Cryptography Exercises: System Administration Workshop

AfNOG 2010: Kigali

May 27, 2010

Exercises

    Using SSH public/private Keys for Authentication

  1. Munging a Document and Comparing Message Digests
  2. Generate a public/private Key Pair for SSH
  3. Copy Your Public Key to Your Neighbor's admin Account

Notes

  1. The "#" and "$" characters before commands represent your system prompt and are not part of the command itself. "#" indicates a command issued as root, "$" a command issued as a normal user.

1.) Munging a Document and Comparing Message Digests

To do this exercise you will need to be root.

On your machine type:

# cat /etc/motd

Look at your neighbor's machine. Is their file exactly the same as yours? Can you be sure just by looking?

Now run the file through the sha1 one-way hash function:

# sha1 /etc/motd

Do this again, saving the result to a file:

# sha1 /etc/motd > /tmp/motd-hash

Now change ONE (1) character in your /etc/motd file and repeat the sha1 test. You may want to do this with two terminals: one to display the sha1 output, the other to edit /etc/motd.

Example:

# vi /etc/motd

Change one character, save the file and exit. Now run sha1 again, append the result to the same motd-hash file and compare the two lines it now contains:

# sha1 /etc/motd >> /tmp/motd-hash

Compare the result with your neighbor's, or with your previous sha1 message digest. Even though only one character changed, the two digests should differ completely: a good hash function changes roughly half of its output bits for any change to the input, however small.

As discussed in the presentation, SHA-1 is no longer considered collision-resistant and should not be relied on where an attacker might try to produce two different documents with the same digest. You can repeat this exercise using sha256 instead.

Note: On Linux the equivalent commands are named sha1sum and sha256sum (sha1 and sha256 are the BSD names used above).
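The whole of exercise 1 can be scripted, which also makes the "very different" claim measurable. The script below is an added example and not part of the original exercise text: it computes the SHA-256 digest of a file, changes exactly one character in a temporary copy, and counts how many of the 256 digest bits changed (a well-behaved hash flips about half of them). The digest256 helper tries the GNU coreutils name, then the BSD name, then OpenSSL, so it runs on either kind of lab machine. The file names and contents used when you run it are yours; nothing here is taken from the lab systems.

```sh
#!/bin/sh
# Added example (not from the original AfNOG exercise): scripted version of
# exercise 1 using SHA-256, plus a count of how many digest bits change when
# one input character changes.

# Print the hex SHA-256 digest of file $1. Tries GNU coreutils (sha256sum),
# then the BSD command (sha256 -q), then OpenSSL.
digest256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Check file $1 against a digest $2 saved earlier (the /tmp/motd-hash idea).
verify_digest() {
    [ "$(digest256 "$1")" = "$2" ]
}

# Hamming distance (number of differing bits) between two equal-length hex
# strings $1 and $2, computed nibble by nibble in portable awk.
hamming_hex() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { for (i = 0; i < 16; i++) nyb[sprintf("%x", i)] = i }
        NR == 1 { a = tolower($0); next }
        {
            b = tolower($0); d = 0
            for (i = 1; i <= length(a); i++) {
                x = nyb[substr(a, i, 1)]; y = nyb[substr(b, i, 1)]
                for (bit = 8; bit >= 1; bit /= 2)
                    if (int(x / bit) % 2 != int(y / bit) % 2) d++
            }
            print d
        }'
}

# "Munge" file $1: write a copy in which the first letter "a" becomes "b"
# (the file must contain an "a"), hash original and copy, print both digests
# and the bit distance. Returns 0 when the digests differ, as they should.
munge_and_compare() {
    orig=$1
    copy=$(mktemp)
    awk '!done && sub(/a/, "b") { done = 1 } 1' "$orig" > "$copy"
    h1=$(digest256 "$orig")
    h2=$(digest256 "$copy")
    rm -f "$copy"
    printf '%s  %s\n%s  (one character changed)\n' "$h1" "$orig" "$h2"
    printf 'bits differing: %s of 256\n' "$(hamming_hex "$h1" "$h2")"
    [ "$h1" != "$h2" ]
}

# Usage: sh munge.sh /etc/motd
if [ -n "${1:-}" ]; then
    munge_and_compare "$1"
fi
```

Run it as sh munge.sh /etc/motd (as a user that can read the file; it never writes to /etc/motd itself). The bit count is the useful part: if a one-character change moved only a handful of bits, the function would be leaking structure of its input and would not be fit for integrity checking.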


2.) Generate Public/Private Key Pair for SSH

Note: Please be sure that you are logged in and using your afnog account for this exercise - not root.

We will now generate a single 2048-bit RSA key for SSH protocol 2. To do this, issue the following commands:

$ cd
$ ssh-keygen -t rsa -b 2048

You will be prompted for a file location for the key and for a passphrase with which to encrypt the private key file. Do not change the default filename or location of the key; ssh looks for it there automatically.

This command output should look like:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/afnog/.ssh/id_rsa):   [PRESS ENTER]
Created directory '/home/afnog/.ssh'.
Enter passphrase (empty for no passphrase):     [TYPE IN PASSPHRASE]
Enter the same passphrase again:                [TYPE IN SAME PASSPHRASE]
...
Be sure to enter a passphrase. An unencrypted private key file can be used by anyone who obtains a copy of it (from a stolen laptop, a backup, or a compromised account), so a private key without a passphrase is a security hole. Your passphrase can be pretty much anything you want and as long as you want, including spaces.

You will see something like this:

Your identification has been saved in /home/afnog/.ssh/id_rsa.
Your public key has been saved in /home/afnog/.ssh/id_rsa.pub.
The key fingerprint is:
d9:99:7c:ad:80:90:df:8c:1b:7e:79:a4:bb:c3:89:a1 afnog@pc10.sae.ws.afnog.org
The key's randomart image is:
+--[ RSA 2048]----+
|      E.         |
|       ..        |
|         .       |
|        +        |
|     o oSo .     |
|      = o.o .    |
|     . o *.o.    |
|        = *o.    |
|         =**     |
+-----------------+
Your private key is now protected by a passphrase. This means that to use your public/private key pair you will type your passphrase (not your afnog account password) when prompted. The passphrase only decrypts the private key on your own machine; it is never sent to the remote host.


3.) Copy Your Public Key to Your Neighbor's afnog Account

To avoid problems please use this neighbor list for this exercise:

Neighbor List

pc1  <==> pc2
pc3  <==> pc5
pc6 <==> pc7
pc9 <==> pc10
pc11 <==> pc12
pc13 <==> pc14
pc15 <==> pc16
pc17 <==> pc18
pc19 <==> pc20
pc21 <==> pc22
etc...

Note: "pcX" refers to your neighbor's machine. If your neighbor is pc10, then pcX would be pc10, etc.

This exercise can be confusing. To make things easier, open two terminal windows on your desktop. In one window make sure you are the afnog user on your machine. We will call this your local window.

In the other window type:

$ ssh afnog@pcX

This will be your remote window. (You will be asked for the afnog password on pcX: no key is installed there yet.)

You have already generated your public/private ssh key pair. In your local window copy the PUBLIC key (id_rsa.pub, never id_rsa) to your neighbor's machine:

$ cd ~/.ssh
$ scp id_rsa.pub afnog@pcX:/tmp/.

In your remote window append it to the authorized_keys file and remove the temporary copy:

$ cd ~/.ssh
$ cat /tmp/id_rsa.pub >> authorized_keys
$ rm /tmp/id_rsa.pub

Your public key is now in the authorized_keys file of the afnog user on your neighbor's machine. (On systems that ship ssh-copy-id, running ssh-copy-id afnog@pcX performs these same steps.) Note that sshd, with its default StrictModes setting, ignores authorized_keys if that file or the ~/.ssh directory is writable by anyone other than the owner, so if key login does not work, check the permissions: ~/.ssh should be mode 700 and authorized_keys mode 600.

In your local window connect to your neighbor's machine as afnog using ssh:

$ ssh afnog@pcX

You should be prompted for the passphrase of your private key instead of the password of afnog on your neighbor's machine. If so, you are done: your public/private key pair is now in use between your machine and your neighbor's. If you are still asked for a password, rerun ssh with its -v (verbose) option; the output shows which key ssh offered and whether the server accepted it.
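Exercises 2 and 3 together, as an added example that is not part of the original workshop text. The script works against a throwaway HOME so it never touches your real ~/.ssh: it generates a passphrase-protected 2048-bit RSA key without prompting, checks that the private key really is encrypted (the check to make after "be sure to enter a passphrase"), prints the fingerprint, and installs the public key into authorized_keys with the modes sshd's StrictModes requires, without adding duplicate lines on a second run. The passphrase and the key comment afnog@example-demo are made up for the demonstration, the function names are this script's own, and ssh-keygen must be installed.

```sh
#!/bin/sh
# Added example (not from the original AfNOG exercise): exercises 2 and 3
# automated against a throwaway HOME. Passphrase and key comment are made up.

# Generate a 2048-bit RSA key at path $1 protected by passphrase $2,
# without prompting (-N gives the new passphrase, -q silences the banner).
gen_key() {
    ssh-keygen -q -t rsa -b 2048 -N "$2" -C "afnog@example-demo" -f "$1"
}

# Print the fingerprint of public key file $1 (what exercise 2 shows at the end).
fingerprint() {
    ssh-keygen -lf "$1"
}

# Return 0 if private key $1 is encrypted: ssh-keygen -y re-derives the public
# key from the private one, and with the wrong (empty) passphrase it fails.
key_is_encrypted() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Append public key line $1 to $HOME/.ssh/authorized_keys, creating the
# directory and file with the modes sshd insists on, unless already present.
install_pubkey() {
    sshdir=$HOME/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF "$1" "$auth" || printf '%s\n' "$1" >> "$auth"
}

# Return 0 if $HOME/.ssh is mode 0700 and authorized_keys is mode 0600.
# This is stricter than sshd's own StrictModes check (not group/world
# writable), so passing it guarantees sshd will read the file.
perms_ok() {
    [ -n "$(find "$HOME/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$HOME/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Number of keys in authorized_keys (shows install_pubkey does not duplicate).
authorized_count() {
    grep -c . "$HOME/.ssh/authorized_keys"
}

# Walk through both exercises in a temporary HOME. Usage: sh keys.sh demo
demo() {
    tmp=$(mktemp -d) || return 1
    HOME=$tmp; export HOME
    gen_key "$HOME/id_rsa" 'correct horse battery staple'
    fingerprint "$HOME/id_rsa.pub"
    key_is_encrypted "$HOME/id_rsa" && echo "private key is passphrase-protected"
    # In the real exercise the next two steps happen on the neighbor's machine.
    install_pubkey "$(cat "$HOME/id_rsa.pub")"
    install_pubkey "$(cat "$HOME/id_rsa.pub")"   # second run must not duplicate
    perms_ok && echo "permissions OK, $(authorized_count) key(s) installed"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as sh keys.sh demo. The two checks are the ones worth keeping: key_is_encrypted tells you whether a key file you find lying around is usable without a passphrase, and perms_ok is the first thing to run on the remote side when exercise 3 still asks for a password.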

If you remember our discussion in the presentation, this is cool: your neighbor's machine has verified that you hold the private key without ever seeing it or your passphrase.

Remember to log out of your neighbor's machine in both your local window and your remote window by doing:

$ exit


Hervey Allen


Last modified: Wed May 26 18:20:36 CAT 2010