| # List plugged in Yubikeys and get the serial from the list | |
| ykman list | |
| # Generate new FIDO2 resident key on the Yubikey plugged in (keep on plugged in, only) and saving the attestation certificate | |
| # Without speficing the '-O user="..."' there is going to be a 32x ascii 0 filled into the user part and would overwrites exisiting keys without asking | |
| # Complex user="..." part creates a 31 char long string adding random values to the end (max length is 31 as 32nd must be 0) | |
| # Parameter -Z <cipher> can be different, valid values can be checked with 'ssh -Q cipher' command, default is aes256-ctr when omitting | |
| ssh-keygen -t ed25519-sk -a 64 -O resident -O user="$(echo -n <user>@<FQDN>_$(date +'%Y%m%d')_$(uuidgen | tr -d '-') | cut -c 1-31)" -O write-attestation=id_ed25519_sk_<yubikey serial>_attest -f id_ed25519_sk_<yubikey serial> -C "<user>@<FQDN>-$(date +'%Y%m%d')-<yubikey serial>" -Z sha256-gcm@openssh.com | |
| # parameter '-O attestation=<filename>' part can be omitted as more likely the Yubico general attestation c |
| Create private key: | |
| openssl ecparam -genkey -name prime256v1 -noout -out ecdsa256.pem | |
| Create public key: | |
| openssl ec -in ecdsa256.pem -pubout -out ecdsa256.pub | |
| Sign something | |
| openssl dgst -sha256 -sign ecdsa256.pem -out youranyfile.sig256 youranyfile | |
| To verify: |
| socat TCP-LISTEN:12345 UNIX-CONNECT:/var/lib/socket.sock |
| #!/bin/bash | |
| while true; do | |
| SKT_PATH=/var/run/mysock.sock | |
| rm $SKT_PATH | |
| INPUT=$(mktemp -u) | |
| mkfifo -m 600 "$INPUT" | |
| OUTPUT=$(mktemp -u) | |
| mkfifo -m 600 "$OUTPUT" |
| #!/bin/bash | |
| # | |
| # Bash must have been compiled with this ability: --enable-net-redirections | |
| # The device files below do not actually exist. | |
| # Use /dev/udp for UDP sockets | |
| exec 3<>/dev/tcp/host/port | |
| # Write to the socket as with any file descriptor | |
| echo "Write this to the socket" >&3 |
My objective is to have some production files ignored on specific branches. Git doesn't allow to do it.
My solution is to make a general .gitignore file and add .gitignore.branch_name files for the branches I want to add specific file exclusion.
I'll use post-checkout hook to copy those .gitignore.branch_name in place of .git/info/exclude each time I go to the branch with git checkout branch_name.
| (printf \\x30\\x2e\\x02\\x01\\x00\\x30\\x05\\x06\\x03\\x2b\\x65\\x70\\x04\\x22\\x04\\x20;egrep -v "^-" | tr -d '\n' | base64 -d | dd bs=161 skip=1 2>/dev/null | dd bs=32 count=1 2>/dev/null) | openssl pkey -inform der -outform pem |
| copied from http://www.lorier.net/docs/ssh-ca - all credit there. | |
| ## Using a CA with SSH | |
| Using a CA with ssh means you can sign a key for a user, and everywhere that the user trusts the CA you can login, without having to copy your SSH key everywhere again. This allows for things like fast rollover of keys (eg: daily), or trusting the fingerprint of a machine that you're logging into, which can be very useful when you're managing large numbers of machines, or machines that get new host keys (eg by reinstalling) regularly. | |
| You'll probably want at least openssh 5.6, although some of the functionality is available in 5.3. | |
| Creating the CA key | |
| ssh-keygen -f /etc/ssh/ca |
| package main | |
| import ( | |
| "crypto" | |
| "fmt" | |
| "os" | |
| "os/signal" | |
| "syscall" | |
| "github.com/ThalesIgnite/crypto11" |
| package main | |
| import ( | |
| "crypto" | |
| "fmt" | |
| "os" | |
| "os/signal" | |
| "syscall" | |
| "github.com/ThalesIgnite/crypto11" |
