leonklingele

@leonklingele
leonklingele / 0001-apple-keychain-integration-other-changes.patch
Last active Apr 18, 2019
openssh-{7.7,7.8,7.9,8.0}p1 patches for storing SSH passphrases in the OS X keychain. https://github.com/leonklingele/homebrew-dupes
View 0001-apple-keychain-integration-other-changes.patch
From 16ac7f14a1491650c345542098faaf60dad568e0 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Thu, 18 Apr 2019 01:51:43 +0200
Subject: [PATCH 1/2] apple-keychain-integration-other-changes
---
Makefile.in | 18 +-
audit-bsm.c | 7 +-
auth.c | 2 +-
authfd.c | 25 ++
View 0001-apple-keychain-integration-other-changes.patch
From acb5bb89c0c6ebbf2b8b0b7978a5006189c04944 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 4 Oct 2017 03:33:36 +0200
Subject: [PATCH 1/3] 0001-apple-keychain-integration-other-changes.patch
---
Makefile.in | 18 +-
audit-bsm.c | 7 +-
auth-pam.c | 5 +-
auth.c | 2 +-
leonklingele / gist:2179552e891acec458a9bf786b5076db
Created Jun 21, 2017
openvpn-2.4.3-different-revisions.patch
View gist:2179552e891acec458a9bf786b5076db
Apparently, OpenVPN 2.4.3 was released in two different revisions:
- Revision 1 (openvpn-2.4.3-r1) which was available on Wed Jun 21 14:00:36 2017 +0200
- Revision 2 (openvpn-2.4.3-r2) which was and is still available after r1
---
diff -Naur openvpn-2.4.3-r1/Makefile.in openvpn-2.4.3-r2/Makefile.in
--- openvpn-2.4.3-r1/Makefile.in 2017-06-20 15:10:10.000000000 +0200
+++ openvpn-2.4.3-r2/Makefile.in 2017-06-20 13:07:43.000000000 +0200
@@ -1,7 +1,7 @@
View netcup-easter-offers-2017.txt
- .de domain 14 cents: a .de domain for only 14 cents/month with a 2 euro setup fee
https://www.netcup.de/bestellen/produkt.php?produkt=1810&hiddenkey=e6a58f069b28d04cd1e332be2684be77
- .at domain €9.90 per year! For Easter you get a .at domain reduced by 17.5% - regular price €12/year!
https://www.netcup.de/bestellen/produkt.php?produkt=1811&hiddenkey=73d67dbaefe7222f61bf694e5d65e793
- VPS A Easter 2017 + Intel dual-core + 1 GB DDR3 RAM + 200 GB SATA + remote management console + and much more Only €1.44 / month
https://www.netcup.de/bestellen/produkt.php?produkt=1812&hiddenkey=9a1ef3d6ff803c6cae52bd8be3f36118
- Root-Server Easter 2017 + 2 dedicated cores + Intel Xeon E5-2660V3 + 2 GB DDR4 RAM + 4 x 100 GB SAS + RAID10 + and much more Only €4.66 / month
https://www.netcup.de/bestellen/produkt.php?produkt=1813&hiddenkey=552b395c8acb1c4016fc93fd6a3c8f1d
- RS 4000 SSD 3 Monate kostenlos + 8 dedizierte Kerne + Intel Xeon E5-2680V4 + 24 GB DDR4 RAM + 120 GB SSD + RAID10 + und vieles mehr die ers
View 0001-apple-keychain-integration-other-changes.patch
From 32a85e260f85fc820fd026637ad38e2230d2887f Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Tue, 21 Mar 2017 22:37:56 +0100
Subject: [PATCH 1/3] 0001-apple-keychain-integration-other-changes.patch
---
Makefile.in | 18 +-
audit-bsm.c | 7 +-
auth-pam.c | 5 +-
auth.c | 2 +-
leonklingele / key-bindings.bash
Last active Aug 10, 2018
fzf key-bindings.bash: ignore duplicates
View key-bindings.bash
# ..
# Requires https://st.aticpan.org/source/PERLANCAR/App-nauniq-0.10/script/nauniq
# SHA256: 046d69b8b1ed74aaff38565f08acc9781e7404fa240b2d091601043a5838f9f0
# gsed -i 's?#!perl?#!/usr/bin/env perl?' nauniq
# patch -p1 nauniq < nauniq-ignore-pattern.patch
__fzf_history__() (
  local line
  shopt -u nocaseglob nocasematch
leonklingele / nginx__dynamic_tls_records.patch
Created Oct 11, 2016
A refreshed 'nginx__dynamic_tls_records.patch' patch for nginx 1.11.5
View nginx__dynamic_tls_records.patch
What we do now:
We use a static record size of 4K. This gives a good balance of latency and
throughput.
Optimizing latency:
By initially sending small (1 TCP segment) sized records, we are able to avoid
HoL blocking of the first byte. This means TTFB is sometimes lower by a whole
RTT.
Optimizing throughput:
View gist:6470baad564b754f025628d69727de7d

Encrypting data (Was: AES-CTR with HMAC): Use, in order of preference: (1) The Nacl/libsodium default, (2) Chacha20-Poly1305, or (3) AES-GCM.

You care about this if: you're hiding information from users or the network.

All three options get you "AEAD", which is the only way you want to encrypt in 2015. Options (2) and (3) are morally the same thing: a stream cipher with a polynomial ("thermonuclear CRC") MAC. Option (2) gets there with a native stream cipher and a MAC optimized for general purpose CPUs; Poly1305 is also easier than GCM for library designers to implement safely. Option (3)'s AES-GCM is the industry standard; it's fast and usually hardware accelerated on modern processors, but has implementation safety pitfalls on platforms that aren't accelerated.

Avoid: AES-CBC, AES-CTR by itself, block ciphers with 64-bit blocks --- most especially Blowfish, which is inexplicably popular, OFB mode. Don't ever use RC4, which is comically broken.

Symmetric key length (Was: Use 256 bit keys

leonklingele / x509_pitfalls.md
Created Sep 23, 2016 — forked from mimoo/x509_pitfalls.md
Common x509 creation and verification pitfalls
View x509_pitfalls.md

Certificate validation/creation pitfalls

An x509 certificate, and in particular the latest version 3, is the standard for authentication in Public Key Infrastructures (PKIs). Think about Google proving that it's Google before you can communicate with it.

So. Heh. This x509 thing is a tad complicated. Trying to parse such a thing usually ends up in the creation of a lot of different vulnerabilities. I won't talk about that here. I will talk about the other complicated thing about them: using them correctly!

So here's a list of pitfalls in the creation of such certificates, but also in the validation and use of them when encountering them in the wild wild web (or in your favorite infrastructure).

  1. KeyUsage
  2. Validity Dates
leonklingele / client.sh
Last active May 25, 2019
netcat – encrypt transfer with openssl
View client.sh
# netcat peer address and port
IP="127.0.0.1"
PORT="8877"
# passphrase shared with the receiving side
SHARED_SECRET="shared secret"
OPENSSL="/usr/local/opt/libressl/bin/openssl"
# -a/-A: single-line base64 output, so each encrypted message is one line
OPENSSL_CMD="$OPENSSL enc -a -A -aes-256-gcm"
# encrypt every line read from stdin as a separate message
while IFS= read -r MSG; do
    echo "$MSG" | $OPENSSL_CMD -e -k "$SHARED_SECRET"
    echo
done