Language Selection

English French German Italian Portuguese Spanish

Integrity, Proprietary Software, Security, and Privacy

Filed under
  • SSH host identity certification

    Using an SSH CA to certify SSH host keys means the user’s SSH client can trust it without asking the user to verify it. The client is configured to trust any host certificate that can be verified using the SSH CA public key. The CA public key still needs to be communicated to the user in a secure way, but the CA key is only one key and rarely changes, so the tiresome risky situation happens very rarely. After the user has the CA key, an attacker can’t trick the user into accepting a false host key.

    With host certificates, the SSH client never needs to ask its user if the host key of a new host is valid, and the user never needs to try to verify it. If the host’s host key changes, the client doesn’t need to bother the user about it, as long as the new host key gets a new certificate.

    Overall, this leads to a much smoother and more secure experience for people using SSH.

  • [Old] OpenSSH/Cookbook/Certificate-based Authentication

    Two of the main advantages of certificates over keys are that they can use an expiration date, or even a date range of validity, and that they eliminate need for trust-on-first-use or complicated key verification methods. Mostly they facilitate large scale deployments by easing the processes of key approval and distribution and provide a better option than copying the same host keys across multiple destinations.

    User certificates authenticate users to their accounts on the servers. Host certificates authenticate servers to the clients, proving that the clients are connecting to the right system. The use of a principals field to designate users versus hosts is the main difference between host and user certificates. In host certificates, the principals field refers to the server names represented by the certificate. In user certificates that field refers to the accounts which are allowed to use the certificate for logging in. Additional limitations just as specific source addresses and forced commands are available for user certificates. Date and time of validity are possible for both. Host certificates and user certificates should use separate certificate authorities. For a more authoritative resource, see the "CERTIFICATES" section of ssh-keygen(1).

  • Research Shows Apple's New Do Not Track App Button Is Privacy Theater

    While Apple may be attempting to make being marginally competent at privacy a marketing advantage in recent years, that hasn't always gone particularly smoothly. Case in point: the company's new "ask app not to track" button included in iOS 14.5 is supposed to provide iOS users with some protection from apps that get a little too aggressive in hoovering up your usage, location, and other data. In short, the button functions as a more obvious opt out mechanism that's supposed to let you avoid the tangled web of privacy abuses that is the adtech behavioral ad ecosystem.

  • Portpass app may have exposed hundreds of thousands of users' personal data

    Private proof-of-vaccination app Portpass exposed personal information, including the driver’s licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured.

    On Monday evening, CBC News received a tip that the user profiles on the app’s website could be accessed by members of the public.

    CBC is not sharing how to access those profiles, in order to protect users’ personal information, but has verified that email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports can easily be viewed by reviewing dozens of users’ profiles.

  • Apple AirTag Bug Enables ‘Good Samaritan’ Attack

    The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website.

  • RSF opens a new room for Swedish-Eritrean journalist Dawit on in its digital library against censorship

    To mark the 20th anniversary of Dawit Isaak’s arrest in Eritrea, RSF has opened a new room dedicated to the journalist in its digital library against censorship, a project that allows the public to access censored articles via the computer game Minecraft. Articles, texts and poems from the Swedish Eritrean journalist are now available thanks to a collaboration between RSF and the Dawit Isaak Library. The texts are part of the book “Hope: The Tale of Moses and Manna’s Love”, a translation of Isaak’s texts which was published in 2010 by an alliance of Swedish publishing houses.

  • Amazon brings global computer science education initiative to India

    Amazon is working with its global knowledge partner, a global non-profit organisation dedicated to computer science education, to bring high quality and mobile interactive CS content to Indian students.

    "We look forward to working closely with AFE's network of partners in India to provide our high-quality CS curriculum and best practices as they enable students across the country to learn this foundational 21st-century subject," Hadi Partovi, founder and CEO of, said.

More in Tux Machines

digiKam 7.7.0 is released

After three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. Read more

Dilution and Misuse of the "Linux" Brand

Samsung, Red Hat to Work on Linux Drivers for Future Tech

The metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. Read more

today's howtos

  • How to install go1.19beta on Ubuntu 22.04 – NextGenTips

    In this tutorial, we are going to explore how to install go on Ubuntu 22.04 Golang is an open-source programming language that is easy to learn and use. It is built-in concurrency and has a robust standard library. It is reliable, builds fast, and efficient software that scales fast. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel-type systems enable flexible and modular program constructions. Go compiles quickly to machine code and has the convenience of garbage collection and the power of run-time reflection. In this guide, we are going to learn how to install golang 1.19beta on Ubuntu 22.04. Go 1.19beta1 is not yet released. There is so much work in progress with all the documentation.

  • molecule test: failed to connect to bus in systemd container - openQA bites

    Ansible Molecule is a project to help you test your ansible roles. I’m using molecule for automatically testing the ansible roles of geekoops.

  • How To Install MongoDB on AlmaLinux 9 - idroot

    In this tutorial, we will show you how to install MongoDB on AlmaLinux 9. For those of you who didn’t know, MongoDB is a high-performance, highly scalable document-oriented NoSQL database. Unlike in SQL databases where data is stored in rows and columns inside tables, in MongoDB, data is structured in JSON-like format inside records which are referred to as documents. The open-source attribute of MongoDB as a database software makes it an ideal candidate for almost any database-related project. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the MongoDB NoSQL database on AlmaLinux 9. You can follow the same instructions for CentOS and Rocky Linux.

  • An introduction (and how-to) to Plugin Loader for the Steam Deck. - Invidious
  • Self-host a Ghost Blog With Traefik

    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.