2018-06-18 21:46:35 +02:00
|
|
|
* fschl dotfiles
|
|
|
|
|
|
|
|
|
|
Things that make my linux life more comfortable, portable and secure.
|
|
|
|
|
For debian, or debian-based distros. using i3wm.org on the desktop.
|
|
|
|
|
And containers everywhere :)
|
|
|
|
|
|
|
|
|
|
inspired by https://github.com/jessfraz
|
|
|
|
|
|
|
|
|
|
** Questions this repos tries to answer
|
|
|
|
|
|
|
|
|
|
- How long does it take for you to set up a machine?
|
|
|
|
|
- Do you have backups?
|
|
|
|
|
- Are you using a password manager?
|
|
|
|
|
- How do you transport your secrets?
|
|
|
|
|
- Can you get things done without *your* computer?
|
|
|
|
|
- Rescue+Recover friends laptops/computers
|
|
|
|
|
- panic-ops using a friends laptop
|
|
|
|
|
|
|
|
|
|
*** Security
|
|
|
|
|
|
|
|
|
|
**** Hardening ssh
|
|
|
|
|
|
|
|
|
|
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
|
|
|
|
|
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
|
|
|
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
|
|
|
|
|
- see `/etc/ssh/ssh_config` and `.ssh/config`
|
|
|
|
|
|
|
|
|
|
add this to `~/.ssh/config`:
|
|
|
|
|
|
|
|
|
|
#+BEGIN_SRC bash
|
|
|
|
|
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
|
|
|
|
|
HashKnownHosts yes
|
|
|
|
|
# Host keys the client accepts - order here is honored by OpenSSH
|
|
|
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
|
|
|
|
|
|
|
|
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
|
|
|
|
|
|
|
#+END_SRC
|
|
|
|
|
|
|
|
|
|
*generating keys*
|
|
|
|
|
|
|
|
|
|
#+BEGIN_SRC bash
|
|
|
|
|
# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
|
|
|
|
|
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
|
|
|
|
|
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
|
|
|
|
|
|
|
|
|
|
# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
|
|
|
|
|
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
|
|
|
|
|
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
|
|
|
|
|
#+END_SRC
|
|
|
|
|
|
|
|
|
|
**** GnuPG
|
|
|
|
|
|
|
|
|
|
- https://wiki.mozilla.org/Security/Key_Management
|
|
|
|
|
- https://keyring.debian.org/creating-key.html
|
|
|
|
|
- https://wiki.debian.org/Subkeys
|
|
|
|
|
|
|
|
|
|
`~/.gnupg/gpg.conf`:
|
|
|
|
|
|
|
|
|
|
#+BEGIN_SRC bash
|
|
|
|
|
personal-digest-preferences SHA512 SHA384
|
|
|
|
|
cert-digest-algo SHA256
|
|
|
|
|
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
|
|
|
|
|
keyid-format 0xlong
|
|
|
|
|
#+END_SRC
|
|
|
|
|
|
|
|
|
|
**** Managing logins & passphrases
|
|
|
|
|
|
2018-11-23 18:26:40 +01:00
|
|
|
- use a secure, cross-platform, *cloudless* password manager, e.g keepass2
|
2018-06-18 21:46:35 +02:00
|
|
|
|
|
|
|
|
**** Backup Secure Keys
|
|
|
|
|
|
2018-11-12 11:48:41 +01:00
|
|
|
- get 2 USB thumb drives
|
2018-06-18 21:46:35 +02:00
|
|
|
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
|
|
|
|
|
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
|
|
|
|
|
|
2018-11-12 11:48:41 +01:00
|
|
|
Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage.
|
|
|
|
|
Though, you want a dedicated drive to transport your password database, ssh keys and GPG keys.
|
|
|
|
|
Those don't require more than a couple MB. So what to do with the remaining space?
|
2018-06-18 21:46:35 +02:00
|
|
|
|
|
|
|
|
Scenarios:
|
|
|
|
|
|
|
|
|
|
- You visit friends, only have your keys with you and you have to check your mails, assist a colleague
|
2018-11-12 11:48:41 +01:00
|
|
|
in some network/ops emergency or just securely look up some confidential information.
|
|
|
|
|
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.
|
2018-06-18 21:46:35 +02:00
|
|
|
|
|
|
|
|
Boot into a safe environment, having all your credentials available in a secure manner.
|
|
|
|
|
Have a bootable forensics toolbox around to quickly get going in a familiar setup.
|
|
|
|
|
|
|
|
|
|
Solution: multi-boot!
|
|
|
|
|
|
2018-11-23 18:26:40 +01:00
|
|
|
**** thumb drive setup
|
|
|
|
|
|
|
|
|
|
3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data
|
|
|
|
|
|
|
|
|
|
**** building kali linux iso [0/7]
|
|
|
|
|
|
|
|
|
|
- [ ] https://docs.kali.org/downloading/kali-linux-live-usb-install
|
|
|
|
|
- [ ] add encrypted persistence https://docs.kali.org/downloading/kali-linux-live-usb-persistence
|
|
|
|
|
- [ ] add kali meta packages https://www.kali.org/news/kali-linux-metapackages/
|
|
|
|
|
- [ ] https://docs.kali.org/development/live-build-a-custom-kali-iso
|
|
|
|
|
- [ ] customize live image contents https://live-team.pages.debian.net/live-manual/html/live-manual/customizing-contents.en.html#517
|
|
|
|
|
- [ ] add LUKS Nuke support https://www.kali.org/tutorials/nuke-kali-linux-luks/
|
|
|
|
|
- [ ] OPTIONAL add PowerShell https://www.kali.org/tutorials/installing-powershell-on-kali-linux/
|
|
|
|
|
|
|
|
|
|
** TODO [0/4]
|
2018-06-18 21:46:35 +02:00
|
|
|
|
|
|
|
|
- [ ] explain setup, ideas, practises
|
|
|
|
|
- [ ] add HOWTO
|
2018-11-12 11:48:41 +01:00
|
|
|
- [ ] seperate sources.list setup for server/desktop/laptop
|
2018-11-23 18:26:40 +01:00
|
|
|
- [ ] move to ansible for easier modularization of setup
|
