Category: Utilities

GnuPG – The GNU Privacy Guard (modern version)

Description

GnuPG is a complete and free replacement for PGP. This is the “modern” version.

GnuPG allows encrypting and signing your data and communication, and features a versatile key management system as well as access modules for many public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications.

WWW: https://www.gnupg.org/.

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Install GnuPG with:

[root@server /usr/home/user]# pkg install gnupg [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 8 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gnupg: 2.1.16
	libgpg-error: 1.26
	libassuan: 2.4.3
	npth: 1.3
	libgcrypt: 1.7.6
	pinentry: 1.0.0
	pinentry-tty: 1.0.0
	libksba: 1.3.5

Number of packages to be installed: 8

The process will require 14 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching gnupg-2.1.16.txz: 100%    2 MiB   1.8MB/s    00:01    
Fetching libgpg-error-1.26.txz: 100%  172 KiB 176.1kB/s    00:01    
Fetching libassuan-2.4.3.txz: 100%   76 KiB  77.4kB/s    00:01    
Fetching npth-1.3.txz: 100%   20 KiB  20.6kB/s    00:01    
Fetching libgcrypt-1.7.6.txz: 100%  683 KiB 699.7kB/s    00:01    
Fetching pinentry-1.0.0.txz: 100%   16 KiB  16.6kB/s    00:01    
Fetching pinentry-tty-1.0.0.txz: 100%   27 KiB  27.7kB/s    00:01    
Fetching libksba-1.3.5.txz: 100%  156 KiB 159.9kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/8] Installing libgpg-error-1.26...
[1/8] Extracting libgpg-error-1.26: 100%
[2/8] Installing libassuan-2.4.3...
[2/8] Extracting libassuan-2.4.3: 100%
[3/8] Installing pinentry-tty-1.0.0...
[3/8] Extracting pinentry-tty-1.0.0: 100%
[4/8] Installing npth-1.3...
[4/8] Extracting npth-1.3: 100%
[5/8] Installing libgcrypt-1.7.6...
[5/8] Extracting libgcrypt-1.7.6: 100%
[6/8] Installing pinentry-1.0.0...
[6/8] Extracting pinentry-1.0.0: 100%
[7/8] Installing libksba-1.3.5...
[7/8] Extracting libksba-1.3.5: 100%
[8/8] Installing gnupg-2.1.16...
[8/8] Extracting gnupg-2.1.16: 100%
Message from gnupg-2.1.16:
###############################################################################
				A T T E N T I O N

In order to use gpg-agent, you need to install a pinentry dialog.

The following ports of pinentry dialogs are available:

security/pinentry-curses	(ncurses based dialog)
security/pinentry-gtk2		(GTK 2.x based dialog)
security/pinentry-qt4		(QT4 based dialog)
security/pinentry-tty		(console based dialog)

###############################################################################
[root@server /usr/home/user]#

Configuration

Create required directories with:

[root@server /usr/home/user]# gpg --verify dummy.asc [enter]
gpg: Warning: using insecure memory!
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/dirmngr.conf' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: can't open 'dummy.asc': No such file or directory
gpg: verify signatures failed: No such file or directory
[root@server /usr/home/user]#

How to Use

[root@server /usr/home/user]# gpg --help [enter]
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/dirmngr.conf' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg (GnuPG) 2.1.16
libgcrypt 1.7.6
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:
 
 -s, --sign                 make a signature
     --clearsign            make a clear text signature
 -b, --detach-sign          make a detached signature
 -e, --encrypt              encrypt data
 -c, --symmetric            encryption only with symmetric cipher
 -d, --decrypt              decrypt data (default)
     --verify               verify a signature
 -k, --list-keys            list keys
     --list-sigs            list keys and signatures
     --check-sigs           list and check key signatures
     --fingerprint          list keys and fingerprints
 -K, --list-secret-keys     list secret keys
     --gen-key              generate a new key pair
     --quick-gen-key        quickly generate a new key pair
     --quick-adduid         quickly add a new user-id
     --quick-revuid         quickly revoke a user-id
     --full-gen-key         full featured key pair generation
     --gen-revoke           generate a revocation certificate
     --delete-keys          remove keys from the public keyring
     --delete-secret-keys   remove keys from the secret keyring
     --quick-sign-key       quickly sign a key
     --quick-lsign-key      quickly sign a key locally
     --sign-key             sign a key
     --lsign-key            sign a key locally
     --edit-key             sign or edit a key
     --passwd               change a passphrase
     --export               export keys
     --send-keys            export keys to a keyserver
     --recv-keys            import keys from a keyserver
     --search-keys          search for keys on a keyserver
     --refresh-keys         update all keys from a keyserver
     --import               import/merge keys
     --card-status          print the card status
     --card-edit            change data on a card
     --change-pin           change a card's PIN
     --update-trustdb       update the trust database
     --print-md             print message digests
     --server               run in server mode
     --tofu-policy VALUE    set the TOFU policy for a key

Options:
 
 -a, --armor                create ascii armored output
 -r, --recipient USER-ID    encrypt for USER-ID
 -u, --local-user USER-ID   use USER-ID to sign or decrypt
 -z N                       set compress level to N (0 disables)
     --textmode             use canonical text mode
 -o, --output FILE          write output to FILE
 -v, --verbose              verbose
 -n, --dry-run              do not make any changes
 -i, --interactive          prompt before overwriting
     --openpgp              use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <https://bugs.gnupg.org>.
[root@server /usr/home/user]#

 

You should always verify that the signature matches the archive you have downloaded. This way you can be sure that you are using the same code that was released.

For more information, see nixCraft: UNIX / Linux: PGP TarBall File Signature Keys Verification.
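One way to script that check, as an added example (not from the original page or the GnuPG project): rather than trusting gpg's exit code alone, it reads the machine-readable --status-fd output and accepts the archive only if a VALIDSIG line names a pinned key fingerprint. The function names, the file names in the usage comment and the fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder: replace it with the
# release key's full fingerprint, obtained from a source you trust.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR: read gpg --status-fd lines on stdin. Succeed only if a
# VALIDSIG line names FPR as signing key or primary key, and no line reports
# a bad, uncheckable, expired or revoked signature.
check_status() {
    want=$1
    ok=1
    while read -r tag kw f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$f1" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                fi ;;
        esac
    done
    return $ok
}

# verify_archive SIG FILE: verify a detached signature against the pinned key.
verify_archive() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Usage (hypothetical file names):
#   verify_archive foo-1.0.tar.gz.asc foo-1.0.tar.gz && tar xzf foo-1.0.tar.gz
```

A signature that verifies against some other key already in the keyring is rejected, which a bare "gpg --verify" exit code would not tell you.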

GNU wget

Description

GNU wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc.

GNU wget has many features to make retrieving large files or mirroring entire web or FTP sites easy, including:

  • Can resume aborted downloads, using REST and RANGE
  • Can use filename wild cards and recursively mirror directories
  • NLS-based message files for many different languages
  • Optionally converts absolute links in downloaded documents to relative, so that downloaded documents may link to each other locally
  • Supports HTTP and SOCKS proxies
  • Supports HTTP cookies
  • Supports persistent HTTP connections
  • Unattended / background operation
  • Uses local file timestamps to determine whether documents need to be re-downloaded when mirroring
  • GNU wget is distributed under the GNU General Public License.

WWW: http://www.gnu.org/software/wget/wget.html

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Install

Install wget with:

[root@server /usr/home/user]# pkg install wget [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked)
New packages to be INSTALLED:
wget: 1.18_2

Number of packages to be installed: 1

The process will require 3 MiB more space.
578 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching wget-1.18_2.txz: 100% 578 KiB 592.0kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing wget-1.18_2...
[1/1] Extracting wget-1.18_2: 100%
[root@server /usr/home/user]#

List all installed files with:

[root@server ~]# pkg info -l wget | less [enter]

Configure

No configuration required.

How to Use

Since Wget uses GNU getopt to process command-line arguments, every option has a long form along with the short one. Long options are more convenient to remember, but take time to type. You may freely mix different option styles, or specify options after the command-line arguments. Thus you may write:

[root@server ~]#  wget -r --tries=10 http://www.example.com/ -o log [enter]

The space between the option accepting an argument and the argument may be omitted. Instead of -o log you can write -olog.

OpenSSL – Open Secure Sockets Layer

Description

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

WWW: http://www.openssl.org/.

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Install the OpenSSL port with:

[root@server /usr/home/user]# pkg install openssl [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openssl: 1.0.2l,1

Number of packages to be installed: 1

The process will require 12 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
[1/1] Fetching openssl-1.0.2l,1.txz: 100%    3 MiB   1.5MB/s    00:02
Checking integrity... done (0 conflicting)
[1/1] Installing openssl-1.0.2l,1...
Extracting openssl-1.0.2l,1: 100%
Message from openssl-1.0.2l,1:
Edit /usr/local/openssl/openssl.cnf to fit your needs.
[root@server /usr/home/user]#

Configuration

Disable use of the old version of openssl in directory /usr/bin/ with:

[root@server /usr/home/user]# mv /usr/bin/openssl /usr/bin/openssl.default [enter]
[root@server /usr/home/user]#

Create a symbolic link to enable use of the new version of openssl with:

[root@server /usr/home/user]# ln -s /usr/local/bin/openssl /usr/bin/ [enter]
[root@server /usr/home/user]#

Edit /usr/local/openssl/openssl.cnf to fit your needs with:

[root@server /usr/home/user]# ee /usr/local/openssl/openssl.cnf [enter]
.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = SE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Example State

localityName                    = Locality Name (eg, city)
localityName_default            = Example City

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Example Company

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Example Unit

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = your.mail@example.net

# SET-ex3                       = SET extension number 3
.

A CA requires some setup before it can be used. To make things easier, run the script:

[root@server /usr/home/user]# /usr/local/openssl/misc/CA.sh -newca [enter]
[root@server /usr/home/user]#

Generating Certificates

If a signature from a CA is not required, a self-signed certificate can be created. First, generate the RSA key:

[root@server /usr/home/user]# openssl genrsa -out cert.key 2048 [enter]
Generating RSA private key, 2048 bit long modulus
................................................+++
......+++
e is 65537 (0x10001)
[root@server /usr/home/user]#

Use this key to create a self-signed certificate valid for five years. Follow the usual prompts for creating a certificate:

[root@server /usr/home/user]# openssl req -new -x509 -days 1825 -key cert.key -out cert.crt -sha256 [enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]: [enter]
State or Province Name (full name) [Example State]: [enter]
Locality Name (eg, city) [Example City]: [enter]
Organization Name (eg, company) [Example Company]: [enter]
Organizational Unit Name (eg, section) [Example Unit]: [enter]
Common Name (e.g. server FQDN or YOUR name) []:server.example.net [enter]
Email Address [your.mail@example.net]: [enter]
[root@server /usr/home/user]#

Two new files have been created in the current directory: a private key file, cert.key, and the certificate itself, cert.crt. These files should be placed in a directory, preferably under /usr/local/etc/ssl/. Permissions of 0700 are appropriate for these files and can be set using chmod.

[root@server /usr/home/user]# mv cert.* /usr/local/etc/ssl/ [enter]
[root@server /usr/home/user]#
[root@server /usr/home/user]# chmod 0700 /usr/local/etc/ssl/cert.* [enter]
[root@server /usr/home/user]#
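A follow-up check for the pair created above, as an added example (not from the original page or the OpenSSL project): it confirms that the certificate carries the public half of the private key, that the certificate has not expired, and that group and others have no access to the key file. The function names are hypothetical; the key is assumed to be stored without a passphrase, as generated above.

```shell
#!/bin/sh
# Added example: post-generation checks for a key/certificate pair.

# cert_matches_key CERT KEY: true if the certificate carries the public half
# of the private key (compares the two SubjectPublicKeyInfo PEM blocks).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_private FILE: true if group and others have no access to FILE.
# Reads the mode string from ls so it works on both FreeBSD and Linux.
key_is_private() {
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_pair CERT KEY: run all checks, report the first failure, and print
# the subject and expiry date when everything passes.
check_pair() {
    cert_matches_key "$1" "$2" ||
        { echo "key does not match certificate"; return 1; }
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null ||
        { echo "certificate has expired"; return 1; }
    key_is_private "$2" ||
        { echo "key is accessible to group or others"; return 1; }
    openssl x509 -noout -subject -enddate -in "$1"
}

# Usage: check_pair /usr/local/etc/ssl/cert.crt /usr/local/etc/ssl/cert.key
```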