After reading Kees Leune’s guide to setting up a CA here, I thought it’d be handy to script a lot of the legwork involved. The end result after a day or two’s hacking about is ca-mgmt. Bug reports, feature requests, etc. are more than welcome to the usual address, or to the GitHub Issues page.
A number of recent attempted break-ins to a few machines I manage have had me thinking again about the overall security of the machines, and how to get a better handle on what’s going on. This isn’t something new – anyone managing internet-facing systems ought to be aware of the dangers, and how to mitigate [...]
IPv6 is nothing new – it was finally standardised back in 1998 in RFC 2460, and virtually all operating systems have supported it now for at least 5 years, so most people are in a position to give it a try. If you’re one of the lucky ones, your ISP might provide native IPv6 connectivity [...]
(Note: This was originally posted on my previous blog, but I’ve noticed that it’s being linked to, so I’ve reposted it here) I’m not a mathematician (or a cryptographer) so I’m happy to take this post’s word for it about a recent attack against SHA-1 (short PDF here). The post goes into detail about changing [...]
Historically, if you wanted to use Active Directory to authenticate users on a UNIX box, you were pretty much limited to using LDAP. This works fine for some people, but it’s not particularly elegant – especially if you’re having to create users’ home directories all the time, which negates some of the point of centralising [...]
One thing that’s always bugged me about IPTables is the lack of a way to use groups when writing rules, which can complicate things if you’ve got a potentially large rulebase. One way round this is to use something like fwbuilder, which gives you a graphical interface not unlike Checkpoint’s SmartDashboard GUI for their Firewall-1 [...]
I’m using OpenSC at the moment so that I can repurpose an otherwise unused Aladdin eToken to hold SSH keys. I could go through the process involved in setting up the token, but as this chap has already done a thorough job, I won’t go into detail. Unfortunately, the openssh-client package from Debian (and Ubuntu) [...]