generating tlsa sshfp and openpgpkey records yum install
play

Generating TLSA, SSHFP and OPENPGPKEY records yum install - PowerPoint PPT Presentation

Apr 20, 2023 •102 likes •300 views

DNSSEC / DANE demo Paul Wouters Senior software engineer, Red Hat October 17, 2015 1 Paul Wouters <pwouters@redhat.com> Generating TLSA, SSHFP and OPENPGPKEY records yum install hash-slinger tlsa --create www.example.com (for

  1. DNSSEC / DANE demo Paul Wouters Senior software engineer, Red Hat October 17, 2015 1 Paul Wouters <pwouters@redhat.com>

  2. Generating TLSA, SSHFP and OPENPGPKEY records ● yum install hash-slinger ● tlsa --create www.example.com (for https) ● sshfp -a (known_hosts) ● sshfp -a -d -d nohats.ca -n ns0.nohats.ca (axfr+scan) ● openpgpkey --create pwouters@fedoraproject.org 2 Paul Wouters <pwouters@redhat.com>

  3. Verifying TLSA, SSHFP and OPENPGPKEY records ● tlsa --verify www.example.com ● openpgpkey --verify pwouters@fedoraproject.org ● openpgpkey --fetch pwouters@fedoraproject.org 3 Paul Wouters <pwouters@redhat.com>

  4. Configure postfix to use TLS ● Generate TLS key, certificate and CA-certificate ● Enable TLS in postfix: ● postconf -e "smtpd_tls_security_level = may" ● postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/server.key" ● postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/server.pem" ● postconf -e “smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem” ● postconf -e "smtpd_tls_security_level = may" ● postfix reload 4 Paul Wouters <pwouters@redhat.com>

  5. Configure postfix to use DNSSEC and DANE ● postconf -e "smtp_dns_support_level = dnssec" ● postconf -e "smtp_tls_security_level = dane" ● Ensure the server postfix runs on is configured to use a DNSSEC capable server specified in /etc/resolv.conf (you can point to 8.8.8.8 or 193.110.157.123) 5 Paul Wouters <pwouters@redhat.com>

  6. Postfix now requires TLS when a TLSA record is present 6 Paul Wouters <pwouters@redhat.com>

  7. Postfix validates the TLSA record before sending email 7 Paul Wouters <pwouters@redhat.com>

  8. Publishing an OPENPGPKEY: ● Generate a new gpg key, for example using gnupg 8 Paul Wouters <pwouters@redhat.com>

  9. Publishing an OPENPGPKEY: ● Generate a new gpg key, for example using gnupg 9 Paul Wouters <pwouters@redhat.com>

  10. Publishing an OPENPGPKEY: ● Create an OPENPGPKEY record (in generic format) 10 Paul Wouters <pwouters@redhat.com>

  11. Publishing an OPENPGPKEY: ● Create an OPENPGPKEY record (in rfc format) 11 Paul Wouters <pwouters@redhat.com>

  12. Publish your OPENPGPKEY and verify it: ● Add record to zone, re-sign and propagate zone, then: 12 Paul Wouters <pwouters@redhat.com>

  13. openpgpkey tool warns about email mismatch 13 Paul Wouters <pwouters@redhat.com>

  14. Demo of openpgpkey-milter using OPENPGPKEY 14 Paul Wouters <pwouters@redhat.com>

  15. View of email send via postfix + openpgpkey-milter 15 Paul Wouters <pwouters@redhat.com>

  16. SSHFP record: enable DNSSEC in ssh client ● Can be done in user's own ~/.ssh/ssh_config ● Can be done globally in /etc/ssh/ssh_config ● To only display extra informational text for ssh, use: VerifyHostKeyDNS ask ● To automatically accept the key when found in DNS VerifyHostKeyDNS yes 16 Paul Wouters <pwouters@redhat.com>

  17. Connecting with ssh using VerifyHostKeyDNS ask 17 Paul Wouters <pwouters@redhat.com>

  18. Connecting with ssh using VerifyHostKeyDNS yes 18 Paul Wouters <pwouters@redhat.com>

  19. ssh client detecting Man-in-the-middle attack 19 Paul Wouters <pwouters@redhat.com>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN Consortium OARC 2011 Spring

Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN Consortium OARC 2011 Spring

Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN Consortium OARC 2011 Spring Workshop V.01 1 Overview What is DANE/TLSA What a TLSA request and resource record will probably look like Expectations for timing and

139 views • 9 slides
4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND VISUALIZING KNOWLEDGE OF ARCHITECTURALLY SIGNIFICANT REQUIREMENTS IN SOURCE CODE Institute for Software Research Distinguished Speaker Series University

534 views • 25 slides
Today Goals: Install the Java JDK Compiling and debugging Java programs at the command

Today Goals: Install the Java JDK Compiling and debugging Java programs at the command

Today Goals: Install the Java JDK Compiling and debugging Java programs at the command line Reading compiler error messages Generating Javadoc at the command line Submit Lab 1 If you have time (next slides): Install

404 views • 4 slides
TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group

TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group

TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group Centre for Development of Advanced Computing No. 68, Electronics City, Bangalore 560100 ICANN 57, Hyderabad 5 th November, 2016 C-DAC Centre for

417 views • 14 slides
Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating function is an alternate representation of an infinite sequence, which allows making useful deductions about the sequence (including, possibly, a closed

865 views • 17 slides
Perl Post Install Tests April 10, 2013 Upgrading dependencies w/o fear 1. You install a module

Perl Post Install Tests April 10, 2013 Upgrading dependencies w/o fear 1. You install a module

Perl Post Install Tests April 10, 2013 Upgrading dependencies w/o fear 1. You install a module named Bear 2. You install the module Human , which depends on the availability of Bears ride() method 3. You install an new version of Bear , which

220 views • 8 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
awe@columba $ apt install apache2 awe@columba $ apt install apache2 awe@columba $ vim

awe@columba $ apt install apache2 awe@columba $ apt install apache2 awe@columba $ vim

TORTOISE : IMPERATIVE SYSTEM CONFIGURATION REPAIR Aaron Weiss, Arjun Guha, Yuriy Brun Northeastern University and University of Massachusetts awe@columba $ apt install apache2 awe@columba $ apt install apache2 awe@columba $ vim

1.14k views • 95 slides
Risk and Records at UTS Records Management Program &gt; University Records, Governance Support

Risk and Records at UTS Records Management Program &gt; University Records, Governance Support

THINK.CHANGE.DO Risk and Records at UTS Records Management Program &gt; University Records, Governance Support Unit, Registrar, DVC (Corporate Services) 6 dedicated f/t positions &gt; Devolved system 2 campuses (city campus over

325 views • 13 slides
Jewelry Box JewelryBox Install RVM JewelryBox Install RVM Google rvm Click first result

Jewelry Box JewelryBox Install RVM JewelryBox Install RVM Google rvm Click first result

Jewelry Box JewelryBox Install RVM JewelryBox Install RVM Google rvm Click first result Copy script Paste and run script in terminal JewelryBox install ruby 1.9.2.something JewelryBox install ruby 1.9.2.something rvm list

207 views • 19 slides
Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L

Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L

Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L https://www.opscode.com/chef/install.sh | bash Check ===== # chef-solo -v Chef: 11.6.2 Setup chef repository ===================== #wget

571 views • 4 slides
AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis Framework for Good Recordkeeping Records are evidence of business Records system Records system Records Records characteristics

404 views • 21 slides
Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

RM1001 Records Custodian Training May 6, 2019 A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management important? 3. What is a Public Record? 4. What is Records Management? 5. Resources 2 1. Who is a

796 views • 33 slides
Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have Open Records Laws? Sunshine concept Examples of Records Transparent &amp; Ethical Requests: Government Newspaper request for

281 views • 16 slides
0 # install nodejs # install git git clone https://github.com/loveencounterflow/CONTROLFLOW.git

0 # install nodejs # install git git clone https://github.com/loveencounterflow/CONTROLFLOW.git

Control Flow . . 0 # install nodejs # install git git clone https://github.com/loveencounterflow/CONTROLFLOW.git cd CONTROLFLOW npm install ./coffee try-catch-3.coffee Control Flow: The way we move through the elements that make up the

787 views • 51 slides
PUBLIC SECTOR INTANGIBLES (SPINTAN project) Funded by the Seventh Framework Programme of the

PUBLIC SECTOR INTANGIBLES (SPINTAN project) Funded by the Seventh Framework Programme of the

PUBLIC SECTOR INTANGIBLES (SPINTAN project) Funded by the Seventh Framework Programme of the European Union Matilde Mas University of Valencia &amp; Ivie This project has received funding from the European Unions Seventh Framework Programme

460 views • 16 slides
DRAFT EMPLOYMENT LANDS REVIEW PROFILE OF OCCUPIED EMPLOYMENT LANDS IN BWG Industrial Industrial

DRAFT EMPLOYMENT LANDS REVIEW PROFILE OF OCCUPIED EMPLOYMENT LANDS IN BWG Industrial Industrial

TOWN OF BRADFORD WEST GWILLIMBURY OFFICIAL PLAN REVIEW DRAFT EMPLOYMENT LANDS REVIEW PROFILE OF OCCUPIED EMPLOYMENT LANDS IN BWG Industrial Industrial / Ministers Total Commercial Zoning Order Artesian Industrial Park 43.6 1.5 0.0

367 views • 7 slides
Pre-Service Student Teacher Exchange in Southeast Asia (SEA- TEACHER PROJECT) Philippine

Pre-Service Student Teacher Exchange in Southeast Asia (SEA- TEACHER PROJECT) Philippine

Pre-Service Student Teacher Exchange in Southeast Asia (SEA- TEACHER PROJECT) Philippine Normal University , Philippines What is the process of selecting students from your university to join the project? Based on the interview and the

536 views • 14 slides
New Official Plan and Zoning By-law Public Meeting May 16, 2018 Project Overview Official Plan

New Official Plan and Zoning By-law Public Meeting May 16, 2018 Project Overview Official Plan

Township of Tay New Official Plan and Zoning By-law Public Meeting May 16, 2018 Project Overview Official Plan General policies for future land use, population, employment, development patterns, services and regulatory tools Current

368 views • 24 slides
Ticket to Work: Support on Your Journey to Employment Date: Wednesday, April 22, 2020 Time: 3

Ticket to Work: Support on Your Journey to Employment Date: Wednesday, April 22, 2020 Time: 3

Ticket to Work: Support on Your Journey to Employment Date: Wednesday, April 22, 2020 Time: 3 4:30 PM ET Produced at U.S. taxpayer expense. Accessing Todays Webinar (Slide 1 of 3) You can manage your audio using the audio option at

621 views • 61 slides
HB 337 Suspension and Reinstatement of Medicaid Benefits for Individuals Confined in County

HB 337 Suspension and Reinstatement of Medicaid Benefits for Individuals Confined in County

HB 337 Suspension and Reinstatement of Medicaid Benefits for Individuals Confined in County Jail County Jail Reporting Webinar Overview Purpose of HB 337 Background on bill requirements Texas Medicaid population

706 views • 37 slides
The Prevalence of Vermonters on the Social Security Disability Insurance Program Joyce

The Prevalence of Vermonters on the Social Security Disability Insurance Program Joyce

The Prevalence of Vermonters on the Social Security Disability Insurance Program Joyce Manchester Vermont Legislative Joint Fiscal Office October 2015 The Prevalence Rate Compare number of beneficiaries in an age group and state to the

771 views • 13 slides
Promoting Employment Among Social Security Beneficiaries 2020 Facilitator Disclaimer

Promoting Employment Among Social Security Beneficiaries 2020 Facilitator Disclaimer

Promoting Employment Among Social Security Beneficiaries 2020 Facilitator Disclaimer Disclaimer Information in this presentation is the sole responsibility of AHEDD and does not represent official views of any federal or state agency

445 views • 17 slides

More recommend