Cryptography Exercises: System Administration Workshop: AfNOG 2008: Rabat

May 28, 2008


Exercises

    Using SSH public/private Keys for Authentication

  1. Munging a Document and Comparing Message Digests
  2. Generate your public/private Key Pair for ssh
  3. Copy Your Public Key to Your Neighbor's admin Account

Notes

  1. The "#" and "$" characters before commands represent your system prompt and are not part of the command itself. "#" indicates a command issued as root, while "$" indicates a command issued as a normal user.
  2. Italics: items in italics are to be replaced with something of your choice. For instance, username means choose your own username; don't literally type the word "username".


1.) Munging a Document and Comparing Message Digests

To do this exercise you will need to be root.

On your machine type:

# cat /etc/motd

Look at your neighbour's machine. Is their file exactly the same as yours? Can you be sure?

Now run the file through the sha1 one-way hashing function:

# sha1 /etc/motd

Now change ONE (1) character in your /etc/motd file and repeat the sha1 test. You may want to do this using two terminals: one to display your sha1 output and the other to edit the /etc/motd file.

Example:

# vi /etc/motd
One character change.

Compare the results with your neighbor, or with your previous sha1 message digest. They should be very different.
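The comparison you just did by hand, as an added example that is not part of the workshop page: a small POSIX shell script that digests two files and reports whether they match, then shows on a constructed motd how a single-character change produces an entirely different SHA-1. It assumes that one of sha1sum (GNU), shasum (Perl) or sha1 (FreeBSD, the tool used above) is installed; the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the workshop page): compare files by message digest
# rather than by eye, as exercise 1 does with /etc/motd. Assumes one of
# sha1sum, shasum or BSD sha1 is available; helper names are our own.

# Print the SHA-1 hex digest of the file named in $1 with whichever tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        sha1 -q "$1"        # FreeBSD sha1: -q prints only the digest
    fi
}

# Succeed (exit 0) when both files have the same digest, fail otherwise.
same_digest() {
    [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# Demonstration on a constructed motd: an exact copy matches, a copy with
# exactly one character changed ("pc100" -> "pc101") does not.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Welcome to pc100. Authorised users only.\n' > "$dir/motd.orig"
    cp "$dir/motd.orig" "$dir/motd.copy"
    sed 's/pc100/pc101/' "$dir/motd.orig" > "$dir/motd.changed"

    echo "original: $(sha1_of "$dir/motd.orig")"
    echo "changed : $(sha1_of "$dir/motd.changed")"
    same_digest "$dir/motd.orig" "$dir/motd.copy"    && echo "exact copy: digest matches"
    same_digest "$dir/motd.orig" "$dir/motd.changed" || echo "one-char change: digest differs"
    rm -rf "$dir"
}
```

Run `demo` to see the two digests side by side; the point is that you can exchange a 40-character digest with your neighbour instead of the whole file and still be sure whether the contents are identical.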


2.) Generate your Public/Private Key Pair

Note: Please be sure that you are logged in and using your inst account for this exercise - not root.

We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do this, issue the following commands.

$ cd
$ ssh-keygen -t rsa -b 2048

You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Do not change the default filename or location for the key.

This command output should look like:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):   [PRESS ENTER]
Created directory '/home/inst/.ssh'.
Enter passphrase (empty for no passphrase):     [TYPE IN PASSPHRASE]
Enter the same passphrase again:                [TYPE IN SAME PASSPHRASE]
...

Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want and as long as you want - including spaces.

You will see something like this:

Your identification has been saved in /home/inst/.ssh/id_rsa.
Your public key has been saved in /home/inst/.ssh/id_rsa.pub.
The key fingerprint is:
d9:99:7c:ad:80:90:df:8c:1b:7e:79:a4:bb:c3:89:a1 inst@pc100.sae.ws.afnog.org

Your private key should now be protected by a passphrase. This means that to use your public/private key combination you will need to type in your passphrase (not your inst account's password) when prompted.


3.) Copy Your Public Key to Your Neighbor's inst Account

First connect to your neighbor's machine as the userid inst using ssh. We'll refer to your neighbor's machine as pc1xx.

NOTE: You should connect to the machine on your right. If you are at pc120, then connect to pc100.

Here's what you do (as a normal user):

$ ssh inst@pc1xx

Now you'll be faced with a prompt similar to this:

The authenticity of host 'pc1xx.sae.ws.afnog.org (196.200.218.1xx)' can't be established.
RSA2 key fingerprint is 60:f7:04:8b:f7:61:c4:41:6e:9a:6f:53:7d:95:cb:29.
Are you sure you want to continue connecting (yes/no)?

You should say yes to this prompt, but you should understand what this means. Do you?

Once you say yes, then you will see another message like this:

Warning: Permanently added 'pc1xx.sae.ws.afnog.org' (RSA2) to the list of known hosts.
[/home/inst/known_hosts]
inst@pc1xx.sae.ws.afnog.org's password: 

At this point enter the password for the inst account on your neighbor's machine.

Now you'll be logged in and see a prompt like this:

[inst@pc1xx ~]$

Now you should log out of your neighbor's machine, and then immediately log back in:

[inst@pc1xx ~]$ exit
$ ssh inst@pc1xx.sae.ws.afnog.org

Now you should simply be prompted for the inst password on your neighbor's machine. You should not see the warning message again. Now, log out of your neighbor's machine again:

[inst@pc1xx ~]$ exit

Let's copy the public key for your user account on your machine to the /home/inst/.ssh directory on your neighbor's machine. As usual there are several ways to do this, but here's one set of steps that should work (be sure you are on your machine):

$ cd /home/inst/.ssh
$ scp id_rsa.pub inst@pc1xx.sae.ws.afnog.org:/tmp/.     [type in the inst@pc1xx password]
$ ssh inst@pc1xx
[inst@pc1xx ~]$ cd .ssh                                  [if ".ssh" is not there do "mkdir .ssh"]
[inst@pc1xx ~]$ cat /tmp/id_rsa.pub >> authorized_keys
[inst@pc1xx ~]$ rm /tmp/id_rsa.pub
[inst@pc1xx ~]$ exit
If you don't understand what this means please ask an instructor to explain and give you a hand.
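The "cat >> authorized_keys" step above, as an added example that is not part of the workshop's own steps: a POSIX shell function that installs a public key into an account's authorized_keys while refusing anything that is not an OpenSSH public key line, skipping keys already present (even with a different comment), and setting the 0700/0600 permissions that sshd's StrictModes checks before it will honour the file. The function names and the sample key are constructed here.

```shell
#!/bin/sh
# Added example (not the workshop's own steps): install a public key into
# HOME_DIR/.ssh/authorized_keys as exercise 3 does, but idempotently and
# with the permissions sshd expects. Assumes a POSIX shell; the names
# install_pubkey and count_keys are chosen for this example.

install_pubkey() {
    home="$1"; pub="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"

    # Accept only a one-line OpenSSH public key ("ssh-rsa AAAA... comment").
    key=$(head -n 1 "$pub")
    case "$key" in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 2 ;;
    esac

    # .ssh must be 0700 and authorized_keys 0600, or sshd ignores the file
    # when StrictModes is on (the default).
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Compare only the key type and base64 blob, so the same key with a
    # different trailing comment does not get a second entry.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF "$blob"; then
        echo "key already present in $auth"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed key into $auth"
}

# Print the number of keys currently authorized for a home directory.
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c . "$1/.ssh/authorized_keys"
}
```

On the neighbour's machine the call would be `install_pubkey /home/inst /tmp/id_rsa.pub`; running it a second time reports the key as already present instead of appending a duplicate.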

Your public key is now sitting in the file /home/inst/.ssh/authorized_keys in the inst account on your neighbor's machine. Try connecting to inst on your neighbor's machine:

$ ssh inst@pc1xx.sae.ws.afnog.org

You should now see something like:

$ ssh inst@pc1xx.sae.ws.afnog.org
Enter passphrase for key '/home/inst/.ssh/id_rsa': 

At this point you type in the passphrase you used when creating your public/private key pair on your machine for your account - not the password for the inst account on your neighbor's machine.

If you think about this that's pretty neat! Anywhere your public key resides you can log in using one passphrase, and it won't expire.

Now be sure that you log out of your neighbor's machine:

[inst@pc1xx ~]$ exit


Hervey Allen


Last modified: Wed May 28 02:49:22 WET 2008