David Cross @david@mastodon.crossfamilyweb.com
- OS
- FreeBSD
- Database
- PostgreSQL
FreeBSD enthusiast and regular contributor. I have opinions!
Joined Apr 2017
Every so often mastodon federation seems to stop, and I need to make a post to see certain servers again...
@a2_4am Hello, huge fan of your efforts. Just learned you moved over to mastodon (yes, I am behind the times, but I don't use twitter much anymore either!) anyway, welcome and thank you!
@mwlucas largely agree. Have you seen orville? Especially seasons 2 and 3. Especially season 3
@phessler That's all I got then. There is one additional caveat, the redis security is tripped by accessing via remote hosts; I got tripped up by it because freebsd jails make 127.0.0.1 act a bit weird, so it thought local was remote... so if it is a different host its possible host 1 (local) has access and host 2 (remote) does not... but that's all I got ☹️
@phessler new versions of redis require authentication. I just ran into this on my instance. You can disable auth in the config (shame!!) or you can configure it; I don’t remember the steps off of the top of my head, but google 🙂
Hmm... latest mastodon server seems to crash (reliably) amaroq. Guess it is the official iOS app then... it was a good run amaroq! @eurasierboy
yeah.. and sidekiq is working again too 🤦♂️ .. self inflicted injury
omg... upgrade successful!
That was definitely my first impression of kerberos too.. Like 'things need to VOLUNTARILY check this..that isn't security!' And that is true-ish for local things, like emacs isn't going to check this before it opens a file.
What it does for me though is means I can SSH (and not need to manage host keys even!), or GIT, or email, or webpages and NOT need to store my plaintext equivalent password all of those places. Is it overkill for me? almost certainly yes!
Disclosure: I wrote the MIT Kerberos implementation of the RC4-HMAC windows interoperability crypto system... so I am huge fanboi of Kerberos, and MIT Kerberos specifically ;)
Honestly, that felt like a knee-jerk reaction (libressl).. and even more-so with Heimdal. Both of those projects get EXTENSIVE scrutiny by being used so many places and looked at by security researchers and even government agencies.. which yes.. that last group definitely has a complicated history with disclosure.
There's this bit too with keeping the GSSAPI KeyExchange code out of openssh... but at least this is consistent if they yoinked Heimdal.
3. lots of things just expect LDAP for this and natively integrate. Things like redmine, trac, etc (see also account adjacent information). Without LDAP each one of these winds up having its own separate user db that then needs to be managed separately.
That's it, I promise!
2. There's an ever-growing amount of 'account adjacent' information that needs to be coordinated; I use it for the kerberos keys themselves (so I actually don't have a separate KDC database, the KDC uses LDAP), the KDC then throws a bunch of other information onto the account that it actually cannot even do with its native DB
2/3
@cynicalsecurity wow, removed in 5.6, TIL (2014).. listed as improving security; Curious to hear more about that.
LDAP; great question, and yeah to be totally honest it is (at best) an awkward fit with the Unix philosophy. Really it comes down a few things.
1. There really isn't anything else to securely distribute this information.
1/2
@cynicalsecurity So I use both Kerberos and LDAP at home, in fact I have 3 separate kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity and LDAP has its issues, but it works pretty well together. I am happy to give pointers and howtos. My setup tends to be a bit BigIron ™️
David Cross
boosted
This is worth sharing.
It's an animated GIF where every frame is a valid QR code that leads to the "Never Gonna Give You Up" rickroll.
That's kind of amazing.
- OS
- FreeBSD
- Database
- PostgreSQL
FreeBSD enthusiast and regular contributor. I have opinions!
Joined Apr 2017
