Lesson 10

Date: 4/2/2014

Basics of Linux Security

Linux for Engineering and IT Applications

GNU Privacy Guard exercises

Install GPG on smbhost:

apt-get install gnupg
apt-get install haveged

In the example below, there is key and message echange between users carol (Carol Wilson) and jack (Jack Black).

You need to create two user accounts, carol and jack on smbhost VM.

adduser carol
adduser jack

Remember the passwords.
Open two terminals on your desktop and SSH to smbhost as user carol in one terminal window

    
ssh carol@192.168.122.42

and user jack in the other terminal window:

    
ssh jack@192.168.122.42

As user carol run command gpg to initialize the keys:

gpg --gen-key

Follow the instruction for generating keys below:


Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) ENTER 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 08 Jun 2013 06:40:50 PM EDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Carol Wilson
Email address: carol@linux.class
Comment: 
You selected this USER-ID:
    "Carol Wilson "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
Enter passphrase:

Remember the passphrase.
Make carol's public key available for exchange by running the following command as user carol:

   gpg --export --armor carol@linux.class > carol.pub

File carol.pub contains her public key.

User jack performs the similar procedures to generate the gpg keys and have the public key in a file:

   gpg --gen-key
   gpg --export --armor jack@linux.class > jack.pub

User jack gets carol's public key and imports it:

cp ~carol/carol.pub .
gpg --import carol.pub

Verifies it:

gpg --fingerprint "Carol Wilson"

jack should accept the key by signing it:

gpg --edit-key "Carol Wilson"

   Command> sign
    How carefully have you verified the key you are about to sign actually belongs
    to the person named above?  If you don't know what to answer, enter "0".
    Choose one of the following options (usually 2):
     (0) I will not answer. (default)
     (1) I have not checked at all.
     (2) I have done casual checking.
     (3) I have done very careful checking.

   Command> save

Carol Wilson creates a new file and signs it. For example, a text file, netapp.txt, and a signature:

cat /etc/services > netapp.txt
gpg -b netapp.txt

The second command above creates a new file, netapp.txt.sig

The recepient, jack, who already has imported and signed her public key, copies netapp.txt with the signature file and verifies the file:

 
cp ~carol/netapp.txt .
cp ~carol/netapp.txt.sig .
gpg --verify netapp.txt.sig netapp.txt

If the signature is correct, the output should contain:

   gpg: Good signature from "Carol Wilson "

Sending/Receiving signed encrypted messages.

carol imports and signs Jack's public key in the same way as he did with her's.

cp ~jack/jack.pub .
gpg --import jack.pub
gpg --fingerprint "Jack Black"
gpg --edit-key "Jack Black"

The sender, carol, uses the recepient's, jack's, public keys to encrypt a message located in file netapp.txt and save it in file forjack.gpg:

cat netapp.txt | gpg -sea -r "Jack Black" > forjack.gpg

The recepient, jack, decrypts the message with his private key.

cp ~carol/forjack.gpg .
gpg -d forjack.gpg

The output can be saved in a text file, forjack.txt:

gpg -d -o forjack.txt forjack.gpg

Verify signature for dowloaded software:

Download the following files:

   DJM-GPG-KEY.asc
   openssh-4.4p1.tar.gz
   openssh-4.4p1.tar.gz.asc

Import the public key:

gpg --import DJM-GPG-KEY.asc

Check if the key has been added:

 gpg --fingerprint

Signe the key:

gpg --edit "Damien Miller (Personal Key) "

   Command> sign
   Command> save

Verify that the signute for the software is good:

gpg --verify openssh-4.4p1.tar.gz.asc openssh-4.4p1.tar.gz

Delete the key from the keyring:

gpg --delete-keys "Damien Miller (Personal Key) "

Verify that the key has been deleted:

gpg --fingerprint

Fundamentals of Linux security
How systems get compromised
Trojan script exercise
Stack overflow
Package upgrades and verification
Open Ports List exercise
Closing Ports
TCP Wrappers exercise
IP filtering firewalls (iptables)
Building iptables rules
Simple iptables script
NAT table
NAT script
Exercises with iptables
Port scanning exercises
GNU Privacy Guard
GPG exercises
Logs
System Integrity checks
GNUtar exercises
References
Take me to the Course Website