LPI Linux Certification in a Nutshell
Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger
Tags: #Reference:Computers
ssh has the ability to forward arbitrary IP-based protocols. The syntax is given next.
ssh-keygen
ssh-keygen [-b bits] -t type
ssh-keygen -p [-t type]
ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
ssh-keygen generates keys to identify hosts or users in the SSH protocol, versions 1 and 2.
The first form creates a key. For version 1 of the protocol, the type should be rsa1. For version 2, it can be either rsa or dsa. The -b option sets the number of bits in the keys: 512 is the minimum, and 1024 bits is the default. In general, you can use as many bits as you like. During key generation, you will be asked to give a passphrase. A passphrase is different from a password in that it is a phrase, not simply a word, and is expected to be long. If a key pair has a passphrase associated with it, you will be expected to provide that passphrase interactively every time you need to access that key pair. If this is undesirable (for example, if you have unattended processes accessing the key pair), you don't want to provide a passphrase.
The second form is used to change your passphrase.
The three last forms are used to generate the three different kinds of host keys. The first is for version 1 of the protocol; the two others are for version 2. The -f option sets the output filename; if you omit the option, you will be prompted for the name. The -C option sets a comment on the key, and -N sets the passphrase.
Generate a private key and then change its passphrase:
$ ssh-keygen -t dsa -b 2048
Generating public/private dsa key pair.
Enter file in which to save the key (/home/janl/.ssh/id_dsa):
Created directory '/home/janl/.ssh'.
Enter passphrase (empty for no passphrase): passphrase
Enter same passphrase again: passphrase
Your identification has been saved in /home/janl/.ssh/id_dsa.
Your public key has been saved in /home/janl/.ssh/id_dsa.pub.
The key fingerprint is:
c2:be:20:4a:17:2e:3f:b2:73:46:5c:00:ef:38:ca:03 janl@debian
$ ssh-keygen -p -t dsa
Enter file in which the key is (/home/janl/.ssh/id_dsa):
Enter old passphrase: passphrase
Key has comment '/home/janl/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase): passphrase
Enter same passphrase again: passphrase
Your identification has been saved with the new passphrase.
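The fingerprint that ssh-keygen prints at the end of the run above is a hash of the public-key blob stored in the .pub file, and it is the value you compare against a fingerprint received out of band before trusting a host or user key. The following Python is an added example, not code from the book: it assembles a public-key line from constructed toy numbers (not a real key pair), parses it back, and derives both the MD5 colon form shown in the output above and the SHA256 form that OpenSSH 6.8 and later print by default. The function names (build_rsa_public_line, parse_public_line, md5_fingerprint, sha256_fingerprint, fingerprint_matches) are this example's own. The parser reads any key type that is a sequence of wire-format strings, so an ssh-dss line from the DSA example above parses to its p, q, g and y fields.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint: minimal big-endian magnitude, with a leading 0x00 when the top bit is set."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_line(e, n, comment):
    """Assemble a line in the id_rsa.pub layout: key type, base64 blob, comment."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def _blob(line):
    """The base64 field of a public-key line, decoded; this is what fingerprints hash."""
    return base64.b64decode(line.split()[1])


def parse_public_line(line):
    """Return (key_type, [integers]): [e, n] for ssh-rsa, [p, q, g, y] for ssh-dss."""
    key_type_text = line.split()[0]
    blob = _blob(line)
    key_type, offset = _read_string(blob, 0)
    if key_type.decode("ascii") != key_type_text:
        raise ValueError("key type outside the blob does not match the type inside it")
    fields = []
    while offset < len(blob):
        raw, offset = _read_string(blob, offset)
        fields.append(int.from_bytes(raw, "big"))  # a leading 0x00 does not change the value
    return key_type.decode("ascii"), fields


def md5_fingerprint(line):
    """Older OpenSSH format, as in the ssh-keygen output above: 16 colon-separated hex bytes."""
    return ":".join("%02x" % b for b in hashlib.md5(_blob(line)).digest())


def sha256_fingerprint(line):
    """Format OpenSSH 6.8 and later print by default: 'SHA256:' plus unpadded base64."""
    digest = hashlib.sha256(_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(line, expected):
    """Compare a key against a fingerprint obtained out of band, in either format."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(line) == expected
    return md5_fingerprint(line) == expected.lower().replace("md5:", "")


# Constructed sample: toy e and n, not a real key pair (a real modulus is 2048+ bits).
SAMPLE_E = 65537
SAMPLE_N = 0xD3F17A9B5C2E8D419F0B6A73E5C12B87
SAMPLE_LINE = build_rsa_public_line(SAMPLE_E, SAMPLE_N, "janl@debian")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_public_line(SAMPLE_LINE))
    print(md5_fingerprint(SAMPLE_LINE))
    print(sha256_fingerprint(SAMPLE_LINE))
```

Running the block prints the constructed line and both fingerprints; pointing `_blob` at a real id_dsa.pub line gives the same colon string that `ssh-keygen -l -E md5 -f id_dsa.pub` reports, because both hash exactly the decoded base64 field and nothing else.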
ssh -R|L
ssh -R|L port:host:host_port [user@]hostname [command]
When the main option is -L, ssh redirects traffic from the local port port to the remote machine and port given by host:host_port. The host is resolved by the resolver on the host you connect to. For security reasons, it binds only to the localhost address, not to any ethernet or other interfaces you may have.
When a program connects to the localhost port, the connection is forwarded to the remote side. A very useful application for this is to forward local ports to your company's mail server so you can send email as if you were at the office. All you have to do then is configure your email client to connect to the right port on localhost. This is shown by the example in the following section.
When using -R, the reverse happens. The port port of the remote host's localhost interface is bound to the local machine, and connections to it will be forwarded to the local machine given by host:host_port.
Log into login.example.com. Then, forward connections that come into localhost port 2525 to port 25 on mail.example.com, which would otherwise reject relaying for you. The reason for binding to port 2525 is that you need to be root to bind to port 25:
$ ssh -L 2525:mail.example.com:25 login.example.com
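The -L behaviour described above, modelled in Python as an added example that is not code from the book: a relay that listens on 127.0.0.1 only and copies bytes in both directions between each accepted connection and the target, with a local echo server standing in for mail.example.com:25. There is no SSH and no encryption in it; it shows only the bind-to-loopback and relay semantics, which is why a listener that binds to every interface would be the thing to look for when reviewing a forwarding setup. The names LocalForward, start_echo_server, round_trip and demo are this example's own; the bind_address argument mirrors the optional [bind_address:] prefix that OpenSSH accepts on -L, and port 0 is used here so the demo picks a free port where the book's example uses 2525.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src sends EOF, then pass the EOF along."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Toy equivalent of `ssh -L port:host:host_port`: accept on the loopback address
    only and relay each accepted connection to (host, host_port). Unlike ssh, nothing
    here is encrypted; it only models the bind and relay behaviour."""

    def __init__(self, port, host, host_port, bind_address="127.0.0.1"):
        self.target = (host, host_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_address, port))  # loopback only, as ssh -L does by default
        self.listener.listen(5)
        self.bound = self.listener.getsockname()   # (address, actual port), useful when port == 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            remote = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
        _pump(remote, client)  # returns once the remote side has sent EOF
        remote.close()
        client.close()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Stand-in for the mail server: echoes whatever it receives, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:  # closing conn signals EOF back through the relay
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(port, payload):
    """Act as the mail client: connect to the forwarded local port, send, read until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire it up: client -> loopback listener -> relay -> 'mail server'. Returns the
    address the listener is bound to and the bytes echoed back through the tunnel."""
    mail_srv, mail_port = start_echo_server()               # stands in for mail.example.com:25
    fwd = LocalForward(0, "127.0.0.1", mail_port)           # stands in for -L 2525:mail.example.com:25
    try:
        echoed = round_trip(fwd.bound[1], b"EHLO laptop\r\n")  # constructed sample payload
    finally:
        fwd.close()
        mail_srv.close()
    return fwd.bound[0], echoed


if __name__ == "__main__":
    print(demo())
```

The bound address returned by demo() is the check worth keeping in mind: with ssh, `ssh -L 2525:mail.example.com:25 ...` behaves like bind_address="127.0.0.1", while a listener on 0.0.0.0 (what OpenSSH's GatewayPorts option or an explicit wildcard bind_address would give) would expose the tunnel to every host that can reach the machine.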
This section explains how to acquire, compile, install, and configure OpenSSH for Linux, so that you can use it in place of telnet, rsh, and rlogin.
In the unlikely event that your Linux distribution does not include OpenSSH, it is available at http://www.openssh.com/portable.html and at many mirror sites around the world. It is a simple matter to compile and install OpenSSH if you have gcc, make, and the necessary libraries and header files installed. The OpenSSH build uses autoconf (the usual configure, make, and so on) like most other free software/open source projects.
To enable login from remote systems using OpenSSH, you must start sshd, which may be done simply by issuing the following command:
# sshd
Note that you do not need to put this command in the background, as it handles this detail itself. Once the sshd daemon is running, you may connect from another SSH-equipped system:
# ssh mysecurehost
The default configuration should be adequate for basic use of SSH.
On the Exam
SSH is an involved and highly configurable piece of software, and detailed knowledge of its setup is not required. However, SSH is an important part of the security landscape. Be aware that all communications using SSH are encrypted using public/private key encryption, which means that plain-text passwords are not exposed by SSH and are therefore unlikely to be compromised.
This book isn't the place for a full GPG tutorial. However, the LPI 102 exam requires you to understand how to use the standard GPG command to:
Generate a key pair
Import (i.e., add) a public key to a GPG keyring
Sign keys
List keys
Export both a public and private key
Encrypt and decrypt a file
You will also be expected to troubleshoot a standard implementation, which means that you'll need to understand the files in the ~/.gnupg/ directory.
Following is an example of the sequence necessary for generating a key pair in GPG:
$ gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2008 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring '/home/james/.gnupg/secring.gpg' created
gpg: keyring '/home/james/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
What keysize do you want? (1024) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Fri Sep 18 00:23:00 2009 CET
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "James Stanger (James Stanger)"
Real name: James Stanger
Email address: [email protected]
Comment:
You selected this USER-ID:
    "James Stanger"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
Repeat passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
+++++
public and secret key created and signed.
key marked as ultimately trusted.
pub  2048R/97DAFDB2 2004-01-12 James Stanger
     Key fingerprint = 85B2 0933 AC51 430B 3A38 D673 3437 9CAC 97DA FDB2
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a secondary key for this purpose.
Notice that you have several options when you first issue the gpg --gen-key command:
(1) DSA and ElGamal: A DSA key pair is created for making signatures to sign files, and an ElGamal key pair is created to encrypt files.
(2) DSA (sign only): A faster method, but it only creates a key pair that can sign files.
(5) RSA (sign only): Same as option 2 but uses RSA encryption instead of DSA.
On the Exam
You will only need to know about option 1, DSA and ElGamal. You will not be expected to know how to use GPG with email applications, such as Mozilla Thunderbird.
The GPG public key repository is called a "keyring." The keyring contains your private key (or multiple private keys), plus all of the public keys of individuals you wish to communicate with. To add a public key to your keyring, you generally obtain a text file that contains the public key. If, for example, the file were named andy_oram_oreilly.asc, you would issue the following command:
$ gpg --import andy_oram_oreilly.asc
Before you can safely use an imported key, you need to sign it. To do so, issue the following command from your terminal:
$ gpg --edit-key username
If, for example, you wished to sign the key within the andy_oram_oreilly.asc file, you would need to obtain the username of that key. Let's assume that the username is Andyo. You would then issue the following command:
$ gpg --edit-key "Andyo"
You will then be asked if you wish to really sign the key. As your reply, you need to provide the password for your private key. Once you do this, GPG will sign the key you have just imported.
Once you have imported keys, you can then list all of them by using the --list-keys option:
$ gpg --list-keys
This command lists both your private key (you usually have only one, but you can have as many as you like) as well as the public keys you have imported. An example of output from the command on a keyring that contains keys for James Stanger and Andy Oram would appear as follows:
/home/james/.gnupg/pubring.gpg
---------------------------------------
pub   2048g/CC7877gh 2009-09-11 James (Stanger)
sub   2048g/89G5B4KM 2009-09-11
pub   2048D/4g37NJ27 2009-12-09 Andyo (Oram)
sub   2048D/4g37GK38 2009-12-09
The pub defines the DSA master signing key, and the sub defines the ElGamal encryption subkey.
If you wish to list just the private keys, or what GPG calls "secret keys," use the --list-secret-keys option. To list just the public keys, use the --list-public-keys option.
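When a keyring has to be checked from a script, for instance to find primary keys whose expiry date (set at --gen-key time, as in the 3y example earlier) has passed, or keys that have no encryption subkey and so cannot receive files, the listing above can be parsed. The following Python is an added example, not code from the book. SAMPLE_LISTING is constructed from the two keys shown above plus a third entry in the "[expires: ...]" form that GnuPG 1.x prints for an expiring key, using the dates from the --gen-key run earlier and a placeholder e-mail address; the function names are this example's own. For production scripts, `gpg --with-colons` gives a stable machine-readable format; this parser reads only the human-readable listing shown here.

```python
import re

# Algorithm letters GnuPG 1.x uses in the human-readable listing.
ALGO_LETTERS = {
    "D": "DSA",
    "R": "RSA",
    "g": "ElGamal (encrypt only)",
    "G": "ElGamal",
}

KEY_RE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/(\S+)\s+(\d{4}-\d{2}-\d{2})(.*)$")
EXPIRES_RE = re.compile(r"\[expires: (\d{4}-\d{2}-\d{2})\]")
UID_RE = re.compile(r"^uid\s+(\S.*?)\s*$")


def parse_key_listing(text):
    """Turn `gpg --list-keys` output into a list of primary-key records, each carrying
    its subkeys; the uid comes from the pub line itself or from a following uid line."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.rstrip())
        if m:
            kind, bits, letter, keyid, created, rest = m.groups()
            expires = EXPIRES_RE.search(rest)
            record = {
                "keyid": keyid,
                "bits": int(bits),
                "algo": ALGO_LETTERS.get(letter, "unknown (%s)" % letter),
                "created": created,
                "expires": expires.group(1) if expires else None,
            }
            if kind == "pub":
                record["uid"] = EXPIRES_RE.sub("", rest).strip() or None
                record["subkeys"] = []
                keys.append(record)
            elif keys:  # a sub line before any pub line is malformed; skip it
                keys[-1]["subkeys"].append(record)
            continue
        u = UID_RE.match(line)
        if u and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = u.group(1)
    return keys


def expired_keys(keys, today):
    """Key IDs whose expiry date is before `today` (ISO dates, so string order is date order)."""
    return [k["keyid"] for k in keys if k["expires"] and k["expires"] < today]


def keys_without_encryption_subkey(keys):
    """Primary keys with no ElGamal or RSA subkey, i.e. nothing to encrypt to. RSA usage
    flags are only visible with --with-colons, so RSA subkeys are assumed capable here."""
    return [k["keyid"] for k in keys
            if not any(s["algo"].startswith(("ElGamal", "RSA")) for s in k["subkeys"])]


# Constructed sample: the two keys listed above plus an expiring sign-only RSA key.
SAMPLE_LISTING = """\
/home/james/.gnupg/pubring.gpg
---------------------------------------
pub   2048g/CC7877gh 2009-09-11 James (Stanger)
sub   2048g/89G5B4KM 2009-09-11
pub   2048D/4g37NJ27 2009-12-09 Andyo (Oram)
sub   2048D/4g37GK38 2009-12-09
pub   2048R/97DAFDB2 2004-01-12 [expires: 2009-09-18]
uid                  James Stanger <james@example.com>
"""

if __name__ == "__main__":
    parsed = parse_key_listing(SAMPLE_LISTING)
    for key in parsed:
        print(key["keyid"], key["algo"], key["uid"], "expires:", key["expires"])
    print("expired as of 2010-01-01:", expired_keys(parsed, "2010-01-01"))
    print("cannot encrypt:", keys_without_encryption_subkey(parsed))
```

Feeding real output in is a matter of replacing SAMPLE_LISTING with the text of `gpg --list-keys`; the third record in the sample is the case the --gen-key output above warns about ("this key cannot be used for encryption"), and it is also the one the expiry check flags once its 3-year validity has run out.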
Exporting your private key is useful because you will want to create a backup should your system somehow become unavailable or experience a problem. To create a backup of all keys to a single file, issue the following command:
$ gpg --export -o gpg_backup_file
If, for example, your username were James Stanger, the following command would export only your private key to a file named private.key:
$ gpg --export-secret-key -a "James Stanger" -o private.key
To export your public key, you would issue the following command:
$ gpg --export -a "James Stanger" -o stanger.pub
Now suppose that you wish to encrypt a file named chapter24.odt so that only the user named Andy Oram can use it. You would issue the following command:
$ gpg -e -u "James Stanger" -r "Andy Oram" chapter24.odt
The resulting file would be called chapter24.odt.gpg.
Once Andy receives this file, he would issue the following command:
$ gpg -d chapter24.odt.gpg
He would then be able to read the file using OpenOffice.
The LPI exam also expects you to identify the files in the ~/.gnupg directory, mainly because you may need to troubleshoot an installation or obtain a private key. Following is a listing of the files found in a typical GPG implementation, regardless of Linux distribution:
Allows you to create default settings for GPG, including a preferred key server. A key server contains the public keys of any user who wishes to upload her keys.
pubring.gpg: Contains the public keys that you have imported.
A text file containing settings that enable GPG to create random numbers more quickly and easily.
secring.gpg: Contains the private key that determines your identity.
The trust database, which contains the information concerning the trust values you have assigned to various public keys. A user may set variable levels of trust to public keys in his key ring. More information on trust can be found in the GPG documentation.
On the Exam
Make sure that you understand how to import a public key and export both public and private keys.