Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


GNU Privacy Guard exercises

  • Install GPG on smbhost:
    apt-get install gnupg
    apt-get install haveged
    

    In the example below, there is key and message echange between users carol (Carol Wilson) and jack (Jack Black).

  • You need to create two user accounts, carol and jack on smbhost VM.
    adduser carol
    adduser jack
    
    Remember the passwords.
    Open two terminals on your desktop and SSH to smbhost as user carol in one terminal window
        
    ssh carol@192.168.122.42
    
    and user jack in the other terminal window:
        
    ssh jack@192.168.122.42
    

  • As user carol run command gpg to initialize the keys:
    gpg --gen-key
    

    Follow the instruction for generating keys below:
      Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) ENTER Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 2m Key expires at Sat 08 Jun 2013 06:40:50 PM EDT Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: Carol Wilson Email address: carol@linux.class Comment: You selected this USER-ID: "Carol Wilson " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. gpg: gpg-agent is not available in this session Enter passphrase:
    Remember the passphrase.
    Make carol's public key available for exchange by running the following command as user carol:
       gpg --export --armor carol@linux.class > carol.pub
    
    File carol.pub contains her public key.

  • User jack performs the similar procedures to generate the gpg keys and have the public key in a file:
       gpg --gen-key
       gpg --export --armor jack@linux.class > jack.pub
    


  • User jack gets carol's public key and imports it:
    cp ~carol/carol.pub .
    gpg --import carol.pub
    

    Verifies it:
    gpg --fingerprint "Carol Wilson"
    

    jack should accept the key by signing it:
    gpg --edit-key "Carol Wilson"
    

       Command> sign
        How carefully have you verified the key you are about to sign actually belongs
        to the person named above?  If you don't know what to answer, enter "0".
        Choose one of the following options (usually 2):
         (0) I will not answer. (default)
         (1) I have not checked at all.
         (2) I have done casual checking.
         (3) I have done very careful checking.
    
       Command> save
    

  • Carol Wilson creates a new file and signs it. For example, a text file, netapp.txt, and a signature:
    cat /etc/services > netapp.txt
    gpg -b netapp.txt
    
    The second command above creates a new file, netapp.txt.sig

  • The recepient, jack, who already has imported and signed her public key, copies netapp.txt with the signature file and verifies the file:
     
    cp ~carol/netapp.txt .
    cp ~carol/netapp.txt.sig .
    gpg --verify netapp.txt.sig netapp.txt
    

    If the signature is correct, the output should contain:
       gpg: Good signature from "Carol Wilson "
    


    Sending/Receiving signed encrypted messages.

  • carol imports and signs Jack's public key in the same way as he did with her's.
    cp ~jack/jack.pub .
    gpg --import jack.pub
    gpg --fingerprint "Jack Black"
    gpg --edit-key "Jack Black"
    

  • The sender, carol, uses the recepient's, jack's, public keys to encrypt a message located in file netapp.txt and save it in file forjack.gpg:
    cat netapp.txt | gpg -sea -r "Jack Black" > forjack.gpg
    

  • The recepient, jack, decrypts the message with his private key.
    cp ~carol/forjack.gpg .
    gpg -d forjack.gpg 
    

    The output can be saved in a text file, forjack.txt:
    gpg -d -o forjack.txt forjack.gpg
    


    Verify signature for dowloaded software:

    Download the following files:
       DJM-GPG-KEY.asc
       openssh-4.4p1.tar.gz
       openssh-4.4p1.tar.gz.asc
    
    Import the public key:
    gpg --import DJM-GPG-KEY.asc 
    

    Check if the key has been added:
     gpg --fingerprint
    

    Signe the key:
    gpg --edit "Damien Miller (Personal Key) "
    

       Command> sign
       Command> save
    
    Verify that the signute for the software is good:
    gpg --verify openssh-4.4p1.tar.gz.asc openssh-4.4p1.tar.gz 
    

    Delete the key from the keyring:
    gpg --delete-keys "Damien Miller (Personal Key) "
    

    Verify that the key has been deleted:
    gpg --fingerprint
    



  • Take me to the Course Website