CS78 Secure Server Installation & Administration

This Website (http://homepage.smc.edu/morgan_david/cs78/) will be used to communicate with you. Announcements, grade reports, and assignments will be posted here. The site can be viewed from an internet-connected browser anywhere. You are responsible for awareness of the information posted here.

GPG community signed documents are ready - Tonight on sputnik I find 12 "studentXXkey" public keys and 10 "gettysburg.studentXX" signed copies of the gettysburg address. I renamed the latter with suffixed letters of the alphabet like "gettysburg.W" and you'll find those 10 suffixed, signed files in the home directory of user common on sputnik. The question for you: who signed them? As posed by the assignment instructions. If they were paper signed documents you would answer by signature recognition. Do the same here, but electronically. (Everybody's public keys are in common's home directory, where you put them, too. For you to use.) Have fun. (5/7)

Homework - due 5/10
Do - part 1 only (not part 2) of the assignment at the link entitled "GPG, community." Obtain gettysburg.txt by anonymous ftp from sputnik.smc.edu, in the pub directory. As a commonly accessible file-exchange mechanism among class members, use sputnik's account "common" whose password is "CS78Password" and non-anonymous ftp as user "common" to up- and download files from common's home directory on sputnik. No later than the end of Tuesday 5/6, upload your gpg-created key for this assignment to this repository. Separately, supply your signed copy of gettysburg.txt to the instructor. Do so by using anonymous ftp to sputnik and noting there is a folder named "incoming". Put it in there. The assignment is to be turned in electronically on sputnik. You can perform the GPG operations on your own computer, or use your assigned remote virtual linux machine (below) whose gateway address for reachability is/will be "dmorgan.us". After renaming all the signed files you give me, I'll put them into common's home directory for you. (4/30)

Homework - due 5/3
Do - the assignment at the link entitled "Using RSA". Obtain the "decr" shell script by anonymous ftp to sputnik.smc.edu where it's in the pub directory. Get the encrypted data you're required to decrypt, also in that directory, in a file named "ciphermessage-<yourlastname>". If your name is John Smith, get ciphermessage-smith. Each student who supplies me with a public key during class will find such a file after I've had time to apply his public key to my random string. The file will be in the format expected by the decr script. After you've decrypted, you will know what my random string was. Use an editor to create a file named "randomstring", put the random string in the file, and drop the file into the assignments subdirectory of your home directory on sputnik.
Strings encrypted for you with the public keys you gave me yesterday have been uploaded and are available, as above. Students who were not in class can email me a public key (developed in doing the "RSA Encryption 2" exercise) and I will proceed to provide you too with an encrypted string. (4/27)

Read - something about GPG and ssh.

ssh sources:

textbook's coverage of ssh, pp 341-346

Getting Started with SSH

GPG sources:

GPG (GNU Privacy Guard) official page

GPG Mini HowTo

GNU Privacy Handbook

RFC2440 - OpenPGP message format

Enigmail

Read - any portions of Chapter 7 "Cryptography Basics" not so far covered. Have the main understandings in this chapter all under your belt.

Anticipate - near-future in-class and homework exercises at links "ssh key setup," "ssh file access," "GNU Privacy guard." (4/27)

Please see - newly posted in-class exercise at the link entitled "RSA Encryption 2" at right. We'll do it in class on Saturday. (4/24)

Homework - due 4/26
Read - textbook on public key algorithms pp. 180-87
Read - the section entitled "RSA: The Most Used Asymmetric Algorithm" at http://www.informit.com/articles/printerfriendly.aspx?p=102212
Do - the assignment at the link entitled "RSA encryption" (4/18)

Student internship - at Sun Microsystems El Segundo. (4/16)

Spring break April 12 - no class that day. (3/28)

Homework - due 4/19
Listen - to this discussion about message digests (cryptographic hashes).. It's is a 34 minute conversation, of which you can skip the last 14 minutes for our purposes. Just listen to the first 20 minutes.
Do - the assignment at the link entitled "primitive roots." For understanding of workings of the Diffie-Hellman key exchange see the slides at the link entitled "key exchange," or the articles under the heading entitled "Diffie-Hellman key exchange."
Listen - to this discussion about Diffie-Hellman key exchange.. The conversation is 37 minutes. The first 14 minutes concerns Diffie-Hellman. The rest is about public-key cryptography. Listen to the Diffie-Hellman segment. Optionally, to the rest. (4/4)

Homework - due 4/5
1. DES encryption algorithm - on paper
listen - to the two audio clips (see the icon) "1. SDES - Simplified DES" and "3. SDES Mangler Function." Optionally, also hear "8. Cipher Block Chaining."
do - the assignment at link entitled "S-DES algorithm". Please turn in on the printouts called for in the assignment.
2. steganography - by email
do -use s-tools in Windows to create an image file containing an embedded text file. Get s-tools here. Be guided closely but not completely by the instructions at the link entitled "steganography" in the assignments column at right. Assuming your name is John Smith (substitute your own real name), please name your files
smith.bmp and
smith.txt
In the txt file, put the sentence, naming you, like "my name is John Smith". The image file itself should be sunset.bmp, produced from sunset.jpg. Embed the text file into the image file, using password "password" and encryption algorithm triple-DES. email to me the resultant file attached to a message entitled "steganography" (I will use an email filter based on that title, if you name it something else I won't get it). You get credit if I can extract your text file and read your name. (In the assignment as written up at the "steganography" link, ignore the 2nd portion about covert channels. That assignment was written for use in a slightly different setting. Follow it in terms of its step-by-step for using s-tools but not in terms of the assignment administration. Those just described here are the ones that apply for this class. In particular ignore the questions at the end.) (3/30)

Serious extra credit - strictly extracurricular, but if somebody hands me the code that extends my "polyalph" script to reverse the substitutions it performs, they are a star. The task posed is to be able to recall, so as to reapply, the many ("poly") alphabets that were used in the encrypt. These would have to be recalled in the reverse order they were originally used, and applied to the same letters to which originally applied, and applied in reverse. This is shell script. I don't particularly expect anybody to do this but if somebody did they'd be riding toward an A on a white horse. (3/24)

Homework -
do - assignment at link entitled "permissions" at right. Name the file you create and submit "permissions" (not permissions.txt or variant please). My grading script wants to find it in /home/<your username>/assignments/ (create that directory if it doesn't exist) on sputnik.smc.edu. However please actually perform this assignment on dmorgan.us (not sputnik, as I suggested in class, I was wrong). You will have to use ssh (not telnet) with which to perform your various logins to that machine, dmorgan.us doesn't support telnet. (See comments below about ssh, and installing it if for some reason you haven't.)
pre-read - material about DES, per 3/14 "Homework" post below. (3/23)

Polyalphabetic substitution and character frequency statistics demo program is available by anonymous ftp from sputnik.smc.edu in the pub directory (so is gettysburg.txt). For you to optionally play with. It's a shell script. If you download it to a linux system make it executable-- chmod +x polyalph" -- then run it -- ./polyalph. Edit it and alter the input text and/or the way it evolves the alphabet mapping it uses for determining letter substitutions. Cut and paste its output to

http://www.mtholyoke.edu/courses/quenell/s2002/crypto/js/count.html

to tally the letters and make a bar graph, like we did in class. (3/22)

Grades - posted. Please see link at left entitled "Grade reports" (3/17)

Homework - for next 3 upcoming topics
file permissions
read - the link entitled "File permissions" at left,
read - textbook's chapter 6 "Filesystems and Security"
read - the link entitled "permissions" at right (next week's homework)
pluggable authentication modules (PAM)
review - the brief textbook coverage, in previously assigned Chapter 4
anticipate - "PAM" link in right column
data encryption standard (DES)
read - link entitled "Simplified S-DES" at left
read - "Assignment S-DES" at right, including the encryption/decryption sample it contains; think about how you will go about doing the assignment. The procedure will be demonstrated in class to clarify the approach.
read - the article at the link entitled "Encryption article" at left. (3/14)

Server status - running on 6GB without memory problems but with little usage for close to a week. I plan to give you an assignment using it soon to put a little stress on it. (3/14)

Article related to the unix process mechanism "fork/exec." This article reinforces our coverage. The article has its own examples, distinct from ours but similar. (3/14)

Server status - removed suspect memory, now running on less memory but (we think) stable. Ran continuously for 2-3 days with full complement of 8GB but crashed again last night. Watchdogging it today, was unmistakably unstable. Removed the 4GB new memory and running now on the 4GB old memory, with stable history, so far so good. Will it stay stable? Think so. Will it perform? You'll tell. Do something with it if you can (anything!) so as to have input Saturday. (3/6)

Homework -
research - the June 1942 Battle of Midway between the American and Japanese navies in the central Pacific. Find out enough about it to satisfy yourself why I'm asking for this, in the context of this course. Once you know what it was about the battle that is relevant to the course, you needn't know further military or strategic details. So why am I asking?? Read up a little about the relevant, motivating aspect. (3/5)

Server - please email me for gateway address - has been running 20 VMs here, stable, for a day and a half. It's set up for use exactly as described in class, and below, except the gateway address is different than it was at SMC. Please email me for that address and I'll send it to you. Experiment with the machine, make sure you can make contact with it and it works. I'll be interested to see what happens the rest of the week both at my end and students' end. (3/4)

Homework -
read - textbook pp. 600-610 in the section of Chapter 19 "Defending Accounts" entitled " Administrative Techniques for Conventional Passwords."
read - Part 1 and part2 of an article from IBM about passwords. Don't worry about the parts where specific code examples are analyzed (unless particularly interested). Note the article's suggestion to utilize dice for composing passwords in order to achieve "a completely random distribution of passwords of a given length." Randomness is a virtue, and dice achieve it better than any computer.
read - a discussion of the importance of randomness for producing "perfect passwords" at Gibson Research Corporation.
visit - the site for Password Safe, a product where you put a password your collection of passwords. (3/3)

Request - please don't change the root account passwords on the lab computers, as 3 different classes use them. (3/2)

Server - has been removed, to where I can take a closer look at it. I might later ask you to start/test using it from its new location (my home) in the course of "looking at it." (3/3)

Server appears down - it went down Saturday night and I went in and kicked it up today. Tonight it is again unresponsive. Please stay tuned... (2/24)

Accounts on sputnik.smc.edu were created today - see "Remote Unix system accounts" paragraph below. (Don't confuse these "accounts" with the "virtual machines" you have been allocated elsewhere. They're separate.) (2/24)

Slides we are studying if you wish to preview/review them, are the ones at links (in the "Slide Presentations" section at left) entitled
- User administration
- Processes
- Homemade shell
- ProcessUID control (2/24)

Remote linux virtual machines (not accounts, but whole virtual-machine installations with root access) - have been prepared, one for each student.

hostname	IP address	gateway port	student

host101	192.168.1.201	201	ALTMAN
host102	192.168.1.202	202	BURSTROM
host103	192.168.1.203	203	DONAHUE
host104	192.168.1.204	204	DRANDELL
host105	192.168.1.205	205	ELENES
host106	192.168.1.206	206	FORTE
host107	192.168.1.207	207	KHATAM
host108	192.168.1.208	208	LEE
host109	192.168.1.209	209	LIN
host110	192.168.1.210	210	LIN
host111	192.168.1.211	211	LOPEZ
host112	192.168.1.212	212	PAREDES
host113	192.168.1.213	213	PRESS
host114	192.168.1.214	214	QUIROZ
host115	192.168.1.215	215	RUTTENBURG
host116	192.168.1.216	216	ZOZULKA
host117	192.168.1.217	217	wright
host118	192.168.1.218	218	palanca
host119	192.168.1.219	219	mardini
host120	192.168.1.220	220

Your VM's IP address is 192.168.1.2xx where x is the number from 1-20 that was individually assigned to you in class. You know the gateway's address (or email me for it). Add xx to 200 and use the result as a port number in an ssh command-line command like:

ssh -p 2xx root@<gateway's address>

Or enter the address and port number in the main screen of puTTY (if will ask for a username). The gateway will forward your ssh packet stream to your machine's port 22 where sshd will receive it and respond back to you. So your ssh client's formula for making sshd-contact with your machine is to make port-2xx-contact with the gateway. Use Windows for a client if you want. In that case, depending if you prefer command lines or GUI dialogs, get OpenSSH for Windows or PuTTY. (2/24)

SSH tunneling/port-forwarding - you feed stuff to your (127.0.0.1's) port 3000. You want to be able to push it through to 192.168.1.99's port 80, where192.168.1.99 is a machine you can't directly reach but the ssh server you'll connect to can. Then use the syntax below.

Command line:

ssh -L 3000:192.168.1.99:80 <server IP or domain name>

PuTTY:

If a web server runs on 192.168.1.99's port 80, you would have your browser feed its requests to your port 3000. They would reach that web server. For most graphical browsers the syntax for specifying your local 3000 would be "127.0.0.1:3000" which you would type in the URL window. (2/24)

Download portaputty. It's a version of puTTY that eschews the registry so as to be portable. Like, you can carry it around to different computers on a USB flash drive and have your accustomed configuration right there with you instead of in the registry back at the ranch.

Unzip it. It produces a subdirectory named portaputty, in which is putty.exe. Run it. Load the "b261gate" saved session. Change the port number from 200 to your assigned port number. Press the open button. This method does not work in an environment where your port number is blocked by a firewall (like our classroom). There, you would have to use ssh port forwarding. To do that you need to be able to log in to the gateway/router box that's running ssh server (sshd) and will forward your stuff for you. In our case you can do that using account cs78 with password cs78password. (2/24)

ssh alternatives for windows - command line implementation openSSH for Windows delivers ssh to Windows in the same form as it's found in linux, is openSSH. Then there are puTTY andthers. (2/24)

Remote Unix system accounts
Your username - your last name as it appears on my class list, all lowercase.
Your password - is 5 digits extracted from your phone number. If your phone number is 123-456-9876, then your password will be 56987 (final 2 digits from the 3-digit exchange, plus first 3 digits of the 4-digit number).
The target computer - is sputnik.smc.edu
Log in method - the assignment asks you to "log in." Translation: use telnet as discussed in class and described in the "Remote Unix access with Telnet" link at left. (2/15)

VMware networking article

Homework - by 3/1
read - textbook chapter 4 "Users, Passwords, and Authentication" and chapter 5 "Users, Groups, and the Superuser." Scan the introductory 3 chapters as well.
set up - a linux environment for you to work in outside of class
- install linux on a machine
- install VMware on a Windows machine and linux in VMware
- use a live CD and a persistent storage device (distinctly unpreferred option)

Knoppix CD - http://www.knoppix.org/ and other "live CDs" that are bootable directly to linux (without using or messing with your hard disk), http://www.frozentech.com/content/livecd.php (2/15)

Textbook to get - please see the "Syllabus" link, left column. (2/15)

Welcome - you may view most of the slide presentations used in class at the links under the "Slide presentations" heading in the column at left. See also the brief class syllabus, at the link entitled "Syllabus," upper left. The textbook is identified there.

Eniac - 1946