en.credativ blog: Category Security tag:blog.credativ.com,2010-03-05:/en//2 2011-06-27T11:29:52Z All about Linux and Open Source Movable Type 4.34-en [Tip] Configuring SSH Jumphosts tag:blog.credativ.com,2011:/en//2.161 2011-05-16T14:27:00Z 2011-06-27T11:29:52Z The System Administrator will often come across a situation where an SSH connection to Host B is only possible by making a detour via SHH to Host A: client -> ssh A -> ssh B To shorten this two-step... Roland Wolters http://www.credativ.de tux.jpg
The System Administrator will often come across a situation where an SSH connection to Host B is only possible by making a detour via SHH to Host A:
client -> ssh A -> ssh B

To shorten this two-step process, an entry can be made in the ~/.ssh/config of Host A as "Jumphost", to ensure that this step is always followed in future.

Host Bdirekt
Hostname $IP_von_B
User rwo 
ProxyCommand ssh root@A.intern.lan nc %h %p


In the first row an alias is defined - this can be arbitrary, but some relation to B would make sense. The second row defines the host name of B - for permissions in every network thereafter, an IP is a good idea as a hostname! The option ProxyCommand defines the underlying Jump function - where access via SSH to A and the pipe of data occurs by means of numerical control.

Where SSH keys are properly allocated, there are no more queries. A simple ssh Bdirect leads directly to host B.

All tips in this blog can be found in the Tip Category. Should you need further Support for Linux, you've come to the right place at credativ.

]]> credativ Training at Munich Open Source School tag:blog.credativ.com,2010:/en//2.160 2010-05-05T14:00:12Z 2010-07-08T11:27:22Z In May, Consultants from credativ GmbH will be holding a 3 day advanced system and network administration workshop at the Open Source School in Munich. Training specifics (subject to modifications!): Kerberos: This training covers the Kerberos authentification protocol, which can... Michael Banck In May, Consultants from credativ GmbH will be holding a 3 day advanced system and network administration workshop at the Open Source School in Munich.


Training specifics (subject to modifications!):

  • Kerberos: This training covers the Kerberos authentification protocol, which can handle a range of services and operating systems transparently. The use of tickets makes single-sign-in possible; so a user can access all services with a unique log in. The training will be aimed at network and system administrators who wish to roll out Kerberos in their business or administrative network; it will also cover the installation and management of Kerberos, as well as the integration of services and client programs.


    When: 03-05/05/2010 and 13-15/09/2010

  • Spam and Virus Defense: This training will clarify the integration and fine tuning of open source based services Postfix, Amavis and SpamAssassin, which protect a network from unnecessary strain due to spam mail or malware. This training will be geared at administrators who wish to secure their company's email systems against spam and viruses.


    When: 26-28/05/2010 and 18-20/10/2010

  • Samba in heterogenous networks: This training concerns Samba as a replacement for Windows servers for smooth integration for both Windows clients in unix-based networks, and Linux servers in Windows-based networks. The training is directed at administrators wanting to migrate a Windows network completely or partly to Linux with the help of Samba. The goal of the training is the management and administration of LDAP-based primary/backup domain controller setups.


    When: 30/06-02/07/2010

The training will take place at the Open Source School in Munich city centre, Amalienstrasse 77. Applications can be made via the Open Source School website or by faxing this form. For further information contact Michael Banck.

Further dates for your diary: 21-23 April - PostgreSQL training will be carried out by credativ experts at the Linuxhotel Linuxhotel in Essen.

]]> [Talk] Single Sign On with Kerberos tag:platon.credativ.com,2010:/en//2.122 2010-02-26T13:14:47Z 2010-03-05T11:06:37Z credativ employee, Alexander Wirt, is due to give a presentation at the German Chemnitz Linux Days about Single Sign On with Kerberos. Besides an introduction into configuration of Kerberos, the talk will also focus on the configuration of its various... Roland Wolters http://www.credativ.de keyhole-heimdal.pngcredativ employee, Alexander Wirt, is due to give a presentation at the German Chemnitz Linux Days about Single Sign On with Kerberos. Besides an introduction into configuration of Kerberos, the talk will also focus on the configuration of its various services.

Kerberos is an authentication protocol which enables an admin to incorporate services and an operating system transparently into an existing setup. This makes Single Sign On possible: the user only has to enter his/her credentials once and thereafter can access any secured services and websites which support Kerberos without having to enter them again.

The Kerberos Single Sign On approach will be described by Alexander Wirt, credativ's expert on this topic, during a talk at the Chemnitz Linux Days due to take place in March. Besides the basic introduction to Kerberos based on Heimdal, he will also explain how to configure services such as SSH, Apache and IMAP. The topic of this talk will be very close to real-world usage, thus it should enable members of the audience to try it out easily themselves on their own networks.The talk will take place in German on March 13th 2010 at 15:00 in Room V4.

]]> Debian moved over to DNSSEC tag:platon.credativ.com,2010:/en//2.118 2010-02-25T11:18:08Z 2010-03-05T11:05:39Z The Debian project has announced that its internal DNS infrastructure is gradually moving over to DNSSEC. Thus from now on, all DNS answers for debian.com, amongst others, will be digitally signed to verify their authenticity. The Domain Name System (DNS)... Roland Wolters http://www.credativ.de debianlogo.pngThe Debian project has announced that its internal DNS infrastructure is gradually moving over to DNSSEC. Thus from now on, all DNS answers for debian.com, amongst others, will be digitally signed to verify their authenticity.

The Domain Name System (DNS) is one of the core components of the Internet. However, the initial design of DNS is vulnerable against some quite serious attacks, among them cache poisoning which means faking of DNS answers. To avoid this problem, DNSSEC was introduced (DNSSEC in Wikipedia, see also dnssec.net). DNSSEC is an enhancement of the default DNS protocol which makes it possible to sign and thus verify DNS answers. The introduction of DNSSEC into the existing worldwide Internet infrastructure is proving to be slow, due to the complexity and amount of work involved; there are so far only a few top level domains (TLDs) and domains of large projects and companies providing signed answers.

The Debian project has now decided to introduce DNSSEC step by step, so that all project domains will provide verified DNS answers. Firstly, all debian.net and debian.com domains will be signed, and thereafter the collected experience will be used to sign the other domains and sub-domains.

One of the problems the Debian project is facing in the use of DNSSEC is that as yet they do not have the signatures by the TLDs that Debian uses, without which there is no third party to verify the Debian keys. To get around this, Debian will publish the DNSSEC keys via the DNSSEC Look-aside Validation Registry of ISC. This will mean Debian keys can be verified even for TLDs which have not yet introduced a DNSSEC infrastructure.

Moving the Debian project to DNSSEC improves the security of the Debian part of the internet. Additionally, the experience acquired in the changing over of such a large, worldwide and multi-domain project should help other projects of a similar size - and hopefully encourage them to follow suit.

]]>