Common Sense

Password Management #

Group Shared Passwords #

Enpass is suitable for a group of people sharing passwords, for the following reasons:

  • It’s free and well-maintained.
  • Its encrypted database can be synced via Google Drive, and changes to the database are propagated to other members automatically.
  • The revision history is kept on Google Drive and can be backed up offline.

For Personal Use #

I use Bitwarden. Generating passwords and keeping a high-entropy, unique password for each website is very convenient.

SSH Keys Management #

Rule of thumb #

  • Don’t share SSH keys across multiple hosts; one key per host.
  • Every SSH key should be passphrase-protected.
  • Use ECDSA (on older systems, use RSA with at least 4096 bits).
  • SSH keys should be stored in an encrypted file-system (LUKS or cryfs).
  • On Microsoft Windows, FUSE or LUKS file-systems won’t work; use a GPG-encrypted tar file and extract it onto a tmpfs (see the guide below).
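An added example (not from this page) that audits a private key file against the two rules above that can be checked mechanically: the key must be passphrase-protected, and an RSA key must have at least 4096 bits. It parses the openssh-key-v1 format, whose cipher name and public key blob are stored in clear, so no passphrase is needed; the sample key files it builds are constructed for offline testing and are not real keys.

```python
import base64
import struct
RSA_MIN_BITS = 4096                     # page's rule: RSA at least 4096 bits
MAGIC = b"openssh-key-v1\0"

def _s(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):
    """Decode one wire-format string at offset; return (data, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(key_text):
    """Check an openssh-key-v1 private key against this page's rules of thumb."""
    # Cipher name and public blob are in clear, so no passphrase is needed to audit.
    lines = key_text.strip().splitlines()
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = _read_s(raw, len(MAGIC))  # b"none" means no passphrase
    for _ in range(2):                      # skip kdf name and kdf options
        _, off = _read_s(raw, off)
    pub, _ = _read_s(raw, off + 4)          # +4 skips the key count (always 1)
    ktype, p = _read_s(pub, 0)
    ktype, bits = ktype.decode(), None
    if ktype == "ssh-rsa":                  # RSA blob is: type, e, n (mpints)
        _e, p = _read_s(pub, p)
        n, _ = _read_s(pub, p)
        bits = int.from_bytes(n, "big").bit_length()
    issues = []
    if cipher == b"none":
        issues.append("not passphrase-protected")
    if ktype == "ssh-rsa" and bits < RSA_MIN_BITS:
        issues.append(f"RSA key is only {bits} bits (want >= {RSA_MIN_BITS})")
    elif not ktype.startswith(("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")):
        issues.append(f"unexpected key type {ktype}")
    return {"type": ktype, "bits": bits, "encrypted": cipher != b"none", "issues": issues}

def make_sample_key(cipher, pub_blob):
    """Constructed test file (not a real key): real header and public blob, dummy private part."""
    raw = (MAGIC + _s(cipher) + _s(b"bcrypt" if cipher != b"none" else b"none") + _s(b"")
           + struct.pack(">I", 1) + _s(pub_blob) + _s(bytes(16)))
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed public blobs: a 2048-bit RSA modulus (leading 0x00 because the top bit is set) and an Ed25519 placeholder.
RSA2048_PUB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00\x80" + bytes(255))
ED25519_PUB = _s(b"ssh-ed25519") + _s(b"\x01" * 32)
```

To audit a real key, pass the contents of a file produced by ssh-keygen to audit_private_key.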

Add keys to ssh-agent on-demand #

Manually adding SSH keys to ssh-agent can be burdensome, and typing the passphrases of many SSH keys at boot is undesirable. Instead, we want to decrypt an SSH key only when we are about to use it. Here’s how:

Use gnome-keyring whenever possible; it’s very user-friendly. If that is not an option, use keychain to reuse a single ssh-agent across shells:

  • In ~/.bash_profile:
eval $(keychain --eval --agents ssh --inherit any --nogui --nocolor --quiet)
  • Add the following line directly to ~/.ssh/config: AddKeysToAgent yes

You’re done. Whenever a key is needed, you are prompted for its passphrase on demand.

Encrypted file-system: cryfs #

This trick keeps your SSH keys encrypted on Linux when not used.

  1. Enable user_allow_other in /etc/fuse.conf
  2. Mount the FUSE file-system:
cryfs ~/.vault/.ssh/ ~/.ssh -- -o nonempty,allow_root

While ~/.ssh is not yet mounted, sshd still needs to read ~/.ssh/authorized_keys (this file is non-confidential), so change the AuthorizedKeysFile path in /etc/ssh/sshd_config to ~/.ssh-authorized_keys.

GPG-encrypted SSH keys #

This trick keeps your SSH keys encrypted on Windows (with WSL) when not used.

  • Generate GPG key at first use:
$ gpg --gen-key
  • Mount ~/.ssh as tmpfs by adding into /etc/fstab (it actually works on WSL!):
tmpfs /home/yourname/.ssh    tmpfs   defaults,uid=1000,mode=700    0   0
  • Use this script to decrypt the SSH keys into the tmpfs:
#!/bin/sh
# Decrypt the GPG-encrypted, zstd-compressed tar archive into the tmpfs at ~/.ssh
KEYSTORE=/mnt/c/Users/yourname/Documents/ssh-keys-encrypted.gpg
gpg --decrypt --output - "$KEYSTORE" | zstd -d | tar -xf - -C ~/.ssh
  • Use this script to re-encrypt the SSH keys whenever you update a key or .ssh/config:
#!/bin/sh
# Archive everything in ~/.ssh, compress it and encrypt it to your own GPG key
KEYSTORE=/mnt/c/Users/yourname/Documents/ssh-keys-encrypted.gpg
tar -cf - -C ~/.ssh . | zstd | gpg --encrypt -o "$KEYSTORE" --recipient yourname

When WSL starts, ~/.ssh is mounted automatically as an empty tmpfs. When you are about to ssh to other hosts, decrypt the SSH keys with the first script above.

Light-weight Web Proxy #

When the sole purpose of IP masquerading is browsing websites that require an academic IP, a transport-layer proxy such as an SSH tunnel is much faster than an IP-layer counterpart such as a VPN.

I use SmartProxy on Firefox to browse the ACM Digital Library and IEEE Xplore off campus. Configure SmartProxy with a local SOCKS proxy server (127.0.0.1, port 19000) and run the following command:

ssh -D 19000 -q -x -C -c aes128-ctr [academic-host]

Reverse Proxy Setup #

Purpose: You have a PC at home that you want to access from an external network.

Prerequisite: Select a computer with a public IP and no firewall restrictions (you can open an arbitrary port and the firewall will not block external access to it) to serve as the jumper. In the following example, we use linux1.csie.org, provided by the CSIE department, as our jumper.

Steps #

First, construct an SSH tunnel from your home PC:

# Run this command inside a `tmux` session:
ssh [My username on CSIE]@linux1.csie.org -o GatewayPorts=true -R 0.0.0.0:10022:127.0.0.1:22 -N

This opens port 10022 on the jumper computer; all traffic destined for port 10022 is forwarded to port 22 on your home PC.

Next, on the jumper computer, start a port redirection process that redirects all external traffic destined for port 10023 to port 10022 on localhost (the -R tunnel above only listens on the jumper's loopback unless sshd allows GatewayPorts, so socat exposes it).

# Run this command inside a `tmux` session:
socat TCP-LISTEN:10023,fork TCP:localhost:10022

Now, you can log in from any external IP:

ssh -p 10023 [PC Username]@linux1.csie.org

Data backup #

Use Duplicity to create an encrypted, compressed backup on Google Drive:

GOOGLE_USER=yunchih
duplicity full -v 8 \
    --include-globbing-filelist backup-list.txt \
    --exclude "**site-packages" \
    --exclude "**/node_modules" \
    /home/yunchih \
    gdocs://$GOOGLE_USER/duplicity/home-backup

Here’s backup-list.txt (paths prefixed with - are excluded from the backup):

- /home/yunchih/.cache
- /home/yunchih/.config/google-chrome
- /home/yunchih/Downloads
- /home/yunchih/.local
- /home/yunchih/.ssh
- /home/yunchih/.mozilla
- /home/yunchih/.npm
- /home/yunchih/.oh-my-zsh
- /home/yunchih/.thunderbird
- /home/yunchih/.vagrant.d
- /home/yunchih/.vim
- /home/yunchih/dotfiles/vim/.vim
- /home/yunchih/VirtualBox\ VMs
- /home/yunchih/.wine
- /home/yunchih/.gem
- /home/yunchih/.bundle
- /home/yunchih/.atom
- /home/yunchih/.cargo
- /home/yunchih/.cabal
- /home/yunchih/.cpanm
- /home/yunchih/.stack
- /home/yunchih/.debug
- /home/yunchih/go/pkg

Last modified: August 12, 2019