Java development 2.0: Securing Java application data for cloud computing

Data security is a serious concern for organizations considering cloud
adoption, but in many cases it needn’t be. In this installment of Java development
2.0, learn how to use private-key encryption and the Advanced Encryption Standard to
secure sensitive application data for the cloud. You’ll also get a quick tutorial on encryption strategy, which is important for maximizing the efficiency of conditional searches on distributed cloud datastores.


Security authentication mechanism in AIX

Authentication mechanism verifies which users are allowed to access a
system. Administrator can define authentication protocol; based on that
protocol, users’ credentials are verified, and users are given access to the
system. AIX provides several authentication and identification modules. A
user’s authentication and identification are done based on the user’s
attributes on AIX. This article covers the user’s authentication and
identification attributes, load modules available in AIX, and a new authentication attribute introduced AIX 6.1 Tl07 and AIX 7.1 Tl1 releases.


  • No Related Posts

SSH configuration, publickeys, Permission denied (publickey,password). error

My task: login from Mac OS Snow Leopard client to Ubuntu 10.10 server without password.


client$ mkdir ~/.ssh
client$ chmod 700 ~/.ssh 
client$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa 
Enter passphrase (empty for no passphrase): [empty]
client$ chmod go-w ~/ 
client$ chmod 700 ~/.ssh 
client$ chmod go-rwx ~/.ssh/* 
client$ scp ~/.ssh/ 
server$ mkdir ~/.ssh 
server$ chmod 700 ~/.ssh 
server$ cat ~/ >> ~/.ssh/authorized_keys 
server$ chmod 600 ~/.ssh/authorized_keys 
server$ rm ~/ 
client$ ssh -o PreferredAuthentications=publickey 


Permission denied (publickey,password).

Debug output(with -v):

XX-XX-XXX-XXX:~ lorddaedra$ ssh -o PreferredAuthentications=publickey -v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to [XXX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /Users/lorddaedra/.ssh/identity type -1
debug1: identity file /Users/lorddaedra/.ssh/id_rsa type 1
debug1: identity file /Users/lorddaedra/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu5
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /Users/lorddaedra/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/lorddaedra/.ssh/identity
debug1: Offering public key: /Users/lorddaedra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/lorddaedra/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,password).

So my question is where is my error and how to fix it? Thank you!


server$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no
AllowUsers lorddaedra


server$ cat /var/log/auth.log

Feb  3 19:15:38 electra sudo: lorddaedra : TTY=pts/0 ; PWD=/home/lorddaedra ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Feb  3 19:16:01 electra CRON[19081]: pam_unix(cron:session): session opened for user lorddaedra by (uid=0)
Feb  3 19:16:01 electra CRON[19080]: pam_unix(cron:session): session opened for user lorddaedra by (uid=0)
Feb  3 19:16:02 electra CRON[19080]: pam_unix(cron:session): session closed for user lorddaedra
Feb  3 19:16:02 electra sshd[19088]: Authentication refused: bad ownership or modes for directory /home/lorddaedra
Feb  3 19:16:02 electra sshd[19088]: Authentication refused: bad ownership or modes for directory /home/lorddaedra
Feb  3 19:16:06 electra CRON[19081]: pam_unix(cron:session): session closed for user lorddaedra
Feb  3 19:16:07 electra sudo: lorddaedra : TTY=pts/0 ; PWD=/home/lorddaedra ; USER=root ; COMMAND=/bin/cat /var/log/auth.log

client$ ls -al /Users/lorddaedra/.ssh
total 40
drwx------    6 lorddaedra  staff   204  3 фев 01:54 .
drwxr-xr-x+ 183 lorddaedra  staff  6222 31 янв 11:37 ..
-rw-------@   1 lorddaedra  staff  6148 21 ноя  2008 .DS_Store
-rw-------    1 lorddaedra  staff  1675  3 фев 01:53 id_rsa
-rw-------    1 lorddaedra  staff   427  3 фев 01:53
-rw-r--r--    1 lorddaedra  staff   414  3 фев 01:54 known_hosts

server$ ls -al /home/lorddaedra/.ssh
итого 12
drwx------  2 lorddaedra lorddaedra 4096 2011-02-03 01:55 .
drwxrwxr-x 13 lorddaedra lorddaedra 4096 2011-02-03 01:55 ..
-rw-------  1 lorddaedra lorddaedra  427 2011-02-03 01:55 authorized_keys


OpenSSL: how to setup an OCSP server for checking third-party certificates?

I am testing the Certificate Revocation functionality of a CMTS device. This requires me to setup a OCSP responder. Since it will only be used for testing I assume that the minimal implementation provided by OpenSSL should suffice.

I have extracted the a certificate from a cable modem, copied it to my PC and converted it to the PEM format. Now I want to register it in the OpenSSL OCSP database and start a server.

I have completed all these steps, but when I do a client request my server invariably responds with “unknown”. It seems to be completely unaware of my certificate’s existence.

I would greatly appreciate if anyone would be willing to have a look at my code. For your convenience, I have created a single script consisting of a sequential list of all used commands, from setting up the CA until starting the server:

You can also find the custom config file and the certificate that I am testing with:

Any help would be greatly appreciated.


Critical Infrastructure Protection Now

Recent reports of cyber attacks on Google and other American companies have raised concerns about protecting the critical infrastructure of a company or a country against a coordinated, targeted cyber attack. The recent cyber attack on Google used exploits targeting zero-day client side vulnerabilities to insert a backdoor trojan called HydraQ into the corporate networks. The attack has drawn much attention to the viability of the United States’ critical infrastructure to ward off similar attacks in the future, perhaps on a broader scale. The concern around this issue is warranted, justified and echoed throughout the industry.

It is important to bear in mind that there are steps that can be taken right now by Congress – steps that have the support and involvement of the cyber security industry and other private sectors — to address some of these concerns and further secure the United States’ critical infrastructure:

  • Pass the Federal Information Security Management Act Reform bill, authored by Sen. Tom Carper (D-DE), which updates the cyber security policies and processes for government agencies to follow that was originally passed in 2002 and is badly in need of being updated to respond to today’s threats.
  • Pass the Critical Electric Infrastructure Act – legislation that provides guidelines and policies needed to establish a base form of security to protect the nation’s electronic grid from cyber attack.
  • Pass legislation championed by Sen. Patrick Leahy, (D-VT) and Rep. Bobby Rush, (D-IL) stipulating a process for entities to notify individuals if their information has been compromised. 85 percent of the nation’s critical infrastructure is privately owned. By establishing a framework of minimum security precautions that companies must take to protect customer information — such as the use of encryption — the bill contributes to the overall security of the nation’s critical infrastructure.

Finally, with the appointment by the Obama Administration of Howard Schmidt as the nation’s cyber security coordinator, the White House should waste no time in implementing the findings of the 60-day Cyber Security Review to help secure the nation’s critical infrastructure. We support the Administration’s lead to establish a new partnership between the public and private sectors to increase coordination and improve the exchange of information on the threat landscape. The partnership between the private and public sector should also extend to more funding for the research and development of cyber security technologies and processes. The report also stipulates a greater emphasis also needs to be placed on efforts to promote better cyber security education and awareness. The report also identifies the end user is a key factor in reducing risk and protecting against threats. Better practices online as well as the use of security products like, anti-virus, anti-spam and anti- phishing can play a significant role in reducing cyber threats. Finally, the US needs to take a strong leadership position with other nations to improve cooperation on cyber crime prosecution and also improve protection against threats to the critical infrastructure.

While security is an integral step to protect networks, it must be combined with a means to organize, prioritize, and store information seamlessly for enterprises and governments to truly withstand today’s cyber attacks.

These are steps to improve the protection of critical infrastructure should be emulated around the world as cyber security is a global issue affecting the critical infrastructures of every country.

Francis deSouza Sr. Vice President, Symantec Enterprise Security Group


Secure replication in IBM Tivoli Directory Server

The article describes how to easily configure different replication topologies in IBM Tivoli Directory Server (TDS) using simple shell scripts. These scripts can be used to configure all known replication topologies (like Peer-peer, Master-Replica-Forwarder, Gateways etc) using simple bind, SSL with certificates or Kerberos authentication mechanism. The information in this article applies to TDS version 5.2 and later.


Tivoli Directory Server 6.1 password policy : enhancements, configuration and troubleshooting

A password policy is a set of rules designed to enhance security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations which ensures that users change their passwords periodically, passwords meet construction requirements, the re-use of old password is restricted, and users are locked out after a certain number of failed attempts. This article is intended to highlight the new features introduced with IBM Tivoli Directory Server(TDS) 6.1 release and describe the ways of debugging trivial password policy problems in TDS.


  • No Related Posts