Improve architecture with page bundles

2023-05-23 11:23:47 +02:00 · 2023-05-23 11:23:47 +02:00 · 7a638e7fbb
commit 7a638e7fbb
parent 0b1902cd1a
26 changed files with 0 additions and 0 deletions
--- a/content/en/post/ssh_keys/aton_ed25519.pub
+++ b/content/en/post/ssh_keys/aton_ed25519.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSbCCfFO1+yxogpg1DfCPSQU48oWqYM6/05TYzNhPmc nemunaire@aton
--- a/content/en/post/ssh_keys/aton_rsa.pub
+++ b/content/en/post/ssh_keys/aton_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwwJxAJ99OK0W6CPV/0aDTFlts9xzEKKc+V8r2f0zaXpxuKSGgeWVOrSFU0nTEOZGlGh5kBIBHlizaeh9Bb5Io0V8Hafljwx/yJ+51czlnyoRZ49VDnufEd+qVW8Up8Kelsro+y+hu9BAcUoPhjlj+QyeUkEO1ytJFFi7LLelXGGHNiM3cYR9ewncy4oDIQNOrSgTrjdHjP2+0Zh0QV92SfX4KAUFfgW2BMhUi5/gk8aLMJQnRNaO2dVtWQoxLf03LEW87oRcnvepZR/IfUkAdjqp2dSQiSKjNUXdKkNSoZ+ErVSm3vTSbx9ju7Rk7i53so4uYIK0gGiGj1XJX8uIH/CllteLu84+ztCX+s4ouUWz0PuZYkm9B9JJ0JpqEdYS5tf7jWagMAvaluCWbHxpCNylzOCfne3Xa9X7vv4Jo0DdDMwQpyKXqa2AxBMPLVJ+hBKSTjkQUZUezfVgNjauIBOwsqwPLifxpMLOXFp2dTD98ZlfruTCOW11Wn2XeQmrVdI12ZPIDFv8ayAxQyAxo0zMQEKU4z0xuTtC+DG9KNKsxjROSWnxT0poWrL9ZZrWduLfAgTerX2HkUZ+ihQMQbAMMVSdg2JdPafW2ZX+ikjD8J/DffOYE0t4UlqucV7Vl/jwKZpcP65nKfFMK1q5oH8QvI7azt+yUHOBIcJCBSQ== nemunaire@alarm
--- a/content/en/post/ssh_keys/index.md
+++ b/content/en/post/ssh_keys/index.md
@ -0,0 +1,75 @@
+---
+title: My private SSH keys managment
+date: !!timestamp '2015-02-19 00:00:00'
+update: !!timestamp '2017-07-23 22:45:00'
+tags:
+    - cryptography
+    - ssh
+---
+
+I always have a different SSH key pair per machine. The aim is to really never copy my private key from a machine to another over network or USB stick.
+
+<!--more-->
+
+## Client keys
+
+With this approach, if one of my host is compromised and/or my key could have been exposed, I have only to remove granted access to this key to host or services (OK, that can be painful to find such services), but I can continue to use other no-compromised keys to work.
+
+As you can see on my [github](https://github.com/nemunaire.keys) account, I've registered several keys, because I don't work from the same machine every time.
+
+It can sometime be complicated to give me access to machine, but in most case, I tend to centralize most of my outgoing connections from a single host, which is in fact my home desktop: oupaout.
+
+Here is a list of my keys' md5 fingerprints:
+
+* `assouan`
+* [`aton`](aton_ed25519.pub): 0d:89:02:4a:45:51:0c:43:e8:be:2e:99:38:5b:88:0e (ED25519)
+* [`aton`](aton_rsa.pub): ee:61:d5:bf:b0:23:93:1a:bb:32:ef:34:10:fb:aa:77 (RSA 4096)
+* `bastet` (legacy): 4a:51:80:24:b0:69:7a:59:fc:44:08:29:aa:15:42:5b (RSA 4096)
+* EPITA personal rack (legacy): 91:95:bc:4e:e7:b2:5b:9c:7f:71:4a:7d:0a:43:80:17 (RSA 4096)
+* EPITA SSH gate (legacy)
+* EPITA YACKU laboratory (legacy): 80:7c:8e:42:53:ee:0f:b5:27:d5:63:ab:b4:5a:46 (RSA 4096)
+* [`khonsou`](khonsou_ed25519.pub): 0d:89:02:4a:45:51:0c:43:e8:be:2e:99:38:5b:88:0e (ED25519)
+* khonsou_old: f5:dc:fd:db:c8:ce:ec:df:33:86:54:58:05:7e:d2:74 (ED25519)
+* `montou`: this machine can't be used as outgoing host.
+* `nout`: this machine can't be used as outgoing host.
+* `nout_old`: e8:69:71:3c:5e:cc:3c:d5:7d:a2:67:30:a9:35:df:24 (RSA 4096)
+* [`ouaset`](ouaset.pub): 5e:01:65:8c:ae:9e:6e:f3:a5:88:80:16:fa:bf:d6:ac (ED25519)
+* [`oupaout`](oupaout.pub): 30:04:ad:11:57:e0:e9:dc:a2:e0:d2:65:cd:60:9a:ab (ED25519)
+* [Rescue key](rescue.pub): 30:15:a7:3f:0b:51:7a:53:7b:47:bd:00:21:55:ee:bd (RSA 4096)
+* `satis`: this machine has no key pair yet.
+* [`seth`](seth_ed25519.pub): 6a:1f:05:60:fa:6b:32:f3:2d:ba:e3:36:e7:6b:7b:13 (ED25519)
+* [`seth`](seth_rsa.pub): 03:a9:3a:3a:e1:e0:99:24:69:15:cb:a5:58:5c:3f:6c (RSA 4096)
+* `seth_old`: 97:8c:bc:9a:ec:62:8d:b8:1a:88:b1:0d:d9:62:1a:04 (RSA 4096)
+
+### Get the fingerprint from a private or public key file
+
+```sh
+ssh-keygen -l -E md5 -f KEY_FILE
+```
+
+
+### Usign PGP
+
+Sometime, I use my authentication PGP key as SSH key. Read the [related article]({{< relref "/post/pgp_key.md#ssh-authentication" >}}) to view the public key.
+
+
+## Server keys
+
+The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks:
+
+    The authenticity of host 'nemunai.re (203.0.113.42)' can't be established.
+    RSA key fingerprint is 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.
+    Are you sure you want to continue connecting (yes/no)?
+
+you can use the following command: `ssh -o "VerifyHostKeyDNS yes" $HOSTNAME.nemunai.re`
+
+[SSHFP]: http://tools.ietf.org/html/rfc4255
+
+
+### Generate SSHFP records
+
+SSHFP records can be generated with the following command:
+
+```sh
+ssh-keygen -r HOSTNAME
+```
--- a/content/en/post/ssh_keys/khonsou_ed25519.pub
+++ b/content/en/post/ssh_keys/khonsou_ed25519.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO/3qKhSUbGYZBVraFo68oScJahRDNQfG+uwDQlLv7g nemunaire@khonsou
--- a/content/en/post/ssh_keys/ouaset.pub
+++ b/content/en/post/ssh_keys/ouaset.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBpFOv1s7mVb6XWPOLd1U+jzt5WA04CnuJVmY5TvaMhw nemunaire@ouaset
--- a/content/en/post/ssh_keys/oupaout.pub
+++ b/content/en/post/ssh_keys/oupaout.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/Aa53VeE2XWjo/ItqtuLZ9Jd9oHfhzSjPl6KLEqkBS nemunaire@oupaout
--- a/content/en/post/ssh_keys/rescue.pub
+++ b/content/en/post/ssh_keys/rescue.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA5oAoOMAr8RrsBmOE1kyiD6C5+qbdK0NgSS3ZlNOn4dpkD1w5hmrGwGT4O2P8vCC9o95sLRzvrxkHbs+YZhsz04uxmG4zEgS+x1BZuaQBt1V1hBWk8ldqPfZfAEauPQeQZMdKJfbJKYzecRLWIh2jK1sMx0Vmd3CfU/FwEHdlJh3oTKWFsAlukSYnql2dXG3VMzRpaRyh4uu5wFA+Ya6CE5OjcM4o9/JSfGxErK4fvnSPpbplraKqpKvEqX4XC70u5JCLlWSfJ2Es0nIeQ+0QhYxQt4MsaUCBkFoU10wyaDstWfzE4TiMBmrI+JnrbJiODUxsdoKQGS1ZS2EIP7tUjl9N/Z/x6IAPS4TxMTu9dY+k2hRVvpM1h7vwsTPxINlaoPHeni7TF3M6ksR0chQXtbsKBuCAxOnKKoB13WhQcR60G0hqK/5JSTqYiAG2hwlEJTqqcWuYIlgOpWhyQ8cfbL5Xb5SaZmADp6GOoxJxGbjOrnGMLEPcUPkok6hqt1SgegCTJa1nYmpdzutPCJYy3HCd93L8Uwr/+FBJtAY5Imu6gIgmUW+scOzjZbXRYocjClemYPz/mb7ZSuMT3OfrsqaqZ3IJnXi70l7jH6I3DXY8BOgwQM2zkfPJKWHKPrQfTdhfpBq2Nf/kvQERTfqOWGm7YMa5+dP9NUBGbuCCo8E= nemunaire@ssh
--- a/content/en/post/ssh_keys/seth_ed25519.pub
+++ b/content/en/post/ssh_keys/seth_ed25519.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9udkt8V/GFYwa4TMz7XHdedBSTScXxTAdJDdriu/AC nemunaire@seth
--- a/content/en/post/ssh_keys/seth_rsa.pub
+++ b/content/en/post/ssh_keys/seth_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlU/aEbNdDHR2bAmzDY2hIowGfa9oNGyL69tzEK2cpOa+u7PwNzCzWPLytwsO9frOylNtRDiTckbVNdPxMZDkZieeZ5PqWEvWe7hbsh+xds1An2t3tEX6x3QWrxZZo2SNTgck5IqPcufBG+cFxJZlK8pZGkDwGw+x6mHJdLZL2bgMwwvutw1BSF/atF6GLZpztX/y1FM6JQpMCAsrzESoUpDD/Q7BEGb7wCYt+eq/51jUS60g0fC7ob2Xl/nhmnWUkg3U+x/DyY0foqiOMGhSaXdkerfyZMpLCURvH6sOT8EzNzzLRj66Ht8043Vqysoq+pFtj8zyTNVi76QWMkNK7avKXl+rK6dW9zAQidmZcnwPl0qAlkWQjhOgA7xe2TdTM5Yl6HXpmT6T6PHCsIggyCxgCg2ao+ptqPJ4UwvGP2bAz8uLdQp4t+q1hp825o7EtvtnJpJMTksNwOe96iCFjm90O+pmOhLTRVDtgdAknmtIovHnOrZX2zbo1XZHATRx6QOrGwIHU8drSMy878Fd9lb3HVx+595rQ7gh+2Qu87vqk1kZPTFSbn7nMB/l2ROVp4zagXzN8T7Ek3CRP/mIrzyU/3WhOGhbB+bkvWrWRRBnejxQLZkMPl9vAZ5VSNZ2K1OTHasQBy9PaMW5ucd83Jv+jl+xPoJbXsvpzbu6EHw== nemunaire@seth
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSbCCfFO1+yxogpg1DfCPSQU48oWqYM6/05TYzNhPmc nemunaire@aton`
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwwJxAJ99OK0W6CPV/0aDTFlts9xzEKKc+V8r2f0zaXpxuKSGgeWVOrSFU0nTEOZGlGh5kBIBHlizaeh9Bb5Io0V8Hafljwx/yJ+51czlnyoRZ49VDnufEd+qVW8Up8Kelsro+y+hu9BAcUoPhjlj+QyeUkEO1ytJFFi7LLelXGGHNiM3cYR9ewncy4oDIQNOrSgTrjdHjP2+0Zh0QV92SfX4KAUFfgW2BMhUi5/gk8aLMJQnRNaO2dVtWQoxLf03LEW87oRcnvepZR/IfUkAdjqp2dSQiSKjNUXdKkNSoZ+ErVSm3vTSbx9ju7Rk7i53so4uYIK0gGiGj1XJX8uIH/CllteLu84+ztCX+s4ouUWz0PuZYkm9B9JJ0JpqEdYS5tf7jWagMAvaluCWbHxpCNylzOCfne3Xa9X7vv4Jo0DdDMwQpyKXqa2AxBMPLVJ+hBKSTjkQUZUezfVgNjauIBOwsqwPLifxpMLOXFp2dTD98ZlfruTCOW11Wn2XeQmrVdI12ZPIDFv8ayAxQyAxo0zMQEKU4z0xuTtC+DG9KNKsxjROSWnxT0poWrL9ZZrWduLfAgTerX2HkUZ+ihQMQbAMMVSdg2JdPafW2ZX+ikjD8J/DffOYE0t4UlqucV7Vl/jwKZpcP65nKfFMK1q5oH8QvI7azt+yUHOBIcJCBSQ== nemunaire@alarm
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO/3qKhSUbGYZBVraFo68oScJahRDNQfG+uwDQlLv7g nemunaire@khonsou`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBpFOv1s7mVb6XWPOLd1U+jzt5WA04CnuJVmY5TvaMhw nemunaire@ouaset`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/Aa53VeE2XWjo/ItqtuLZ9Jd9oHfhzSjPl6KLEqkBS nemunaire@oupaout`
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA5oAoOMAr8RrsBmOE1kyiD6C5+qbdK0NgSS3ZlNOn4dpkD1w5hmrGwGT4O2P8vCC9o95sLRzvrxkHbs+YZhsz04uxmG4zEgS+x1BZuaQBt1V1hBWk8ldqPfZfAEauPQeQZMdKJfbJKYzecRLWIh2jK1sMx0Vmd3CfU/FwEHdlJh3oTKWFsAlukSYnql2dXG3VMzRpaRyh4uu5wFA+Ya6CE5OjcM4o9/JSfGxErK4fvnSPpbplraKqpKvEqX4XC70u5JCLlWSfJ2Es0nIeQ+0QhYxQt4MsaUCBkFoU10wyaDstWfzE4TiMBmrI+JnrbJiODUxsdoKQGS1ZS2EIP7tUjl9N/Z/x6IAPS4TxMTu9dY+k2hRVvpM1h7vwsTPxINlaoPHeni7TF3M6ksR0chQXtbsKBuCAxOnKKoB13WhQcR60G0hqK/5JSTqYiAG2hwlEJTqqcWuYIlgOpWhyQ8cfbL5Xb5SaZmADp6GOoxJxGbjOrnGMLEPcUPkok6hqt1SgegCTJa1nYmpdzutPCJYy3HCd93L8Uwr/+FBJtAY5Imu6gIgmUW+scOzjZbXRYocjClemYPz/mb7ZSuMT3OfrsqaqZ3IJnXi70l7jH6I3DXY8BOgwQM2zkfPJKWHKPrQfTdhfpBq2Nf/kvQERTfqOWGm7YMa5+dP9NUBGbuCCo8E= nemunaire@ssh
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9udkt8V/GFYwa4TMz7XHdedBSTScXxTAdJDdriu/AC nemunaire@seth`
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlU/aEbNdDHR2bAmzDY2hIowGfa9oNGyL69tzEK2cpOa+u7PwNzCzWPLytwsO9frOylNtRDiTckbVNdPxMZDkZieeZ5PqWEvWe7hbsh+xds1An2t3tEX6x3QWrxZZo2SNTgck5IqPcufBG+cFxJZlK8pZGkDwGw+x6mHJdLZL2bgMwwvutw1BSF/atF6GLZpztX/y1FM6JQpMCAsrzESoUpDD/Q7BEGb7wCYt+eq/51jUS60g0fC7ob2Xl/nhmnWUkg3U+x/DyY0foqiOMGhSaXdkerfyZMpLCURvH6sOT8EzNzzLRj66Ht8043Vqysoq+pFtj8zyTNVi76QWMkNK7avKXl+rK6dW9zAQidmZcnwPl0qAlkWQjhOgA7xe2TdTM5Yl6HXpmT6T6PHCsIggyCxgCg2ao+ptqPJ4UwvGP2bAz8uLdQp4t+q1hp825o7EtvtnJpJMTksNwOe96iCFjm90O+pmOhLTRVDtgdAknmtIovHnOrZX2zbo1XZHATRx6QOrGwIHU8drSMy878Fd9lb3HVx+595rQ7gh+2Qu87vqk1kZPTFSbn7nMB/l2ROVp4zagXzN8T7Ek3CRP/mIrzyU/3WhOGhbB+bkvWrWRRBnejxQLZkMPl9vAZ5VSNZ2K1OTHasQBy9PaMW5ucd83Jv+jl+xPoJbXsvpzbu6EHw== nemunaire@seth