cis 191: linux and unix class 5 february 25, 2015


Upload: clarissa-bradley

Post on 23-Dec-2015


Page 1: CIS 191: Linux and Unix Class 5 February 25, 2015

CIS 191: Linux and Unix

Class 5

February 25, 2015


Quick Note: comments

• We never talked about this explicitly, so I’m including it for completeness

• Lines beginning with # are comments in sh languages. This means that these lines will not be interpreted or run.


Quick Note: bash testing extensions

• bash provides a test syntax extension
  – Note that this is NOT PORTABLE; doesn’t conform to the POSIX standard

• Test extensions are specified with double square brackets and allow for a more natural test syntax
  – [[ $var1 = $var2 ]]
  – [[ $var1 < $var2 || $var1 = $var2 ]]

• Search online for more details

• Not recommended for use in this class
  – Focus on portability


Quick Note: Subshells

• A block of code put inside parentheses will be executed in a subshell
  – i.e. a child shell will be created to run the commands, sending output back to the parent shell (which you are using)

• For example
  – cd ..; pwd; pwd
    • Moves back one directory and shows that directory twice
    • Shell “stays” in the parent directory
  – (cd ..; pwd); pwd
    • Moves back one directory and shows that directory once, then shows the original directory
    • Shell does not “stay” in parent directory

• How does this relate to the $() syntax?


Outline

SSH, Logging in Remotely, and Encryption

RSA and Public/Private Key Cryptography

RSA Key Cryptography and Unix

Other Networking Tools


So what is SSH, really?

• We’ve been using SSH for some time now
  – To log into eniac
  – To securely copy files (indirectly)

• Some (hopefully all) have been wondering what exactly is going on!


Before ssh there was plaintext

• Prior to the invention of the secure shell, information was transmitted between computers in plaintext

• One commonly used program, telnet, takes an address and establishes a connection between your machine and the target machine
  – Originally intended to provide command-line access to the target machine
  – Communications were in plaintext!!! (And still are if you use it)

• This was all well and good before the internet got too big for its britches and everyone wanted a piece of everybody else’s data


Why is plaintext vulnerable?

• The structure of the internet makes it vulnerable

• At a low level, you can think of the internet as a massive network which forwards packets to the appropriate address
  – Packet = data with some delivery instructions on the top

• If the data isn’t encrypted…
  – Then I can just read the packet payload and see whatever I want to see!
  – Imagine now that someone has identified that a telnet session has opened up (by examining the address information).
    • They can just keep their eyes open for the password!


How to Hide in Plain Sight

• The issue of eavesdroppers and insecure transmission of sensitive information became quite the issue once the internet blew up and became huge, like it is today

• The question of how to hide something in plain sight became very important
  – How can we simultaneously transmit data so that everyone who gets their hands on the data will be guaranteed not to read it?
  – And we have no idea who is going to be listening to the message, since we are relying on the internet forwarding protocol?


Encryption

• It became necessary to rely on encryption techniques to hide the meaning of the data which is transmitted

• I send a password, but all you can see is a garbled string of terror
  – And that’s all you’re going to see
  – Unless you get my key…


Encryption

• Recall the Caesar (shift) Cipher
  – Given an alphabet and a shift number, shift each letter in the given plaintext by the shift operator

• Take the English alphabet as an example, and the shift operator 3
  – My Secret -> Pb Vhfuhw

• Deciphering is easy; just apply the negation of the shift operator

• Breaking is easy; vulnerable to a frequency analysis of common letters
  – Most common letter should be ‘e’… can we calculate the shift from that?
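The shift cipher and the "most common letter should be e" break from this slide, as an added Python example that is not part of the original slides; the function names and both sample messages are constructed for illustration. It also shows the guess failing on a short message, where trying the other common English letters as well recovers the true shift.

```python
from collections import Counter

COMMON_LETTERS = "etaoin"  # frequent English letters, most common first


def shift_text(text, shift):
    """Shift each ASCII letter by `shift` places, keeping case; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def candidate_shifts(ciphertext):
    """Shifts implied by mapping the most common ciphertext letter to e, t, a, o, i, n in turn."""
    letters = [ch.lower() for ch in ciphertext if ch.isascii() and ch.isalpha()]
    if not letters:
        raise ValueError("no letters to analyse")
    top = Counter(letters).most_common(1)[0][0]
    return [(ord(top) - ord(guess)) % 26 for guess in COMMON_LETTERS]


def guess_shift(ciphertext):
    """The slide's heuristic: assume the most common letter stands for 'e'."""
    return candidate_shifts(ciphertext)[0]


# Constructed sample messages, not from the slides.
LONG_MESSAGE = "meet me near the green tree at seven"
SHORT_MESSAGE = "attack at dawn"

if __name__ == "__main__":
    print(shift_text("My Secret", 3))
    secret = shift_text(LONG_MESSAGE, 3)
    # Plenty of e's: the heuristic finds the shift and the plaintext comes back.
    print(shift_text(secret, -guess_shift(secret)))
    short = shift_text(SHORT_MESSAGE, 3)
    # 'a' dominates here, so the first guess is wrong; the true shift is a later candidate.
    print(guess_shift(short), candidate_shifts(short))
```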


ssh: The Secure Shell

• ssh invokes a secure shell between your computer and the target computer
  – i.e. all traffic between the two is encrypted!

• This helped to reduce the issue of nosy-bodies listening in on important communication lines

• When connecting to another computer via ssh, the network connection itself is encrypted, so you can rest (mostly) easy


Outline

SSH, Logging in Remotely, and Encryption

RSA and Public/Private Key Cryptography

RSA Key Cryptography and Unix

Other Networking Tools


How does ssh do Encryption?

• Unsurprisingly, ssh does not use a Caesar cipher to encrypt your network traffic.

• I wouldn’t be comfortable with that; would you?


RSA Encryption

• Rivest, Shamir, and Adleman announced their algorithm in 1978
  – Relies on the idea that multiplication is easier than factoring
  – We’ll generate some super large prime numbers…
    • A public key for encrypting messages
    • A private key for decrypting messages
  – Then we’ll keep our private key a secret, and give the public key out to everyone who we want to speak with
    • They can encrypt their messages with my public key, and then I can decrypt it with my private key!
    • If I have their public key, I can send them messages in the same way.


Aside: RSA Calculation

• The following aside uses material from S. Zdancewic and C. Gunter


Aside: RSA Calculation

• First we have to generate two huge prime numbers
  – Easiest way to do this is just to pick some huge number and check to see if it’s prime
  – One fast way to check if a number is prime is the Rabin-Miller Primality Test, which says with ¾ probability whether a number is prime
    • Iterate this at least 5 times to be as sure as possible

• Then, we follow the RSA key generation procedure


Aside: RSA Calculation

• Choose large, distinct primes p and q
  – Should be roughly equal length (in bits)

• Let n = p*q

• Choose a random encryption exponent e, such that e and (p-1)*(q-1) are relatively prime.
  – Two numbers are said to be relatively prime if the only number that divides both of them is 1.

• Next, derive the decryption exponent d
  – $d = e^{-1} \bmod ((p-1)(q-1))$
  – d is e’s inverse mod ((p-1)*(q-1))


Aside: RSA Calculation

• Finally we can calculate the public and private key

• Public key: K = (e,n)
  – Where (e,n) is the pair of e and n

• Private key: k = (d,n)


Aside: RSA Encryption and Decryption

• Suppose we have some message m, which we consider to be a string of bits
  – Assume that m < n
    • That is, that the number formed by considering all the bits of the message m is less than the number n
  – If m is not less than n, then break up m into smaller chunks such that it is

• For all messages m and all resulting ciphertext c

• Encryption: $E((e,n), m) = m^e \bmod n$

• Decryption: $D((d,n), c) = c^d \bmod n$


Aside: RSA Explanation

• Lots of math is involved in the why of RSA encryption, but here’s the short story:

• If we raise a number to a power, we can retrieve the original number by raising it to the inverse of that power
  – $5^3 = 125$, and $125^{1/3} = 5$

• Fermat’s little theorem tells us that we can compute $a^{-1} \bmod n = a^{\varphi(n)-1} \bmod n$, where φ is Euler’s totient function


Aside: Euler’s Totient Function

• φ(n) is the number of positive integers less than n that are relatively prime to n
  – So φ(12) = 4 (Where the relative primes are {1,5,7,11})

• But for some prime number p, φ(p) = p-1. See why?

• If we have two distinct primes p and q, then
  – φ(p*q) = (p-1)*(q-1)
  – Because math

• Seem familiar?


Aside: RSA Example Calculation

• Choose p = 47 and q = 71

• n = p * q = 3337

• (p-1)*(q-1) = 3220

• Choose e relatively prime with 3220: e = 79
  – So our public key is (79, 3337)

• Find $d = 79^{-1} \bmod 3220 = 1019$
  – So our private key is (1019, 3337)

• To encrypt m = 688232687966683
  – Break into chunks < 3337
  – 688 232 687 966 683

• Encrypt: $E((79, 3337), 688) = 688^{79} \bmod 3337 = 1570$

• Decrypt: $D((1019, 3337), 1570) = 1570^{1019} \bmod 3337 = 688$
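The Rabin-Miller check, key generation, and chunked encryption and decryption from this aside, carried through with the slide's own numbers, as an added Python example (not code from the course). The function names are illustrative; this is textbook RSA at toy size, whereas real deployments add padding and use keys of 2048 bits or more.

```python
import math
import random


def is_probable_prime(n, rounds=5):
    """Rabin-Miller: a composite n survives one round with probability at most 1/4."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as 2**s * d with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # witness found: n is certainly composite
    return True


def make_keys(p, q, e):
    """Return ((e, n), (d, n)) following the slide's key generation procedure."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)        # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)


def encrypt(public_key, m):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("chunk must be smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def split_chunks(digits, width=3):
    """Break a decimal string into `width`-digit chunks (3 digits is always < 3337)."""
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


if __name__ == "__main__":
    public_key, private_key = make_keys(47, 71, 79)
    chunks = split_chunks("688232687966683")
    cipher = [encrypt(public_key, m) for m in chunks]
    print(public_key, private_key, cipher)
    print([decrypt(private_key, c) for c in cipher] == chunks)
```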


Aside: RSA Summary

• A lot of math that I included, with much hand-waving, for your edification

• If you want to know more, check out the Wikipedia article on RSA Encryption and the other techniques we covered in this Aside.


Outline

SSH, Logging in Remotely, and Encryption

RSA and Public/Private Key Cryptography

RSA Key Cryptography and Unix

Other Networking Tools


ssh and RSA encryption

• There are two ways to authenticate using ssh

• By using a password, as you’ve done in the past
  – This method actually uses an automatically generated public-private key pair to encrypt the network connection, then prompts the user for the password for the account on the remote machine

• By using a manually generated RSA key pair!


RSA for authentication

• If you have a manually generated public/private key pair, you can prove you are who you claim without having to enter a password at all!

• Consider this scenario
  – I want to verify that you are who you claim.
  – I know your public key, so I can encrypt some message m into some ciphertext c and send it to you over the ssh protocol
  – If you are the owner of the public key I used to map m -> c, then you should be able to decrypt c to recover m!
  – If you can do that, then you are indeed who you claim
    • As long as you did a good job of keeping your private key private!


RSA: An Ubuntu How-To

• Step One: Generate keys

• Step Two: Place keys in the proper location!


System Requirements (Ubuntu)

• You need an internet connection (duh)

• In order to connect to a remote machine which is running an ssh server daemon, you must have the openssh-client package installed (should be there by default…)

• In order to run an ssh server daemon so that others can connect to your computer, you must have the openssh-server package installed. (We shouldn’t need this one for this class…)


Manually Generating an RSA key pair

• The ssh-keygen program will generate a public/private RSA key pair
  – You will be asked for a location to store the keys; default is fine
  – You will be prompted for a password; if you enter one, the key pair itself will be encrypted (or the private key will be, anyway), so that it can only be used if you know the password.
    • While a good idea, this technology interferes with some other programs that make use of RSA key pairs for authentication
    • For example, I recall the egit eclipse plugin having trouble with a password protected private key
    • Tradeoff between security and convenience!


Proper RSA Placement

• If you didn’t change the default location, your keys should have been placed in your ~/.ssh/ folder. The public key will be named id_rsa.pub and the private key will be named id_rsa

• Now we need to get your id_rsa.pub in its proper place on the remote machine.


id_rsa.pub management

• On a machine running the ssh daemon, in an account you would like to connect to (say, eniac):
  – In the ~/.ssh/ folder for that account, you must create a file named authorized_keys if it does not exist
    • If it does exist, be careful not to delete the entries in it!
  – On a new line, paste all the text contained in your id_rsa.pub file

• How to accomplish this?
  – cat ~/.ssh/id_rsa.pub and manually copy/paste the (ascii-encoded) text to the authorized_keys file on the remote host
  – scp the id_rsa.pub file to the remote machine and redirect the text with cat id_rsa.pub >> ~/.ssh/authorized_keys on the remote
  – What other ways?


RSA: The benefits?

• Well, you use RSA every day whether you know it or not

• But why is it useful for authentication?

• Passwords can be mistyped, forgotten, and are sometimes transmitted in plaintext!

• Using this method, you transmit your public key to the destination machine once using the password authentication method (or some other way)
  – As long as you keep your private key in ~/.ssh/id_rsa, you can then ssh into the remote machine without any effort at all!
  – ssh [email protected]

• And that’s it!!


RSA: The drawbacks

• But what if someone gets your private key…?


Aside: Debian’s Crypto Faux Pas

• Debian accidentally released a broken version of OpenSSL which removed most of the randomness used to generate keys…
  – Debian now maintains a blacklist of compromised keys, as well as utilities to check that keys are not on the known blacklist
  – man ssh-vulnkey
    • A program to check an ssh key against the list of vulnerable keys

• Yeah, this caused a lot of problems

• But most of them could be fixed by generating new keys and replacing the old ones


Security Holes…


Configuring ssh

• To configure ssh, you should edit the ~/.ssh/config file
  – Recall Homework 2
  – See man 5 ssh_config

• The most important entries are visible in this example

    host eniac
        HostName eniac.seas.upenn.edu
        User lesp

• This tells ssh that eniac means eniac.seas.upenn.edu and that the user, if unspecified, should be lesp


ssh Tricked Out

• Your newly configured ssh has multiple uses
  – Bash can use completions from ~/.ssh/config
  – Bash can ssh into the remote host to allow tab completions for scp…
  – If given a command as a final command-line parameter, ssh will execute it and exit
    • For example, ssh eniac 'chmod a+r html/*.pdf'
  – You can run GUIs remotely by enabling X11-forwarding
    • $ ssh -Y eniac
  – You can use ssh to mount a remote directory as part of the local file system (coming up)


Providing Limited SSH Access

• Sometimes you want to give limited access to an account
  – For example, to provide access to a code repository over ssh

• Adding modifiers before a key in authorized_keys tells sshd to restrict or open certain kinds of access!
  – no-port-forwarding disallows TCP forwarding
  – no-agent-forwarding disallows the server from automatically forwarding key challenges (for key verification)
  – no-X11-forwarding disallows X11 (graphical) requests from being forwarded
  – no-pty disallows virtual terminal allocation

• The end entry looks like
  – no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc. . .
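One way to script the authorized_keys step from the id_rsa.pub management slide together with the restriction options listed above, as an added Python example that is not from the original slides. The function names and the short key-type list are assumptions, and the sample key text is a constructed placeholder, not a real key.

```python
import os
from pathlib import Path

# Options named on the slide; they go, comma-separated, before the key type.
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding",
                "no-X11-forwarding", "no-pty")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

# Constructed placeholder standing in for the contents of id_rsa.pub.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDPLACEHOLDER student@laptop"


def key_blob(line):
    """Return (key type, base64 blob) from a public-key or authorized_keys line, or None.

    Simplification: options are assumed not to contain quoted spaces.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return field, fields[i + 1]
    return None


def install_key(ssh_dir, pubkey_line, restrict=True):
    """Append the key to ssh_dir/authorized_keys unless it is already listed.

    Returns True if a line was added. Existing entries are never rewritten.
    """
    wanted = key_blob(pubkey_line)
    if wanted is None:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = Path(ssh_dir)
    ssh_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text() if auth.exists() else ""
    for line in existing.splitlines():
        if not line.lstrip().startswith("#") and key_blob(line) == wanted:
            return False
    entry = pubkey_line.strip()
    if restrict:
        entry = ",".join(RESTRICTIONS) + " " + entry
    # Start on a new line even if the file does not end with a newline.
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    with open(auth, "a") as fh:
        fh.write(sep + entry + "\n")
    # Keep both private to the account; sshd's StrictModes check rejects lax permissions.
    os.chmod(ssh_dir, 0o700)
    os.chmod(auth, 0o600)
    return True
```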


Outline

SSH, Logging in Remotely, and Encryption

RSA and Public/Private Key Cryptography

RSA Key Cryptography and Unix

Other Networking Tools


sshfs: Mounting A Remote Filesystem

• sshfs allows us to treat a remote resource as if it were located locally!

$ mkdir html
$ sshfs eniac:public_html/ html
$ vim html/index.html
…


sshfs: Unmounting a Remote Filesystem

• On Ubuntu
  – You’ll have to use fusermount -u my_mount_directory

• On OSX
  – You’ll have to use umount my_mount_directory
  – If the directory is being stubborn and won’t unmount, then run umount -f my_mount_directory

• If things are being really stubborn, you can always break out the ban hammer with
  – killall sshfs


sshfs: Uses

• Why would you want to pretend a remote resource is actually a local resource?
  – You can use cp instead of the more cumbersome scp
    • Everything will be copied over the invisible ssh connection maintained by sshfs!
  – You can keep your local editor and bash settings
  – Graphical programs are run locally on the remote file, rather than remotely with graphics forwarding (faster)
  – You can run programs installed on your machine, provided with data located elsewhere (also faster)


rsync: A File Copying Tool

• Rather than just doing a straightforward copy, rsync is a more powerful and clever copying mechanism

• rsync connects via ssh, just as scp does

• However, rsync is smarter about what it copies
  – rsync copies file differences rather than files
  – When copying large folders over the net, this is much faster…

• rsync preserves permissions, symbolic links, and other operating system features

• See man rsync for more details (if you have rsync installed)


nmap: Network Exploration Made Easy!

• The “Network Mapper” nmap explores a network or a host, and looks for “interesting ports”
  – Based on how a host responds to edge cases in the IP specification (among other related information), nmap can guess the operating system, which ports are open, and which services are offered

• nmap is useful for examining your own computer
  – And other people’s computers…


Today’s Takeaways

1. The internet is useful but inherently insecure
2. Encryption makes the internet safer to use
3. RSA is a powerful, widely used encryption scheme which can also be used for authentication
4. ssh uses RSA to encrypt the network connection, either with an automatically generated key or with a manually generated key the user provides
5. Other tools make use of ssh to provide interesting features!