* fschl dotfiles

Things that make my linux life more comfortable, portable and secure.

For debian, or debian-based distros. Using i3wm.org on the desktop. And containers everywhere :)

Inspired by https://github.com/jessfraz

** Questions this repo tries to answer

- How long does it take you to set up a machine?
- Do you have backups?
- Are you using a password manager?
- How do you transport your secrets?
- Can you get things done without *your* computer?
  - rescue/recover friends' laptops/computers
  - panic-ops using a friend's laptop

*** Security

**** Hardening ssh

- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see `/etc/ssh/ssh_config` and `.ssh/config`

Add this to `~/.ssh/config`:

#+BEGIN_SRC bash
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes

# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#+END_SRC

*generating keys*

#+BEGIN_SRC bash
# RSA keys are favored over ECDSA keys when backward compatibility /is required/,
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

# ED25519 keys are favored over RSA keys when backward compatibility /is not required/.
# This is only compatible with OpenSSH 6.5+; the keys are fixed-size (256 bits).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC

**** GnuPG

- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys

`~/.gnupg/gpg.conf`:

#+BEGIN_SRC conf
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC

**** Managing logins & passphrases

- use a secure, cross-platform, _local_ password manager, e.g. keepass2

**** Backup Secure Keys

- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption

Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage. Still, you want a dedicated drive to transport your password database, ssh keys and GPG keys, and those don't require more than a couple of MB. So what to do with the remaining space?

Scenarios:

- You visit friends, only have your keys with you, and you have to check your mails, assist a colleague in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery. Boot into a safe environment, having all your credentials available in a secure manner. Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!

** TODO

- [ ] explain setup, ideas, practices
- [ ] add HOW-TO
- [ ] separate sources.list setup for server/desktop/laptop
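The Hardening ssh section above lists the client directives to set and the key types to generate, but gives no way to verify that a machine you just set up (or a friend's laptop you are working from) actually ended up with them. The following POSIX sh script is an added example, not part of the fschl dotfiles: it audits an OpenSSH client config for the required directives and for leftover legacy algorithms, and checks a key directory for ECDSA/DSA public keys that should have been generated as ed25519 or RSA instead. The sample configs and public-key lines it writes for its demo run are constructed here; the key blobs are not real keys, only the type field matters to the check.

```shell
#!/bin/sh
# Added example (not from the fschl dotfiles): audit an OpenSSH client config
# and a directory of public keys against the README's hardening rules.
# Assumes only POSIX sh, sed, tr, awk, grep and mktemp.

# Directives that must be present, as keyword=value-substring pairs.
# ssh_config keywords are case-insensitive, so everything is lower-cased first.
REQUIRED='hashknownhosts=yes
kexalgorithms=curve25519-sha256
ciphers=chacha20-poly1305@openssh.com
macs=hmac-sha2-512-etm@openssh.com
hostkeyalgorithms=ssh-ed25519'

# Legacy algorithm names that must not appear anywhere in the config.
FORBIDDEN='diffie-hellman-group1-sha1 arcfour -cbc hmac-md5 hmac-sha1 ssh-dss'

# audit_ssh_config FILE: print findings; return 0 when clean, 1 otherwise.
audit_ssh_config() {
    cfg=$1
    rc=0
    # Normalise: drop comments and blank lines, lower-case keywords and values.
    norm=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg" | tr 'A-Z' 'a-z')
    for pair in $REQUIRED; do
        kw=${pair%%=*}
        val=${pair#*=}
        # The first occurrence of a keyword wins, as it does in ssh_config itself.
        line=$(printf '%s\n' "$norm" | grep "^[[:space:]]*$kw[[:space:]=]" | head -n 1)
        case "$line" in
            *"$val"*) ;;
            *) echo "MISSING: $kw must include $val"; rc=1 ;;
        esac
    done
    for bad in $FORBIDDEN; do
        case "$norm" in
            *"$bad"*) echo "WEAK: legacy algorithm '$bad' is still enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_pubkeys DIR: flag ECDSA/DSA keys; return 0 when all are ed25519 or RSA.
# Only the type field of each .pub file is inspected; RSA bit length is not
# visible there, so check that separately with: ssh-keygen -l -f KEY.pub
audit_pubkeys() {
    dir=$1
    rc=0
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        type=$(awk 'NR==1 {print $1}' "$pub")
        case "$type" in
            ssh-ed25519|ssh-rsa) echo "OK:   $pub ($type)" ;;
            ecdsa-sha2-*|ssh-dss) echo "WEAK: $pub uses $type; regenerate as ed25519 or RSA"; rc=1 ;;
            *) echo "UNKNOWN: $pub ($type)"; rc=1 ;;
        esac
    done
    return $rc
}

# make_fixtures DIR: write constructed sample configs and keys for the demo.
make_fixtures() {
    d=$1
    mkdir -p "$d/keys" "$d/goodkeys"
    cat > "$d/hardened_config" <<'EOF'
# constructed sample: the README's recommended client settings
HashKnownHosts yes
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
EOF
    cat > "$d/weak_config" <<'EOF'
# constructed sample: a stock-looking config with legacy algorithms left on
HashKnownHosts no
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers aes128-cbc,3des-cbc,arcfour
MACs hmac-sha1,hmac-md5
EOF
    # Constructed public-key lines: the type field is real, the blobs are not.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE user@laptop' > "$d/goodkeys/id_ed25519.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE user@laptop' > "$d/keys/id_ed25519.pub"
    echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFAKE user@old-box' > "$d/keys/id_ecdsa.pub"
}

# Usage: sh ssh_audit.sh ~/.ssh/config ~/.ssh   (no arguments: run the demo)
if [ $# -ge 1 ]; then
    audit_ssh_config "$1" || echo "$1: FAIL"
    [ $# -ge 2 ] && { audit_pubkeys "$2" || echo "$2: FAIL"; }
else
    demo=$(mktemp -d)
    make_fixtures "$demo"
    echo "== hardened config =="; audit_ssh_config "$demo/hardened_config" || echo "FAIL"
    echo "== weak config ==";     audit_ssh_config "$demo/weak_config" || echo "FAIL (rc=$?)"
    echo "== keys ==";            audit_pubkeys "$demo/keys" || echo "FAIL (rc=$?)"
    rm -rf "$demo"
fi
```

The substring matching is deliberately loose: `-cbc` catches every CBC cipher and `hmac-sha1` also catches the `-96` and `-etm` variants, while the required list only asserts that the strong algorithm you expect to be negotiated is present at all, not the exact order. Run it against `/etc/ssh/ssh_config` as well as `~/.ssh/config`, since either file can reintroduce a legacy algorithm.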