nemunaire/nemunai.re
1
0
Fork 0
Code Issues Pull requests 1 Releases Activity

Import (and cleanup) previous blog posts

Browse source
This commit is contained in:
nemunaire 2017-07-24 00:40:17 +02:00
commit 01b6e4bd53
11 changed files with 138 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
content/post/kernel_configs.md Normal file
View file

@ -0,0 +1,29 @@
---
title: Linux kernel configuration
date: !!timestamp '2015-04-20 00:00:00'
update: !!timestamp '2017-07-24 00:18:00'
tags:
- kernel
---
My favorite distribution is [Gentoo], for 7 years now.
<!--more-->
Here are some of my kernel configurations I use:
* [Dreamplug]: latest public Grsecurity kernel 4.9 (before, I used precompiled kernels from [Xilka]);
* [Cubieboard 2]: Linux 3.4 [custom branch](https://github.com/cubieboard/linux-sunxi.git) for Allwinner A20 (dual-core ARMv7 Cortex-A7 and Mali400 MP2) + upstream patches on 3.4 not merged in the Allwinner tree;
* [Odroid-C1]: Linux 3.10 [custom branch](https://github.com/hardkernel/linux.git) for the Amlogic S805 (quad-core ARMv7 Cortex-A5 and Mali450) + upstream patches on 3.10 not merged in the Hardkernel tree;
* [Mirabox]: latest public Grsecurity kernel 4.9 for the Marvell Armada 370 (with all available features for the board enabled);
* [Cubox-i 4x4]: latest mainline kernel, currently 4.12;
* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + upstream patches on 3.18 not merged in the imgtec tree.
[Gentoo]: http://www.gentoo.org/
[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.html
[Xilka]: http://www.xilka.com/sheeva/
[Odroid-C1]: http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433
[Cubieboard 2]: http://cubieboard.org/model/cb2/
[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.html
[Cubox-i 4x4]: http://www.solid-run.com/product/cubox-i-4x4
[Creator CI20]: http://store.imgtec.com/uk/product/mips-creator-ci20/

24
content/post/pgp_key.md Normal file
View file

@ -0,0 +1,24 @@
---
title: PGP key
date: !!timestamp '2015-06-29 00:00:00'
update: !!timestamp '2017-07-24 00:45:00'
tags:
- privacy
- cryptography
---
My personal PGP key is the following: [0x842807a84573cc96].
pub 4096R/4573CC96 2014-06-23 [expires: 2018-07-01]
Key fingerprint = E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96
uid Pierre-Olivier Mercier <nemunaire@nemunai.re>
sub 4096R/9D2855C3 2014-06-23 [expires: 2018-07-01]
<!--more-->
This key is also available through [OpenPGP DANE], generated by [this script].
[0x842807a84573cc96]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x842807A84573CC96
[OpenPGP DANE]: https://www.ietf.org/id/draft-ietf-dane-openpgpkey-06.txt
[this script]: https://gist.github.com/nemunaire/447c989e9f098c679edb

77
content/post/ssh_keys.md Normal file
View file

@ -0,0 +1,77 @@
---
title: My private SSH keys managment
date: !!timestamp '2015-02-19 00:00:00'
update: !!timestamp '2017-07-23 22:45:00'
tags:
- cryptography
- ssh
---
I always have a different SSH key pair per machine. The aim is to really never
copy my private key from a machine to another over network or USB stick.
<!--more-->
## Client keys
With this approch, if one of my host is compromised and/or my key could have
been exposed, I have only to remove granted access to this key to host or
services (OK, that can be painful to find such services), but I can continue to
use other no-compromised keys to work.
As you can see on my [github](https://github.com/nemunaire.keys) account, I've
registered several keys, because I don't work from the same machine every time.
It can sometime be complicated to give me access to machine, but in most case,
I tend to centralize most of my outgoing connections from a single host, which
is in fact my home desktop: oupaout.
Here is a list of my keys' md5 fingerprints:
* `assouan`
* [`aton`](aton_ed25519.pub): 0d:89:02:4a:45:51:0c:43:e8:be:2e:99:38:5b:88:0e (ED25519)
* [`aton`](aton_rsa.pub): ee:61:d5:bf:b0:23:93:1a:bb:32:ef:34:10:fb:aa:77 (RSA 4096)
* `bastet` (legacy): 4a:51:80:24:b0:69:7a:59:fc:44:08:29:aa:15:42:5b (RSA 4096)
* EPITA personal rack (legacy): 91:95:bc:4e:e7:b2:5b:9c:7f:71:4a:7d:0a:43:80:17 (RSA 4096)
* EPITA SSH gate (legacy)
* EPITA YACKU laboratory (legacy): 80:7c:8e:42:53:ee:0f:b5:27:d5:63:ab:b4:5a:46 (RSA 4096)
* [`khonsou`](khonsou_ed25519.pub): 0d:89:02:4a:45:51:0c:43:e8:be:2e:99:38:5b:88:0e (ED25519)
* khonsou_old: f5:dc:fd:db:c8:ce:ec:df:33:86:54:58:05:7e:d2:74 (ED25519)
* `montou`: this machine can't be used as outgoing host.
* `nout`: this machine can't be used as outgoing host.
* `nout_old`: e8:69:71:3c:5e:cc:3c:d5:7d:a2:67:30:a9:35:df:24 (RSA 4096)
* [`ouaset`](ouaset.pub): 5e:01:65:8c:ae:9e:6e:f3:a5:88:80:16:fa:bf:d6:ac (ED25519)
* [`oupaout`](oupaout.pub): 30:04:ad:11:57:e0:e9:dc:a2:e0:d2:65:cd:60:9a:ab (ED25519)
* [Rescue key](rescue.pub): 30:15:a7:3f:0b:51:7a:53:7b:47:bd:00:21:55:ee:bd (RSA 4096)
* `satis`: this machine has no key pair yet.
* [`seth`](seth_ed25519.pub): 6a:1f:05:60:fa:6b:32:f3:2d:ba:e3:36:e7:6b:7b:13 (ED25519)
* [`seth`](seth_rsa.pub): 03:a9:3a:3a:e1:e0:99:24:69:15:cb:a5:58:5c:3f:6c (RSA 4096)
* `seth_old`: 97:8c:bc:9a:ec:62:8d:b8:1a:88:b1:0d:d9:62:1a:04 (RSA 4096)
### Get the fingerprint from a private or public key file
```sh
ssh-keygen -l -E md5 -f KEY_FILE
```
## Server keys
The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks:
The authenticity of host 'nemunai.re (203.0.113.42)' can't be established.
RSA key fingerprint is 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.
Are you sure you want to continue connecting (yes/no)?
you can use the following command: `ssh -o "VerifyHostKeyDNS yes" $HOSTNAME.nemunai.re`
[SSHFP]: http://tools.ietf.org/html/rfc4255
### Generate SSHFP records
SSHFP records can be generated with the following command:
```sh
ssh-keygen -r HOSTNAME
```