Linux Tutorial – Episode 29
by jolek78
Dear readers, in these posts – every Sunday morning – we talk about the GNU/Linux operating system and the tools for getting the most out of it. We will try to explain how it works, what the kernel is, how to build yourself a VPN, how to set up a firewall and play with the terminal, how to use adb, and more. If surveillance capitalism wants us to be passive consumers of services, we answer with a bit of "computer culture" and a (nearly affectionate) MARAMEO. Enjoy!
Gpg – GNU Privacy Guard – is the nice, open-standard and open-source version of Pgp – Pretty Good Privacy. jolek78, what the hell are you talking about? Yes, you are right. Pgp is an encryption tool created by the American cryptographer Phil Zimmermann in 1991. The idea was to build a universal, simple tool that could be used at every level, from programmers to end users. My first contact with Pgp was in 1999, and I already met it in its open version, the so-called OpenPGP, through a Thunderbird plugin for sending encrypted e-mail. In those days, in the Linux community, it was pretty much the standard to send your mail with your "Linux counter", your "gpg public key" and a "quote", a famous saying that explained in a few words what you thought about life, the universe and everything. But if a public key exists, there must also be a private key, right? And what are keys in Gpg? And then, a key to open which door? Welcome back!
Installation
The installation step, which should bore you by now, is quite elementary:
bottega@bottegadelbarbieri ~ sudo apt install gnupg2
[sudo] password for bottega:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed
  gnupg2
0 to upgrade, 1 to newly install, 0 to remove and 0 not to upgrade.
Need to get 4,584 B of archives.
After this operation, 51.2 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu focal-updates/universe amd64 gnupg2 all 2.2.19-3ubuntu2.1 [4,584 B]
Fetched 4,584 B in 0s (38.9 kB/s)
Selecting previously unselected package gnupg2.
(Reading database ... 214572 files and directories currently installed.)
Preparing to unpack .../gnupg2_2.2.19-3ubuntu2.1_all.deb ...
Unpacking gnupg2 (2.2.19-3ubuntu2.1) ...
Setting up gnupg2 (2.2.19-3ubuntu2.1) ...
Processing triggers for man-db (2.9.1-1) ...
# gpg2 --gen-key
What can I say, I am fond of the ed25519 algorithm for generating keys. Why, you ask? Well, then you have not read the episode about ssh. Penitenziagite!
bottega@bottegadelbarbieri ~ gpg2 --expert --full-gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# key algorithm
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 9
# curve
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
# details
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: bottegadelbarbieri
E-mail address: bottegadelbarbieri@tutanota.com
Comment: ed25519
You selected this USER-ID:
    "bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
# key generation
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 3CD52975E8BE1B22 marked as ultimately trusted
gpg: revocation certificate stored as '/home/bottega/.gnupg/openpgp-revocs.d/DA0650F0DE6A03584F60E93E3CD52975E8BE1B22.rev'
public and secret key created and signed.

pub   ed25519 2021-10-06 [SC]
      DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
uid                      bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>
sub   cv25519 2021-10-06 [E]
# delete rsa key
At the moment we have two key pairs in the keyring: an rsa one, created when we reinstalled the bottega virtual machine, and the ed25519 one we have just generated.
bottega@bottegadelbarbieri ~ gpg --list-keys
/home/bottega/.gnupg/pubring.kbx
--------------------------------
pub   rsa3072 2021-08-27 [SC] [expires: 2023-08-27]
      E83C843BCAAF6385611650133E1DC8E01D3794C7
uid           [ultimate] bottega <bottegadelbarbieri@tutanota.com>
sub   rsa3072 2021-08-27 [E] [expires: 2023-08-27]

pub   ed25519 2021-10-06 [SC]
      DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
uid           [ultimate] bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>
sub   cv25519 2021-10-06 [E]
To avoid confusion, let's remove the old one. We can generate another one later if we need to:
bottega@bottegadelbarbieri ~ gpg --delete-secret-keys E83C843BCAAF6385611650133E1DC8E01D3794C7
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa3072/3E1DC8E01D3794C7 2021-08-27 bottega <bottegadelbarbieri@tutanota.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
# list keys
Let's list the keys again:
bottega@bottegadelbarbieri ~ gpg --list-keys
/home/bottega/.gnupg/pubring.kbx
--------------------------------
pub   ed25519 2021-10-06 [SC]
      DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
uid           [ultimate] bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>
sub   cv25519 2021-10-06 [E]
How to use GPG
Before doing anything else we have to export our public key in a readable, ASCII-armored format:
# export
bottega@bottegadelbarbieri ~/.gnupg gpg --export --armor bottegadelbarbieri@tutanota.com > bottegadelbarbieri.pub
bottega@bottegadelbarbieri ~/.gnupg cat bottegadelbarbieri.pub
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYV0rSRYJKwYBBAHaRw8BAQdALH/gyb7NjL7m1A5+BVEXdY4nMWovnrA4/hAZ
FONQESW0PmJvdHRlZ2FkZWxiYXJiaWVyaSAoZWQyNTUxOSkgPGJvdHRlZ2FkZWxi
YXJiaWVyaUB0dXRhbm90YS5jb20+iJAEExYIADgWIQTaBlDw3moDWE9g6T481Sl1
6L4bIgUCYV0rSQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA81Sl16L4b
IrbdAQDRg7ApaI/wh3vVzrj6mWtu+eO8MEPEnDEtKu2k5MIRMwD+L+CMQRCJDSlx
vKfzQqwfRvPGC7iJE6jgXFIs+rtj7gO4OARhXStJEgorBgEEAZdVAQUBAQdA4cmq
zgJgmPqQVMRqdGSQLLRuxEI49RTy71fzUAXS5RoDAQgHiHgEGBYIACAWIQTaBlDw
3moDWE9g6T481Sl16L4bIgUCYV0rSQIbDAAKCRA81Sl16L4bIknkAQDrWfHGqYhC
IMj5Zk4aq16A3dd6T4XNaM01kfhLctlL7AEAmdjpN/kyGp+KBiD66Z11QY8p1SvN
Xgz6Y+/L+HsWjAE=
=9Kb7
-----END PGP PUBLIC KEY BLOCK-----
and now let's put our public key on one of the many key databases. The first, and perhaps the most famous, is and remains MIT's:
bottega@bottegadelbarbieri ~/.gnupg gpg --keyserver pgp.mit.edu --send-keys DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
gpg: sending key 3CD52975E8BE1B22 to hkp://pgp.mit.edu
Browsing now to the MIT web site https://pgp.mit.edu/ and doing a simple search:
# retrieve
Let's now imagine that bottegadelbarbieri wants to send jolek78 an encrypted message. At this point jolek78 has to do a fundamental operation: import the public key that bottegadelbarbieri exported to the MIT site. To do this:
~ gpg --keyserver hkp://pgp.mit.edu/ --search-keys DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
gpg: data source: http://pgp.mit.edu:11371
(1)	bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>
	  256 bit EDDSA key 3CD52975E8BE1B22, created: 2021-10-06
Keys 1-1 of 1 for "DA0650F0DE6A03584F60E93E3CD52975E8BE1B22".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 3CD52975E8BE1B22: public key "bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
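What is actually inside the armored block exported above, and what jolek78 should look at after fetching it: a keyserver hands out whatever was uploaded under whatever name, so the thing to compare is the fingerprint, obtained from bottegadelbarbieri over some other channel (the search above, by full fingerprint rather than by name or e-mail, is the right selector for exactly that reason). The following Python script is an added example, not part of the original post and not GnuPG's own code: it strips the armor from the block that gpg --export --armor printed above, checks the armor's CRC-24 checksum line (=9Kb7), walks the OpenPGP packets (RFC 4880 old-format headers, which is what gpg emits for key, user-ID and signature packets), decodes the algorithm and curve of the primary key and subkey, and recomputes the v4 fingerprint so it can be compared with the DA0650F0...E8BE1B22 value that gpg --list-keys showed. EXPECTED_FINGERPRINT, the name tables and the function names are the script's own; the key block and the fingerprint come from the page.

```python
import base64
import hashlib
import struct

# Armored public key exactly as `gpg --export --armor` printed it on the page.
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYV0rSRYJKwYBBAHaRw8BAQdALH/gyb7NjL7m1A5+BVEXdY4nMWovnrA4/hAZ
FONQESW0PmJvdHRlZ2FkZWxiYXJiaWVyaSAoZWQyNTUxOSkgPGJvdHRlZ2FkZWxi
YXJiaWVyaUB0dXRhbm90YS5jb20+iJAEExYIADgWIQTaBlDw3moDWE9g6T481Sl1
6L4bIgUCYV0rSQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA81Sl16L4b
IrbdAQDRg7ApaI/wh3vVzrj6mWtu+eO8MEPEnDEtKu2k5MIRMwD+L+CMQRCJDSlx
vKfzQqwfRvPGC7iJE6jgXFIs+rtj7gO4OARhXStJEgorBgEEAZdVAQUBAQdA4cmq
zgJgmPqQVMRqdGSQLLRuxEI49RTy71fzUAXS5RoDAQgHiHgEGBYIACAWIQTaBlDw
3moDWE9g6T481Sl16L4bIgUCYV0rSQIbDAAKCRA81Sl16L4bIknkAQDrWfHGqYhC
IMj5Zk4aq16A3dd6T4XNaM01kfhLctlL7AEAmdjpN/kyGp+KBiD66Z11QY8p1SvN
Xgz6Y+/L+HsWjAE=
=9Kb7
-----END PGP PUBLIC KEY BLOCK-----
"""

# Fingerprint `gpg --list-keys` printed on the page: the value a recipient obtains
# out of band and compares against, because a keyserver verifies nothing itself.
EXPECTED_FINGERPRINT = "DA0650F0DE6A03584F60E93E3CD52975E8BE1B22"

# Name tables (RFC 4880 / RFC 6637 / EdDSA draft); these are this script's own.
TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
CURVE_OIDS = {bytes.fromhex("2b06010401da470f01"): "Ed25519",
              bytes.fromhex("2b060104019755010501"): "Curve25519"}


def crc24(data):
    """CRC-24 over the binary payload, exactly as RFC 4880 section 6.1 defines it."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip the armor; return (binary payload, True if the '=XXXX' checksum line matches)."""
    lines = [ln.strip() for ln in text.strip().splitlines()[1:-1]]  # drop BEGIN/END
    if "" in lines:                       # armor headers, if any, end at the first blank line
        lines = lines[lines.index("") + 1:]
    crc_line = next(ln for ln in lines if ln.startswith("="))
    payload = base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return payload, crc24(payload) == expected


def parse_packets(payload):
    """Split the payload into (tag, body) pairs; old-format headers with definite lengths only."""
    packets, i = [], 0
    while i < len(payload):
        ctb = payload[i]
        if not ctb & 0x80 or ctb & 0x40 or ctb & 0x03 == 3:
            raise ValueError("unsupported packet header at offset %d" % i)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        hdr = (2, 3, 5)[ltype]            # 1-, 2- or 4-byte length field after the tag byte
        length = int.from_bytes(payload[i + 1:i + hdr], "big")
        packets.append((tag, payload[i + hdr:i + hdr + length]))
        i += hdr + length
    return packets


def describe_key(body):
    """Decode a v4 public-key or public-subkey packet: creation time, algorithm and curve."""
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    info = {"version": version, "created": created, "algo": ALGO_NAMES.get(algo, algo)}
    if algo in (18, 19, 22):              # ECC keys carry a length-prefixed curve OID
        oid = body[7:7 + body[6]]
        info["curve"] = CURVE_OIDS.get(oid, oid.hex())
    return info


def v4_fingerprint(body):
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def inspect_armored_key(text):
    """Report what a recipient should look at before relying on an imported key."""
    payload, crc_ok = dearmor(text)
    packets = parse_packets(payload)
    primary = next(body for tag, body in packets if tag == 6)
    fpr = v4_fingerprint(primary)
    return {
        "crc_ok": crc_ok,
        "tags": [TAG_NAMES.get(tag, tag) for tag, _ in packets],
        "primary": describe_key(primary),
        "subkeys": [describe_key(b) for t, b in packets if t == 14],
        "user_ids": [b.decode("utf-8") for t, b in packets if t == 13],
        "signature_types": [b[1] for t, b in packets if t == 2],  # 0x13 cert, 0x18 binding
        "fingerprint": fpr,
        "key_id": fpr[-16:],              # the short form gpg prints in its messages
        "matches_expected": fpr == EXPECTED_FINGERPRINT,
    }


if __name__ == "__main__":
    for key, value in inspect_armored_key(ARMORED_KEY).items():
        print("%-18s %s" % (key + ":", value))
```

Run it and the report shows a v4 EdDSA primary key on Ed25519 (the 2021-10-06 creation time is the Unix timestamp in the packet), a cv25519 encryption subkey (ECDH on Curve25519), the single user ID, the two self-signatures, and a recomputed fingerprint equal to the one on the page. The CRC only catches transport damage; the fingerprint comparison is the step that ties the key to a person.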
We're ready. Or almost.
# pinentry-tty
On bottegadelbarbieri, let's first make sure that, during encryption, the passphrase prompt appears in the terminal. To do this we need to install the pinentry-tty package and point gpg at the tty pinentry:
bottega@bottegadelbarbieri ~/.gnupg sudo apt install pinentry-tty
[sudo] password for bottega:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed
  pinentry-tty
0 to upgrade, 1 to newly install, 0 to remove and 41 not to upgrade.
Need to get 32.1 kB of archives.
After this operation, 91.1 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu focal/universe amd64 pinentry-tty amd64 1.1.0-3build1 [32.1 kB]
Fetched 32.1 kB in 0s (264 kB/s)
Selecting previously unselected package pinentry-tty.
(Reading database ... 214578 files and directories currently installed.)
Preparing to unpack .../pinentry-tty_1.1.0-3build1_amd64.deb ...
Unpacking pinentry-tty (1.1.0-3build1) ...
Setting up pinentry-tty (1.1.0-3build1) ...
Processing triggers for man-db (2.9.1-1) ...
bottega@bottegadelbarbieri ~/.gnupg sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gnome3   90        auto mode
  1            /usr/bin/pinentry-gnome3   90        manual mode
  2            /usr/bin/pinentry-gtk-2    85        manual mode
  3            /usr/bin/pinentry-tty      30        manual mode

Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-tty to provide /usr/bin/pinentry (pinentry) in manual mode
bottega@bottegadelbarbieri ~ cp the-rhyme-of-the-ancient-mariner.txt the-rhyme-of-the-ancient-mariner--gpg.txt
'the-rhyme-of-the-ancient-mariner.txt' -> 'the-rhyme-of-the-ancient-mariner--gpg.txt'
bottega@bottegadelbarbieri ~ gpg -c the-rhyme-of-the-ancient-mariner--gpg.txt
Enter passphrase
Passphrase:
Please re-enter this passphrase
Passphrase:
Listing the directory contents we find a file ending in the .gpg extension, and that is exactly the one we have just created:
bottega@bottegadelbarbieri ~ ls -lha |grep "mariner"
-rw-rw-r-- 1 bottega bottega  23K Oct  7 05:24 the-rhyme-of-the-ancient-mariner--gpg.txt
-rw-rw-r-- 1 bottega bottega 9.1K Oct  7 05:35 the-rhyme-of-the-ancient-mariner--gpg.txt.gpg   <<<<<<<<<<<<
-rw-rw-r-- 1 bottega bottega  23K Aug 28 09:17 the-rhyme-of-the-ancient-mariner.txt
Voilà!
# decrypt
This is where we are:
– gpg is present on both machines, bottegadelbarbieri and jolek78
– bottegadelbarbieri has created a private and public key with the ed25519 algorithm
– bottegadelbarbieri has exported the gpg public key to the MIT site
– jolek78 has downloaded bottegadelbarbieri's public key from the MIT site
– bottegadelbarbieri has encrypted the file the-rhyme-of-the-ancient-mariner
Now, with the scp command, jolek78 will copy the encrypted file the-rhyme-of-the-ancient-mariner from bottegadelbarbieri into any directory of his /home:
~ scp -v bottega:/home/bottega/the-rhyme-of-the-ancient-mariner--gpg.txt.gpg Documents/
Executing: program /usr/bin/ssh host bottega, user (unspecified), command scp -v -f /home/bottega/the-rhyme-of-the-ancient-mariner--gpg.txt.gpg
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/jolek78/.ssh/config
debug1: /home/jolek78/.ssh/config line 1: Applying options for bottega
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.0.27 [192.168.0.27] port 2121.
debug1: Connection established.
debug1: identity file /home/jolek78/.ssh/id_ed25519 type 3
debug1: identity file /home/jolek78/.ssh/id_ed25519-cert type -1
[...]
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending command: scp -v -f /home/bottega/the-rhyme-of-the-ancient-mariner--gpg.txt.gpg
Sending file modes: C0664 9268 the-rhyme-of-the-ancient-mariner--gpg.txt.gpg
Sink: C0664 9268 the-rhyme-of-the-ancient-mariner--gpg.txt.gpg
the-rhyme-of-the-ancient-mariner--gpg.txt.gpg                 100% 9268    13.4MB/s   00:00
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1692, received 11632 bytes, in 0.2 seconds
Bytes per second: sent 7125.2, received 48983.7
debug1: Exit status 0
Let's verify that bottegadelbarbieri's key really exists on jolek78:
~/Documents gpg --list-keys
/home/jolek78/.gnupg/pubring.kbx
--------------------------------
pub   ed25519 2021-10-06 [SC]
      A845CC1340C5B5D2F5BDEAFD6C808A1739EA60B3
uid           [ultimate] jolek78 (ed25519) <jolek78@tutanota.com>
sub   cv25519 2021-10-06 [E]

pub   ed25519 2021-10-06 [SC]
      DA0650F0DE6A03584F60E93E3CD52975E8BE1B22
uid           [ unknown] bottegadelbarbieri (ed25519) <bottegadelbarbieri@tutanota.com>
sub   cv25519 2021-10-06 [E]
And then, on with the decryption:
~/Documents gpg -d the-rhyme-of-the-ancient-mariner--gpg.txt.gpg
gpg: AES256 encrypted data
Enter passphrase
Passphrase:
gpg: encrypted with 1 passphrase
PART THE FIRST.

It is an ancient Mariner,
And he stoppeth one of three.
"By thy long grey beard and glittering eye,
Now wherefore stopp'st thou me?

"The Bridegroom's doors are opened wide,
And I am next of kin;
The guests are met, the feast is set:
[...]
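Two things in the output above are worth dwelling on. First, gpg reports "encrypted with 1 passphrase": gpg -c is symmetric encryption, it reads no key from either keyring, so the public key jolek78 imported from the keyserver played no part and the passphrase itself has to reach jolek78 by some other route. Public-key encryption is what the imported key is for: the sender encrypts to the recipient's key with --encrypt --recipient, and only the recipient's secret key can decrypt; for bottegadelbarbieri to encrypt to jolek78 it is jolek78's public key that has to be imported on bottegadelbarbieri, the opposite direction of the retrieve step. Second, the imported key is listed as [ unknown]: gpg has no reason yet to believe it belongs to bottegadelbarbieri, and in batch mode it refuses to encrypt to such a key until its fingerprint has been checked and the key signed (locally, with --quick-lsign-key, or fully). The following Python script is an added example, not from the post, that drives the gpg command line through subprocess to show both modes side by side using two throwaway keyrings in temporary directories. The names Alice and Bob, the example.test addresses, the message and the passphrase are constructed; the keys are generated without a passphrase for the demo only; and the script returns a "not run" result when gpg is not installed.

```python
import shutil
import subprocess
import tempfile

# Constructed sample message for the round trip (not the poem used on the page).
PLAINTEXT = b"It is an ancient Mariner, and he stoppeth one of three.\n"


def _gpg(home, *args, stdin=None, passphrase=""):
    """Run gpg non-interactively against a throwaway GNUPGHOME and return its stdout."""
    cmd = ["gpg", "--batch", "--yes", "--quiet", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", passphrase, *args]
    io = {"input": stdin} if stdin is not None else {"stdin": subprocess.DEVNULL}
    return subprocess.run(cmd, capture_output=True, check=True, **io).stdout


def _primary_fingerprint(home, *selectors):
    """First 'fpr' record of the machine-readable --with-colons listing (field 10)."""
    out = _gpg(home, "--with-colons", "--list-keys", *selectors).decode()
    return next(line.split(":")[9] for line in out.splitlines() if line.startswith("fpr:"))


def demo_public_key_exchange():
    """Public-key encryption between two keyrings, then gpg -c for contrast."""
    if shutil.which("gpg") is None:
        return {"ran": False, "ok": False, "reason": "gpg not installed"}
    alice, bob = tempfile.mkdtemp(prefix="alice-"), tempfile.mkdtemp(prefix="bob-")
    try:
        # 1. Each side generates its own key pair in its own keyring
        #    (no passphrase: demo only, never do this for a real key).
        _gpg(alice, "--quick-generate-key", "Alice (demo) <alice@example.test>", "default", "default", "never")
        _gpg(bob, "--quick-generate-key", "Bob (demo) <bob@example.test>", "default", "default", "never")
        bob_fpr_out_of_band = _primary_fingerprint(bob)      # what Bob tells Alice in person

        # 2. Bob publishes his public key (a keyserver on the page; an armored export here).
        bob_pub = _gpg(bob, "--armor", "--export", bob_fpr_out_of_band)

        # 3. Alice imports it and compares the fingerprint of what she received with the
        #    one Bob gave her; only then does she record the check as a local signature,
        #    which turns the key's validity from "unknown" into something gpg will use.
        _gpg(alice, "--import", stdin=bob_pub)
        imported_fpr = _primary_fingerprint(alice, "bob@example.test")
        if imported_fpr != bob_fpr_out_of_band:
            raise RuntimeError("fingerprint mismatch: do not encrypt to this key")
        _gpg(alice, "--quick-lsign-key", imported_fpr)

        # 4. Public-key encryption: only Bob's secret key can open this message.
        ciphertext = _gpg(alice, "--armor", "--recipient", imported_fpr, "--encrypt", stdin=PLAINTEXT)
        decrypted = _gpg(bob, "--decrypt", stdin=ciphertext)

        # 5. Contrast: gpg -c (--symmetric) touches no keyring at all. Whoever knows the
        #    passphrase decrypts, which is why the key imported on the page played no part.
        sym = _gpg(alice, "--armor", "--symmetric", stdin=PLAINTEXT, passphrase="demo-passphrase")
        sym_decrypted = _gpg(bob, "--decrypt", stdin=sym, passphrase="demo-passphrase")

        return {"ran": True,
                "ok": decrypted == PLAINTEXT and sym_decrypted == PLAINTEXT,
                "recipient_fingerprint": imported_fpr,
                "ciphertext_is_armored": ciphertext.startswith(b"-----BEGIN PGP MESSAGE-----")}
    finally:
        for home in (alice, bob):          # stop the per-homedir agents and clean up
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"], capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(demo_public_key_exchange())
```

The fingerprint comparison in step 3 is the whole point of the exercise: --search-keys by fingerprint, as done on the page, fetches the right key, but nothing on a keyserver stops anyone from uploading a key under someone else's name, so the value you compare against must come from the key's owner directly. Step 5 shows that the symmetric path would have worked exactly the same with no keys in either keyring.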
Well, that was gpg in a nutshell. For the rest, have fun and… RTFM
See you next week!
jolek78
The "Tux Linux" logo was made and distributed by the artist deiby-ybied on Deviantart under a Creative Commons BY-NC-SA 3.0 licence