James Hodgkinson
@yaleman
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it separate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.
Need to make the password/account policy stuff to handle that
IIRC there is an account policy issue already open if you want to brain dump some of your ideas there later?
James Hodgkinson
@yaleman
yeah
Triss Healy
@trissylegs
Annoying with the UID >= 1000 is some AUR packages (i.e. not maintained by users) make users with useradd during install (standard packages use systemd-sysusers)
A problem I spent a while cleaning up yesterday
I wonder if I can make a hook that checks if a package I'm about to build does it so I can fix it myself first.
Firstyear
@Firstyear
You don't need the >=1000 check
it's optional
Georg
@georg.hofmann:matrix.org
[m]
Survey completed. Could you let us know if the results are available?
@trissylegs are you still struggling with Pam to login? Did not fully get it here. I had a quick look into your system-auth and think Pam_kanidm.so was missing in the session section. If you want I can share mine, also using Arch.
Best wishes
Firstyear
@Firstyear
Thank you! The results will be out in a few weeks, I'm leaving it open for 4 weeks
just to be sure it gets plenty of time etc.
Triss Healy
@trissylegs
So today I got a new SSD and I formatted it with ZFS. ZFS has good subvolumes (named datasets). You can set an encryption key per dataset. So I made my home directory a dataset and set a passphrase key that matches my password.
Then did some PAM magic and now it will only decrypt my home directory on login.
https://blog.trifork.com/2020/05/22/linux-homedir-encryption/
They mention that you can't login with public keys because ~/.ssh/authorized_keys is missing. But for kanidm that is fine. Because it gets the key from kanidm anyway. But, it won't have a password to decrypt the drive :/. I suppose the same goes for gnome-keyring. But that doesn't decrypt via ssh anyway (Probably for the same reason)
*today is now yesterday
Georg
@georg.hofmann:matrix.org
[m]
Cool. I have zfs as well and was thinking of home encryption. But not yet dared to start it. 🤣
Same for gdm, it only shows local users. But it will show once they logged in. I did a bit of research, I think also related to how sssd does it, I think this is a dbus issue or. Need to search again.
About my arch Pam. It was just a minimal change. Not as hardened as suggested by kanidm docs. Will share, once I am back at the machine.
Firstyear
@Firstyear
Honestly, I'm probably just overly opinionated here but I think that most machines are single-user, not multi-user so the concept of per-home drive or per-user encryption doesn't make sense to me because there is a 1:1 with the user and the system, so system wide encryption maps to the user anyway
Triss Healy
@trissylegs
Arch wiki simplifies the above to just home drive. Which is basically what I have set up. (And my safety user uses the same password)
The setup above to me is just a nicer version because you get the login screen before needing to decrypt anything. Which is kinda how macOS does it
Firstyear
@Firstyear
Yeah, macos does system wide encryption though.
It's just the user pw + disk pw is bound together
You could do similar with luks if you wrote a pam module for it.
But it would have issues with remote pw's
James Hodgkinson
@yaleman
it's all fine as long as your stuff's backed up somewhere so when some overly touchy random PAM thing bins your stuff you can recover
Firstyear
@Firstyear
lol yeah
But linux backup tools are a bit of a wasteland ....
Georg
@georg.hofmann:matrix.org
[m]
Yeah, backups. I have recently switched to kopia and really like it. It's worth having a look, I would say.
Triss Healy
@trissylegs
So for now I'm just going to auto decrypt my /home on boot. It'll just have the option to change it later
My current backup is Déjà Dup to my NAS and my NAS is using duplicacy [sic] to b2. Although I'm not happy with duplicacy
Georg
@georg.hofmann:matrix.org
[m]

I was using duplicati which is AFAIK very similar to duplicacy. But was also not super happy. Finally I tried to restore from a different machine and this failed after 4 days and 3 retries. 😵

BTW kopia also supports b2 as storage backend

Triss Healy
@trissylegs
It does look nice
Georg
@georg.hofmann:matrix.org
[m]
On home enc: yes mostly 1:1 true. But IMHO the super correct way of doing this would be per user home (i.e. zfs dataset)
I found some scripts doing this but have not tried so far.