Firstyear
@Firstyear
it's optional
Georg
@georg.hofmann:matrix.org
[m]
Survey completed. Could you let us know if the results are available?
@trissylegs are you still struggling with PAM to login? Did not fully get it here. I had a quick look into your system-auth and think pam_kanidm.so was missing in the session section. If you want I can share mine, also using Arch.
Best wishes
Firstyear
@Firstyear
Thank you! The results will be out in a few weeks, I'm leaving it open for 4 weeks
just to be sure it gets plenty of time etc.
Triss Healy
@trissylegs
So today I got a new SSD and I formatted it with ZFS. ZFS has good subvolumes (named datasets). You can set an encryption key per dataset. So I made my home directory a dataset and set a passphrase key that matches my password.
Then did some PAM magic and now it will only decrypt my home directory on login.
https://blog.trifork.com/2020/05/22/linux-homedir-encryption/
They mention that you can't login with public keys because ~/.ssh/authorized_keys is missing. But for kanidm that is fine, because it gets the key from kanidm anyway. But, it won't have a password to decrypt the drive :/. I suppose the same goes for gnome-keyring. But that doesn't decrypt via ssh anyway (probably for the same reason)
*today is now yesterday
Georg
@georg.hofmann:matrix.org
[m]
Cool. I have zfs as well and was thinking of home encryption. But not yet dared to start it. 🤣
Same for gdm, it only shows local users. But it will show once they've logged in. I did a bit of research, I think it's also related to how sssd does it, I think this is a dbus issue or so. Need to search again.
About my Arch PAM. It was just a minimal change. Not as hardened as suggested by the kanidm docs. Will share once I am back at the machine.
Firstyear
@Firstyear
Honestly, I'm probably just overly opinionated here, but I think that most machines are single-user, not multi-user, so the concept of per-home drive or per-user encryption doesn't make sense to me because there is a 1:1 between the user and the system, so system-wide encryption maps to the user anyway.
Triss Healy
@trissylegs
Arch wiki simplifies the above to just the home drive. Which is basically what I have set up. (And my safety user uses the same password)
The setup above to me is just a nicer version because you get the login screen before needing to decrypt anything. Which is kinda how macOS does it
Firstyear
@Firstyear
Yeah, macos does system wide encryption though.
It's just the user pw + disk pw is bound together
You could do similar with luks if you wrote a pam module for it.
But it would have issues with remote pw's
James Hodgkinson
@yaleman
it's all fine as long as your stuff's backed up somewhere so when some overly touchy random PAM thing bins your stuff you can recover
Firstyear
@Firstyear
lol yeah
But linux backup tools are a bit of a wasteland ....
Georg
@georg.hofmann:matrix.org
[m]
Yeah, backups. I have recently switched to kopia and really like it. It's worth having a look, I would say.
Triss Healy
@trissylegs
So for now I'm just going to auto decrypt my /home on boot. It'll just have the option to change it later
My current backup is Déjà Dup to my NAS, and my NAS is using duplicacy [sic] to b2. Although I'm not happy with duplicacy
Georg
@georg.hofmann:matrix.org
[m]

I was using duplicati which is AFAIK very similar to duplicacy. But was also not super happy. Finally I tried to restore from a different machine and this failed after 4 days and 3 retries. 😵

BTW kopia also supports b2 as storage backend

Triss Healy
@trissylegs
It does look nice
Georg
@georg.hofmann:matrix.org
[m]
On home enc: yes mostly 1:1 true. But IMHO the super correct way of doing this would be per user home (i.e. zfs dataset)
I found some scripts doing this but have not tried so far.
Firstyear
@Firstyear
Yeah duplicity is really unreliable and slow, would not recommend.
@georg.hofmann:matrix.org But per-user home implies a multi-user machine, and that's really rare. These days most computers 1 to 1 map from their own to the only user on that system.
Similar to phones/tablets
Triss Healy
@trissylegs
duplicity != duplicacy. Duplicacy is a lot faster but isn't free. (Well, the restore program is free and open source... which is good)
It's also kinda annoying getting things that run on arm32. (Partly why I'm going to change my NAS to amd64)
The main multi-user PC I've used was the family PC. Now I don't think many families do that much... and they're probably not using per-user disk encryption
James Hodgkinson
@yaleman
I've been using duplicacy and it works pretty well
it's free if you don't want all the management tooling
Tasqa
@Tasqa:matrix.org
[m]
Got tired of borg needing server side stuff. Finally able to just drop chunks on B2 instead of having to deal with a remote server and upkeep
Also, hi 👋
I've been following the project for a year and a half. But only now found the channel and have a working matrix client again
Firstyear
@Firstyear
@Tasqa:matrix.org Hi there! Great to have you here :)
quite a few of us in the channel are Australian so we may be slow to respond.
Georg
@georg.hofmann:matrix.org
[m]
Tasqa Hi, nice to have you here.
Firstyear
@Firstyear
@georg.hofmann:matrix.org Are you still doing arch packages for kani?
Next release is oct 1st, so a couple of days time as a heads up.
Georg
@georg.hofmann:matrix.org
[m]
Yes, I will do.
Firstyear
@Firstyear
Awesome! Tomorrow (29th) is Kanidm's birthday (3 yrs old!) so I'll probably start making the Oct 1st releases the "birthday" release
Georg
@georg.hofmann:matrix.org
[m]

Nice, looking forward to it.

I hope to find some time to contribute a bit again....

Firstyear
@Firstyear
All good! Whenever you get time is good :)
Tasqa
@Tasqa:matrix.org
[m]
haha, hooray timezones
might you be the firstyear that worked on 389-ds and wrote a blogpost about new ideas in 2018? 👀
Firstyear
@Firstyear
@Tasqa:matrix.org The one and the same :)
And I still work on 389-ds today
Georg
@georg.hofmann:matrix.org
[m]
A (delayed) happy birthday kanidm! 🥳💫