Regarding filippo.io, I can now type intelligently about why it didn't know who I was. The github project in question (whosthere) does not even check for ED25519 keys. Simply doing "grep -R ed25519" in the project's main directory revealed that. There are, however, a bunch of hits for "rsa" and "ecdsa." Obviously, support would be easy enough to add, but this guy didn't bother doing so. Security through obscurity for the win.
As for SSH hardening, the original project is here: https://github.com/NSAKEY/happy-dance

The one you linked to is (as of this writing) 5 commits behind. We got distracted by the magic of sedtris and didn't go back to it, but the Cliff's Notes version is that happy-dance automates the steps laid out in stribika's Secure Secure Shell guide.

A fun bit of trivia: A client config that's been hardened with happy-dance is unable to negotiate a key exchange algo with whoami.filippo.io.

Back to sedtris...

On Tuesday, August 11, 2015 at 9:44:24 PM UTC-5, Andrew McElroy wrote:
>
> We started off with a discussion of this recent project.
>
> https://blog.filippo.io/ssh-whoami-filippo-io/
>
> It can read your ssh keys you present and determine who you are.
> It does this because if you have a github account the following works (for public keys):
>
> https://github.com/REPLACE_WITH_YOUR_GITHUB_HANDLE.keys
>
> This is an article why this may be bad.
> https://blog.benjojo.co.uk/post/auditing-github-users-keys
>
> https://github.com/FiloSottile/whosthere
>
> reminder that if you generated your ssh keys between 2007-2008 on
> debian, consider cycling.
> https://github.com/g0tmi1k/debian-ssh
>
> http://www.metasploit.com/
>
> More ssh hardening.
> https://github.com/oittaa/happy-dance
>
> saw a pull request for happy-dance that used awk a bit.
> I pointed out that sed and awk are very powerful:
>
> http://www.unix.com/shell-programming-and-scripting/174525-tetris-game-based-shell-script-new-algorithm.html
>
> while we were on the topic of obscure programming feats.
> http://www.ioccc.org/years-spoiler.html
>
> essentially docker in bash.
> https://github.com/p8952/bocker
>
> We then talked about how to make NLUG better.
