1 | <html><head> |
---|
2 | <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Cryptography |
---|
3 | Exercises: Track 2 Workshop: PacNOG 7: American Samoa</title></head><body> |
---|
4 | <a name="top"></a> |
---|
5 | <div align="center"> |
---|
6 | <h2>Cryptography Exercises: Track 2 Workshop</h2> |
---|
7 | <h3>PacNOG 7: American Samoa</h3> |
---|
8 | June 30, 2010 |
---|
9 | </div> |
---|
10 | <h2>Exercises</h2> |
---|
11 | <ol> |
---|
12 | <b>Using SSH public/private Keys for Authentication</b> |
---|
13 | <p> |
---|
14 | </p><li><a href="#hash">Munging a Document and Comparing Message Digests</a></li> |
---|
15 | <li><a href="#gen">Generate a public/private Key Pair for SSH</a></li> |
---|
16 | <li><a href="#copy">Copy Your Public Key to Your Neighbor's admin |
---|
17 | Account</a></li> |
---|
18 | </ol> |
---|
19 | |
---|
20 | |
---|
21 | <h3>Notes</h3> |
---|
22 | <ol> |
---|
23 | <li>The "#" and "$" characters before commands represents your system |
---|
24 | prompt and is not part of the command itself. "#" indicates a command |
---|
25 | issued as root while "$" indicates a command issued as a normal user.</li> |
---|
26 | </ol> |
---|
27 | |
---|
28 | |
---|
29 | <!------- *********************** ------> |
---|
30 | |
---|
31 | <p> |
---|
32 | |
---|
33 | <a name="hash"></a> |
---|
34 | <b><font size="+1">1.) Munging a Document and Comparing Message Digests</font></b> |
---|
35 | [<a href="#top">Top</a>] |
---|
36 | </p><p> |
---|
37 | To do this exercise you will need to be root. |
---|
38 | </p><p> |
---|
39 | On your machine type: |
---|
40 | </p><blockquote> |
---|
41 | <code> |
---|
42 | # cat /etc/motd |
---|
43 | </code> |
---|
44 | </blockquote> |
---|
45 | Look at your neighbour's machine. Is their file exactly the same as |
---|
46 | yours? Can you be sure? |
---|
47 | <p> |
---|
48 | Now run the file through the sha1 one-way hashing function: |
---|
49 | </p><blockquote> |
---|
50 | <code> |
---|
51 | # sha1sum /etc/motd |
---|
52 | </code> |
---|
53 | </blockquote> |
---|
54 | Let's do this again and save the results to a file: |
---|
55 | <blockquote> |
---|
56 | <code> |
---|
57 | # sha1sum /etc/motd > /tmp/motd-hash |
---|
58 | </code> |
---|
59 | </blockquote> |
---|
60 | Now change ONE (1) character in your /etc/motd file and repeat the sha1 |
---|
61 | test. You may want to do this using two terminals. One to have your sha1 |
---|
62 | output displayed and the other for editing the /etc/motd file. |
---|
63 | <p> |
---|
64 | Example: |
---|
65 | </p><blockquote> |
---|
66 | <code> |
---|
67 | # vi /etc/motd |
---|
68 | </code> |
---|
69 | </blockquote> |
---|
70 | One character change. Save the file and exit. Now we'll run sha1 |
---|
71 | again, save the results to the same <code>motd-hash</code> file and |
---|
72 | compare the hashes. |
---|
73 | <blockquote> |
---|
74 | <code> |
---|
75 | # sha1sum /etc/motd >> /tmp/motd-hash |
---|
76 | </code> |
---|
77 | </blockquote> |
---|
78 | <p> |
---|
79 | Compare the results with your neighbor, or with your previous sha1 |
---|
80 | message digest. They should be very different. |
---|
81 | </p><p> |
---|
82 | As discused the sha1 hashing algorithm is no longer considered |
---|
83 | reliable. You can do this same exercises using <code>sha256sum</code> |
---|
84 | or even <code>sha512sum</code> instead. |
---|
85 | </p><p> |
---|
86 | <b>Note:</b> In UNIX the equivalent hashing functions are named |
---|
87 | <code>sha1</code> and <code>sha256</code>, etc. |
---|
88 | |
---|
89 | |
---|
90 | |
---|
91 | <!------- *********************** ------> |
---|
92 | |
---|
93 | </p><p><br> |
---|
94 | |
---|
95 | <a name="gen"></a> |
---|
96 | <font size="+1"><b>2.) Generate Public/Private Key Pair for SSH</b></font> |
---|
97 | [<a href="#top">Top</a>] |
---|
98 | </p> |
---|
99 | <p> |
---|
100 | <b>Note:</b> <i>Please</i> be sure that you are logged in and using your |
---|
101 | <i>pacnog</i> account for this exercise - not root. |
---|
102 | </p><p> |
---|
103 | <b>NOTE:</b> If you are using a laptop and you are not running Linux on your |
---|
104 | laptop, then you should do this exercise with someone who is sitting at a |
---|
105 | desktop machine. |
---|
106 | </p><p> |
---|
107 | We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do |
---|
108 | this, issue the following commands: |
---|
109 | </p><blockquote> |
---|
110 | <code> |
---|
111 | $ cd |
---|
112 | </code> |
---|
113 | <br> |
---|
114 | <code> |
---|
115 | $ ssh-keygen -t rsa -b 2048 |
---|
116 | </code> |
---|
117 | </blockquote> |
---|
118 | You will be prompted for a file location for the key as well as for a |
---|
119 | passphrase to encrypt the key file. <b>Do not change the default |
---|
120 | filename or location for the key</b>. |
---|
121 | <p> |
---|
122 | This command output should look like: |
---|
123 | </p><blockquote> |
---|
124 | <pre>Generating public/private rsa key pair. |
---|
125 | Enter file in which to save the key (/home/pacnog/.ssh/id_rsa): [PRESS ENTER] |
---|
126 | Created directory '/home/pacnog/.ssh'. |
---|
127 | Enter passphrase (empty for no passphrase): [TYPE IN PASSPHRASE] |
---|
128 | Enter the same passphrase again: [TYPE IN SAME PASSPHRASE] |
---|
129 | ... |
---|
130 | </pre> |
---|
131 | </blockquote> |
---|
132 | Be sure to enter a passphrase. Private key files without passphrases are |
---|
133 | a security hole. Your passphrase can be pretty much anything you want |
---|
134 | and as long as you want - including spaces. |
---|
135 | <p> |
---|
136 | You will see something like this: |
---|
137 | </p> |
---|
138 | <blockquote> |
---|
139 | <pre>Your identification has been saved in /home/pacnog/.ssh/id_rsa. |
---|
140 | Your public key has been saved in /home/pacnog/.ssh/id_rsa.pub. |
---|
141 | The key fingerprint is: |
---|
142 | d9:99:7c:ad:80:90:df:8c:1b:7e:79:a4:bb:c3:89:a1 pacnog@pc10.pacnog.bluesky.as |
---|
143 | The key's randomart image is: |
---|
144 | +--[ RSA 2048]----+ |
---|
145 | | E. | |
---|
146 | | .. | |
---|
147 | | . | |
---|
148 | | + | |
---|
149 | | o oSo . | |
---|
150 | | = o.o . | |
---|
151 | | . o *.o. | |
---|
152 | | = *o. | |
---|
153 | | =** | |
---|
154 | +-----------------+ |
---|
155 | </pre> |
---|
156 | </blockquote> |
---|
157 | Your private key should now be protected by a passphrase. This means to |
---|
158 | use your public/private key combination you will need to type in your |
---|
159 | passphrase (not your afnog account's password) when prompted. |
---|
160 | |
---|
161 | |
---|
162 | |
---|
163 | <!------- *********************** ------> |
---|
164 | |
---|
165 | <p><br> |
---|
166 | |
---|
167 | <a name="copy"></a> |
---|
168 | <font size="+1"><b>3.) Copy Your Public Key to an account we have created for |
---|
169 | on the NOC box</b></font> [<a href="#top">Top</a>] |
---|
170 | </p><p> |
---|
171 | We have created the accounts pc1, pc2, pc3, pc4 through pc15 on the classroom |
---|
172 | noc server. For users on the desktop machines you should do this exercise using |
---|
173 | the corresponding account on the noc box. For users on laptops please ask the |
---|
174 | instructor to determine which account you should use. The password for these accounts |
---|
175 | is the same as the password for the <i>pacnog</i> user on your desktop machines |
---|
176 | </p><p> |
---|
177 | The first thing you will do is to copy your public key file over to the home directory |
---|
178 | of your account on the noc box. |
---|
179 | </p><p> |
---|
180 | Please remember - you must do this exercise as the <i>pacnog</i> user on your local |
---|
181 | machine. |
---|
182 | <blockquote> |
---|
183 | <code> |
---|
184 | $ cd |
---|
185 | <br /> |
---|
186 | $ cd .ssh |
---|
187 | <br /> |
---|
188 | $ scp id_rsa.pub pcX@noc:. |
---|
189 | </code> |
---|
190 | </blockquote> |
---|
191 | It is critical that you pay close attention to the command above. Be sure you include |
---|
192 | the ":" and the "." at the end of the command. |
---|
193 | <p> |
---|
194 | You should see something like this on your screen: |
---|
195 | <blockquote> |
---|
196 | <pre> |
---|
197 | The authenticity of host 'noc (67.218.55.67)' can't be established. |
---|
198 | RSA key fingerprint is ca:0b:74:d5:65:9a:bc:cf:1d:e3:c2:39:5f:7d:f9:07. |
---|
199 | Are you sure you want to continue connecting (yes/no)? |
---|
200 | </pre> |
---|
201 | </blockquote> |
---|
202 | Response with "yes" to accept this public key from noc. |
---|
203 | <p> |
---|
204 | This is the initial exchange of the noc's ssh public key's fingerprint to your machine so |
---|
205 | that the next time you log in ssh on your machine can compare this information to what |
---|
206 | it has seen before. |
---|
207 | </p><p> |
---|
208 | Afer you say yes, type in the password for the pcX account on the noc box, then you will have copied your public ssh key to your corresponding pcX account on our classroom |
---|
209 | noc machine. Now log in to your account on the noc box to execute a few more commands: |
---|
210 | </p> |
---|
211 | <blockquote> |
---|
212 | <code> |
---|
213 | $ ssh pcX@noc |
---|
214 | </code> |
---|
215 | </blockquote> |
---|
216 | You will no be logged in to the noc machine as the user pcX. |
---|
217 | </p><p> |
---|
218 | Now do the following: |
---|
219 | <blockquote> |
---|
220 | <code> |
---|
221 | $ cd |
---|
222 | <br /> |
---|
223 | $ mkdir .ssh |
---|
224 | <br /> |
---|
225 | $ cat id_rsa.pub >> .ssh/authorized_keys |
---|
226 | <br /> |
---|
227 | $ rm id_rsa.pub |
---|
228 | </code> |
---|
229 | </blockquote> |
---|
230 | Note: You could have done this all remotely, but I wanted you to see what logging in to the |
---|
231 | noc box looks like using a password. |
---|
232 | <p> |
---|
233 | Now log off from the noc box: |
---|
234 | <blockquote> |
---|
235 | <code> |
---|
236 | $ exit |
---|
237 | </code> |
---|
238 | </blockquote> |
---|
239 | Now try logging back in to the noc box: |
---|
240 | <blockquote> |
---|
241 | <code> |
---|
242 | $ ssh pcX@noc |
---|
243 | </code> |
---|
244 | </blockquote> |
---|
245 | What just happened? If everything worked you should have been asked for the passphrase of the |
---|
246 | private key of your ssh key on your local machine. This is pretty cool! |
---|
247 | <p> |
---|
248 | You can exit from the noc machine by type: |
---|
249 | <blockquote> |
---|
250 | <code> |
---|
251 | $ exit |
---|
252 | </code> |
---|
253 | </blockquote> |
---|
254 | |
---|
255 | <p> |
---|
256 | </p><div align="center"> |
---|
257 | [<a href="#top">Return to Top</a>] |
---|
258 | </div> |
---|
259 | <p> |
---|
260 | <font size="1"> |
---|
261 | Hervey Allen |
---|
262 | </font> |
---|
263 | </p><p> |
---|
264 | </p><hr align="left" width="224" size="3"> |
---|
265 | <font size="1"> |
---|
266 | <!-- Created: Sun Jun 12 00:54:08 CLT 2005 --> |
---|
267 | <!-- hhmts start -->Last modified: Wed Jun 30 12:29:45 SST 2010 <!-- hhmts end --> |
---|
268 | </font> |
---|
269 | </body></html> |
---|