How to authenticate users with Kerberos when port 88 is not available in a DMZ? Use an HTTPS server as a proxy. IPA comes with an integrated KDC Proxy and it’s simple to make use of it. A typical use case is a cross-domain trust with AD, where the Linux clients are not allowed to directly talk to AD because of firewall and/or security policy restrictions. Another use-case is where clients in a DMZ are not allowed to directly communicate ….Read More
Category: Fedora
Using DNSSEC with (Free) IPA
The DNS infrastructure contains a growing number of critical information such as services records pointing to authentication services, TLSA records, SSH fingerprints and the like. DNSSEC signs this information, the client can trust the information DNS sends. It protects against forged information through cache poisoning. This article shows how to achieve a DNSSEC protected DNS environment with the help of FreeIPA This article was taking some time to write as I wanted to see how it behaves in the long ….Read More
Using LVM cache for storage tiering
SSDs are small, expensive but fast. HDDs are large and cheap, but slow. Let’s combine the two technologies to get the speed of SSDs with the price and size of HDDs. This can be achieved with storage tiering using LVM cache. Hardware vs. Software solutions There are so-called “Hybrid HDDs” on the market. The SSD part is relatively small and you can not tune that cache or getting any statistics about cache hits and cache misses. Further, modern SSD provides ….Read More
OpenID and SAML authentication with Keycloak and FreeIPA
Not every web application can handle Kerberos SSO, but some provide OpenID and/or SAML. There is how Keycloak comes into the game. You can use Keycloak to federate users from different sources. This guide shows how to integrate Keyclock and FreeIPA to authenticate users in WordPress. On clients that are enrolled in IPA, this even works without a password, a Kerberos ticket is good enough to log in. What is Keycloak Keycloak is the upstream project for Red Hat SSO. ….Read More
Using MTA-STS to enhance email transport security and privacy
Overview SMTP is broken by design. It comes from a time when communication partners trusted each other and the NSA was intercepting facsimiles and phone calls instead of internet traffic. To enhance privacy, in 2002 RFC 3208 was added to the SMTP protocol. Unfortunately STARTTLS is only optional, it is not allowed to only accept encrypted connections. The RFC states: A publicly-referenced SMTP server MUST NOT require the use of the STARTTLS extension in order to deliver mail locally. That ….Read More
Centrally manage SELinux user mapping with (Free)IPA
SELinux allows to confine users with SELinux user mappings. This article covers some basics about the confinement of users and shows how to manage them in central way with the help of (Free)IPA. It will greatly enhance your systems security. SELinux is available and enabled on all Red Hat based distributions such as RHEL, CentOS and Fedora. for the basics please have a look at article. Before proceeding with the examples in this article: ensure your system is running in ….Read More
Using modern Protocols like HTTP/2 and QUIC
First there was HTTP, then HTTP/2 and now HTTP/2 over the QUIC protocol. Lets have a look at the available HTTP Clients and Servers that support HTTP/2 and the experimental QUIC protocol. Introduction The Hypertext Transfer Protocol (HTTP) was invented in 1991. Up to 2015 then there was only little to no evolution. In 2015 the HTTP/2 protocol was defined as a standard. HTTP/2 is much more efficient that its ancestors. It features multiplexing, stream prioritization, binary transmission and much ….Read More
Leveraging Network-Bound Disk Encryption at Enterprise Scale
Network-Bound Disk Encryption (NBDE) adds scaling to LUKS by automated disk unlocking on system startup. Why should I encrypt disks? If you dont want to see your corporate and private data leaked, you should do so as an additional security measure. Use cases There are basically two use cases for disk encryption. The first one is to prevent data leaks when a device gets stolen or lost (mobile computers, unsecured server rooms etc.). Theft of devices is usually not a ….Read More