From 99e95474bcee6aa0e5158fff8e2c5933f3fac0b5 Mon Sep 17 00:00:00 2001 From: Frieder Schlesier Date: Sun, 2 Oct 2016 23:52:09 +0200 Subject: [PATCH] add some notes --- LICENSE.md | 2 +- README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 62 insertions(+), 3 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 0c435b8..f360385 100755 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015 Frieder Schlesier +Copyright (c) 2016 Frieder Schlesier Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in diff --git a/README.md b/README.md index 02c92c5..34245bf 100755 --- a/README.md +++ b/README.md 
@@ -1,4 +1,63 @@ -# dotfiles +# fschl dotfiles -some stuff that makes my linux life more portable and comfortable. uses containers. strongly inspired by awesome work by https://github.com/jfrazelle +some stuff that makes my linux life more portable and comfortable. +for debian, or debian-based distros. using i3wm.org on the desktop. +also uses containers. +strongly inspired by awesome work by https://github.com/jessfraz + +## Notes + + +### Security + +#### Hardening ssh + +- https://blog.g3rt.nl/upgrade-your-ssh-keys.html +- https://stribika.github.io/2015/01/04/secure-secure-shell.html +- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client + +add this to `~/.ssh/config`: + +``` +# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. +HashKnownHosts yes +# Host keys the client accepts - order here is honored by OpenSSH +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 + +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +``` + +*generating keys* + +```bash +# RSA keys are favored over ECDSA keys when backward compatibility ''is required'', +# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA). +$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" + +# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. 
+# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes). +$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz" +``` + +#### GnuPG + +- https://wiki.mozilla.org/Security/Key_Management + +`~/.gnupg/gpg.conf`: + +``` +# from https://wiki.mozilla.org/Security/Key_Management +personal-digest-preferences SHA512 SHA384 +cert-digest-algo SHA256 +default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed +keyid-format 0xlong +``` + +## TODO + +- explain setup, ideas, practises +- add HOWTO +- seperate sources.list setup for server/desktop
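Review bot: in the LICENSE.md hunk, replacing `Copyright (c) 2015 Frieder Schlesier` with `Copyright (c) 2016 Frieder Schlesier` discards the year the work was first published; the conventional form is a range, `Copyright (c) 2015-2016 Frieder Schlesier`, which keeps the original date on record. The license edit is also unrelated to the "add some notes" subject and would be easier to audit as its own commit.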
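Review bot: in the README.md hunk, the comment `# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).` should say 256 bits: an Ed25519 key is a 32-byte (256-bit) value, and "bytes" will mislead readers comparing it with the `-b 4096` RSA key size on the line above. Two smaller points in the same hunk: the `$ ` prompt prefix on the two `ssh-keygen` lines sits inside a ```bash fence, so a copy-pasted line fails with "command not found" (drop the prefix or the `bash` tag), and the wiki-style `''is required''` / `''is not required''` emphasis renders literally in Markdown, where `*is required*` is the equivalent. The TODO item `seperate sources.list setup for server/desktop` should read `separate`.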