@mwlucas largely agree. Have you seen orville? Especially seasons 2 and 3. Especially season 3

@phessler That's all I got then. There is one additional caveat: the Redis security is tripped by accessing via remote hosts; I got tripped up by it because FreeBSD jails make 127.0.0.1 act a bit weird, so it thought local was remote... so if it is a different host, it's possible host 1 (local) has access and host 2 (remote) does not... but that's all I got ☹️

@phessler New versions of Redis require authentication. I just ran into this on my instance. You can disable auth in the config (shame!!) or you can configure it; I don't remember the steps off the top of my head, but google 🙂
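An added example to go with the two Redis replies above (it is not code from the original posts or from the Redis project): a small Python audit of a redis.conf that reports whether bind, protected-mode and requirepass leave the instance reachable by remote clients, with a weak config beside a hardened one. The config snippets are constructed, and the protected-mode semantics are taken from the Redis config documentation as an assumption. It only reads the file, so it cannot see the jail address rewriting described in the reply above; that has to be checked by connecting from the other host.

```python
"""Audit a redis.conf for how far the instance is exposed to remote clients.

Added example for this thread; not code from the original posts or from the
Redis project. The config texts at the bottom are constructed. Assumed
semantics (from the Redis config documentation):
  * protected-mode yes + no password on the default user: Redis answers
    non-loopback clients with a DENIED error instead of serving them;
  * a bind list containing only loopback addresses never reaches a remote
    client at all;
  * the last occurrence of a directive wins.
"""
import ipaddress


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists seen,
    in file order, so callers can apply the last-one-wins rule."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def is_loopback(addr):
    """True for 127.0.0.1, ::1 and localhost. A leading '-' (Redis 7 marker
    for an address that may be absent) is ignored."""
    addr = addr.lstrip("-")
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*', hostnames and anything odd count as non-loopback


def audit(text):
    """Return a dict describing the exposure implied by the config."""
    d = parse_redis_conf(text)

    def last(name, default):
        return d[name][-1] if d.get(name) else default

    bind = last("bind", ["*"])  # no bind line: listen on every interface
    protected = last("protected-mode", ["yes"])[0].lower() == "yes"
    requirepass = last("requirepass", [""])
    password_set = bool(requirepass) and requirepass[0] not in ("", '""')
    # ACL 'user default ...' lines can add a password (>pw or #hash) or strip
    # it again with nopass; treating them as overriding requirepass is an
    # approximation of how Redis merges the two.
    for args in d.get("user", []):
        if args and args[0] == "default":
            has_secret = any(a.startswith((">", "#")) for a in args)
            password_set = has_secret and "nopass" not in args
    remote_reachable = any(not is_loopback(a) for a in bind)

    if not remote_reachable:
        verdict = "loopback only"
    elif password_set:
        verdict = "remote, authenticated"
    elif protected:
        verdict = "remote clients refused by protected mode"
    else:
        verdict = "EXPOSED: remote clients get unauthenticated access"
    return {"bind": bind, "protected_mode": protected,
            "password_set": password_set, "verdict": verdict}


# Constructed sample configs (not from any real deployment).
WEAK_CONF = """
# auth 'disabled' the easy way: listen everywhere, protected mode off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# reachable from a second host (192.0.2.10 is a documentation address),
# but only with a password
bind 127.0.0.1 -::1 192.0.2.10
protected-mode yes
requirepass correct-horse-battery-staple
"""

DEFAULT_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
"""

PROTECTED_NO_BIND = """
protected-mode yes
"""

if __name__ == "__main__":
    for label, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                        ("default", DEFAULT_CONF), ("no bind", PROTECTED_NO_BIND)]:
        print(f"{label:>9}: {audit(conf)['verdict']}")
```

The "no bind" case is the one the replies above describe: with protected mode on and no password, a client that Redis sees as non-loopback gets refused, which is exactly what a jailed 127.0.0.1 looks like from the server's side.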

Hmm... the latest Mastodon server seems to crash (reliably) Amaroq. Guess it is the official iOS app then... it was a good run, Amaroq! @eurasierboy

Yeah... and Sidekiq is working again too 🤦‍♂️ ... self-inflicted injury

@cynicalsecurity @kurtm

That was definitely my first impression of Kerberos too... like "things need to VOLUNTARILY check this... that isn't security!" And that is true-ish for local things; Emacs isn't going to check this before it opens a file.

What it does for me, though, is mean I can SSH (and not even need to manage host keys!), or Git, or email, or web pages, and NOT need to store my plaintext-equivalent password in all of those places. Is it overkill for me? Almost certainly yes!

@kurtm @cynicalsecurity

Disclosure: I wrote the MIT Kerberos implementation of the RC4-HMAC Windows interoperability crypto system... so I am a huge fanboi of Kerberos, and MIT Kerberos specifically ;)

@kurtm @cynicalsecurity

Honestly, that felt like a knee-jerk reaction (LibreSSL)... and even more so with Heimdal. Both of those projects get EXTENSIVE scrutiny by being used in so many places and looked at by security researchers and even government agencies... which, yes, that last group definitely has a complicated history with disclosure.

There's this bit too with keeping the GSSAPI key exchange code out of OpenSSH... but at least this is consistent if they yoinked Heimdal.

@cynicalsecurity

3. Lots of things just expect LDAP for this and natively integrate: things like Redmine, Trac, etc. (see also account-adjacent information). Without LDAP, each one of these winds up having its own separate user DB that then needs to be managed separately.

That's it, I promise!

@cynicalsecurity

2. There's an ever-growing amount of "account-adjacent" information that needs to be coordinated. I use it for the Kerberos keys themselves (so I actually don't have a separate KDC database; the KDC uses LDAP), and the KDC then throws a bunch of other information onto the account that it actually cannot even do with its native DB.

2/3

@cynicalsecurity Wow, removed in 5.6, TIL (2014)... listed as improving security; curious to hear more about that.

LDAP: great question, and yeah, to be totally honest it is (at best) an awkward fit with the Unix philosophy. Really it comes down to a few things.

1. There really isn't anything else to securely distribute this information.

1/2

@cynicalsecurity So I use both Kerberos and LDAP at home; in fact I have 3 separate Kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity, and LDAP has its issues, but it works pretty well together. I am happy to give pointers and how-tos. My setup tends to be a bit BigIron ™️

This is worth sharing.

It's an animated GIF where every frame is a valid QR code that leads to the "Never Gonna Give You Up" rickroll.

That's kind of amazing.

nitter.net/zackfreedman/status

Cross Family's Mastodon