Update and complete articles

This commit is contained in:
nemunaire 2018-06-07 14:56:43 +02:00
parent 656caa697d
commit c3f23337a8
4 changed files with 60 additions and 26 deletions

View File

@ -18,7 +18,7 @@ I spend most of my free time to improve system support, document and **promote A
Check out my [local gitweb](https://git.nemunai.re) or my [GitHub](https://github.com/nemunaire) account. Check out my [local gitweb](https://git.nemunai.re) or my [GitHub](https://github.com/nemunaire) account.
<span class="fa fa-thumbs-o-down about-icon"></span> <span class="fa fa-thumbs-o-down about-icon"></span>
You won't find my on any social network, because I don't have time to sell my privacy for free (and I fight against most of them). You won't find me on any social network, because I don't have time to sell my privacy for free (and I fight against most of them).
<span class="fa fa-heart about-icon"></span> <span class="fa fa-heart about-icon"></span>
I'm crazy about any knowledge (mainly focus on sciences, typography, society, companies, faune and flora, ...) and am looking for more freedom and independence. I'm crazy about any knowledge (mainly focus on sciences, typography, society, companies, faune and flora, ...) and am looking for more freedom and independence.
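Review bot: two wording slips on the "I'm crazy about any knowledge" line survive this hunk and could be fixed alongside the `my` → `me` correction: `faune` should be `fauna` (`fauna and flora`), and `mainly focus on` reads better as `mainly focused on`. The `my` → `me` fix on the social-network line is correct.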

View File

@ -1,29 +1,34 @@
--- ---
title: Linux kernel configuration title: Linux Kernel Configurations
date: !!timestamp '2015-04-20 00:00:00' date: !!timestamp '2015-04-20 00:00:00'
update: !!timestamp '2017-07-24 00:18:00' update: !!timestamp '2018-06-07 11:33:00'
tags: tags:
- kernel - kernel
--- ---
My favorite distribution is [Gentoo], for 7 years now. My favorite distribution is [Gentoo], for 7 years now.
It allows me to have all the flexibility I need (the perfect world between stability with only legacy packages or recent ones on a constantly broken system; as in Gentoo, you always have choice) and it teaches me so many things each day.
As I'm used to control everything, here is a list of kernels' configurations I use currently.
<!--more--> <!--more-->
Here are some of my kernel configurations I use:
* [Dreamplug]: latest public Grsecurity kernel 4.9 (before, I used precompiled kernels from [Xilka]); * [Dreamplug]: latest public Grsecurity kernel 4.9 (before, I used precompiled kernels from [Xilka]);
* [Cubieboard 2]: Linux 3.4 [custom branch](https://github.com/cubieboard/linux-sunxi.git) for Allwinner A20 (dual-core ARMv7 Cortex-A7 and Mali400 MP2) + upstream patches on 3.4 not merged in the Allwinner tree; * [Cubieboard 2]: Linux 3.4 [custom branch](https://github.com/cubieboard/linux-sunxi.git) for Allwinner A20 (dual-core ARMv7 Cortex-A7 and Mali400 MP2) + upstream patches on 3.4 not merged in the Allwinner tree;
* [Odroid-C1]: Linux 3.10 [custom branch](https://github.com/hardkernel/linux.git) for the Amlogic S805 (quad-core ARMv7 Cortex-A5 and Mali450) + upstream patches on 3.10 not merged in the Hardkernel tree; * [Odroid-C1]: Linux 3.10 [custom branch](https://github.com/hardkernel/linux.git) for the Amlogic S805 (quad-core ARMv7 Cortex-A5 and Mali450) + upstream patches on 3.10 not merged in the Hardkernel tree;
* [Mirabox]: latest public Grsecurity kernel 4.9 for the Marvell Armada 370 (with all available features for the board enabled); * [Mirabox]: latest public Grsecurity kernel 4.9;
* [Cubox-i 4x4]: latest mainline kernel, currently 4.12; * [Cubox-i 4x4]: latest mainline kernel, currently 4.16, running OpenGL applications through etnaviv driver;
* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + upstream patches on 3.18 not merged in the imgtec tree. * [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + [upstream patches](https://github.com/nemunaire/CI20_linux.git) on 3.18 not merged in the imgtec tree;
* [ThinkPad X250]: latest public Grsecurity patches on 4.9 kernel.
* [Orange Pi PC]: latest mainline kernel, currently 4.17 on headless server.
[Gentoo]: http://www.gentoo.org/ [Gentoo]: http://www.gentoo.org/
[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.html [Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx
[Xilka]: http://www.xilka.com/sheeva/ [Xilka]: http://www.xilka.com/sheeva/
[Odroid-C1]: http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433 [Odroid-C1]: http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433
[Cubieboard 2]: http://cubieboard.org/model/cb2/ [Cubieboard 2]: http://cubieboard.org/model/cb2/
[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.html [Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx
[Cubox-i 4x4]: http://www.solid-run.com/product/cubox-i-4x4 [Cubox-i 4x4]: http://www.solid-run.com/product/cubox-i-4x4
[Creator CI20]: http://store.imgtec.com/uk/product/mips-creator-ci20/ [Creator CI20]: http://store.imgtec.com/uk/product/mips-creator-ci20/
[ThinkPad X250]: https://wiki.gentoo.org/wiki/Lenovo_Thinkpad_X250
[Orange Pi PC]: http://www.orangepi.org/orangepipc/
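Review bot: list punctuation is inconsistent in the new `[ThinkPad X250]` item, which ends with a period although `[Orange Pi PC]` now follows it; change it to a semicolon so only the final item closes with a period. Both Globalscale links are still broken after this change: `http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx` and `http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx` have no top-level domain in the host name, so swapping `.html` for `.aspx` alone will not make them resolve. The intro sentence `the perfect world between stability with only legacy packages or recent ones on a constantly broken system` is hard to parse; `the middle ground between a stable system stuck on old packages and a bleeding-edge one that keeps breaking` says the same thing more clearly.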

View File

@ -1,7 +1,7 @@
--- ---
title: PGP key title: PGP key
date: !!timestamp '2015-06-29 00:00:00' date: !!timestamp '2015-06-29 00:00:00'
update: !!timestamp '2017-07-24 00:45:00' update: !!timestamp '2018-06-07 12:40:00'
tags: tags:
- privacy - privacy
- cryptography - cryptography
@ -9,16 +9,47 @@ tags:
My personal PGP key is the following: [0x842807a84573cc96]. My personal PGP key is the following: [0x842807a84573cc96].
pub 4096R/4573CC96 2014-06-23 [expires: 2018-07-01] pub 4096R/4573CC96 2014-06-23 [expires: 2019-07-01]
Key fingerprint = E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96 Key fingerprint = E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96
uid Pierre-Olivier Mercier <nemunaire@nemunai.re> uid Pierre-Olivier Mercier <nemunaire@nemunai.re>
sub 4096R/9D2855C3 2014-06-23 [expires: 2018-07-01] sub 4096R/9D2855C3 2014-06-23 [expires: 2019-07-01]
<!--more--> <!--more-->
This key is also available through [OpenPGP DANE], generated by [this script]. I use PGP on a daily basis: each e-mail I sent is at least signed. Don't hesitate to send me encrypted or signed message.
My keyring is stored on a tamper resistant USB token (a [Nitrokey Pro]).
This is the only method I use to sign, encrypt or [authenticate](#ssh-authentication).
## DANE
My key is also available through [OpenPGP DANE].
You can retrieve it using `gpg` via:
gpg2 --auto-key-locate clear,dane -v --locate-key nemunaire@nemunai.re
I used [this script](https://gist.github.com/nemunaire/447c989e9f098c679edb) to generate the record.
With modern version of `gnupg`, it is also possible to get the DNS entry with the following command:
gpg2 --export-options export-minimal,export-dane --export 0xKEYID
## SSH Authentication
Sometimes I use my dedicated PGP key to log me on a remote SSH server. Here is its corresponding public ssh key :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnABr9AhXL9AYBQnM0GRcR9yLaKheLcxXykTSEbKP4X/R5BElSS5iF+T+MPi1ym7AtcuFcHXqNdEhb3j6zvqk3sY069sg0zio/jQzWTtKjYVtCiE4SleFrb5I012IwFhPCUArVqhHrfuj8wtg5isl1CSIYii+bpFLbrAGqBcydfcN/Z/vd7jbGEdmHR1RYwE+TzJl1aPiWpqMg9PyaJudNcuxrWjHcHtAomT0CGn2OGREUZS9rcFomCqw7JW9moaWqDSaW+aNX+xTJISo6TiAB4nNOpvTMl6BWPJ5e2eqn4xQACuTb/EVCuAJGeQ8BQudanxRXrfpdgHATsJxldTau2CCmIrZrg2We0ZfiGZ7KEwf3isAyzH9FK/gmb29XeDfvE/UpTTijaPo8xgiH3Ag0ZBk1wb3PVneN9fQGpVogOxR/HwfqOl376N6kTQIhvAFaU/wJnHQ4Z0CBekOxC9XptrihUdW7ashP6arrhYzlyNUPrRGiLmab9jsqsvP7aDRFEpWa/cd9nD2Mp1JNj51ZeqwT5Juo3ElMCfoTy5IAyc6QUTtIdYRgukLjiO8k5NBi8/Yzm1lNzf3cRZdh5ZIS0AUO2Celi97WXiHrU841OqsuMBgdCDnOuG3X8qU+pyT7836XSjglLEwABtXUSWULf06AoPVJe4+cxi3NWfxJiQ==
## Teaching PGP
Each year, I ask my students at [EPITA](https://www.epita.fr/), a French computer science school, to sign their work when they send them to me, by e-mail.
As it is not always easy for them, I developed a script to automatically check the correctness of their signature: [peret](https://git.nemunai.re/?p=lectures/peret.git).
[0x842807a84573cc96]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x842807A84573CC96 [0x842807a84573cc96]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x842807A84573CC96
[Nitrokey Pro]: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
[OpenPGP DANE]: https://www.ietf.org/id/draft-ietf-dane-openpgpkey-06.txt [OpenPGP DANE]: https://www.ietf.org/id/draft-ietf-dane-openpgpkey-06.txt
[this script]: https://gist.github.com/nemunaire/447c989e9f098c679edb
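Review bot: the `[0x842807a84573cc96]` reference still points at plain `http://pgp.mit.edu/...`; switch it to `https://` where the server offers it and, since the page already prints the full fingerprint `E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96`, tell readers to compare that fingerprint against whatever the keyserver or the DANE lookup returns rather than trust either channel on its own. Grammar in the new paragraphs: `each e-mail I sent is at least signed` → `I send`; `send me encrypted or signed message` → `messages`; `to log me on a remote SSH server` → `to log in to a remote SSH server`; drop the space before the colon in `public ssh key :`. The retrieval sentence says `using gpg` but the command that follows is `gpg2`, so use one name consistently, and `With modern version of gnupg` would be more useful as the minimum GnuPG version that accepts `export-dane`. Removing the `[this script]` reference definition is correct now that the link is inlined.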

View File

@ -7,24 +7,17 @@ tags:
- ssh - ssh
--- ---
I always have a different SSH key pair per machine. The aim is to really never I always have a different SSH key pair per machine. The aim is to really never copy my private key from a machine to another over network or USB stick.
copy my private key from a machine to another over network or USB stick.
<!--more--> <!--more-->
## Client keys ## Client keys
With this approch, if one of my host is compromised and/or my key could have With this approach, if one of my host is compromised and/or my key could have been exposed, I have only to remove granted access to this key to host or services (OK, that can be painful to find such services), but I can continue to use other no-compromised keys to work.
been exposed, I have only to remove granted access to this key to host or
services (OK, that can be painful to find such services), but I can continue to
use other no-compromised keys to work.
As you can see on my [github](https://github.com/nemunaire.keys) account, I've As you can see on my [github](https://github.com/nemunaire.keys) account, I've registered several keys, because I don't work from the same machine every time.
registered several keys, because I don't work from the same machine every time.
It can sometime be complicated to give me access to machine, but in most case, It can sometime be complicated to give me access to machine, but in most case, I tend to centralize most of my outgoing connections from a single host, which is in fact my home desktop: oupaout.
I tend to centralize most of my outgoing connections from a single host, which
is in fact my home desktop: oupaout.
Here is a list of my keys' md5 fingerprints: Here is a list of my keys' md5 fingerprints:
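Review bot: the list header advertises `md5 fingerprints` only; consider adding the SHA256 form of each key alongside, since a reader comparing against a recent OpenSSH client will otherwise see a different format than the one printed here (the `ssh-keygen -l -E md5 -f KEY_FILE` command shown further down in this file is already parameterised on `-E md5`, so the same command without that flag gives the other form). Wording in the reflowed lines: `one of my host` → `hosts`, `no-compromised` → `non-compromised`, `It can sometime be complicated` → `sometimes`, `in most case` → `cases`. The reflow itself (joining the hard-wrapped lines into single lines) is a pure whitespace change and looks fine.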
@ -55,6 +48,11 @@ ssh-keygen -l -E md5 -f KEY_FILE
``` ```
### Usign PGP
Sometime, I use my authentication PGP key as SSH key. Read the [related article]({{< relref "post/pgp_key.md#ssh-authentication" >}}) to view the public key.
## Server keys ## Server keys
The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks: The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks:
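Review bot: typo in the new heading `### Usign PGP` → `### Using PGP`, and `Sometime, I use` → `Sometimes, I use`. The `relref` to `post/pgp_key.md#ssh-authentication` depends on the `## SSH Authentication` heading added to `pgp_key.md` in this same commit rendering with the anchor `ssh-authentication`; keep the two in sync if either is renamed. In the unchanged context line, the comma after `domain` in `The nemunai.re domain, contains` is stray, and `To avoid answering this message without further checks:` does not say which message is meant; name it explicitly.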