Cryptography Exercises: Track 2 Workshop

PacNOG 7: American Samoa

June 30, 2010

Exercises

    Using SSH public/private Keys for Authentication

  1. Munging a Document and Comparing Message Digests
  2. Generate a public/private Key Pair for SSH
  3. Copy Your Public Key to Your Neighbor's admin Account

Notes

  1. The "#" and "$" characters before commands represent your system prompt and are not part of the command itself. "#" indicates a command issued as root, while "$" indicates a command issued as a normal user.

1.) Munging a Document and Comparing Message Digests

To do this exercise you will need to be root.

On your machine type:

# cat /etc/motd

Look at your neighbour's machine. Is their file exactly the same as yours? Can you be sure?

Now run the file through the sha1 one-way hashing function:

# sha1sum /etc/motd

Let's do this again and save the results to a file:

# sha1sum /etc/motd > /tmp/motd-hash

Now change ONE (1) character in your /etc/motd file and repeat the sha1 test. You may want to do this using two terminals: one to have your sha1 output displayed and the other for editing the /etc/motd file.

Example:

# vi /etc/motd

Make a one-character change, save the file and exit. Now we'll run sha1 again, append the result to the same motd-hash file and compare the hashes:

# sha1sum /etc/motd >> /tmp/motd-hash

Compare the results with your neighbor, or with your previous sha1 message digest. They should be very different.

As discussed, the SHA-1 hashing algorithm is no longer considered reliable. You can do this same exercise using sha256sum or even sha512sum instead.

Note: On BSD UNIX systems such as FreeBSD, the equivalent commands are named sha1, sha256, etc.
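The whole exercise scripted end to end, as an added example that is not part of the workshop page: it hashes a constructed stand-in for /etc/motd (so the real file is never touched), changes one character, shows that the digest changes completely, and uses sha256sum -c to verify a file against a saved digest. It assumes GNU coreutils sha256sum, as found on the Linux classroom machines.

```shell
#!/bin/sh
# Added example: a one-character change produces an unrelated SHA-256 digest,
# and sha256sum -c detects that a file no longer matches its saved digest.
# Assumes GNU coreutils (sha256sum with -c/--status).
set -u

WORK=$(mktemp -d)   # scratch directory; nothing under /etc is modified

# Write a constructed stand-in for /etc/motd.
make_motd() {
    printf 'Welcome to the PacNOG 7 classroom.\nAuthorized users only.\n' > "$WORK/motd"
}

# Print only the 64-hex-digit digest of a file (first field of sha256sum output).
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Count the positions at which two equal-length hex strings differ.
# For unrelated digests about 60 of 64 digits differ (each digit matches by chance 1/16).
differing_hex_digits() {
    a=$1; b=$2; n=0; i=1
    while [ "$i" -le "${#a}" ]; do
        ca=$(printf '%s' "$a" | cut -c"$i")
        cb=$(printf '%s' "$b" | cut -c"$i")
        [ "$ca" = "$cb" ] || n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Save the digest in checksum-file format, change one character, then check
# that the digest differs and that sha256sum -c reports the mismatch.
# Leaves the digests in $before and $after. Returns 0 when both checks pass.
demo_one_char_change() {
    make_motd
    sha256sum "$WORK/motd" > "$WORK/motd-hash"
    before=$(digest_of "$WORK/motd")

    # Change exactly one character: "Welcome" -> "Welcomf".
    sed 's/Welcome/Welcomf/' "$WORK/motd" > "$WORK/motd.new" && mv "$WORK/motd.new" "$WORK/motd"
    after=$(digest_of "$WORK/motd")

    [ "$before" != "$after" ] || return 1

    # sha256sum -c re-hashes the file named in motd-hash and compares;
    # --status suppresses output and signals the result by exit code only.
    if sha256sum -c --status "$WORK/motd-hash" 2>/dev/null; then
        return 1    # it must NOT match any more
    fi
    return 0
}

demo_one_char_change && printf 'before: %s\nafter:  %s\ndigits differing: %s of 64\n' \
    "$before" "$after" "$(differing_hex_digits "$before" "$after")"
```

sha256sum -c is the mechanism behind published checksum files: the same command that flagged the edited motd here will flag a tampered download when run against the vendor's .sha256 file, which is why the digest must come from a channel separate from the file itself.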


2.) Generate Public/Private Key Pair for SSH

Note: Please be sure that you are logged in and using your pacnog account for this exercise - not root.

NOTE: If you are using a laptop and you are not running Linux on your laptop, then you should do this exercise with someone who is sitting at a desktop machine.

We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do this, issue the following commands:

$ cd
$ ssh-keygen -t rsa -b 2048

You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Do not change the default filename or location for the key.

This command output should look like:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/pacnog/.ssh/id_rsa):   [PRESS ENTER]
Created directory '/home/pacnog/.ssh'.
Enter passphrase (empty for no passphrase):     [TYPE IN PASSPHRASE]
Enter the same passphrase again:                [TYPE IN SAME PASSPHRASE]
...

Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want and as long as you want, including spaces.

You will see something like this:

Your identification has been saved in /home/pacnog/.ssh/id_rsa.
Your public key has been saved in /home/pacnog/.ssh/id_rsa.pub.
The key fingerprint is:
d9:99:7c:ad:80:90:df:8c:1b:7e:79:a4:bb:c3:89:a1 pacnog@pc10.pacnog.bluesky.as
The key's randomart image is:
+--[ RSA 2048]----+
|      E.         |
|       ..        |
|         .       |
|        +        |
|     o oSo .     |
|      = o.o .    |
|     . o *.o.    |
|        = *o.    |
|         =**     |
+-----------------+

Your private key should now be protected by a passphrase. This means that to use your public/private key combination you will need to type in your passphrase (not your pacnog account's password) when prompted.


3.) Copy Your Public Key to an Account We Have Created for You on the NOC Box

We have created the accounts pc1 through pc15 on the classroom noc server. If you are on a desktop machine, do this exercise using the corresponding account on the noc box. If you are on a laptop, ask the instructor which account you should use. The password for these accounts is the same as the password for the pacnog user on your desktop machines.

The first thing you will do is to copy your public key file over to the home directory of your account on the noc box.

Please remember - you must do this exercise as the pacnog user on your local machine.

$ cd
$ cd .ssh
$ scp id_rsa.pub pcX@noc:.

It is critical that you pay close attention to the command above. Be sure you include the ":" and the "." at the end of the command.

You should see something like this on your screen:

The authenticity of host 'noc (67.218.55.67)' can't be established.
RSA key fingerprint is ca:0b:74:d5:65:9a:bc:cf:1d:e3:c2:39:5f:7d:f9:07.
Are you sure you want to continue connecting (yes/no)? 

Respond with "yes" to accept this public key from noc.

This is the initial exchange of the noc's ssh host key fingerprint with your machine. ssh records the host key, so that the next time you log in it can compare what the server presents with what it has seen before.

After you say yes, type in the password for the pcX account on the noc box. Your public ssh key has now been copied to your corresponding pcX account on our classroom noc machine. Now log in to your account on the noc box to execute a few more commands:

$ ssh pcX@noc

You will now be logged in to the noc machine as the user pcX.

Now do the following:

$ cd
$ mkdir .ssh
$ cat id_rsa.pub >> .ssh/authorized_keys
$ rm id_rsa.pub

Note: You could have done this all remotely, but I wanted you to see what logging in to the noc box looks like using a password.

Now log off from the noc box:

$ exit

Now try logging back in to the noc box:

$ ssh pcX@noc

What just happened? If everything worked you should have been asked for the passphrase of the private key of your ssh key on your local machine. This is pretty cool!

You can exit from the noc machine by typing:

$ exit
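The mkdir/cat/rm steps above, done as a small script, as an added example that is not part of the workshop page: it sets the permissions sshd expects on ~/.ssh and authorized_keys (with the default StrictModes setting, sshd ignores the file if either is writable by anyone but the owner), refuses input that is not an OpenSSH public key line, does not append the same key twice when run again, and removes the uploaded copy only after the install succeeded. It takes the home directory as a parameter so it can be demonstrated on a scratch directory with a constructed key line instead of a real account.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys safely and idempotently.
# Assumes OpenSSH's authorized_keys format (one key per line) and POSIX tools.

# install_pubkey HOMEDIR PUBKEYFILE
install_pubkey() {
    home=$1
    pub=$2
    auth="$home/.ssh/authorized_keys"

    # Refuse anything that does not look like an OpenSSH public key line.
    keyline=$(head -n 1 "$pub")
    case $keyline in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) rejects keys when ~/.ssh or
    # authorized_keys is group- or world-writable, so set modes explicitly.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present (idempotent).
    if ! grep -qxF "$keyline" "$auth"; then
        printf '%s\n' "$keyline" >> "$auth"
    fi
    rm -f "$pub"
}

# count_key AUTHFILE KEYLINE: number of times KEYLINE appears as a whole line.
count_key() {
    grep -cxF "$2" "$1"
}

# Demonstration on constructed data; prints the scratch home directory used.
demo_install() {
    home=$(mktemp -d)
    # Constructed public key line: the blob is a placeholder, not a real key.
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY pacnog@pc10.example'
    printf '%s\n' "$key" > "$home/id_rsa.pub"
    cp "$home/id_rsa.pub" "$home/id_rsa.pub.again"

    install_pubkey "$home" "$home/id_rsa.pub" || return 1
    install_pubkey "$home" "$home/id_rsa.pub.again" || return 1   # second run adds nothing

    [ "$(count_key "$home/.ssh/authorized_keys" "$key")" -eq 1 ] || return 1
    [ -n "$(find "$home/.ssh" -prune -perm 700)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600)" ] || return 1
    [ ! -e "$home/id_rsa.pub" ] || return 1
    echo "$home"
}

demo_install
```

On the host-key prompt seen earlier in this exercise: the fingerprint ssh shows you can be checked against the server's own copy with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub run on the noc box (or read out by the instructor), so that "yes" is an informed answer rather than a reflex.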


Hervey Allen


Last modified: Wed Jun 30 12:29:45 SST 2010