HackerTrans
TopNewTrendsCommentsPastAskShowJobs

hartmel

no profile record

comments

hartmel
·2 lata temu·discuss
I ll add that the usage "cassette" refers usually to a tape in a plastic case, like the VHS cassette, the audio cassette.

The words referred to a box where coins where stored. It s probably still used in banks, like when ATMs are refilled.

Surprisingly for "LTO tape", french mostly uses the literal translation of "LTO tape" and sometimes "LTO cartridge" too ; the use of "cassette" is uncommon.

I just discovered it's the word for a bicycle component too.

There is the word "caissette" too, which is a box, small but not necessarily extra small as the "ette" prefix usually suggests in french though. I guess it depends of the context. ("Caisse" == "box")

There is yet another word for small boxes made of wood usually used for vegetables and fruits: "cagette".

"Casse" exists too with another meaning : it s a vehicle graveyard. (It comes from the translation of "to break" wich is the verb "casser").
hartmel
·2 lata temu·discuss
Previous HN discussion: https://news.ycombinator.com/item?id=34160356
hartmel
·3 lata temu·discuss
There is SCEP (https://en.m.wikipedia.org/wiki/Simple_Certificate_Enrollmen...) which allows that and is often found on network devices. You need a PKI which exposes a SCEP endpoint (ejbca or dogtag supports this). That the certificate is used as certificate for the HTTPS is up to the device implementation of the scep client or something else in the client though.

On servers, certmonger can do scep iirc. On private infrastructure, FreeIPA provides a packaged dogtag and you can create your own certificate profiles. Clients enrolled in freeipa have certmonger installed to refresh certificates.
hartmel
·3 lata temu·discuss
HSMs allows to have key stored with the option to disable key export. This means every cryptographic operation must be done by the HSM (commonly through pkcs 11 API).

HSMs have backup features and the data cannot be restored without a secret split among multiple secret holders (like https://en.m.wikipedia.org/wiki/Shamir%27s_secret_sharing). So a backup can be done on physical media and put in a safe.

It's a lot of things about key management, HSMs, pkcs interfaces to learn though.
hartmel
·3 lata temu·discuss
Edit: my bad, +ssh-rsa refers to a signature algorithm using SHA1, which should not be used anymore. Target server host keys should be renewed, as told by riolu, thanks to him for pointing it.

On debian-like, remove host keys and run dpkg-configure openssh-server.

On redhat-like, remove host keys and restart sshd.

---------------------------------------------

Not vulnerable, not a bad practice. Newer algorithms are faster (in practice not perceptible, people usually don't need state of the art performance for SSH connections), with smaller keys and probably better algorithms (not subject to side channel attacks, which are still hard to abuse) but RSA is not broken. It may be in a few years with quantum computing but it's still far to be sure.

https://www.schneier.com/blog/archives/2021/03/no-rsa-is-not... updated last december.

No need to rekey all accounts or servers, just switch to ecdsa or ed25519 progressively.
hartmel
·4 lata temu·discuss
A few year ago I was syncing keepass over http (it's built in keepass) with a Apache httpd and webdav module. Configuration was not really tricky and worked flawlessly. I even managed to use a yubikey on sync request.