Securely connecting to your server One of SSH’s key features is the use of keys to identify the server you are connecting to, meaning that you can be certain you are connecting to the correct server and not another server pretending to be that one. Unfortunately, users who connect to many servers can be accustomed to seeing the warning message that a server’s key is unknown. SSHFP presents a potential solution to this problem....
Requirements sudo apt-add-repository ppa:yubico/stable sudo apt update sudo apt install yubikey-manager Your YubiKey must have at least firmware 5.2.x. You can check this to open the YubiKey Manager app. If your YubiKey is lower than 5.2.x, then you can’t make use of this and you need to do a complete reset of your YubiKey. Procedure Type ykman fido list and enter your PIN to get a list of the credentials that are stored in your YubiKey....
What is DANE TLSA? Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain’s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. How to configure DANE TLSA View the certificate of your site by clicking the padlock in the browser....
Domains that do not send emails can still be used in email spoofing or phishing attacks, but there are specific types of DNS text (TXT) records that can be used to stifle attackers. Each of these records sets rules for how unauthorized emails should be treated by mail servers, making it harder for attackers to exploit these domains. A DNS TXT record allows domain administrators to enter text into the Domain Name System (DNS)....
Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce attacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better? Why? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....
Based on the one used by Grapheneos on their sites. Source: github.com/grapheneos/infrastructure # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented....