How to authenticate users with Kerberos when port 88 is not available in a DMZ? Use an HTTPS server as a proxy. IPA comes with an integrated KDC Proxy and it’s simple to make use of it. A typical use case is a cross-domain trust with AD, where the Linux clients are not allowed to …
Author: Luc de Louw
Using DNSSEC with (Free) IPA
The DNS infrastructure contains a growing amount of critical information such as service records pointing to authentication services, TLSA records, SSH fingerprints and the like. DNSSEC signs this information, so the client can trust the information DNS sends. It protects against forged information through cache poisoning. This article shows how to achieve a DNSSEC protected DNS …
Installing Red Hat Satellite 6 with Letsencrypt certificates
Red Hat Satellite 6 is a nice tool for system life cycle management. It can get complex and even installation is sometimes tricky. This article is about how to install Satellite; it does not explain the principles and concepts behind it. Requirements: A valid subscription for the Satellite (and optional for the capsule). The system …
Using Data Deduplication and Compression with VDO on RHEL 7 and 8
Storage deduplication technology has been on the market for quite some time now. Unfortunately, all of the implementations have been vendor-specific proprietary software. With VDO, there is now an open-source, Linux-native solution available. Red Hat has introduced VDO (Virtual Data Optimizer) in RHEL 7.5, a storage deduplication technology bought with Permabit in 2017. Of …
Using MTA-STS to enhance email transport security and privacy
Overview: SMTP is broken by design. It comes from a time when communication partners trusted each other and the NSA was intercepting facsimiles and phone calls instead of internet traffic. To enhance privacy, in 2002 RFC 3208 was added to the SMTP protocol. Unfortunately, STARTTLS is only optional; it is not allowed to only accept …
Centrally manage SELinux user mapping with (Free)IPA
SELinux allows you to confine users with SELinux user mappings. This article covers some basics about the confinement of users and shows how to manage them in a central way with the help of (Free)IPA. It will greatly enhance your system's security. SELinux is available and enabled on all Red Hat based distributions such as RHEL, CentOS …
Using modern Protocols like HTTP/2 and QUIC
First there was HTTP, then HTTP/2 and now HTTP/2 over the QUIC protocol. Let's have a look at the available HTTP clients and servers that support HTTP/2 and the experimental QUIC protocol. Introduction: The Hypertext Transfer Protocol (HTTP) was invented in 1991. Up to 2015 there was little to no evolution. In 2015 …
Leveraging Network-Bound Disk Encryption at Enterprise Scale
Network-Bound Disk Encryption (NBDE) adds scaling to LUKS by automated disk unlocking on system startup. Why should I encrypt disks? If you don't want to see your corporate and private data leaked, you should do so as an additional security measure. Use cases: There are basically two use cases for disk encryption. The first one …