GnuPG Quickstart Guide


“GnuPG uses public-key cryptography so that users can communicate securely. In a public-key system, each user has a pair of keys consisting of a private and public key. A user’s private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.” – The GNU Privacy Handbook

GnuPG or GPG (GNU Privacy Guard) is a program that implements the OpenPGP standard; it is an open source alternative to the commercial PGP product.

The core GnuPG package, gnupg, is installed by default on Ubuntu. This quick start guide covers file encryption with GPG.

Generating a Key

Type the following command:

$ gpg --gen-key

After executing the command you will be prompted with the following:

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

Enter option 1 to allow encryption and decryption.

What keysize do you want? (2048)

Enter 2048, which is the default recommended by GnuPG.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Enter 0 so that there is no expiration date for the key.

Next you will need to enter your user information.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Enter your “Real name” and “Email address”; the “Comment” is optional.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Confirm your information by entering O, and the key generation will begin.

Enter passphrase:

Next you will need to enter a passphrase; remember that if you forget your passphrase, your key will be useless.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++.++++++++++.+++++++++++++++++++++++++.+++++++++++++++.+++++++++++++++...+++++.+++++++++++++++++++++++++++++++++++++++++++++>++++++++++>.+++++............................................................................+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 283 more bytes)

During key generation, follow the instructions above and wait patiently for the key to finish generating.

When the key has finished generating, the following summary is displayed:

gpg: key 2DFD492E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/2DFD492E 2009-10-14
Key fingerprint = FCAC 0686 401B A333 546E  F081 0459 61E9 2DED 490C
uid                  Vincent Kong <vkong@myemail.com>
sub   2048g/457534BF 2009-10-14

The newly generated key ID is 2DFD492E.

Listing the keys

$ gpg --list-keys

Importing a Public Key

$ gpg --import KEYFILE

Encrypting a File

To encrypt a file for another user, the encryption must be done with their public key, which needs to be imported first.

$ gpg --output ENCRYPTED_FILE.gpg --encrypt --recipient USER_PUBLIC_KEY_ID ORIGINAL_FILE

Decrypting a File

If a user sent you a file that has been encrypted with your public key, it can be decrypted with the following:

$ gpg --decrypt ENCRYPTED_FILE.gpg

Exporting Your Public Key

$ gpg --armor --export KEY_ID

Signing a Public Key

In GnuPG, if you get the error “There is no assurance this key belongs to the named user” when trying to encrypt, you need to sign the public key.

$ gpg --sign-key PUBLIC_KEY_ID

Edit a Key

$ gpg --edit-key KEY_ID

Information associated with KEY_ID will be displayed, followed by the Command> prompt; type help to display the list of commands that can be used to modify the key.
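The following is an added example, not part of the original guide: the whole workflow above (generate, export, import, sign, encrypt, decrypt) run non-interactively between two throwaway keyrings, so you can see every step succeed or fail without touching your real ~/.gnupg. The users "alice" and "bob", their example.invalid addresses and the message text are constructed for this demo; it assumes gpg 2.1 or newer (for %no-protection and --quick-lsign-key).

```shell
#!/bin/sh
# Added example (not from the original guide): two-user GnuPG round trip in
# throwaway keyrings. Names, addresses and the message are constructed.

# gpg_roundtrip: returns 0 when a file encrypted by alice decrypts on bob's
# side to the original bytes and the ciphertext does not contain the plaintext.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob" || return 1

    # Batch key generation. The parameter block answers the interactive
    # prompts from the guide (key type and size, expiry, user ID).
    # %no-protection skips the passphrase so the demo runs unattended;
    # a real key should have one.
    for u in alice bob; do
        GNUPGHOME="$work/$u" gpg --batch --quiet --gen-key <<EOF || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $u Example
Name-Email: $u@example.invalid
Expire-Date: 0
%commit
EOF
    done

    # Bob publishes his public key; Alice imports it (the guide's --export/--import).
    GNUPGHOME="$bob" gpg --batch --armor --export bob@example.invalid > "$work/bob.asc" || return 1
    GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.asc" || return 1

    printf 'Constructed message: meet at noon.\n' > "$work/msg.txt"

    # A freshly imported key is not yet validated: in batch mode gpg refuses
    # with "There is no assurance this key belongs to the named user".
    if GNUPGHOME="$alice" gpg --batch --quiet --yes --output "$work/msg.gpg" \
          --encrypt --recipient bob@example.invalid "$work/msg.txt" 2>/dev/null; then
        echo "unexpected: encrypted to an unvalidated key" >&2; return 1
    fi

    # After checking Bob's fingerprint out of band, Alice signs the key.
    # --quick-lsign-key makes a local (non-exportable) signature: enough to
    # use the key, without publicly vouching for it.
    fpr=$(GNUPGHOME="$alice" gpg --batch --with-colons --fingerprint bob@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    GNUPGHOME="$alice" gpg --batch --quiet --yes --quick-lsign-key "$fpr" || return 1

    # Now the encrypt and decrypt commands from the guide succeed.
    GNUPGHOME="$alice" gpg --batch --quiet --yes --output "$work/msg.gpg" \
        --encrypt --recipient bob@example.invalid "$work/msg.txt" || return 1
    GNUPGHOME="$bob" gpg --batch --quiet --decrypt "$work/msg.gpg" > "$work/out.txt" || return 1

    cmp -s "$work/msg.txt" "$work/out.txt" || return 1
    ! grep -q 'meet at noon' "$work/msg.gpg" || return 1

    # Stop the agents that gpg started for the temporary homes, then clean up.
    for u in alice bob; do GNUPGHOME="$work/$u" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
}

gpg_roundtrip && echo "encrypt/decrypt round trip OK"
```

The first encryption attempt is expected to fail: it is the same “no assurance” error the Signing a Public Key section describes, and the fix is the same, a signature on the key. The script uses a local signature rather than `--sign-key` so the trust decision stays in Alice's keyring instead of being exported with the key.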

A detailed how-to guide about GnuPG can be found here.

Restricting Shell Users to their Home Directory


The “easiest way” to lock down users to their home directory is to switch their shell account to rbash (restricted bash). The rbash shell behaves like the bash shell, but some functions are disallowed, e.g. changing directory with cd.

For more information refer to the man pages for rbash.

$ man rbash

To change the user’s shell, modify the file /etc/passwd

$ nano /etc/passwd

and replace /bin/bash with /bin/rbash e.g.

guest:x:100:100::/home/guest:/bin/rbash

Restricting Shell for only SCP/SFTP


If you have a server but only want to allow users to copy files via SFTP without providing shell access, this can be done with rssh, a restricted shell for use with OpenSSH that allows only scp and/or sftp.

To install rssh

$ apt-get install rssh

By default rssh doesn’t allow anything; to allow only sftp, modify the rssh.conf file.

$ nano /etc/rssh.conf

Uncomment the line for allowsftp and other transfer protocols you want to enable.

#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

To restrict a user to only allow sftp access, modify the /etc/passwd file

$ nano /etc/passwd

For example:

ftp:x:100:100::/home/ftp:/usr/bin/rssh
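Both posts above end with a hand edit of /etc/passwd. The following is an added example, not part of either post: a small script that changes only the shell field of a passwd-format file and refuses a shell that is not listed in /etc/shells (chsh(1) applies the same rule, and rssh's own install notes ask for /usr/bin/rssh to be added there). It runs on constructed copies of /etc/passwd and /etc/shells; on a live system prefer `usermod -s SHELL USER`, which locks the file the way vipw does.

```shell
#!/bin/sh
# Added example (not from the original posts). Works on constructed copies of
# /etc/passwd and /etc/shells so it can be run safely anywhere.

# set_login_shell USER SHELL PASSWD_FILE SHELLS_FILE
# Rewrites the 7th field of USER's line only. Fails if SHELL is not listed in
# SHELLS_FILE: a typo in this field locks the account out of every login path.
set_login_shell() {
    user=$1; shell=$2; passwd=$3; shells=$4
    grep -qxF "$shell" "$shells" || { echo "$shell is not listed in $shells" >&2; return 1; }
    grep -q "^$user:" "$passwd" || { echo "no such user: $user" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # awk keeps every other field intact; assigning $7 rebuilds the line with ":".
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' \
        "$passwd" > "$tmp" && mv "$tmp" "$passwd"
}

# list_restricted PASSWD_FILE: audit helper printing accounts whose login
# shell is rbash or rssh, one "user:shell" per line.
list_restricted() {
    awk -F: '$7 ~ /\/(rbash|rssh)$/ { print $1 ":" $7 }' "$1"
}

# Constructed sample data standing in for /etc/passwd and /etc/shells.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guest:x:100:100::/home/guest:/bin/bash
ftp:x:101:101::/home/ftp:/bin/bash
EOF
printf '%s\n' /bin/sh /bin/bash /bin/rbash /usr/bin/rssh > "$demo_dir/shells"

# The two edits from the posts: guest gets rbash, ftp gets rssh.
set_login_shell guest /bin/rbash "$demo_dir/passwd" "$demo_dir/shells"
set_login_shell ftp /usr/bin/rssh "$demo_dir/passwd" "$demo_dir/shells"
list_restricted "$demo_dir/passwd"
```

Running it prints `guest:/bin/rbash` and `ftp:/usr/bin/rssh`; asking for a shell missing from the shells list (say /bin/zsh in this sample) is rejected before the file is touched.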

WinPatrol


To provide my computer with even more protection against security threats such as viruses, spyware, and rootkits, I recently installed WinPatrol, an intrusion prevention system. Unlike traditional security programs, which scan your hard drive to search for threats that have already been installed on your system, WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

WinPatrol

Surfing the Web using SSH Tunnel


Sometimes you are connected to an unknown or insecure network, such as a public WiFi hotspot, or you are simply surfing the internet at work. In these types of scenarios you might want to secure your connection so that no one can sniff what you’re browsing or where. One way to create a secure connection is to create an SSH tunnel and have your web browser use it as a SOCKS proxy.

The first requirement is a remote host running an SSH server, e.g. a box at home running OpenSSH. Then you need an SSH client installed on your local machine; on Windows you can use PuTTY.

Establish an SSH tunnel using PuTTY:

Create a new PuTTY session

Run PuTTY and create a new session to connect to the remote host: fill in the hostname and the port (usually 22), and make sure SSH is selected.

PuTTY Session

Configure the Secure Tunnel

Click on “Tunnels” in the left panel to set up dynamic forwarding for a local port. Under “Add new forwarded port” type in the port number (e.g. 4080) for the source port, leave the destination blank, and check Auto and Dynamic. Then click the “Add” button. You should see D4080 listed in the “Forwarded Ports” box.

PuTTY Tunnel

Establish an SSH tunnel on Linux:

Use the following command:

$ ssh -D 4080 username@remote_host_server

The tunnel is created when you log in to the SSH server.

Configuring Your Web Browser:

To use the SSH tunnel as a SOCKS proxy you need to change the connection settings in the browser.

In the Firefox Connection Settings:

  • Check “Manual Proxy Configuration:”
  • Fill in 127.0.0.1 for the “SOCKS Host:” and 4080 for “Port:”
  • Check “SOCKS v5”

Firefox Proxy Settings

Once everything is done, your browser traffic travels through the encrypted SSH tunnel to the remote host instead of crossing the local network in the clear.
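As an added example (not part of the original post), here is a small wrapper around the `ssh -D` command above plus two checks a practitioner would want before trusting the tunnel: that the SOCKS listener is bound to the loopback address only (a listener on 0.0.0.0 would make the laptop an open proxy for everyone on the hotspot), and that requests really leave via the remote host, with DNS resolved there too. The port 4080 is the post's; `remote_host_server`, the ifconfig.me egress-check URL and the sample `ss -ltn` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: port 4080, the egress
# check URL, and the constructed socket listings used for the self-check.

SOCKS_PORT=4080

# start_tunnel USER@HOST: background the tunnel (-N no remote command, -f fork
# after the forward is set up). Binding to 127.0.0.1 explicitly keeps the
# proxy off the LAN; ExitOnForwardFailure makes a port clash fail loudly
# instead of leaving an ssh session with no proxy behind it.
start_tunnel() {
    ssh -N -f \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -D "127.0.0.1:$SOCKS_PORT" "$1"
}

# socks_listener_status PORT: read `ss -ltn` (or `netstat -ltn`) output on
# stdin and print "loopback", "exposed <addr>..." or "absent" for PORT.
socks_listener_status() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ (":" port "$")) continue
                if ($i ~ /^(127\.0\.0\.1|\[::1\]):/) loop++
                else exposed = exposed " " $i
            }
        }
        END {
            if (exposed != "") print "exposed" exposed
            else if (loop) print "loopback"
            else print "absent"
        }'
}

# check_egress: --socks5-hostname hands the hostname to the proxy, so the DNS
# lookup happens at the SSH server as well; plain --socks5 would resolve the
# name locally and leak it to the hotspot's resolver. Prints the public IP
# the remote end sees (assumed URL: ifconfig.me).
check_egress() {
    curl -s --socks5-hostname "127.0.0.1:$SOCKS_PORT" https://ifconfig.me
}

# Constructed listings, in ss -ltn format, for the self-check below.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4080     0.0.0.0:*
LISTEN 0      128    [::1]:4080         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4080       0.0.0.0:*'
SAMPLE_NONE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | socks_listener_status "$SOCKS_PORT"   # loopback
printf '%s\n' "$SAMPLE_EXPOSED"  | socks_listener_status "$SOCKS_PORT"   # exposed 0.0.0.0:4080

# With a real remote host: start_tunnel user@remote_host_server,
# then ss -ltn | socks_listener_status 4080, then check_egress.
if [ -n "${1:-}" ]; then
    start_tunnel "$1" && ss -ltn | socks_listener_status "$SOCKS_PORT" && check_egress
fi
```

The Firefox settings in the post send only the connection through the proxy; the name lookup stays local unless the browser is also told to resolve through SOCKS (in Firefox, the "Proxy DNS when using SOCKS v5" option, which is what `--socks5-hostname` does for curl). Without that, the hotspot still sees which sites you visit even though the page contents are inside the tunnel.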
