_toctree

in/public/security/index.rst

@@ -0,0 +1,9 @@
+Security
+========
+
+.. toctree::
+   :maxdepth: 2
+
+   openssh-client/index
+   openssh-server/index
+   openssl/index

in/public/security/openssh-client/index.rst

@@ -0,0 +1,23 @@
+##############
+OpenSSH client
+##############
+
+*********
+Configure
+*********
+
+* /etc/ssh/ssh_config
+
+.. todo:: lines
+
+**********
+Create key
+**********
+
+* ~/.ssh/id_rsa*
+
+.. code:: shell
+
+  ssh-keygen -b 4096
+
+.. todo:: other arguments

in/public/security/openssh-server/index.rst

@@ -0,0 +1,76 @@
+##############
+OpenSSH server
+##############
+
+*********
+Configure
+*********
+
+* /etc/ssh/moduli
+
+Generate usable prime numbers pool.
+
+.. warning::
+
+  These are **VERY** long operations!
+
+.. code:: shell
+
+  ssh-keygen -b 4096 -G 4096.G
+  ssh-keygen -f 4096.G -T moduli
+
+* /etc/ssh/ssh_host_*_key
+
+types: rsa/ed25519/…?
+
+.. code:: shell
+
+  ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key
+
+* /etc/ssh/sshd_config
+
+::
+
+  # daemon
+  AllowTcpForwarding yes
+  ClientAliveInterval 30
+  Compression no
+  HostKey /etc/ssh/ssh_host_rsa_key
+  IgnoreRhosts yes
+  LogLevel INFO
+  MaxStartups 16:32:64
+  PermitTunnel no
+  Port 22
+  Protocol 2
+  Subsystem sftp internal-sftp
+  TCPKeepAlive yes
+  UseDNS no
+  UseLogin no
+  UsePAM yes
+  X11Forwarding no
+
+  # authentication
+  AuthorizedKeysFile .ssh/authorized_keys
+  ChallengeResponseAuthentication no
+  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+  HostbasedAuthentication no
+  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+  LoginGraceTime 60
+  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
+  PasswordAuthentication no
+  PermitEmptyPasswords no
+  PermitRootLogin without-password
+  PubkeyAuthentication yes
+  StrictModes yes
+  UsePrivilegeSeparation sandbox
+
+  # prompt
+  Banner none
+  DebianBanner no
+  PrintLastLog yes
+  PrintMotd no
+  VersionAddendum none
+
+* authorized_keys
+
+.. todo:: about

in/public/security/openssl/index.rst

@@ -0,0 +1,151 @@
+#######
+OpenSSL
+#######
+
+Generate private key
+====================
+
+.. code:: shell
+
+  openssl \
+  genrsa \
+  -out "private_key.pem" \
+  4096 \
+
+Human readable:
+
+.. code:: shell
+
+  openssl \
+  rsa \
+  -in "private_key.pem" \
+  -noout \
+  -text \
+
+Generate a certificate request
+==============================
+
+* generate a private key
+
+* using . for empty fields, generate the request with:
+
+  * Country Name (2 letter code)
+  * State or Province Name (full name)
+  * Locality Name (eg, city)
+  * Organization Name (eg, company)
+  * Organizational Unit Name (eg, section)
+  * Common Name (e.g. server FQDN or YOUR name)
+  * Email Address
+  * A challenge password
+  * An optional company name
+
+.. code:: shell
+
+  echo -n "\
+  US
+  Region / County (code)
+  City / Place
+  Group / Management / Unit
+  Section
+  certificate_name
+  alias@domain.tld
+  .
+  .
+  " \
+  | \
+  openssl \
+  req \
+  -new \
+  -key "private_key.pem" \
+  -out "certificate_request.csr" \
+  -utf8 \
+
+Human readable:
+
+.. code:: shell
+
+  openssl \
+  req \
+  -in "certificate_request.csr" \
+  -noout \
+  -text \
+
+Create a Certification Authority
+================================
+
+init
+----
+
+.. code:: shell
+
+  rm --force --recursive "demoCA"
+  mkdir --parents "demoCA/newcerts"
+  echo -n "" > "demoCA/index.txt"
+  echo "00" > "demoCA/serial"
+
+request
+-------
+
+.. code:: shell
+
+  echo -n "\
+  US
+  Region / County (code)
+  City / Place
+  Decreasing / Hierarchy
+  Name
+  Name
+  alias@domain.tld
+  .
+  .
+  " \
+  | \
+  openssl \
+  req \
+  -new \
+  -key "name.pem" \
+  -out "name.csr" \
+  -utf8 \
+
+signature
+---------
+
+.. code:: shell
+
+  openssl \
+  ca \
+  -selfsign \
+  -in "name.csr" \
+  -keyfile "name.pem" \
+  -notext \
+  -out "name.crt" \
+  -startdate 20160801000000Z \
+  -enddate 20180801000000Z \
+  -batch \
+  -extensions "v3_ca" \
+
+----
+
+quick & dirty variant
+---------------------
+
+.. code:: shell
+
+  openssl \
+  ca \
+  -selfsign \
+  -keyfile "private_key.pem" \
+
+Sign request
+============
+
+.. code:: shell
+
+  openssl \
+  req \
+  -in "certificate_request.csr" \
+  -key "private_key.pem" \
+  -x509 \
+  -set_serial 0 \
+  -days 730 \
+  -out "certificate.crt" \