From 11f3c305279c26179ba0d727c3cba8551869cc02 Mon Sep 17 00:00:00 2001 From: Frieder Schlesier Date: Mon, 18 Jun 2018 21:46:35 +0200 Subject: [PATCH] why wasnt that a org-file in the first place? :D --- README.md | 99 ------------------------------------------------------ README.org | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+), 99 deletions(-) delete mode 100755 README.md create mode 100644 README.org diff --git a/README.md b/README.md deleted file mode 100755 index 67f8893..0000000 --- a/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# fschl dotfiles - -Things that make my linux life more comfortable, portable and secure. -For debian, or debian-based distros. using i3wm.org on the desktop. -And containers everywhere :) - -inspired by https://github.com/jessfraz - -## Questions this repos tries to answer - -- How long does it take for you to set up a machine? -- Do you have backups? -- Are you using a password manager? -- How do you transport your secrets? -- Can you get things done without *your* computer? - - Rescue+Recover friends laptops/computers - - panic-ops using a friends laptop - - -### Security - - -#### Hardening ssh - -- https://blog.g3rt.nl/upgrade-your-ssh-keys.html -- https://stribika.github.io/2015/01/04/secure-secure-shell.html -- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client -- see `/etc/ssh/ssh_config` and `.ssh/config` - -add this to `~/.ssh/config`: - -```bash -# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. -HashKnownHosts yes -# Host keys the client accepts - order here is honored by OpenSSH -HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 - -KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -``` - -*generating keys* - -```bash -# RSA keys are favored over ECDSA keys when backward compatibility ''is required'', -# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA). 
-$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" - -# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. -# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes). -$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" -``` - -#### GnuPG - -- https://wiki.mozilla.org/Security/Key_Management -- https://keyring.debian.org/creating-key.html -- https://wiki.debian.org/Subkeys - -`~/.gnupg/gpg.conf`: - -``` -personal-digest-preferences SHA512 SHA384 -cert-digest-algo SHA256 -default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed -keyid-format 0xlong -``` - -#### Managing logins & passphrases - -- use keepass2 - -#### Backup Secure Keys - -- get 2 USB Thumb drives -- on each, create 2 partitions (ext4, you will never use them on any windows device anyway) -- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption - -Nowadays it's mere chance to find a USB Thumb Drive with less than 4GB storage. -Though, you want a dedicated Drive to transport your password database, ssh keys and GPG keys. -Those dont require more than a couple MB. So what to do with the remaining space? - -Scenarios: - - - You visit friends, only have your keys with you and you have to check your mails, assist a colleague - in some network/ops emergency or just securely look up some important information. - - A family member calls, their HDD just died and you are asked to quickly help out on recovery. - -Boot into a safe environment, having all your credentials available in a secure manner. -Have a bootable forensics toolbox around to quickly get going in a familiar setup. - -Solution: multi-boot! - -## TODO - -- [ ] explain setup, ideas, practises -- [ ] add HOWTO -- [ ] seperate sources.list setup for server/desktop diff --git a/README.org b/README.org new file mode 100644 index 0000000..aeb5a7e --- /dev/null +++ b/README.org 
@@ -0,0 +1,98 @@ +* fschl dotfiles + + Things that make my linux life more comfortable, portable and secure. + For debian, or debian-based distros. using i3wm.org on the desktop. + And containers everywhere :) + + inspired by https://github.com/jessfraz + +** Questions this repos tries to answer + + - How long does it take for you to set up a machine? + - Do you have backups? + - Are you using a password manager? + - How do you transport your secrets? + - Can you get things done without *your* computer? + - Rescue+Recover friends laptops/computers + - panic-ops using a friends laptop + +*** Security + +**** Hardening ssh + + - https://blog.g3rt.nl/upgrade-your-ssh-keys.html + - https://stribika.github.io/2015/01/04/secure-secure-shell.html + - https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client + - see `/etc/ssh/ssh_config` and `.ssh/config` + + add this to `~/.ssh/config`: + + #+BEGIN_SRC bash + # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. 
+ HashKnownHosts yes + # Host keys the client accepts - order here is honored by OpenSSH + HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 + + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + + #+END_SRC + + *generating keys* + + #+BEGIN_SRC bash + # RSA keys are favored over ECDSA keys when backward compatibility ''is required'', + # thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA). + $ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" + + # ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. + # This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes). 
+ $ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" + #+END_SRC + +**** GnuPG + + - https://wiki.mozilla.org/Security/Key_Management + - https://keyring.debian.org/creating-key.html + - https://wiki.debian.org/Subkeys + + `~/.gnupg/gpg.conf`: + + #+BEGIN_SRC bash + personal-digest-preferences SHA512 SHA384 + cert-digest-algo SHA256 + default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed + keyid-format 0xlong + #+END_SRC + +**** Managing logins & passphrases + + - use a secure, cross-platform, _locale_ password manager, e.g keepass2 + +**** Backup Secure Keys + + - get 2 USB Thumb drives + - on each, create 2 partitions (ext4, you will never use them on any windows device anyway) + - https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption + + Nowadays it's mere chance to find a USB Thumb Drive with less than 4GB storage. + Though, you want a dedicated Drive to transport your password database, ssh keys and GPG keys. + Those dont require more than a couple MB. So what to do with the remaining space? + + Scenarios: + + - You visit friends, only have your keys with you and you have to check your mails, assist a colleague + in some network/ops emergency or just securely look up some important information. + - A family member calls, their HDD just died and you are asked to quickly help out on recovery. + + Boot into a safe environment, having all your credentials available in a secure manner. + Have a bootable forensics toolbox around to quickly get going in a familiar setup. + + Solution: multi-boot! + +** TODO + + - [ ] explain setup, ideas, practises + - [ ] add HOWTO + - [ ] seperate sources.list setup for server/desktop
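Review bot: For the README.md deletion hunk, the commit message should say this is a conversion (README.md → README.org) rather than a removal, and name the one content change that rides along: the "Managing logins & passphrases" bullet goes from `- use keepass2` to the more general password-manager wording. Reviewers comparing the two hunks otherwise have to re-read 99 deleted lines to confirm nothing else was dropped. The mode change from `100755` to `100644` is also worth a line in the message; a README never needed the executable bit, so dropping it is a correct side effect, but it is silent here.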
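Review bot: In the new README.org, the GnuPG block is tagged `#+BEGIN_SRC bash` but its body is `gpg.conf` content, not shell; tag it `#+BEGIN_SRC conf` so it is not exported or tangled as bash. In the key-generation block the two `ssh-keygen` lines keep a leading `$ ` prompt, which breaks copy-paste of an otherwise runnable snippet. The `HostKeyAlgorithms` line still lists `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, which use SHA-1 signatures; the RSA key generated below would be better served by preferring the `rsa-sha2-512` / `rsa-sha2-256` (and their `-cert-v01@openssh.com`) variants ahead of them. Spelling in the new text: `e.g` → `e.g.`, `_locale_` reads as if `local` was meant, `dont` → `don't`, `practises` → `practices`, `seperate` → `separate`.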