Cryptography Exercises: System Administration Workshop

AfNOG 2009: Cairo

May 13, 2008

Exercises

    Using SSH public/private Keys for Authentication

  1. Munging a Document and Comparing Message Digests
  2. Generate a public/private Key Pair for SSH
  3. Copy Your Public Key to Your Neighbor's admin Account

Notes

  1. The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.

1.) Munging a Document and Comparing Message Digests [Top]

To do this exercise you will need to be root.

On your machine type:

# cat /etc/motd
Look at your neighbour's machine. Is their file exactly the same as yours? Can you be sure?

Now run the file through the sha1 one-way hashing function:

# sha1 /etc/motd
Let's do this again and save the results to a file:
# sha1 /etc/motd > /tmp/motd-hash
Now change ONE (1) character in your /etc/motd file and repeat the sha1 test. You may want to do this using two terminals. One to have your sha1 output displayed and the other for editing the /etc/motd file.

Example:

# vi /etc/motd
One character change. Save the file and exit. Now we'll run sha1 again, save the results to the same motd-hash file and compare the hashes.
# sha1 /etc/motd >> /tmp/motd-hash

Compare the results with your neighbor, or with your previous sha1 message digest. They should be very different.

As discused the sha1 hashing algorithm is no longer considered reliable. You can do this same exercises using sha256 instead.

Note: In Linux the equivalent hashing functions are named sha1sum and sha256sum.


2.) Generate Public/Private Key Pair for SSH [Top]

Note: Please be sure that you are logged in and using your inst account for this exercise - not root.

We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do this, issue the following commands.

$ cd
$ ssh-keygen -t rsa -b 2048
You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Do not change the default filename or location for the key.

This command output should look like:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):   [PRESS ENTER]
Created directory '/home/inst/.ssh'.
Enter passphrase (empty for no passphrase):     [TYPE IN PASSPHRASE]
Enter the same passphrase again:                [TYPE IN SAME PASSPHRASE]
...
Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want and as long as you want - including spaces.

You will see something like this:

Your identification has been saved in /home/inst/.ssh/id_rsa.
Your public key has been saved in /home/inst/.ssh/id_rsa.pub.
The key fingerprint is:
d9:99:7c:ad:80:90:df:8c:1b:7e:79:a4:bb:c3:89:a1 inst@pc10.sae.mtg.afnog.org
The key's randomart image is:
+--[ RSA 2048]----+
|      E.         |
|       ..        |
|         .       |
|        +        |
|     o oSo .     |
|      = o.o .    |
|     . o *.o.    |
|        = *o.    |
|         =**     |
+-----------------+
Your private key should now be protected by a passphrase. This means to use your public/private key combination you will need to type in your passphrase (not your inst account's password) when prompted.


3.) Copy Your Public Key to Your Neighbor's inst Account [Top]

To avoid problems please use this neighbor list for this exercise:

Neighbor List

pc5  <==> pc6
pc7  <==> pc8
pc11 <==> pc12
pc13 <==> pc13

Note: "pcX" refers to your neighbor's machine. If your neighbor is pc10, then pcX would be pc10, etc.

This exercise can be confusing. To make thing easier open two terminal windows on your desktop. In one window make sure you are the inst user on your machine. We will call this your local window. In another window type:

$ ssh inst@pcX
This will be your remote window.

You have already generated your public/private ssh key pair. In your local window do the following:

$ cd ~/.ssh
$ scp id_rsa.pub inst@pcX:/tmp/.
In your remote window do:
$ cd ~/.ssh
$ cat /tmp/id_rsa.pub >> authorized_keys
$ rm /tmp/id_rsa.pub
You now have your public key for the inst user in the authorized_keys file for the inst on your neighbor's machine.

In your local window connect to your neighbor's machine as instusing ssh:

$ ssh inst@pcX
You should have been prompted for the passphrase of your private key instead of the password for inst on your neighbor's machine. If this is what happened, then you are done. Your public/private key pair is now in use between your machine and your neighbor's machine.

If you remember our discussion in the presentation this is cool.

Remember to log out of your neighbor's machine in both your local window and your remote window by doing:

# exit

[Return to Top]

Hervey Allen


Last modified: Wed May 13 23:34:14 EEST 2009