing remote commands
- managing network infrastructure and other mission-critical system components.
How does the ssh protocol work?
The way SSH works is by making use of a client-server model to allow for authentication of two remote systems and encryption of the data that passes between them.
SSH operates on TCP port 22 by default (though this can be changed if needed). The host (server) listens on port 22 (or any other SSH assigned port) for incoming connections.
SSH provides multiple mechanisms for authenticating the server and the client. Two of the commonly used authentication mechanism are password based, and key based authentication. Although password based authentication is also secure, its advisable to use key based authentication instead.
the connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.
What is OpenSSH?
OpenSSH is a free, open source implementation of the SSH (Secure Shell) protocols. Open OpenSSH is so popular among system administrators because of its multi-platform capability and very useful nice features.
All communications and user credentials using OpenSSH are encrypted, they are also protected from man in the middle attacks. If a third party tries to intercept our connection, OpenSSH detects it and informs us about that.
We use Ubuntu16-1 as ssh server and Ubuntu16-2 as client.
/etc/ssh
OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd).
1
[email protected]:~# ls -1 /etc/ssh
2
moduli
3
ssh_config
4
sshd_config
5
ssh_host_dsa_key
6
ssh_host_dsa_key.pub
7
ssh_host_ecdsa_key
8
ssh_host_ecdsa_key.pub
9
ssh_host_ed25519_key
10
ssh_host_ed25519_key.pub
11
ssh_host_rsa_key
12
ssh_host_rsa_key.pub
13
ssh_import_id
Copied!
The
sshd_configis the ssh daemon(or ssh server process) configuration file, Whereas, the ssh_config file is the ssh client configuration file. The client configuration file only has bearing on when you use the ssh command to connect to another ssh host . As you can see there are public keys and private keys here with different algorithems and they can be used by SSH to encrypt the session.ssh client configurations
Till now we have understood how ssh works. As we mentioned when ssh connection is started, the public key of ssh server is tranfered to the client(stored in ./ssh/known_hosts) and the client will use it to continue negotiation with the server and user will be required to get authenticated by sending username and password.
Lets start by connecting toUbuntu16-1 from Ubuntu16-2 and see the keys:
1
2
The authenticity of host '192.168.52.146 (192.168.52.146)' can't be established.
3
ECDSA key fingerprint is SHA256:GV/PpX9YGvMZTAbuz6w3zBDreokesZHhVSM1zrXmHLw.
4
Are you sure you want to continue connecting (yes/no)? yes
5
Warning: Permanently added '192.168.52.146' (ECDSA) to the list of known hosts.
6
[email protected]'s password:
7
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)
8
9
* Documentation: https://help.ubuntu.com
10
* Management: https://landscape.canonical.com
11
* Support: https://ubuntu.com/advantage
12
13
445 packages can be updated.
14
365 updates are security updates.
15
16
New release '18.04.4 LTS' available.
17
Run 'do-release-upgrade' to upgrade to it.
18
19
Last login: Fri Mar 27 15:51:55 2020 from 192.168.52.133
20
Copied!
What is fingerprint ? a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks.
now lets compare the keys in server and client:
1
### server
2
[email protected]:~$ cat /etc/ssh/ssh_host_ecdsa_key.pub
3
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIjnKq9Wr0C2faQCf4+gcqPN4bOMFyx1nywTjLS/mh/S30V0r/mvy9cvfWvA2LY/y7zqxg+/gMvELQznikQiaTo= [email protected]
Copied!
1
### client
2
[email protected]:~$ tree .ssh/
3
.ssh/
4
└── known_hosts
5
6
0 directories, 1 file
7
[email protected]:~$ cat .ssh/known_hosts
8
|1|gD2R1tW6jKBSyL1A0XpynmG8Vok=|1X2nzVcwHLQGT5T8FOUxeCejtvQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIjnKq9Wr0C2faQCf4+gcqPN4bOMFyx1nywTjLS/mh/S30V0r/mvy9cvfWvA2LY/y7zqxg+/gMvELQznikQiaTo=
Copied!
Configuring SSH Key Based authentication
Its possible to omit entring user name and password and get connected to the ssh server using client public and private key.
Now lets generate public and private keys for client and copy client public key to the server.
ssh-keygen
ssh-keygen - creates a key pair for public key authentication:
1
[email protected]:~$ ssh-keygen
2
Generating public/private rsa key pair.
3
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
4
Enter passphrase (empty for no passphrase):
5
Enter same passphrase again:
6
Your identification has been saved in /home/user1/.ssh/id_rsa.
7
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
8
The key fingerprint is:
9
SHA256:rer76yQU+8Mmrg33xCA51RtnpTUVHT1cVMX7kB2+aUI [email protected]
10
The key's randomart image is:
11
+---[RSA 2048]----+
12
| +.+*@|
13
| . + . ++|
14
| o o + .o+|
15
| o o * Eoo.|
16
| + + S . . .+|
17
| + = . . +.|
18
| . + X o |
19
| = O . |
20
| .o*+=. |
21
+----[SHA256]-----+
22
23
[email protected]:~$ tree .ssh
24
.ssh
25
├── id_rsa
26
├── id_rsa.pub
27
└── known_hosts
28
29
0 directories, 3 files
30
[email protected]:~$ cat .ssh/id_rsa.pub
31
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC818rxUXbwnwwxtFhUKvgtZV+Ygao1nUEHcaBvYEsXsBa4hQcV0+ITPEMHfk0zUag3sKyQZWckKmREK+lpiF+7Nrw83eKxjgHdwZC0ibxPTenklZNSBEMZMBDeq8H3bKoAfuyczX0IfVDA2Iyebsg2KYIIZQ/Otw7hAm2IH3perUqzeYliLhIYb0Gd3jyOpl4VMaPb2p+f5+fG87MnzjDplyorruhZyUcv8CMUc6XZ3dJjeiSsNNCRKLEb6Cm6msQxuCUq+Xz1n0+ay6fsaJbbhzFwNvbRH2YSzBg5BmtBXVt68U6XM3SzynWAqQaDS44Cuv3M1q88baTlOTjRkFRZ [email protected]
32
33
34
Copied!
We haven't set passphrase in our demonstration but if we set we would be asked to enter it when we copy it to the server.
ssh-copy-id
we use ssh-copy-id - configures a public key as authorized on a server
1
[email protected]:~$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]
2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
3
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
4
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
5
[email protected]'s password:
6
7
Number of key(s) added: 1
8
9
Now try logging into the machine, with: "ssh '[email protected]'"
10
and check to make sure that only the key(s) you wanted were added.
Copied!
Now lets take a look the server side:
1
[email protected]:~$ cat .ssh/authorized_keys
2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC818rxUXbwnwwxtFhUKvgtZV+Ygao1nUEHcaBvYEsXsBa4hQcV0+ITPEMHfk0zUag3sKyQZWckKmREK+lpiF+7Nrw83eKxjgHdwZC0ibxPTenklZNSBEMZMBDeq8H3bKoAfuyczX0IfVDA2Iyebsg2KYIIZQ/Otw7hAm2IH3perUqzeYliLhIYb0Gd3jyOpl4VMaPb2p+f5+fG87MnzjDplyorruhZyUcv8CMUc6XZ3dJjeiSsNNCRKLEb6Cm6msQxuCUq+Xz1n0+ay6fsaJbbhzFwNvbRH2YSzBg5BmtBXVt68U6XM3SzynWAqQaDS44Cuv3M1q88baTlOTjRkFRZ [email protected]
Copied!
now lets check the result from the client:
1
2
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)
3
4
* Documentation: https://help.ubuntu.com
5
* Management: https://landscape.canonical.com
6
* Support: https://ubuntu.com/advantage
7
8
445 packages can be updated.
9
365 updates are security updates.
10
11
New release '18.04.4 LTS' available.
12
Run 'do-release-upgrade' to upgrade to it.
13
14
Last login: Fri Mar 27 15:57:29 2020 from 192.168.52.133
15
16
Copied!
and it seems okey.We can copy and paste the keys for other users if you like, but do not forget that these keys give power to users to login with out the password.
Why use passphrase? Why it is for?
We have configured a password less ssh connection using key based authentication. But what would happened if our system compromised? An evil hacker would be able to get connected to other servers using key based authentication without knowning the passwords.
Passphrase can help us to avoid this kinds of security issues by requiring a passphrase at the beginning of every ssh key-based authentication. So let clear previous authorized_key, and start:
2
[email protected]:~$ vim .ssh/authorized_keys
3
[email protected]:~$ cat .ssh/authorized_keys
4
[email protected]:~$ exit
5
logout
6
Connection to 192.168.52.146 closed.
Copied!
Now generate a new key pairs with passphrase on the client (Let it over write current private and public key):
1
[email protected]:~$ ssh-keygen
2
Generating public/private rsa key pair.
3
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
4
/home/user1/.ssh/id_rsa already exists.
5
Overwrite (y/n)? y
6
Enter passphrase (empty for no passphrase):
7
Enter same passphrase again:
8
Your identification has been saved in /home/user1/.ssh/id_rsa.
9
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
10
The key fingerprint is:
11
SHA256:NYUt7TiSY2pBH7jtmZqGDdV545CRZxTFvOg3KJ3trxo [email protected]
12
The key's randomart image is:
13
+---[RSA 2048]----+
14
| . ooOo |
15
| o + =.= |
16
| . = Oo= . |
17
| + %.*.o |
18
| . [email protected] * |
19
| . o = * + |
20
| = o .Eo . |
21
| . = .. |
22
| . ...o. |
23
+----[SHA256]-----+
24
25
[email protected]:~$ tree .ssh/
26
.ssh/
27
├── id_rsa
28
├── id_rsa.pub
29
└── known_hosts
30
31
0 directories, 3 files
32
[email protected]:~$ cat .ssh/id_rsa.pub
33
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjF4K2XDLQIysT9QvwQKFFvJ6LeBN3XsmEO9cTZfnRPhPjKOpcwvyCPaFJwXpiSXLE+RUjy2lwghZ6sOIXezGG9+oqkVegBOJ9RonQfvg5nUCr/Khx+dT/5ZV8JEjJVYqWnrgxKiKgzFHfzInE3qKG4kN2yuanomqIPFGQs0Mk/ShmYCPEEDIxyapRWkSJMa1OeS4/Elk1gGcna0TwgNVF8zmGkg5JO3ruwia2uSbdDWxA2vVtae2qA02lFh0Gb/LJO8vR24MAwlyMMHU2UdszA4eWqQBrZtpKmQ0A4plT8EUkh2cZHgaUeMVloWDmFRyiU2LIFgC5AacnwRIFTtTD [email protected]
34
Copied!
Now lets tranfer our new public key to the server:
1
[email protected]:~$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]
2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
3
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
4
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
5
[email protected]'s password:
6
7
Number of key(s) added: 1
8
9
Now try logging into the machine, with: "ssh '[email protected]'"
10
and check to make sure that only the key(s) you wanted were added.
Copied!
Lets check the key we have copied on the server:
1
[email protected]:~$ cat .ssh/authorized_keys
2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjF4K2XDLQIysT9QvwQKFFvJ6LeBN3XsmEO9cTZfnRPhPjKOpcwvyCPaFJwXpiSXLE+RUjy2lwghZ6sOIXezGG9+oqkVegBOJ9RonQfvg5nUCr/Khx+dT/5ZV8JEjJVYqWnrgxKiKgzFHfzInE3qKG4kN2yuanomqIPFGQs0Mk/ShmYCPEEDIxyapRWkSJMa1OeS4/Elk1gGcna0TwgNVF8zmGkg5JO3ruwia2uSbdDWxA2vVtae2qA02lFh0Gb/LJO8vR24MAwlyMMHU2UdszA4eWqQBrZtpKmQ0A4plT8EUkh2cZHgaUeMVloWDmFRyiU2LIFgC5AacnwRIFTtTD [email protected]
Copied!
Now when we ssh to the remote server (ubuntu16-1) from our client(ubuntu16-2), we are asked to enter our local key passphrase intead of remote user account password:
1
2
Enter passphrase for key '/home/user1/.ssh/id_rsa':
3
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)
4
5
* Documentation: https://help.ubuntu.com
6
* Management: https://landscape.canonical.com
7
* Support: https://ubuntu.com/advantage
8
9
445 packages can be updated.
10
365 updates are security updates.
11
12
New release '18.04.4 LTS' available.
13
Run 'do-release-upgrade' to upgrade to it.
14
15
Last login: Fri Mar 27 16:19:57 2020 from 192.168.52.133
16
Copied!
lets exit and ssh again and again:
1
[email protected]:~$ exit
2
logout
3
Connection to 192.168.52.146 closed.
4
5
6
Enter passphrase for key '/home/user1/.ssh/id_rsa':
7
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)
8
9
* Documentation: https://help.ubuntu.com
10
* Management: https://landscape.canonical.com
11
* Support: https://ubuntu.com/advantage
12
13
445 packages can be updated.
14
365 updates are security updates.
15
16
New release '18.04.4 LTS' available.
17
Run 'do-release-upgrade' to upgrade to it.
18
19
Last login: Fri Mar 27 16:30:00 2020 from 192.168.52.133
20
[email protected]:~$ exit
21
logout
22
Connection to 192.168.52.146 closed.
23
Copied!
as you can see each time we are asked to enter passphrase and that was what we were seeking for inorder to stop a hacker if our system get compromised. There is way to stick passphrase to the current user session and keept if for next ssh connections inorder to avoid entering passphrase again and again.
ssh-agent
The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO). The SSH agent is used for SSH public key authentication.
1
[email protected]:~$ ssh-agent
2
SSH_AUTH_SOCK=/tmp/ssh-7dlnU2k64PSA/agent.65150; export SSH_AUTH_SOCK;
3
SSH_AGENT_PID=65151; export SSH_AGENT_PID;
4
echo Agent pid 65151;
Copied!
if you got an error try ssh-agent /bin/bash first.
ssh-add
By default, the agent uses SSH keys stored in the
.ssh directory under the user's home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run if without argument to add the default files ~/.ssh/id_rsa, .ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, and ~/.ssh/identity. Otherwise, give it the name of the private key file to add as an argument.1
[email protected]:~$ ssh-add
2
Enter passphrase for /home/user1/.ssh/id_rsa:
3
Identity added: /home/user1/.ssh/id_rsa (/home/user1/.ssh/id_rsa)
4
5
[email protected]:~$ ssh-add -l
6
2048 SHA256:NYUt7TiSY2pBH7jtmZqGDdV545CRZxTFvOg3KJ3trxo /home/user1/.ssh/id_rsa (RSA)
Copied!
-l will list private keys currently accessible to the agent, -DDeletes all identities from the agent, if you like!And then we can login to OpenSSH server (ubuntu16-1) without any password or passphrase again and again:
1
2
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)
3
4
* Documentation: https://help.ubuntu.com
5
* Management: https://landscape.canonical.com
6
* Support: https://ubuntu.com/advantage
7
8
445 packages can be updated.
9
365 updates are security updates.
10
11
New release '18.04.4 LTS' available.
12
Run 'do-release-upgrade' to upgrade to it.
13
14
Last login: Fri Mar 27 16:31:26 2020 from 192.168.52.133
15
[email protected]:~$ exit
16
logout
17
Copied!
Until we exit from the bash that uses associated key with that, then we would need to enter passphrase again.
What is SSH Tunneling ?
SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.
SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.
what is ssh port forwarding?
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network.
There are three types of SSH port forwarding:
- Local port forwarding - connections from an SSH client are forwarded, via the SSH server, to a destination server.
- Remote port forwarding - connections from an SSH server are forwarded, via the SSH client, to a destination server
- Dynamic port forwarding - connections from various programs are forwarded, via the SSH client to an SSH server, and finally to several destination servers.
ssh
Like other command ssh has also some options.Lets take a look at most usefull switches:
SSH commands
Description
ssh -V
Shows ssh client version
Connect to the remote host, add "-v" for verbose mode
ssh -l login_name server1.example.com
Specifies the user to log in as on the remote machine.
ssh [email protected] <command>
Running <command> on the remote host over ssh
ssh -X [email protected]
Enable Xforwarding on the clients side, X11Forwarding should be enabled on the server side in sshd_config file.
data encryption
Encryption is important because it allows you to securely protect data that you don't want anyone else to have access to.
gpg
GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.
for demonstration, we use two users on ubuntu16, user1 and user2.
okey, lets login via user1 and start creating keypairs using
gpg --gen-key command:1
[email protected]:~$ gpg --gen-key
2
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
3
This is free software: you are free to change and redistribute it.
4
There is NO WARRANTY, to the extent permitted by law.
5
6
gpg: keyring `/home/user1/.gnupg/secring.gpg' created
7
Please select what kind of key you want:
8
(1) RSA and RSA (default)
9
(2) DSA and Elgamal
10
(3) DSA (sign only)
11
(4) RSA (sign only)
12
Your selection? 1
13
RSA keys may be between 1024 and 4096 bits long.
14
What keysize do you want? (2048)
15
Requested keysize is 2048 bits
16
Please specify how long the key should be valid.
17
0 = key does not expire
18
<n> = key expires in n days
19
<n>w = key expires in n weeks
20
<n>m = key expires in n months
21
<n>y = key expires in n years
22
Key is valid for? (0)
23
Key does not expire at all
24
Is this correct? (y/N) y
25
26
You need a user ID to identify your key; the software constructs the user ID
27
from the Real Name, Comment and Email Address in this form:
28
"Heinrich Heine (Der Dichter) <[email protected]>"
29
30
Real name: RealUser1
31
Email address: [email protected]
32
Comment: created by user1
33
You selected this USER-ID:
34
"RealUser1 (created by user1) <[email protected]>"
35
36
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
37
You need a Passphrase to protect your secret key.
38
39
We need to generate a lot of random bytes. It is a good idea to perform
40
some other action (type on the keyboard, move the mouse, utilize the
41
disks) during the prime generation; this gives the random number
42
generator a better chance to gain enough entropy.
43
.+++++
44
+++++
45
We need to generate a lot of random bytes. It is a good idea to perform
46
some other action (type on the keyboard, move the mouse, utilize the
47
disks) during the prime generation; this gives the random number
48
generator a better chance to gain enough entropy.
49
50
Not enough random bytes available. Please do some other work to give
51
the OS a chance to collect more entropy! (Need 74 more bytes)
52
....+++++
53
54
gpg: key 6D187851 marked as ultimately trusted
55
public and secret key created and signed.
56
57
gpg: checking the trustdb
58
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
59
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
60
pub 2048R/6D187851 2020-03-28
61
Key fingerprint = 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851
62
uid RealUser1 (created by user1) <[email protected]>
63
sub 2048R/F00A0A74 2020-03-28
Copied!
it create keys inside ~/.gupg directory.
lets see the created key-pair using
gpg --list-key commmand:1
[email protected]:~$ gpg --list-key
2
/home/user1/.gnupg/pubring.gpg
3
------------------------------
4
pub 2048R/6D187851 2020-03-28
5
uid RealUser1 (created by user1) <[email protected]>
6
sub 2048R/F00A0A74 2020-03-28
Copied!
Then we need to share our public key to other people. To export our public key file we need to run:
1
[email protected]:~$ gpg --export RealUser1 > user1.pub
Copied!
lets put in /tmp directory for user2:
1
[email protected]:~$ mv user1.pub /tmp/
Copied!
now login as user2 and import user1 public key via
gpg --import :1
[email protected]:~$ gpg --import /tmp/user1.pub
2
gpg: directory `/home/user2/.gnupg' created
3
gpg: new configuration file `/home/user2/.gnupg/gpg.conf' created
4
gpg: WARNING: options in `/home/user2/.gnupg/gpg.conf' are not yet active during this run
5
gpg: keyring `/home/user2/.gnupg/secring.gpg' created
6
gpg: keyring `/home/user2/.gnupg/pubring.gpg' created
7
gpg: /home/user2/.gnupg/trustdb.gpg: trustdb created
8
gpg: key 6D187851: public key "RealUser1 (created by user1) <[email protected]>" imported
9
gpg: Total number processed: 1
10
gpg: imported: 1 (RSA: 1)
Copied!
next create a sample file for encrypting:
1
[email protected]:~$ vim user2file
2
[email protected]:~$ cat user2file
3
water boils at 100 degrees celsius!
Copied!
every thing is ready for encrypting user2 file:
1
### list keys
2
[email protected]:~$ gpg --list-key
3
/home/user2/.gnupg/pubring.gpg
4
------------------------------
5
pub 2048R/6D187851 2020-03-28
6
uid RealUser1 (created by user1) <[email protected]>
7
sub 2048R/F00A0A74 2020-03-28
Copied!
1
### encrypt
2
[email protected]:~$ gpg --output user2secret --recipient Realuser1 --encrypt user2file
3
gpg: F00A0A74: There is no assurance this key belongs to the named user
4
5
pub 2048R/F00A0A74 2020-03-28 RealUser1 (created by user1) <[email protected]>
6
Primary key fingerprint: 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851
7
Subkey fingerprint: 28DD 00C2 443C EA3B CD1A 9D5F 901E 5A02 F00A 0A74
8
9
It is NOT certain that the key belongs to the person named
10
in the user ID. If you *really* know what you are doing,
11
you may answer the next question with yes.
12
13
Use this key anyway? (y/N) y
Copied!
1
### take a look at inside encrypted file!
2
[email protected]:~$ cat user2secret
3
�
4
�
Z�
5
6
t�}�D?�Y���Ky
7
��Ƹ�TB$+�� !�M�z�(�s}jc�
_�#,$u�z��]�K�Kܮ�H�g���m˚�o���^;J��IvI������ �&(���W��Y'
Y�Mm,���*���F)��-��$vj�Um��
��M
���(Xr�����I�+H�ko�%k^��Lߍ5h�7�s�[�N.2 o�fe�d ���Ż�[Dӿ�'�^�fⳐKn{
AS
&#,� �̊ښ��}�5�!01e;Ē�h�j1������Jkt��VY
6��
�k�H
�߳�rt�-nA
8
?gzȬ��#j1)]
9
(�
10
L�1Ey���CJ�
Ĭ�cуk��QP�
11
I2y_���8G�[email protected]:~$
Copied!
time to send user 2 secret to user1:
1
[email protected]:~$ mv user2secret /tmp/
Copied!
Log in as user1 and try to decrypt user2 secret:
1
[email protected]:~$ gpg --out from_user2 --decrypt /tmp/user2secret
2
3
You need a passphrase to unlock the secret key for
4
user: "RealUser1 (created by user1) <[email protected]>"
5
2048-bit RSA key, ID F00A0A74, created 2020-03-28 (main key ID 6D187851)
6
7
gpg: encrypted with 2048-bit RSA key, ID F00A0A74, created 2020-03-28
8
"RealUser1 (created by user1) <[email protected]>"
Copied!
lets see what is user2 secret information?
1
[email protected]:~$ cat from_user2
2
water boils at 100 degrees celsius!
Copied!
Generating a Revocation Certificate
If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.
1
[email protected]:~$ gpg --output revoke_User1.crt --gen-revoke [email protected]
2
3
sec 2048R/6D187851 2020-03-28 RealUser1 (created by user1) <[email protected]>
4
5
Create a revocation certificate for this key? (y/N) y
6
Please select the reason for the revocation:
7
0 = No reason specified
8
1 = Key has been compromised
9
2 = Key is superseded
10
3 = Key is no longer used
11
Q = Cancel
12
(Probably you want to select 1 here)
13
Your decision? 0
14
Enter an optional description; end it with an empty line:
15
>
16
Reason for revocation: No reason specified
17
(No description given)
18
Is this okay? (y/N) y
19
20
You need a passphrase to unlock the secret key for
21
user: "RealUser1 (created by user1) <[email protected]>"
22
2048-bit RSA key, ID 6D187851, created 2020-03-28
23
24
ASCII armored output forced.
25
Revocation certificate created.
26
27
Please move it to a medium which you can hide away; if Mallory gets
28
access to this certificate he can use it to make your key unusable.
29
It is smart to print this certificate and store it away, just in case
30
your media become unreadable. But have some caution: The print system of
31
your machine might store the data and make it available to others!
Copied!
The
--output option must be followed by the filename of the certificate you wish to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must provide the email address that you used when the keys were generated.1
[email protected]:~$ cat revoke_User1.crt
2
-----BEGIN PGP PUBLIC KEY BLOCK-----
3
Version: GnuPG v1
4
Comment: A revocation certificate should follow
5
6
iQEfBCABAgAJBQJef1iqAh0AAAoJEOBsMxdtGHhRuU0H/RHrxodSkniRE+iD15PW
7
dfcWcPZVAv9m2SWzmPN0vU/ywgUE5G60pNsOC6bxWbtmxbxm/PutCA+ipC/KPTcZ
8
RwZvU8ge0PLulrQ5km9xea2295b2dOBEPCzOkgv6BTeAMADrBmi2shhLqUWeoRRr
9
7H6oTC6RFr76o1jPb9UUMVDh840ttMlpYPAlir6JqCvwSL2ZJE58vWSuC/rou1ds
10
4Z1Q0EFjpMQ5S1TmukVF4h4xxGsiZpgoubKJb++1CtYfqoPgCV/yiQFjaSGdiQbL
11
0uqjfEERjOUUc5FKAY9fmvfAjmRzUBhit1U9wWiQ7O+JBxzMUDda3eas5OzpweeK
12
0Lw=
13
=z2hv
14
-----END PGP PUBLIC KEY BLOCK-----
Copied!
signing
By encrypting a document using your private key, you let everyone to try to open it using your public key and if they succeed, they will be sure that you have signed it using YOUR private key!
gpg has a specific command to sign documents:1
[email protected]:~$ vim notice
2
[email protected]:~$ cat notice
3
Lets start learning LPIC-2!
5
[email protected]:~$ gpg --clearsign notice
6
7
You need a passphrase to unlock the secret key for
8
user: "RealUser1 (created by user1) <[email protected]>"
9
2048-bit RSA key, ID 6D187851, created 2020-03-28
Copied!
here the --clearsign tells the gpg to include the clear text message in the output file too. The output file will be
originalfile.asc :1
[email protected]:~$ cat notice.asc
2
-----BEGIN PGP SIGNED MESSAGE-----
3
Hash: SHA1
4
5
Lets start learning LPIC-2!
6
-----BEGIN PGP SIGNATURE-----
7
Version: GnuPG v1
8
9
iQEcBAEBAgAGBQJef2DyAAoJEOBsMxdtGHhReQoH/j33csnEJUlS6IqdlzeIDyw3
10
D6HVli8TaywfdZLTCXhSRHNM7NISCIsPdULHVs1J8vwYKLqshNOlx7F+HNAmkYtv
11
WqHlNL03x2TOEca+qr31iUFdtpRKrMsQ3mpai2aaI8MoILO1gRYGMZ717O31YGGh
12
yQ5Teft6q2QorWXpbACN0JlWcKs5OiFCgcCOOp2RHnjM4NtCJEmI+ZGBuqVJL98P
13
Aa/fP5AteexMuj4GwRfC542f9Tsaw03je4SlAcgq7cJ+iwpy5vHGwN0sPwbRoqbS
14
ABL1zaTA2TZmnS5Jx5ii8IyndObuVHtDUEGROaqxiVWZ/JrMAAfAjtv/mnL79HQ=
15
=W+EU
16
-----END PGP SIGNATURE-----
Copied!
copy notice.asc file to /tmp and other users can verify that a document is singed correctly:
1
[email protected]:~$ gpg --verify /tmp/notice.asc
2
gpg: Signature made Sat 28 Mar 2020 07:06:34 PM +0430 using RSA key ID 6D187851
3
gpg: Good signature from "RealUser1 (created by user1) <[email protected]>"
4
gpg: WARNING: This key is not certified with a trusted signature!
5
gpg: There is no indication that the signature belongs to the owner.
6
Primary key fingerprint: 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851
Copied!
and that's all folks!
.
.
.
.
Last modified 2yr ago
Copy link
Contents
Cryptography
Symmetric vs. asymmetric encryption
Whats is SSH?
How does the ssh protocol work?
What is OpenSSH?
ssh client configurations
Configuring SSH Key Based authentication
ssh-keygen
ssh-copy-id
ssh-agent
ssh-add
ssh
data encryption
gpg
Generating a Revocation Certificate
signing
Congratulation we have done lpic1-102 !!! do not forget to give a start and donate :-)
You can start studying my LPIC-2 book: https://borosan.gitbook.io/lpic2-exam-guide/