Security

Fingerprint

The first time you connect to bastion from a local client, you are shown the server's fingerprint. Please check this fingerprint. If you trust the fingerprint, the decision is saved. If the fingerprint changes afterwards, you get a warning. In that case, check the fingerprint again, and if you are in doubt, inform uco@desy.de and don't enter your password.
 

SSL certificate bastion.desy.de:

MD5 6E:1B:A8:B8:28:63:9C:C2:B6:26:0F:E0:80:1A:A0:AF
SHA1 8C:69:7C:40:7F:F5:17:68:38:EF:FF:7B:15:86:8F:04:2C:77:14:EF
SHA256 6C:36:80:03:FF:B9:E4:F1:72:62:4E:FC:75:87:DE:48:5B:2A:1B:12:FA:7F:36:95:F8:4E:FB:26:B1:5C:E6:AD
 

Check on your client side, e.g. with:

echo |  openssl s_client -connect bastion.desy.de:443 | \
 openssl x509 -fingerprint -sha256 -noout
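
The comparison can also be scripted instead of done by eye. This is an added example, not part of the original page or DESY's tooling: the function names are hypothetical, and the pinned value is the SHA256 fingerprint listed above. It fails closed, so a connection that yields no certificate never counts as a match.

```shell
#!/bin/sh
# Added example: compare `openssl x509 -fingerprint` output with a pinned value.
# PINNED_SHA256 is the SHA256 certificate fingerprint published on this page.
PINNED_SHA256='6C:36:80:03:FF:B9:E4:F1:72:62:4E:FC:75:87:DE:48:5B:2A:1B:12:FA:7F:36:95:F8:4E:FB:26:B1:5C:E6:AD'

# normalize_fp VALUE (hypothetical helper)
# Strips colons and whitespace and upper-cases the hex digits, so that
# differences in notation do not cause a false mismatch.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# verify_tls_fp EXPECTED (hypothetical helper)
# Reads the output of `openssl x509 -fingerprint -sha256 -noout` on stdin.
# Returns 0 on match, 1 on mismatch, 2 if no well-formed fingerprint was
# read (for example because the connection failed and stdin was empty).
verify_tls_fp() {
    expected=$(normalize_fp "$1")
    # Accept the label in either case and use the first matching line only.
    line=$(grep -i '^sha256 fingerprint=' | head -n 1)
    got=$(normalize_fp "${line#*=}")
    # Reject anything that is not pure hex.
    case "$got" in
        *[!0-9A-F]*) return 2 ;;
    esac
    # A SHA-256 digest is 32 bytes, i.e. exactly 64 hex digits.
    [ "${#got}" -eq 64 ] || return 2
    [ "${#expected}" -eq 64 ] || return 2
    if [ "$got" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Usage (needs network access, so it is left as a comment here):
#   echo | openssl s_client -connect bastion.desy.de:443 2>/dev/null \
#     | openssl x509 -fingerprint -sha256 -noout \
#     | verify_tls_fp "$PINNED_SHA256"
#   echo "exit status: $?"
```

Any exit status other than 0 should be treated like the warning described above: check again and do not enter your password.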
 

SSH RSA fingerprints & ASCII art visual host key

MD5 9f:41:fc:27:78:8e:a5:9f:64:cf:ca:38:d8:fe:19:2a
 
+---[RSA 1024]----+
|                 |
|         .       |
|          o      |
|         . o     |
|        S o = .  |
|         . O o   |
|         o= =    |
|        E oB *   |
|         o+oB.o  |
+------[MD5]------+
SHA1 4dc1cDnZoPjW22MiAB19Yu/khS4
 
+---[RSA 1024]----+
|         .. . o= |
|        . .= =+ .|
|       ...o = +. |
|       ... o * o |
|        S.. O o  |
|         ..E + o |
|           ....o.|
|            . o .|
|                 |
+-----[SHA1]------+
SHA256 WbkI/Ko+FdCbIAVn6ky2odyWxCvCL3+5XqWSZQ6PynE
                 
+---[RSA 1024]----+
|  .o+.           |
|  o+o..    .     |
|  =+ ooo  o      |
|o*ooo +o + .     |
|o++= . +S..      |
|. +   X.o        |
| . o Eo=         |
|  + =+o          |
|   ==+.          |
+----[SHA256]-----+

				

Check on your client side, e.g. with:

ssh -o VisualHostKey=yes -o FingerprintHash=sha256 bastion.desy.de  
 

Certificate

If you plan to use DESY web services, it is recommended to install the DESY SSL certificate chain in your browser.
 
T-TeleSec GlobalRoot Class 2
DFN-Verein Global Issuing CA
DFN-Verein Certification Authority 2
 
We configured the service so that you only need the "Telekom Root Certificate", which ships with all common web browsers. If it is missing, you get a warning. In this case you can check the certificate at http://www-ca.desy.de/certificates/index_eng.html and whether the computer is trustworthy. If you are in doubt, inform uco@desy.de and don't enter your password.
 
Normally it should be enough to just follow the link; your browser will offer to install the certificates. It might be necessary to download the certificates and import them. For further information, please ask the UCO.