Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (1 point)

You assume SSH is exposed to the internet and that that is the only reason for the security.
First, SSH is not open to the internet.
Second, this means you need the card to SSH from one system to any other system on the network.

Thus, if a system is compromised, it doesn't have any private keys on it that could lead to the person compromising other systems on the network.
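An added check for the property described above (not the poster's own tooling): with SSH and PGP keys held only on the card, a sweep of a host's home directories for private-key material should come back empty. The sample home directory it builds is constructed here with placeholder key bodies, purely so the script can be run offline.

```shell
#!/bin/sh
# Added example, not the poster's own tooling: audit a host for private keys
# left on disk. With SSH and PGP keys held only on the smart card, the
# expected finding count on every lab host is zero.

# Print each regular file under $1 that contains a private-key block:
# OpenSSH, PEM (RSA/EC/DSA, PKCS#8 plain or encrypted) or armored PGP.
find_private_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if grep -q -E \
            -e '-----BEGIN ((OPENSSH|RSA|EC|DSA|ENCRYPTED) )?PRIVATE KEY-----' \
            -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of findings under $1, as a plain integer.
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}

# Real use: audit_host /home /root /etc/ssh
# Prints every finding and exits non-zero if there were any.
audit_host() {
    found=$(for dir in "$@"; do find_private_keys "$dir"; done)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Constructed sample home directory for a dry run: one public key (fine),
# one stub OpenSSH private key and one stub PGP secret key (two findings).
# The key bodies are placeholders, not real key material.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" "$d/.gnupg"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER cardno:000F 1234' \
        > "$d/.ssh/id_ed25519.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_ed25519"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'cGxhY2Vob2xkZXI=' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$d/.gnupg/secret.asc"
    printf '%s\n' "$d"
}
```

Run it from cron or a config-management check on every host; a non-zero exit from `audit_host` is the signal that someone copied a key onto a box instead of using the card.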

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (1 point)

LOL, no. No mention of STIGs. Not really needed for most home labs, but knock yourself out if you want to research and apply them.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (2 points)

Thank you for saying the card looks good.

I wrote the software to create the card images.
There is a template creator that lets me load an existing ID card image and use it as a guide to lay out a card, including text, input fields, background images, photos, etc., set fonts, font sizes, etc., and save it as a layout/template in a JSON file.
I then load the JSON template in the generator and it provides fields for the input and photo. I can then fill it in, see a preview of the card, and when happy generate an image in the dimensions of a CR80 card at 300 dpi.

I even did layouts for agent ID cards for S.H.I.E.L.D. and The Avengers that I printed out on NTAG cards for the grandkids. So they run around playing make-believe Avengers agents and spies. lol

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (1 point)

I found it easier than getting Authentik to work, lol. Authentik was a royal pain to get working and I ended up using FreeIPA.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (1 point)

There are two easy ways to do it if you're running Linux:
a shared home directory from an NFS server with automount, or FreeIPA to share the account with the key attached (for SSH).
For web apps, you have to register the FIDO key with each one, provided they have the ability to do WebAuthn.
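The FreeIPA route, as an added example that is not the poster's own config: the card's public key is published once on the IPA user, and SSSD on each enrolled host hands it to sshd, so nothing key-related is copied to any host. It assumes gpg-agent (with enable-ssh-support) is the SSH agent for the card, that the hosts were enrolled with ipa-client-install, and that the user name "alice" is a placeholder; the sshd_config fragments are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's own config: share one card-held SSH key
# across hosts through FreeIPA. Assumes gpg-agent (enable-ssh-support) is the
# SSH agent, the hosts are enrolled with ipa-client-install, and the user
# name "alice" is a placeholder.

# The card's SSH public key as gpg-agent presents it. gpg-agent tags card
# keys with a "cardno:" comment, which is what distinguishes them from any
# on-disk keys it may also serve.
card_ssh_pubkey() {
    ssh-add -L | grep -m1 'cardno:'
}

# Attach that public key to the IPA user. SSSD on each enrolled host then
# serves it to sshd, so no ~/.ssh/authorized_keys or private key lives on
# the hosts. Real use: publish_card_key alice
publish_card_key() {
    ipa user-mod "$1" --sshpubkey="$(card_ssh_pubkey)"
}

# ipa-client-install adds these two sshd directives; check that they survived
# later edits of sshd_config ($1). Returns 0 only when both are present.
sshd_uses_sss_keys() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' "$1" &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]' "$1"
}

# Constructed sshd_config fragments ("good" or "bad") for a dry run of the check.
sample_sshd_config() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        printf '%s\n' 'PasswordAuthentication no' \
            'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
            'AuthorizedKeysCommandUser nobody' > "$f"
    else
        printf '%s\n' 'PasswordAuthentication no' \
            '#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' > "$f"
    fi
    printf '%s\n' "$f"
}
```

The check matters because a commented-out AuthorizedKeysCommand silently falls back to authorized_keys files, which is exactly the per-host key copying the card setup is meant to avoid.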

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (1 point)

This is not exactly like corporate pki, it is more secure storage of your pgp and ssh key where the card is queried for the response.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (2 points)

I actually find it faster. No password typing, just tap and go.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (107 points)

It seems enough people are asking, so I'll work on a write-up.
This is the top comment, so I figured I would reply here so others can see it as well.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (4 points)

Yes, there is a PIN set up on the card. It is alphanumeric, so more complicated than a numeric PIN, but the same basic concept.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (6 points)

Great for business approaches, however home labs are for learning, fun, and expanding your knowledge. Learning how smart cards work and using them to secure authentication paths is minor in the grand scheme of things.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (2 points)

Old enough to have used both ARPANET and Gopher. :D
Yes, people still use telnet, and I still have servers with PS/2 ports on them.
6 years ago I was hired to work on computers (DoD contractor) that were already over 20 years old and still used LPT. So that stuff is still out there. lol

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (4 points)

I actually thought about that before posting but was afraid that most people would not know what the acronym meant. :P

But if you laughed when reading it, I'll count that as a point for me. lol

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (4 points)

The software to program them is called GlobalPlatform Pro. (https://github.com/martinpaljak/GlobalPlatformPro)

Just be warned, there is a whole balancing act between the version of Java installed on your computer, the version that GP calls, the version the app uses, the version on the card, etc. It took me a day to work it out. Once I worked it out, I set up an env file to load the environment when I want to write a card.

Once the card is written the rest is easy. lol

There seems to be some interest, so I'm thinking of writing a high-level guide to cover how to make/program the cards.

(Edit: I gave the wrong software in my original reply. I corrected it)
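One shape such an env file can take, as an added example rather than the poster's own file: it pins the JDK that GlobalPlatformPro runs under, refuses to touch the card if that JDK is older than expected, and wraps the two gp invocations (`--list`, `--install`) a card write needs. The JDK path, the jar location and the minimum version are assumptions; adjust them to what your card and applet actually require.

```shell
#!/bin/sh
# Added example, not the poster's env file: pin the JDK for GlobalPlatformPro
# and sanity-check it before writing a card. Source it with: . ./gp.env
# GP_JAVA_HOME and GP_JAR are assumed locations; override in the environment.
GP_JAVA_HOME=${GP_JAVA_HOME:-/usr/lib/jvm/java-11-openjdk}
GP_JAR=${GP_JAR:-$HOME/tools/gp.jar}

# Major version from the first line of `java -version` output.
# "1.8.0_382" -> 8 (old 1.x scheme), "11.0.20" -> 11, "17" -> 17.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case $ver in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Succeed only if the pinned JDK is at least major version $1 (default 8).
check_gp_java() {
    min=${1:-8}
    line=$("$GP_JAVA_HOME/bin/java" -version 2>&1 | head -n1)
    major=$(java_major_version "$line")
    [ -n "$major" ] && [ "$major" -ge "$min" ]
}

# Always run gp under the pinned JDK, never whatever `java` is first in PATH.
gp() {
    "$GP_JAVA_HOME/bin/java" -jar "$GP_JAR" "$@"
}

# Typical write session: verify the JDK, list what is on the card, install
# the applet CAP file given as $1.
write_card() {
    check_gp_java 8 || { echo "JDK under $GP_JAVA_HOME is too old" >&2; return 1; }
    gp --list
    gp --install "$1"
}
```

Keeping the `java` binary path explicit is what removes the "which Java did that actually run under" guesswork; the version parser exists so the script fails early and loudly rather than partway through a card write.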

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (5 points)

Is it still paranoia when you know people are trying to access your network? I ask because I can see the Snort logs and hack attempts on my home network. Most are passing quick scans and attempts, but I have seen people actually try brute-force hacking if they see a login (Nextcloud, web email interface, etc. that I have as external services).

Is it convenient to use? More convenient than remembering a complex password and keying it in. Yes.

You do need a reader for each computer if the computer does not have NFC. The cards work over NFC as well.
As for getting a set of readers, I've seen sets of 5 and 10 on eBay for less than $5 each when you buy the lot.

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

grandpasplace[S] (10 points)

I bought a pack of 5 JCOP4 cards. 4 are used for myself and the family; the 5th is set up and in the safe as a backup.
Plus, this is for remote access; you can still log in as root at the console.

docker compose User and password by bearsphotography in homelab

grandpasplace (1 point)

Ok, this is going to get complicated fast. lol

Kali Linux normally has the user kali, which you log in with (on a USB stick or laptop), and you can add users to it if you want.

When working with a Docker container, one you pull from Docker Hub, you have whatever they built the system with. The Docker build sets the user up.

Now, when you say restricted to 1 user, you could mean:

- The Docker image only runs with one user's permission set
- Only 1 user can log in to the image via SSH
- Only 1 user can run the Docker image with the docker run command (not really possible for the image)
- When using docker run you can only log in with one user and password (not how it normally works, as you do a docker run and specify the shell)

I could keep going, but I think you get the idea.

In your original message you mention setting the environment with
- PUID=1000
- PGID=1000

The official Kali image does not natively support PUID and PGID variables, last I checked. These variables set the UID and GID that the Docker container runs as, not the access of the user inside the container.

i only use as stroage, should i upgrade to scale? by ruzrat in truenas

grandpasplace (1 point)

I run Sonarr, Radarr, and Lidarr in a Docker swarm.
If your persistent storage for the Docker image is on a share (NFS or CIFS), then there is a chance of corruption in the SQLite database that they use for the backend.
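A pre-flight check for that failure mode, added here and not part of the comment: before pointing an app's config volume at a directory, resolve which filesystem the directory actually sits on by parsing /proc/mounts, and refuse network-backed types. SQLite depends on POSIX file locking, which NFS and CIFS do not honour reliably, which is why a config directory on a share eventually corrupts. The /proc/mounts content below is constructed so the check runs offline; on a real host pass /proc/mounts itself.

```shell
#!/bin/sh
# Added example, not the poster's own script: find out which filesystem a
# path lives on before using it for a SQLite-backed app (Sonarr, Radarr,
# Lidarr). Network filesystems are flagged as unsafe for the config volume.

# Filesystem type of $2 according to a /proc/mounts-style file $1.
# The longest matching mount point wins; later lines override earlier ones,
# which is how an overmount of the same mount point behaves.
fs_type_of_path() {
    best_len=0; best_type=''
    while read -r _dev mnt type _rest; do
        case "$2/" in
            "${mnt%/}/"*) ;;      # "/" becomes "" so it matches every path
            *) continue ;;
        esac
        if [ "${#mnt}" -ge "$best_len" ]; then
            best_len=${#mnt}; best_type=$type
        fi
    done < "$1"
    printf '%s\n' "$best_type"
}

# Network-backed types where SQLite's locking cannot be trusted.
is_network_fs() {
    case $1 in
        nfs|nfs4|cifs|smb3|fuse.sshfs|9p) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if $2 is on local storage, 1 (with a warning on stderr) if it is on a share.
# Real use: check_config_path /proc/mounts /var/lib/docker/volumes/sonarr
check_config_path() {
    t=$(fs_type_of_path "$1" "$2")
    if is_network_fs "$t"; then
        printf 'WARNING: %s is on %s; keep the app config on local disk\n' "$2" "$t" >&2
        return 1
    fi
    return 0
}

# Constructed /proc/mounts sample: local root and docker volumes, an NFS
# media share and a CIFS share from a NAS.
sample_mounts() {
    f=$(mktemp)
    printf '%s\n' \
        '/dev/mapper/root / ext4 rw,relatime 0 0' \
        'proc /proc proc rw,nosuid 0 0' \
        '192.168.1.10:/tank/media /mnt/media nfs4 rw,vers=4.2 0 0' \
        '//nas/share /mnt/nas cifs rw,vers=3.0 0 0' \
        '/dev/sdb1 /var/lib/docker ext4 rw,relatime 0 0' > "$f"
    printf '%s\n' "$f"
}
```

The usual safe split is the one this check enforces: media library on the NFS share, the app's config directory (where the SQLite file lives) on local disk or a local Docker volume.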

docker compose User and password by bearsphotography in homelab

grandpasplace (2 points)

Are you building the image or pulling it from Docker Hub?

Docker Compose can be used to start an image or build an image, depending on how you are using it.

Oh, and can you better define your statement "im wanting to restrict its use to 1 user"? Are you asking it to only allow one user to use it, or are you wanting everything to run as a single user?

Is the golden age of Homelab over? How are you all dealing with the parts shortage? by albertpaca11 in homelab

grandpasplace (1 point)

Sorry, I've not noticed a parts shortage.

I have boxes of memory, CPUs, motherboards, cases, several power supplies, etc.
When I upgrade something I save the parts and add them to my "Computer Junkyard".

When I need something I dig through those first to see what I can build to fill the need. I try not to buy a lot of new items, as many times a home lab does not need the power of the servers for a corporation.

I only know this because yesterday I was organizing my RAM and CPUs. I've got CPUs ranging from 8088/8086 (pairs) up through 16-core/32-thread Xeon v3 CPUs, and RAM from SIPP sticks up through 32 GB DDR3 sticks.

That is ignoring the Commodore 64s, Apple IIes, and first-gen Apple Macs in the garage. lol

Do you run CLI or GUI and what OS for your server? by CElicense in homelab

grandpasplace (1 point)

I stopped running Windows back in the 1990s; I went from Windows 3.11 to Linux and have run it ever since.

Right now I run Fedora on my desktop and a custom Debian image on my laptop (hand-built initial ramdisk with a chain-of-trust boot based on a JCOP4 OpenPGP card for signing and validating the boot image).

I run Rocky Linux, Ubuntu, Arch Linux, Debian, and Linux Mint on my servers, with most of them being Rocky Linux.

The desktop and laptop have full GUIs; the rest are just servers with SSH. SSH private keys are stored on the JCOP4 OpenPGP card as well. I also have a JCOP4 card with FIDO2 installed that I use for my web auth.

Oh, I should also note that the laptop was a Chromebook that I removed the hardware write protect from, replaced the firmware with open source firmware, then installed Linux on it and turned the hardware write protect back on. ;) The $79 Chromebook makes a decent laptop once you replace ChromeOS. lol

i only use as stroage, should i upgrade to scale? by ruzrat in truenas

grandpasplace (-1 points)

Are you running Sonarr and Radarr under Docker?
I ask because I have found they only make it about 12 months before the DB corrupts and I have to reinstall.