In Yubikey PIV for SSH on Macs I described the full process for setting up and using Yubikeys for SSH. This is an abbreviated version that only describes how to use the Yubikey; the assumption is that some admin has already configured your Yubikey.
Kerberos, and therefore LDAP with GSSAPI, has issues with servers behind NAT, or anywhere the forward DNS lookup does not match the reverse DNS lookup. For instance, in our lab we have an OpenLDAP LDAP server:

    $ dig +noall +answer ldap.itlab.stanford.edu
    ldap.itlab.stanford.edu. 207 IN CNAME idp.itlab.stanford.edu.
    idp.itlab.stanford.edu. 200 IN A 18.104.22.168

However, since it's running … Continue reading Kerberos, LDAP, SSH, and NAT/AWS
We generally use Duo for two-factor authentication, including SSH. We have some scenarios where people would like to use two-factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there's no Duo prompt; it only works with Duo push, and you have to … Continue reading Yubikey PIV for SSH on Macs
The 11th unconference formerly known as the Internet Identity Workshop (and now known simply as IIW) was held at the Computer History Museum, Nov 2-4. Most of the session notes or presentations are available online. The main topics for sessions I attended at this IIW were Applied user-centric identity: OAuth, OpenID, and OpenID Connect - … Continue reading IIW XI
I scheduled a one-hour analyst discussion with Trent Henry of Burton Group on the subject of trends in hypervisor security, with respect to getting the appropriate balance of risk mitigation (i.e. threat vs. investment in threat response using technology and practice). Specifically, my query to set up the discussion was: "The costs associated with deploying … Continue reading Burton Analyst Discussion on Hypervisor Security and Compliance Standards
I took a quick look at using SSL with MySQL, and it turns out to be reasonably simple to enable SSL for transport level encryption, while still using username and password for authentication. Read on for some links to useful articles for MySQL, Java, Perl, Ruby on Rails and some sad news about PHP.
June is "Backup Awareness Month", according to Seagate / Maxtor. They've got a site with some tips for users. Options for Stanford users include those listed on backup.stanford.edu. There's one important principle to remember: you should not keep your data and your backups in the same place. If you use a laptop and an external … Continue reading BAM! There goes your data!
This is the third of these meetings I've been to at NIST in Maryland. It's well attended this year and the debates seem even livelier this year. Here is the agenda, and the conference site. I see a clear attempt for a bunch of security, infrastructure and cryptography geeks to make their message more pedestrian…er, … Continue reading 5th Annual PKI R&D Workshop