September 29, 2018
This will be a pretty curt post, just trying to remember how this was done. The rationale for using gpg-agent as your ssh-agent is:
maintain physically separate ssh key-pairs outside of GPG, mainly because as much as gpg is trusted the gpg-agent, documentation, and associated configuration files are a little confusing. Utilize the gpg-agent for ssh-agent, providing you with the ability to have your key unlocked once per session and a consistent look and feel for the unlocking process via pinentry-curses.
...
August 1, 2018
We have a central instance of smbd that we allow users to have home directories on, as well as project specific shares. It’s a beefy ZFS on Linux instance that we call “tank” in reference to Jeff Bonwick’s discussion of the humble ZFS beginnings within Sun. We run a backup strategy between it and a couple other trailing-mirrored instances that we’ve positioned around the facility. We’ve been eyeing ceph but are waiting to see how BlueStore pans out in the next major ceph releases.
...
April 11, 2018
WireGuard aims to be as easy to configure and deploy as SSH. You establish a VPN connection by simply exchanging public keys, and the rest is transparently handled by WireGuard.
There are many other technologies, however wireguard is uniquley interesting for:
cryptokey routing: the first principles simply mapping public keys and sets of allowed addreses, making wireguard easier to grok for deployments. endpoints and roaming: also initial principles that facilitate NAT traversal and utilization of dynamic addressing through keepalives.
...
March 30, 2018
pass is a simple way to manage password locally, and with git one can collaborate on a password database with friends. The two technologies; pass and gpg have a lot of resources on-line, but when I went looking to set up a team with pass I found resources in several different places that didn’t match up with practices that made sense. Notably several people were creating key-pairs for each database and sharing the actual key-pairs with collaborators, this seemed insane.
...
October 29, 2017
If you want to be truly paranoid about authentication to services, you can implement your own Public Key Infrastructure (PKI). Many large organizations that are privacy focused have developed a digital/physical PKI strategy, for example the DoD’s Common Access Card. OpenSSL is a software that can be used to setup a “simple” PKI, however it’s command complexity is easy to get lost within. In this guide we’ll set up a “simple” PKI that we’ll use to authenticate users with, while still using the legitimately issued Let’s Encrypt Domain Validation certificates.
...
May 19, 2017
With all of the nasties we are seeing about snarfing up data, there has been a concerted effort for people to get encryption in place. For the web, it has never been easier to get these things sorted because there have been significant efforts recently to reduce the barrier. Firstly the letsencrypt project broke up the cabal of certificate authorities by providing a recognized authority that could issue certificates to verified domain operators without a transaction cost.
...
May 16, 2017
ssh is an amazingly prolific tool that is used extensively by anyone who manages systems. It’s a tool that many of us trust to provide the ultimate command and control access to devices we manage, and on many commercial systems it can be marginalized by being updated infrequently. If you’re able to run modern OpenSSH you have access to a new feature named ProxyJump, which makes using a jumphost much simpler.
...