Archive for March 2026
What version of SSL/TLS does my openssl support?
Posted on Mon, Mar 23, 2026 at 10:39 by Hubertus A. Haniel
This one I always have to look up as I don't use openssl very often, and some people say that this is the solution:
openssl ciphers -v | awk '{print $2}' | sort -u
This is not actually correct: the second column of "openssl ciphers -v" is the protocol version in which each cipher suite was introduced (its minimum), not the set of versions this build can negotiate, so a build without SSLv3 still prints SSLv3 next to its old cipher suites. The reliable way from the command line is the option list in the s_client help text, because the -ssl3/-tls1/-tls1_1/-tls1_2/-tls1_3 options are only compiled in for the protocol versions the library supports (the help goes to stderr, hence the redirect):
openssl s_client -help 2>&1 > /dev/null | egrep "\-(ssl|tls)[^a-z]"
The client can also probe a remote web server for one specific version. {version} is one of the option suffixes from the help listing above, e.g. -tls1_2 or -tls1_3, and -servername sends the SNI so you get the same virtual host a browser would:
openssl s_client -connect {domain}:443 -servername {domain} -tls{version}
A successful handshake prints an SSL-Session block with the negotiated Protocol and Cipher; if the server rejects that version you get a handshake failure or protocol version alert instead and the Cipher shows as 0000. A version the local build lacks cannot be probed this way at all, which is why the help check comes first.
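The two checks above combined into one script, added here as an example and not part of the original post: it reads the locally supported versions from the s_client help text and tries each one against a host, classifying the result from the SSL-Session block. The help excerpt and the two s_client output fragments at the bottom are constructed samples for exercising the parsers offline, not captured output; the script assumes openssl is on PATH when run against a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Lists the SSL/TLS versions the
# local openssl s_client was built with and probes a server with each one.

# Extract -ssl3 / -tls1 / -tls1_1 / -tls1_2 / -tls1_3 from the help text.
# -ssl_config, -tlsextdebug and -no_tls1_x deliberately do not match.
parse_versions() {
    grep -oE '^ *-(ssl3|tls1(_[123])?) ' | tr -d ' ' | LC_ALL=C sort -u
}

# Versions this build supports. The help text is printed on stderr, hence
# 2>&1; both streams are kept so builds that print it to stdout work too.
local_versions() {
    openssl s_client -help 2>&1 | parse_versions
}

# Classify s_client output: a completed handshake prints an SSL-Session block
# with the negotiated Protocol and Cipher; a rejected version prints
# "Cipher : 0000" or no block at all.
handshake_result() {
    awk '
        /^ *Protocol *:/ { proto  = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (proto != "" && cipher != "" && cipher != "0000")
                print "ok " proto " " cipher
            else
                print "fail"
        }'
}

# Try every locally supported version against host:port. </dev/null makes
# s_client exit right after the handshake instead of waiting for input.
probe_host() {
    host=$1; port=${2:-443}
    for v in $(local_versions); do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" "$v" \
                   </dev/null 2>&1 | handshake_result)
        printf '%-8s %s\n' "$v" "$result"
    done
}

# Constructed samples (not captured from a real build or server): a help
# excerpt, the tail of a successful run and the tail of a rejected one.
HELP_SAMPLE=' -ssl_config val            Use specified section for SSL_CTX configuration
 -tls1_1                    Just use TLSv1.1
 -tls1_2                    Just use TLSv1.2
 -tls1_3                    Just use TLSv1.3
 -tlsextdebug               Hex dump of all TLS extensions received
 -no_tls1_2                 Just disable TLSv1.2'
SESSION_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3B2A'
SESSION_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh probe.sh example.com [443]   (the file name is arbitrary)
if [ $# -gt 0 ]; then
    probe_host "$@"
fi
```

Run it as "sh probe.sh {domain}" and you get one line per version, e.g. "-tls1_2  ok TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" or "-tls1    fail". A "fail" can also mean the server simply offers no cipher suite your client accepts for that version, so for a negative result worth reporting look at the raw s_client output for the alert it printed.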
Edited on: Mon, Mar 23, 2026 11:44. Posted in HowTo, System - Linux
Extracting a user keytab for krb5 authentication without passwords.
Posted on Thu, Mar 05, 2026 at 16:15 by Hubertus A. Haniel
WARNING - The keytab must be kept safe as it can be used as a key on other systems!
So the problem at hand: users that do not authenticate against AD, for example an SFTP job that logs in with an SSH key, or an application that runs in the background, never get a fresh Kerberos ticket. Once their ticket expires they can no longer access the NFS filesystem, but I need that filesystem mounted with Kerberos security so the traffic is encrypted (sec=krb5p), which means every access needs a valid credential. How can we keep them authenticated?
For this we use ktutil to create our own keytab (ktutil is an interactive shell):
Run ktutil to enter the shell
In the shell we run "addent -password -p <user>@<REALM> -k 2 -e aes256-cts-hmac-sha1-96 -f", which prompts for the user's password. "-k" is the key version number written into the keytab; 2 is just what this account had, and because the kvno increments on every password change the keytab has to be regenerated whenever the user's password changes. "-e" picks the encryption type; the account must be allowed to use it (for an AD account, AES has to be enabled on the account).
The "-f" flag fetches the salt from the KDC, so the key derived from the password is the same one kinit would derive. Without it ktutil uses the default salt (realm followed by the principal name), which is usually but not always what AD uses, so if kinit later fails with a pre-authentication error this is the first thing to check.
We can use "list -e" to view the result and then write it to a file with "wkt <filename.keytab>"
With "q" we can gracefully exit ktutil.
You should now be able to do a "kinit -kt <path to above created keytab> <user>@<REALM>". This is the real test: it only succeeds if the password, encryption type and salt in the keytab all match what the KDC has.
If that works, the keytab goes into /var/lib/gssproxy/clients/, where gssproxy picks it up when that UID accesses the filesystem. ONLY root should be able to read that keytab (mode 0600, owned by root), and the directory should be root-only as well. The file name has to match the cred_store template in the gssproxy configuration, not the login name: on RHEL8 /etc/gssproxy/99-nfs-client.conf uses client_keytab:/var/lib/gssproxy/clients/%U.keytab, and %U expands to the numeric UID, so the file is <numerical UID>.keytab rather than <user>.keytab. This also presumes the NFS client is actually going through gssproxy (rpc.gssd with use-gss-proxy set in the [gssd] section of /etc/nfs.conf on RHEL8) rather than talking to the KDC itself.
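The whole procedure as one script, added here as an example and not part of the original post. It assumes MIT krb5, whose ktutil reads the password from the line that follows "addent -password" when the commands are piped in, and the RHEL8 gssproxy layout (client_keytab:/var/lib/gssproxy/clients/%U.keytab); the user, realm and kvno in the usage line are placeholders, and the script has to run as root to install the result.

```shell
#!/bin/sh
# Added example, not from the original post: build a single-user keytab with
# ktutil, prove it against the KDC with kinit, and install it where gssproxy's
# nfs-client config looks (numeric UID, root-only). Assumes MIT krb5 and the
# RHEL8 cred_store template client_keytab:/var/lib/gssproxy/clients/%U.keytab.
set -eu

GSSPROXY_CLIENT_DIR=/var/lib/gssproxy/clients
ENCTYPE=aes256-cts-hmac-sha1-96

# %U in the cred_store template is the numeric UID, so the file is named
# after "id -u", never after the login name.
keytab_path() {
    printf '%s/%s.keytab\n' "$GSSPROXY_CLIENT_DIR" "$(id -u "$1")"
}

# The ktutil session as a script: the password goes on the line after
# "addent -password", where ktutil prompts for it; -f fetches the salt from
# the KDC so the derived key matches what kinit would derive.
# Arguments: user realm kvno password outfile
ktutil_script() {
    printf 'addent -password -p %s@%s -k %s -e %s -f\n%s\nlist -e\nwkt %s\nq\n' \
        "$1" "$2" "$3" "$ENCTYPE" "$4" "$5"
}

# Arguments: user REALM kvno. Prompts for the user's password on the terminal.
make_user_keytab() {
    user=$1 realm=$2 kvno=$3
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    keytab=$work/user.keytab   # wkt creates it; a pre-existing file would be appended to
    cache=$work/cc

    printf 'Password for %s@%s: ' "$user" "$realm"
    stty -echo; read -r password; stty echo; echo
    ktutil_script "$user" "$realm" "$kvno" "$password" "$keytab" | ktutil
    unset password

    # The only real test: kinit from the keytab against the KDC, in a scratch
    # cache so root's own ticket cache is left alone. Fails on a wrong
    # password, wrong salt or an enctype the account is not allowed to use.
    kinit -c "$cache" -kt "$keytab" "$user@$realm"
    klist -c "$cache"
    kdestroy -c "$cache"

    # Install root-only; the directory must not be readable by others either.
    mkdir -p "$GSSPROXY_CLIENT_DIR"
    chown root:root "$GSSPROXY_CLIENT_DIR"
    chmod 0700 "$GSSPROXY_CLIENT_DIR"
    install -m 0600 -o root -g root "$keytab" "$(keytab_path "$user")"
    klist -kte "$(keytab_path "$user")"
}

# Usage: sh make-keytab.sh <user> <REALM> <kvno>   (the file name is arbitrary)
if [ $# -eq 3 ]; then
    make_user_keytab "$@"
fi
```

The final "klist -kte" shows the installed entry with its kvno and enctype, which is what to compare when a user reports that NFS access stopped working after a password change: the keytab then has to be rebuilt with the new password and the incremented kvno.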
Edited on: Fri, Mar 06, 2026 14:06. Posted in HowTo, System - Linux