pavinjosdev

Install packages

sudo zypper install yubikey-manager pam_u2f

Insert Yubikey and test

ykman info
ykman fido info

eldadfux

_APP_ENV=production
_APP_LOCALE=en
_APP_OPTIONS_ABUSE=enabled
_APP_OPTIONS_FORCE_HTTPS=disabled
_APP_OPENSSL_KEY_V1=your-secret-key
_APP_DOMAIN=localhost
_APP_DOMAIN_TARGET=localhost
_APP_CONSOLE_WHITELIST_ROOT=enabled
_APP_CONSOLE_WHITELIST_EMAILS=
_APP_CONSOLE_WHITELIST_IPS=

Jiab77

Bridged Networking on Wireless Interface with KVM and more...

So I needed to upgrade my home "web hosting" server from a Raspberry Pi 3b to something more flexible where I could even simulate a Raspberry Pi 3b given power. The new server hardware is now an Intel NUC i7 16GB / 250Gb SSD NVME. 😁

I order to accomplish this task I had to find a way to bridge the wireless interface which is the faster one on my actual home network setup.

I've also tried to mix the functionnality from another Rapsberry Pi (3b+ this time) who's acting as WLAN to LAN bridge. More details on this setup. But this was finally a bad idea and I was not able to make it work along the virtual network bridge created by libvirt or manually created... (I will explain why later)

The main difficulty was to use the DMZ IP address given by the router and route the traffic to the guest VM's.

Server / Desktop

artizirk

NB: This document describles a 'Old-School' way of using Yubikey with SSH

Modern OpenSSH has native support for FIDO Authentication. Its much simpler and should also be more stable with less moving parts. OpenSSH also now has support for signing arbitary files witch can be used as replacement of gnupg. Git also supports signing commits/tags with ssh keys.

Pros of FIDO

• Simpler stack / less moving parts
• Works directly with ssh, ssh-add and ssh-keygen on most computers
• Simpler
• Private key can never leave the FIDO device

Cons of FIDO

rigelk

# requires WebSocket support with `a2enmod proxy_wstunnel`
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security

<VirtualHost *:80 [::]:80>
        ServerName peertube.example.com
        ServerAdmin [email protected]
        Protocols h2c http/1.1

        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/

mrbar42

#!/usr/bin/env bash

graceful_exit() {
    # include this line: trap graceful_exit TERM INT HUP
    echo "Exit requested..."
    local timeout=${1:-4}
    local list=""
    for c in $(ps -o pid= --ppid $$); do
        # request children shutdown
        kill -0 ${c} 2>/dev/null && kill -TERM ${c} && list="$list $c" || true

deluvas

Notable parameters

• FcgidMaxProcessesPerClass
  • Default: 100
  • Maximum amount of processes per application/website/wrapper.
• FcgidProcessLifeTime
  • Default: 3600 seconds (0 disables check)
  • Idle processes which have existed for greater than this time will be terminated, if the number of processses for the class exceeds FcgidMinProcessesPerClass.
  • Working processes shall not be terminated.
• This process lifetime check is performed at the frequency of the configured FcgidIdleScanInterval.

jboner

Latency Comparison Numbers (~2012)
----------------------------------
L1 cache reference                           0.5 ns
Branch mispredict                            5   ns
L2 cache reference                           7   ns                      14x L1 cache
Mutex lock/unlock                           25   ns
Main memory reference                      100   ns                      20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy             3,000   ns        3 us
Send 1K bytes over 1 Gbps network       10,000   ns       10 us
Read 4K randomly from SSD*             150,000   ns      150 us          ~1GB/sec SSD