How to authenticate SSH servers with SSHFP

Securely connecting to your server
One of SSH’s key features is the use of keys to identify the server you are connecting to, meaning that you can be certain you are connecting to the correct server and not another server pretending to be that one. Unfortunately, users who connect to many servers can be accustomed to seeing the warning message that a server’s key is unknown. SSHFP presents a potential solution to this problem....

November 20, 2022 · 3 min · soup

How to delete credentials from a Yubikey

Requirements
sudo apt-add-repository ppa:yubico/stable
sudo apt update
sudo apt install yubikey-manager
Your YubiKey must have at least firmware 5.2.x. You can check this by opening the YubiKey Manager app. If your YubiKey firmware is lower than 5.2.x, then you can’t make use of this and you need to do a complete reset of your YubiKey.
Procedure
Type ykman fido list and enter your PIN to get a list of the credentials that are stored in your YubiKey....

November 1, 2022 · 1 min · soup

How To Install A DANE TLSA DNS Record

What is DANE TLSA?
Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain’s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software.
How to configure DANE TLSA
View the certificate of your site by clicking the padlock in the browser....

November 19, 2022 · 1 min · soup

How to protect domains that do not send emails

Domains that do not send emails can still be used in email spoofing or phishing attacks, but there are specific types of DNS text (TXT) records that can be used to stifle attackers. Each of these records sets rules for how unauthorized emails should be treated by mail servers, making it harder for attackers to exploit these domains. A DNS TXT record allows domain administrators to enter text into the Domain Name System (DNS)....

November 21, 2022 · 5 min · Cloudflare

Securing OpenSSH keys with hardware-based authentication (FIDO2)

Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most brute-force attacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?
Why?
The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....

April 9, 2022 · 4 min · Wonderfall

sshd_config

Based on the one used by GrapheneOS on their sites. Source: github.com/grapheneos/infrastructure
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented....

November 18, 2022 · 2 min · soup