TIL that the name of the PEM block of encoded public keys matters. I had a key that was using a block name PUBLIC KEY, where it should’ve been RSA PUBLIC KEY. Therefore, the client was rejecting the key as it was decoding it using the incorrect format. Here’s a very nice post about this.
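The two block names correspond to two different DER structures: PUBLIC KEY wraps a SubjectPublicKeyInfo (PKIX, algorithm identifier plus the key), while RSA PUBLIC KEY is a bare PKCS#1 RSAPublicKey (modulus and exponent only). A decoder that trusts the label therefore picks the wrong parser when the label is wrong, which is exactly the rejection described above. The following Go program is an added example, not code from the original post or from any project it mentions; it generates a throwaway key, encodes it both ways, dispatches on the block type, and shows that relabelling the bytes without re-encoding them makes the parse fail.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ParseRSAPublicKeyPEM decodes an RSA public key from PEM, choosing the
// decoder from the block type: "PUBLIC KEY" is a SubjectPublicKeyInfo
// (PKIX) wrapper, "RSA PUBLIC KEY" is a bare PKCS#1 RSAPublicKey.
func ParseRSAPublicKeyPEM(data []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "PUBLIC KEY":
		key, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("PKIX decode failed: %w", err)
		}
		rsaKey, ok := key.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("PUBLIC KEY block holds %T, not an RSA key", key)
		}
		return rsaKey, nil
	case "RSA PUBLIC KEY":
		key, err := x509.ParsePKCS1PublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("PKCS#1 decode failed: %w", err)
		}
		return key, nil
	default:
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
}

// EncodePKCS1 writes the key as an "RSA PUBLIC KEY" (PKCS#1) block.
func EncodePKCS1(key *rsa.PublicKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(key)})
}

// EncodePKIX writes the same key as a "PUBLIC KEY" (SubjectPublicKeyInfo) block.
func EncodePKIX(key *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Mislabel rewrites only the block type, leaving the DER bytes untouched.
// This reproduces the mismatch from the post: the label no longer matches
// the structure inside, so the dispatching parser fails.
func Mislabel(pemData []byte, newType string) []byte {
	block, _ := pem.Decode(pemData)
	return pem.EncodeToMemory(&pem.Block{Type: newType, Bytes: block.Bytes})
}

// NewTestKey generates a throwaway 2048-bit key for the demonstration (constructed input).
func NewTestKey() *rsa.PublicKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &priv.PublicKey
}

func main() {
	pub := NewTestKey()
	pkcs1 := EncodePKCS1(pub)
	pkix, _ := EncodePKIX(pub)
	samples := [][]byte{pkcs1, pkix, Mislabel(pkcs1, "PUBLIC KEY"), Mislabel(pkix, "RSA PUBLIC KEY")}
	for _, data := range samples {
		block, _ := pem.Decode(data)
		_, err := ParseRSAPublicKeyPEM(data)
		fmt.Printf("%-15s -> err=%v\n", block.Type, err)
	}
}
```

The practical check when a client rejects a key is therefore to compare the BEGIN line with the bytes inside it (for example with `openssl rsa -pubin -RSAPublicKey_in` versus the default PKIX input) rather than assuming the key material itself is bad; Go's parsers even hint at the other format in their error message when the structures are swapped.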
GitHub now supports SSH commit signing, which is quite nice. I have been trying to use less and less GPG. I just tried pushing a commit signed this way and it works quite nicely.
Today I noticed my VPS did not have any firewall installed. Since I use Alpine, I decided to try out awall, which led to 15 minutes of downtime for this website and all the remaining services. Besides, it seems that Docker messes with iptables by default, which can be troublesome with firewalls. In the end, I ended up using Hetzner’s own firewall which is completely decoupled from the OS and easier to manage.
I finally stopped using GPG keys for SSH authentication. Now I purely use SSH keys protected by 2FA via security keys. Now I have to get used to “touching” for authentication!
It also looks like Git allows using SSH keys for signing. Unfortunately GitHub doesn’t support such signatures yet. Once they do, I may change to that method.
In my last post, I mentioned that I was “investigating the possibility to use Tailscale to simply block the access from the “outside world” and make it more secure”. Well, it is now implemented and it works. Basically, my blog system can listen on two different ports: the regular one where you’re navigating, and the one inside a Tailscale network.
If I specify exclusiveDashboard: true on my Tailscale section of the configuration, the dashboard will only be added to the Tailscale router. This way, the dashboard won’t be available at hacdias.com, but only inside the Tailscale network. I’ve tried it and it works. However, it is not enabled on the live version yet!
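The pattern described above, one router per listener with the admin surface mounted only on the private one, is worth seeing concretely because the mistake that undoes it is subtle: a handler registered on a mux bound to 0.0.0.0 is reachable from everywhere regardless of any flag. The Go program below is an added example and is not Eagle's code; the field name exclusiveDashboard comes from the post, while the listen addresses, the handlers and the use of a plain net.Listen on the node's tailnet IP (instead of a tsnet listener) are assumptions made for the demonstration.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
)

// TailscaleConfig mirrors the post's configuration section. ExclusiveDashboard
// is the post's flag; the two addresses are assumptions for this example.
type TailscaleConfig struct {
	PublicAddr         string // e.g. ":8080", reachable from the internet
	TailnetAddr        string // e.g. "100.101.102.103:8080", the node's tailnet IP (assumed)
	ExclusiveDashboard bool   // true: dashboard only on the tailnet router
}

// blogHandler serves the public site; it answers only the exact root path so
// that an unmounted /dashboard really yields 404 instead of falling through.
func blogHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/" {
		http.NotFound(w, r)
		return
	}
	w.Write([]byte("blog"))
}

func dashboardHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("dashboard"))
}

// BuildRouters returns one mux per listener. The blog is on both; the dashboard
// is always on the tailnet mux and on the public mux only when not exclusive.
func BuildRouters(cfg TailscaleConfig) (public, tailnet *http.ServeMux) {
	public = http.NewServeMux()
	tailnet = http.NewServeMux()
	public.HandleFunc("/", blogHandler)
	tailnet.HandleFunc("/", blogHandler)
	tailnet.HandleFunc("/dashboard", dashboardHandler)
	if !cfg.ExclusiveDashboard {
		public.HandleFunc("/dashboard", dashboardHandler)
	}
	return public, tailnet
}

// Serve binds each mux to its own address. Binding the tailnet mux to the
// tailnet IP rather than 0.0.0.0 is what keeps the dashboard off the public
// interface; the exclusive flag alone does nothing if both muxes share a socket.
func Serve(cfg TailscaleConfig) error {
	public, tailnet := BuildRouters(cfg)
	pl, err := net.Listen("tcp", cfg.PublicAddr)
	if err != nil {
		return err
	}
	tl, err := net.Listen("tcp", cfg.TailnetAddr)
	if err != nil {
		return err
	}
	errc := make(chan error, 2)
	go func() { errc <- http.Serve(pl, public) }()
	go func() { errc <- http.Serve(tl, tailnet) }()
	return <-errc
}

// StatusOf sends an in-memory GET to a mux and returns the status code, so
// the routing decision can be checked without opening any sockets.
func StatusOf(mux *http.ServeMux, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code
}

func main() {
	cfg := TailscaleConfig{PublicAddr: ":8080", TailnetAddr: "100.101.102.103:8080", ExclusiveDashboard: true}
	if err := Serve(cfg); err != nil {
		panic(err)
	}
}
```

A useful check after deploying this kind of split is to request the admin path from outside the tailnet and confirm the 404, since a later refactor that registers routes on a shared mux would silently re-expose it.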
I also mentioned that I was trying to “inject” an admin bar while logged in. I can say that it is working via some response writer wrapping magic. I have a few more plans to make Eagle more self-contained, but we’re not there yet!
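"Response writer wrapping" means handing the page handler a substitute http.ResponseWriter that buffers what it writes, so the middleware can splice markup into the HTML before sending it on. The Go middleware below is an added example, not Eagle's implementation; the session cookie check, the cookie value and the bar's markup are constructed placeholders. Two details matter for not breaking the site: the bar is only injected when the handler declared an HTML content type (so JSON, feeds and binaries pass through untouched), and any Content-Length the handler set is dropped because the body length changed.

```go
package main

import (
	"bytes"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AdminBarHTML is a constructed placeholder for the injected markup.
const AdminBarHTML = `<div id="admin-bar"><a href="/dashboard">Dashboard</a></div>`

// injectingWriter stands in for the real ResponseWriter. It records the
// status and buffers the body so the bar can be inserted before </body>.
type injectingWriter struct {
	http.ResponseWriter
	buf    bytes.Buffer
	status int
}

func (w *injectingWriter) WriteHeader(code int)          { w.status = code }
func (w *injectingWriter) Write(b []byte) (int, error)   { return w.buf.Write(b) }

// flush writes the (possibly modified) response to the underlying writer.
func (w *injectingWriter) flush() {
	body := w.buf.Bytes()
	isHTML := strings.HasPrefix(w.Header().Get("Content-Type"), "text/html")
	if i := bytes.LastIndex(body, []byte("</body>")); isHTML && i >= 0 {
		out := make([]byte, 0, len(body)+len(AdminBarHTML))
		out = append(out, body[:i]...)
		out = append(out, AdminBarHTML...)
		out = append(out, body[i:]...)
		body = out
		// The length changed; let net/http recompute it or use chunked encoding.
		w.Header().Del("Content-Length")
	}
	if w.status == 0 {
		w.status = http.StatusOK
	}
	w.ResponseWriter.WriteHeader(w.status)
	w.ResponseWriter.Write(body)
}

// isLoggedIn is a hypothetical session check; a real app validates a signed
// session against its store. The cookie value here is a constructed sample.
func isLoggedIn(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == "valid-demo-session"
}

// AdminBar wraps next: anonymous visitors get the untouched response, while
// logged-in users get the bar injected into HTML pages only.
func AdminBar(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isLoggedIn(r) {
			next.ServeHTTP(w, r)
			return
		}
		iw := &injectingWriter{ResponseWriter: w}
		next.ServeHTTP(iw, r)
		iw.flush()
	})
}

// Render runs one in-memory request through a tiny page handler wrapped with
// AdminBar and returns the response body, with or without a session cookie.
func Render(loggedIn bool, contentType string) string {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", contentType)
		w.Write([]byte("<html><body><h1>Hello</h1></body></html>"))
	})
	req := httptest.NewRequest("GET", "/", nil)
	if loggedIn {
		req.AddCookie(&http.Cookie{Name: "session", Value: "valid-demo-session"})
	}
	rec := httptest.NewRecorder()
	AdminBar(page).ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	println(Render(true, "text/html; charset=utf-8"))
	println(Render(false, "text/html; charset=utf-8"))
}
```

Because the buffered writer no longer implements http.Flusher or http.Hijacker, streaming or WebSocket routes should be mounted outside this middleware; buffering a long-lived response would never flush it.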
Have a fantastic day!
YubiKeys are hardware authentication devices that can be used with many applications, such as GPG, SSH and two-factor authentication. I have owned quite a few over the past years and recently I decided to upgrade them to the NFC version so I can use them with my mobile devices.
A few days ago I saw a blog post by GitHub announcing their support for security keys in SSH operations. After a bit of searching, I discovered that OpenSSL 8.2, released last year, lets us use our FIDO2 devices (such as YubiKeys) to “unlock” our SSH private keys. This way, we don’t need the cumbersome GPG <-> SSH relation.
I tried it, and it was nice. I don’t know if I’m going to start using it right away because not every place uses OpenSSL 8.2+ yet, but soon, very soon.
For quite some time, I have been setting up systems to back up the data on my computer, as well as fetching data from services such as Trakt, Last.fm or GoodReads. There’s always been one kind of service on the back of my mind to back up, but I’ve never had the time, nor the will to do so: email!