Update and complete articles

This commit is contained in:
nemunaire 2018-06-07 14:56:43 +02:00
parent 656caa697d
commit c3f23337a8
4 changed files with 60 additions and 26 deletions

View File

@ -18,7 +18,7 @@ I spend most of my free time to improve system support, document and **promote A
Check out my [local gitweb](https://git.nemunai.re) or my [GitHub](https://github.com/nemunaire) account.
<span class="fa fa-thumbs-o-down about-icon"></span>
You won't find my on any social network, because I don't have time to sell my privacy for free (and I fight against most of them).
You won't find me on any social network, because I don't have time to sell my privacy for free (and I fight against most of them).
<span class="fa fa-heart about-icon"></span>
I'm crazy about any knowledge (mainly focus on sciences, typography, society, companies, faune and flora, ...) and am looking for more freedom and independence.
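Review bot: the "my" to "me" fix is fine, but the trailing context line still reads "mainly focus on sciences" and "faune and flora"; since this paragraph is being touched, suggest "mainly focused on sciences" and the English spelling "fauna and flora" in the same commit.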

View File

@ -1,29 +1,34 @@
---
title: Linux kernel configuration
title: Linux Kernel Configurations
date: !!timestamp '2015-04-20 00:00:00'
update: !!timestamp '2017-07-24 00:18:00'
update: !!timestamp '2018-06-07 11:33:00'
tags:
- kernel
---
My favorite distribution is [Gentoo], for 7 years now.
It allows me to have all the flexibility I need (the perfect world between stability with only legacy packages or recent ones on a constantly broken system; as in Gentoo, you always have choice) and it teaches me so many things each day.
As I'm used to control everything, here is a list of kernels' configurations I use currently.
<!--more-->
Here are some of my kernel configurations I use:
* [Dreamplug]: latest public Grsecurity kernel 4.9 (before, I used precompiled kernels from [Xilka]);
* [Cubieboard 2]: Linux 3.4 [custom branch](https://github.com/cubieboard/linux-sunxi.git) for Allwinner A20 (dual-core ARMv7 Cortex-A7 and Mali400 MP2) + upstream patches on 3.4 not merged in the Allwinner tree;
* [Odroid-C1]: Linux 3.10 [custom branch](https://github.com/hardkernel/linux.git) for the Amlogic S805 (quad-core ARMv7 Cortex-A5 and Mali450) + upstream patches on 3.10 not merged in the Hardkernel tree;
* [Mirabox]: latest public Grsecurity kernel 4.9 for the Marvell Armada 370 (with all available features for the board enabled);
* [Cubox-i 4x4]: latest mainline kernel, currently 4.12;
* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + upstream patches on 3.18 not merged in the imgtec tree.
* [Mirabox]: latest public Grsecurity kernel 4.9;
* [Cubox-i 4x4]: latest mainline kernel, currently 4.16, running OpenGL applications through etnaviv driver;
* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + [upstream patches](https://github.com/nemunaire/CI20_linux.git) on 3.18 not merged in the imgtec tree;
* [ThinkPad X250]: latest public Grsecurity patches on 4.9 kernel.
* [Orange Pi PC]: latest mainline kernel, currently 4.17 on headless server.
[Gentoo]: http://www.gentoo.org/
[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.html
[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx
[Xilka]: http://www.xilka.com/sheeva/
[Odroid-C1]: http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433
[Cubieboard 2]: http://cubieboard.org/model/cb2/
[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.html
[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx
[Cubox-i 4x4]: http://www.solid-run.com/product/cubox-i-4x4
[Creator CI20]: http://store.imgtec.com/uk/product/mips-creator-ci20/
[ThinkPad X250]: https://wiki.gentoo.org/wiki/Lenovo_Thinkpad_X250
[Orange Pi PC]: http://www.orangepi.org/orangepipc/
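Review bot: the two globalscaletechnologies links are still broken after this change: both the replaced and the replacement lines for `[Dreamplug]` and `[Mirabox]` use `http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx` and `http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx`, i.e. a host with no top-level domain, so swapping `.html` for `.aspx` does not make them resolve; the hostname needs its domain suffix added. Also, the list punctuation is now inconsistent: the `[ThinkPad X250]` item ends with a period while a new `[Orange Pi PC]` item follows it, so the X250 line should end with `;` and only the last item with `.`.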

View File

@ -1,7 +1,7 @@
---
title: PGP key
date: !!timestamp '2015-06-29 00:00:00'
update: !!timestamp '2017-07-24 00:45:00'
update: !!timestamp '2018-06-07 12:40:00'
tags:
- privacy
- cryptography
@ -9,16 +9,47 @@ tags:
My personal PGP key is the following: [0x842807a84573cc96].
pub 4096R/4573CC96 2014-06-23 [expires: 2018-07-01]
pub 4096R/4573CC96 2014-06-23 [expires: 2019-07-01]
Key fingerprint = E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96
uid Pierre-Olivier Mercier <nemunaire@nemunai.re>
sub 4096R/9D2855C3 2014-06-23 [expires: 2018-07-01]
sub 4096R/9D2855C3 2014-06-23 [expires: 2019-07-01]
<!--more-->
This key is also available through [OpenPGP DANE], generated by [this script].
I use PGP on a daily basis: each e-mail I sent is at least signed. Don't hesitate to send me encrypted or signed message.
My keyring is stored on a tamper resistant USB token (a [Nitrokey Pro]).
This is the only method I use to sign, encrypt or [authenticate](#ssh-authentication).
## DANE
My key is also available through [OpenPGP DANE].
You can retrieve it using `gpg` via:
gpg2 --auto-key-locate clear,dane -v --locate-key nemunaire@nemunai.re
I used [this script](https://gist.github.com/nemunaire/447c989e9f098c679edb) to generate the record.
With modern version of `gnupg`, it is also possible to get the DNS entry with the following command:
gpg2 --export-options export-minimal,export-dane --export 0xKEYID
## SSH Authentication
Sometimes I use my dedicated PGP key to log me on a remote SSH server. Here is its corresponding public ssh key :
ssh-rsa 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
## Teaching PGP
Each year, I ask my students at [EPITA](https://www.epita.fr/), a French computer science school, to sign their work when they send them to me, by e-mail.
As it is not always easy for them, I developed a script to automatically check the correctness of their signature: [peret](https://git.nemunai.re/?p=lectures/peret.git).
[0x842807a84573cc96]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x842807A84573CC96
[Nitrokey Pro]: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
[OpenPGP DANE]: https://www.ietf.org/id/draft-ietf-dane-openpgpkey-06.txt
[this script]: https://gist.github.com/nemunaire/447c989e9f098c679edb
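Review bot: the `[this script]` reference definition at the end of the file looks unused once the old sentence "generated by [this script]" is replaced by "My key is also available through [OpenPGP DANE]." and the new DANE section links the gist inline; either drop the definition or reuse it in "I used [this script] to generate the record." Two smaller points in the added lines: the two `gpg2` commands are bare paragraphs, whereas the SSH article in this same commit fences its commands, so a code fence around `gpg2 --auto-key-locate clear,dane -v --locate-key nemunaire@nemunai.re` and `gpg2 --export-options export-minimal,export-dane --export 0xKEYID` would render them consistently; and "each e-mail I sent is at least signed" / "send me encrypted or signed message" / "to log me on a remote SSH server" / "public ssh key :" read better as "each e-mail I send", "encrypted or signed messages", "to log in to a remote SSH server" and "public SSH key:" (no space before the colon).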

View File

@ -7,24 +7,17 @@ tags:
- ssh
---
I always have a different SSH key pair per machine. The aim is to really never
copy my private key from a machine to another over network or USB stick.
I always have a different SSH key pair per machine. The aim is to really never copy my private key from a machine to another over network or USB stick.
<!--more-->
## Client keys
With this approch, if one of my host is compromised and/or my key could have
been exposed, I have only to remove granted access to this key to host or
services (OK, that can be painful to find such services), but I can continue to
use other no-compromised keys to work.
With this approach, if one of my host is compromised and/or my key could have been exposed, I have only to remove granted access to this key to host or services (OK, that can be painful to find such services), but I can continue to use other no-compromised keys to work.
As you can see on my [github](https://github.com/nemunaire.keys) account, I've
registered several keys, because I don't work from the same machine every time.
As you can see on my [github](https://github.com/nemunaire.keys) account, I've registered several keys, because I don't work from the same machine every time.
It can sometime be complicated to give me access to machine, but in most case,
I tend to centralize most of my outgoing connections from a single host, which
is in fact my home desktop: oupaout.
It can sometime be complicated to give me access to machine, but in most case, I tend to centralize most of my outgoing connections from a single host, which is in fact my home desktop: oupaout.
Here is a list of my keys' md5 fingerprints:
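Review bot: the rewrap fixes "approch" but carries the other slips into the new single-line paragraphs: "one of my host" should be "one of my hosts", "no-compromised keys" should be "non-compromised keys", "It can sometime be complicated to give me access to machine, but in most case" should be "It can sometimes be complicated to give me access to a machine, but in most cases". Since the fingerprint list that follows is explicitly MD5 (`ssh-keygen -l -E md5`), consider also listing the SHA256 fingerprints, which is what a current `ssh-keygen -l` prints by default, so readers on newer OpenSSH can compare without passing `-E md5`.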
@ -55,6 +48,11 @@ ssh-keygen -l -E md5 -f KEY_FILE
```
### Usign PGP
Sometime, I use my authentication PGP key as SSH key. Read the [related article]({{< relref "post/pgp_key.md#ssh-authentication" >}}) to view the public key.
## Server keys
The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks:
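Review bot: the new sub-heading "### Usign PGP" has a typo and should read "### Using PGP". In the trailing context, "The `nemunai.re` domain, contains [SSHFP] records" has a stray comma after "domain", and "To avoid answering this message without further checks:" does not say which message is meant; naming it (the host-key verification prompt shown on first connection) would make the sentence stand on its own.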