Spring 2005 CSCI 173 lab 1

Using SSH under Windows

SSH (Secure Shell) is becoming a widely used method for transfering files and remote login. Many universities have even banned all remote file transfer except those using SSH. The Department of Computer Science at UNCA also requires SSH for its transfer.

Most people use the "open" implementations of SSH. Linux users generally use the OpenSSH tools, and Windows users use PuTTY for remote login and SSH-aware FTP programs, such as WinSCP, for file transfer.

SSH is pretty simple to use. In it most common usage, a remote file server generates a public key that is held by client programs, such as home PC's. On the first connection to the server, the home PC is asked to accept the remote key in an exchange similar to the following:

The authenticity of host 'candler.cs.unca.edu (' can't be established.
RSA key fingerprint is c5:a5:92:94:6c:e1:9b:7d:cb:4d:a1:6e:24:00:45:37.
Are you sure you want to continue connecting (yes/no)? 

Once a key is accepted, all communication between the home PC and the server is encrypted. This makes it possible to transmit passwords to the remote server without fear that those passwords will be intercepted and used maliciously.

Go ahead and start up PuTTY and use it to connect to UNCA's mail server for its students. That computer is bulldog.unca.edu. All you have to do it type the name of computer in the Host Name box.

It's also possible to generate your own public/private key pair for use with SSH. Start the program PuTTYgen and then press the Generate button.
First screen of PuTTYgen

Now's the (only) fun part. Move your mouse around in the box to generate a random key for SSH.
Random mousing

Soon you'll have your own random key. Use the Key comment: field to give your key a useful name and use the Key passphrase: to specify a key to unlock your password. By locking your password with these phrase, you make sure that the person who steals your home PC won't be able to also use your private key.
Setting the passphrase

Next save your private and public keys. Remember, the private key is protected by your passphrase.
Saving the private key

You might also want to look at your public key. It's just a sequence of strange letters.

Comment: "CSCI173"

Using the key on bulldog.unca.edu is a bit harder. I'm going to outline the procedure here and let those who are interested ask question. First, you need to create a directory called .ssh2 on bulldog.unca. and make sure that the directory cannot be read by anyone other than yourself. The easiest way to do this is to log into bulldog and then connect to candler.cs.unca.edu using ssh. This will create the right directories with the right rights.

bulldog% ssh candler.cs.unca.edu

Now you need to copy your public key into your .ssh2 directory. Let's say you call it CSCI173.pub. Now you must add a file called authorization to your .ssh directory that contains the line "key CSCI173.pub".

Now you must navigate to the Auth panel of PuTTY and set the private file for SSH authentication
Setting SSH authentication options
and then to the Connection panel to set the Auto-login username
Setting SSH connection options

With luck you'll be able to connect without typing your bulldog password. However, you will have to type the private key passphrase, so you won't save much work.

Using GPG under Linux

gpg (GNU Privary Guard) is a patent-free encryption system that is similar to the very famous PGP (Pretty Good Privacy) system created by Philip Zimmermann.

To use gpg, you must first generate a public and private key. Do this with the gpg program. Here's an example of its use.

[yourid@machname yourid]$ gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: /home/brock/.gnupg: directory created
gpg: new configuration file `/home/brock/.gnupg/gpg.conf' created
gpg: keyblock resource `/home/brock/.gnupg/secring.gpg': file open error
gpg: keyring `/home/brock/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Mon 18 Jan 2010 10:13:51 PM EST
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: J. Dean Brock
Email address: brock@cs.unca.edu

You selected this USER-ID:
    "J. Dean Brock <brock@cs.unca.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

You might want to list your keys now.

[yourid@machname yourid]$ gpg --list-keys
pub  1024D/B2086B06 2005-01-20 J. Dean Brock <brock@cs.unca.edu>
sub  1024g/221A28F6 2005-01-20 [expires: 2010-01-19]

Now you must export your public key so that others may use it.

[yourid@machname yourid]$ gpg --output "PUBKEY.asc" --export --armor "J. Dean Brock <brock@cs.unca.edu>"

Go ahead and take a look at your key.

[yourid@machname yourid]$ cat PUBPGP.asc 
Version: GnuPG v1.2.1 (GNU/Linux)


Now you want to import someone's public key into your key ring

[yourid@machname yourid]$ gpg --import ~anothercsci173student/PUBKEY.asc
gpg: key EEC79E96: public key "CSCI 201 test <yourid@cs.unca.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[yourid@machname yourid]$ gpg --list-keys
pub  1024D/B2086B06 2005-01-20 J. Dean Brock <brock@cs.unca.edu>
sub  1024g/221A28F6 2005-01-20 [expires: 2010-01-19]

pub  1024D/EEC79E96 2005-01-20 CSCI 201 test <yourid@cs.unca.edu>
sub  1024g/193A046D 2005-01-20 [expires: 2010-01-19]

In the real world, you'd use your public and private keys to exchange important documents; but here's we'll just create a short and silly file. Type anything you wish between the double quotes to put your message within a file called secret.stuff.

[yourid@machname yourid]$ echo "Your secret message does here" > secret.stuff

Now you can encrypt and sign your message. The user id's that you enter are the folks to whom you are intending to send your message. Their public keys will be used in the ecryption of the message.

[yourid@candler .gnupg]$ gpg --armor --sign --encrypt ~/secret.stuff

You need a passphrase to unlock the secret key for
user: "CSCI 201 test <yourid@cs.unca.edu>"
1024-bit DSA key, ID EEC79E96, created 2005-01-20

Enter passphrase: csciisfun
You did not specify a user ID. (you may use "-r")

Enter the user ID.  End with an empty line: brock
gpg: 221A28F6: There is no indication that this key really belongs to the owner
1024g/221A28F6 2005-01-20 "J. Dean Brock <brock@cs.unca.edu>"
 Primary key fingerprint: 03AF 92AE 032C CD24 BDEA  AAA7 9A33 7849 B208 6B06
      Subkey fingerprint: 7179 D684 458F 8DCD 0DDB  3DBD C61C C3E7 221A 28F6

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes

Use this key anyway? yes
Added 1024g/221A28F6 2005-01-20 "J. Dean Brock <brock@cs.unca.edu>"

Enter the user ID.  End with an empty line: 
[yourid@candler .gnupg]$ 

Now exchange your secret message with that of someone else.

[yourid@machname yourid]$ cp ~anothercsci173student/secret.stuff.asc secret.msg.asc

Now try to decrypt their secret message

[yourid@machname yourid]$ gpg --decrypt secret.stuff.asc 
You need a passphrase to unlock the secret key for
user: "J. Dean Brock <brock@cs.unca.edu>"
1024-bit ELG-E key, ID 221A28F6, created 2005-01-20 (main key ID B2086B06)

gpg: encrypted with 1024-bit ELG-E key, ID 221A28F6, created 2005-01-20
      "J. Dean Brock <brock@cs.unca.edu>"
This is so much fun
gpg: Signature made Wed 19 Jan 2005 10:36:39 PM EST using DSA key ID EEC79E96
gpg: Good signature from "CSCI 201 test >yourid@cs.unca.edu<"
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: next trustdb check due at 2010-01-19
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0FB4 D58C A1DA 6A35 CF70  D853 A4E0 8555 EEC7 9E96
[yourid@machname yourid]$