LPI Linux Certification in a Nutshell (70 page)

Read LPI Linux Certification in a Nutshell Online

Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger

Tags: #Reference:Computers

BOOK: LPI Linux Certification in a Nutshell
10.8Mb size Format: txt, pdf, ePub
SSH Port Forwarding

ssh
has the ability to forward
arbitrary IP-based protocols. The syntax is given next.

Name

ssh-keygen

Syntax
ssh-keygen [-b
bits
] -t
type
ssh-keygen -p [ -t
type
]
ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
Description

ssh-keygen
generates keys to
identify hosts or users in the SSH protocol, versions 1 and
2.

The first form creates a key. For version 1 of the protocol,
the type should be
rsa1
. For
version 2, it can be either
rsa
or
dsa
. The
-b
option sets the number of bits in the
keys: 512 is the minimum, and 1024 bits is the default. In
general, you can use as many bits as you like. During
key generation, you will be asked to give a
passphrase. A passphrase is different from a password in that it
is a phrase, not simply a word, and is expected to be long. If a
key pair has a passphrase associated with it, you
will be expected to provide that passphrase interactively every
time you need to access that key pair. If this is undesirable (for
example, if you have unattended processes accessing the key pair),
you don’t want to provide a passphrase.

The second form is used to change your passphrase.

The three last forms are used to generate the three
different kinds of host keys. The first is for version 1 of the
protocol; the two others are for version 2. The
-f
option sets the output filename; if
you omit the option, you will be prompted for the name. The
-C
option sets a comment on the
key, and
-N
sets the
passphrase.

Example

Generate a private key and then change its
passphrase:

$
ssh-keygen -t dsa -b 2048
Generating /files/05/01/27/f050127/public/private dsa key pair. Enter file in which to save the key
(/home/janl/.ssh/id_dsa):

Created directory '/home/janl/.ssh'.Enter passphrase \
(empty for no passphrase):
passphrase
Enter same passphrase again:
passphrase
Your identification has been saved in /home/janl/.ssh/id_dsa.
Your public key has been saved in /home/janl/.ssh/id_dsa.pub.
The key fingerprint is:
c2:be:20:4a:17:2e:3f:b2:73:46:5c:00:ef:38:ca:03 janl@debian
$
ssh-keygen -p -t dsa
Enter file in which the key is (/home/janl/.ssh/id_dsa):

Enter old passphrase:
passphrase
Key has comment '/home/janl/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase):
passphrase
Enter same passphrase again:
passphrase
Your identification has been saved with the new passphrase.
Name

ssh -R|L

Syntax
ssh -R|L
port
:
host:host_port
[
user
@]
hostname
[
command
]
Description

When the main option is
-L
,
ssh
redirects traffic from the local port
port
to the remote machine and port given
by
host:host_port
. The
host
is resolved by the resolver on the
host you connect to. For security reasons, it binds only to the
localhost address, not to any ethernet or other interfaces you may
have.

When a program connects to the localhost port, the connection
is forwarded to the remote side. A very useful application for this
is to forward local ports to your company’s mail server so you can
send email as if you were at the office. All you have to do then is
configure your email client to connect to the right port on
localhost
. This is shown by the example in
the following section.

When using
-R
, the reverse happens. The
port
port of the remote host’s localhost
interface is bound to the local machine, and connections to it will
be forwarded to the local machine given by
host:host_port
.

Example

Log into
login.example.com
. Then, forward
connections that come into localhost port 2525 to port 25 on
mail.example.com
, which would otherwise reject
relaying for you. The reason for binding to port 2525 is that you
need to be
root
to bind to port 25:

$
ssh -L 2525:mail.example.com:25 login.example.com
Configuring OpenSSH

This section explains how to acquire, compile, install, and
configure OpenSSH for Linux, so that you can use it in place of
telnet
,
rsh
, and
rlogin
.

In the unlikely event that your Linux distribution does not include
OpenSSH, it is available at
http://www.openssh.com/portable.html
and at many mirror
sites around the world. It is a simple matter to compile and install
OpenSSH if you have
gcc
,
make
,
and the necessary libraries and header files installed. The OpenSSH build
uses
autoconf
(the usual
configure
,
make
, and so on) like
most other free software/open source projects.

To enable login from remote systems using OpenSSH, you must start
sshd
, which may be done simply by issuing the
following command:

#
sshd

Note that you do not need to put this command in the background, as
it handles this detail itself. Once the
sshd
daemon
is running, you may connect from another SSH-equipped system:

#
ssh mysecurehost

The default configuration should be adequate for basic use of
SSH.

On the Exam

SSH is an involved and highly configurable piece of software, and
detailed knowledge of its setup is not required. However, SSH is an
important part of the security landscape. Be aware that all
communications using SSH are encrypted using /files/05/01/27/f050127/public/private key
encryption, which means that plain-text passwords are not exposed by SSH
and are therefore unlikely to be compromised.

Configuring and Using GNU Privacy Guard (GPG)

This book isn’t the place for a full GPG tutorial. However,
the LPI 102 exam requires you to understand how to use the standard GPG
command to:

  • Generate a key pair

  • Import (i.e., add) a public key to a GPG keyring

  • Sign keys

  • List keys

  • Export both a public and private key

  • Encrypt and decrypt a file

You will also be expected to
troubleshoot a standard implementation, which means that
you’ll need to understand the files in the
~/.gnupg/
directory.

Generating a Key Pair

Following is an example of the sequence necessary for
generating a key pair in GPG:

$
gpg --gen-key
pg (GnuPG) 1.2.1; Copyright (C) 2008 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring '/home/james/.gnupg/secring.gpg' created
gpg: keyring '/home/james/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
5
What keysize do you want? (1024)
2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
3y
Key expires at Fri Sep 18 00:23:00 2009 CET
Is this correct (y/n)?
y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"James Stanger (James Stanger) "
Real name:
James Stanger
Email address: [email protected]
Comment:
You selected this USER-ID:
"James Stanger "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
o
You need a Passphrase to protect your secret key.
Enter passphrase:

Repeat passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
+++++
public and secret key created and signed.
key marked as ultimately trusted.
pub 2048R/97DAFDB2 2004-01-12 James Stanger
Key fingerprint = 85B2 0933 AC51 430B 3A38 D673 3437 9CAC 97DA FDB2
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a secondary key for this purpose.

Notice that you have several options when you first issue the
gpg --gen-key
command
:

DSA and ElGamal

A DSA key pair is created for making signatures to sign
files, and an ElGamal key pair is created to encrypt files.

DSA sign only

A faster method, but only creates a key pair that can sign
files.

RSA sign only

Same as option 2 but uses RSA encryption instead of
DSA.

On the Exam

You will only need to know about option 1, DSA and ElGamal. You
will not be expected to know how to use GPG with email applications,
such as Mozilla
Thunderbird
.

Importing a Public Key to a GPG Keyring

The GPG public key repository is called a “keyring.” The
keyring contains your private key (or multiple private keys), plus all
of the public keys of individuals you wish to communicate with. To add a
public key to your keyring, you generally obtain a text file that
contains the public key. If, for example, the file were named
andy_oram_oreilly.asc
, you would issue the
following command:

$
gpg --import andy_oram_oreilly.asc
Signing Keys

Before you can safely use an imported key, you need to
sign it. To do so, issue the following command from your
terminal:

$
gpg --edit-key
username

If, for example, you wished to sign the key within the
andy_oram_oreilly.asc
file, you would need to
obtain the username of that key. Let’s assume that the username is
Andyo
. You would then issue the following
command:

$
gpg --edit-key "Andyo"

You will then be asked if you wish to really sign the key. As your
reply, you need to provide the password for your private key. Once you
do this, GPG will sign the key you have just imported.

Listing Keys

Once you have imported keys, you can then list all of them
by using the
--list-keys
option:

$
gpg --list-keys

This command lists both your private key (you usually have only
one, but you can have as many as you like) as well as the public keys
you have imported. An example of output from the command on a keyring
that contains keys for James Stanger and Andy Oram would appear as
follows:

/home/james/.gnupg/pubring.gpg
---------------------------------------
pub 2048g/CC7877gh 2009-09-11 James (Stanger)
sub 2048g/89G5B4KM 2009-09-11
pub 2048D/4g37NJ27 2009-12-09 Andyo (Oram)
sub 2048D/4g37GK38 2009-12-09

The
pub
defines the DSA master
signing key, and the
sub
defines the
ElGamal encryption subkey.

If you wish to list just the private keys, or what GPG calls
“secret keys,” use the
--list-secret-keys
option. To list just the public keys, use the
--list-public-keys
option.

Export both a Public and Private Key

Exporting your private key is useful because you will want
to create a backup should your system somehow become unavailable or
experience a problem. To create a backup of all keys to a single file,
issue the following command:

$
gpg --export -o
gpg_backup_file

If, for example, your username were James Stanger, the following
command would export only your private key to a file named
private.key
:

$
gpg --export-secret-key -a "James Stanger" -o private.key

To export your public key, you would issue the following
command:

$
gpg -- export-public-key -a "James Stanger" -o stanger.pub
Encrypting a File

Now suppose that you wish to encrypt a file named
chapter24.odt
so that only the user named Andy Oram
can use it. You would issue the following command:

$
gpg -e -u "James Stanger" -r "Andy Oram" chapter24.odt

The resulting file would be called
chapter24.odt.gpg
.

Once Andy receives this file, he would issue the following
command:

$
gpg -d chapter24.odt.gpg

He would then be able to read the file using OpenOffice.

Troubleshooting Files in the ~/.gnupg/ Directory

The LPI exam also expects you to identify the files in the
~/.gnupg
directory, mainly because
you may need to troubleshoot an installation or obtain a private key.
Following is a listing of the files found in a typical GPG
implementation, regardless of Linux distribution:

gpg.conf

Allows you to create default settings for GPG, including a
preferred
key server. A key server contains the public keys of
any user who wishes to upload her keys.

pubring.gpg

Contains the public keys that you have imported.

random_seed

A text file containing settings that enable GPG to create
random numbers more quickly and easily.

secring.gpg

Contains the private key that determines your
identity.

trustdb.gpg

The trust database, which contains the information
concerning the trust values you have assigned to various public
keys. A user may set variable levels of trust to public keys in
his key ring. More information on trust can be found in the
GPG
documentation
.

On the Exam

Make sure that you understand how to import a public key and
export both public and private keys.

Other books

Parker 01 - The Mark by Pinter, Jason
Wayward Angel by K. Renee, Vivian Cummings
Snare (Falling Stars #3) by Sadie Grubor
Honeysuckle Summer by Sherryl Woods
The Care of Time by Eric Ambler
Willow by Wayland Drew
Ana Leigh by The Mackenzies