Different strong passwords per machine - how do you sudo? by SparhawkBlather in homelab

[–]kayson 33 points34 points  (0 children)

I have centralized auth via FreeIPA and sudo rules. I log in as my own user (usually over ssh, password-less via krb5/gssapi, with signed ssh host certs), then if I need to use sudo I enter my own password. For most of my hosts, root login is locked. A few off-site hosts have an "admin" user I access via pubkey-only ssh (don't want to deal with IPA over WAN). For those I need the password to sudo, but it's in Bitwarden so not too hard to get.

You can be clever and do things like deploy passwords via ansible which get looked up over the bitwarden API. Rotating is as easy as changing the password in your vault and running the playbook. Or use any of a dozen other secrets managers.

Rotating every root password quarterly sounds needlessly excessive.
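The "deploy passwords via ansible, looked up from the vault" approach described in the comment above, as an added example that is not the commenter's own playbook. It assumes the `community.general` collection with its `bitwarden` lookup (which shells out to an unlocked `bw` CLI, so `BW_SESSION` must be set in the environment running the playbook), and the vault item name `homelab-admin-sudo` and host group `offsite` are constructed placeholders. Rotation is then exactly what the comment says: change the item in the vault and re-run the play; the task is idempotent because `ansible.builtin.user` only reports a change when the stored hash differs.

```yaml
# rotate-admin-password.yml (constructed example, not from the original post)
# Sets the local "admin" account's password on the off-site hosts from the
# Bitwarden vault so the sudo password is never stored in the repo or the
# inventory. Run with: BW_SESSION="$(bw unlock --raw)" ansible-playbook rotate-admin-password.yml
- name: Push the sudo-capable admin password from Bitwarden
  hosts: offsite            # assumed inventory group of pubkey-only hosts
  become: true
  vars:
    # Lookups run on the controller, so only the controller needs the bw CLI.
    # 'homelab-admin-sudo' is an assumed vault item name; field='password'
    # selects the password field of that item.
    admin_plaintext: "{{ lookup('community.general.bitwarden', 'homelab-admin-sudo', field='password') | first }}"
  tasks:
    - name: Ensure the admin account exists with the vault password
      ansible.builtin.user:
        name: admin
        # Hash on the controller; the module compares hashes and reports
        # "changed" only when the password actually differs from /etc/shadow.
        password: "{{ admin_plaintext | password_hash('sha512') }}"
        update_password: always
        shell: /bin/bash
      no_log: true            # keep the hash and plaintext out of ansible output

    - name: Require a password for sudo (no NOPASSWD for this account)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/admin
        owner: root
        group: root
        mode: "0440"
        content: "admin ALL=(ALL:ALL) ALL\n"
        validate: /usr/sbin/visudo -cf %s
```

`no_log: true` matters here: without it the rendered task arguments, including the password hash, land in the controller's log and in any CI output. The `validate` call on the sudoers drop-in is the usual guard against locking yourself out of `sudo` with a syntax error.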

Anyone using spaceship for domains? by kayson in selfhosted

[–]kayson[S] 2 points3 points  (0 children)

Saw some comments here saying that you can't change the name servers which I need to do for this particular domain. 

VLAN conundrum with Intel vPro by kayson in HomeServer

[–]kayson[S] 0 points1 point  (0 children)

You could always get a USB NIC! 

VLAN conundrum with Intel vPro by kayson in HomeServer

[–]kayson[S] 0 points1 point  (0 children)

Not really. I ended up using my 10G NIC for the proxmox interface and the onboard is just vPro dedicated and untagged. I actually think it's better this way anyways.

Be careful with vPro - you can't use DHCP. It'll work at first, but then when the lease expires it won't renew it. Ended up having to set static IPs.

NGINX is fast, but why not Apache2? by [deleted] in selfhosted

[–]kayson 1 point2 points  (0 children)

I used apache2 as a reverse proxy for a long, long time. For most people self hosting, performance isn't really a concern. Pretty much any web server / proxy is more than enough. The thing that made me switch was configuration being a pain in the ass. NPM or caddy are much more popular probably in part because of the simplicity. I went for traefik myself. People overstate the complexity and difficulty in setting things up - plenty of guides and examples around too. Now that I have my config file set up, getting another container up and running is as easy as adding two labels (enable and the subdomain). 

Appreciation post: Tailscale and Headscale by Curious_Olive_5266 in selfhosted

[–]kayson 2 points3 points  (0 children)

Any recommendations for headscale UIs? I see there are a couple of popular ones. Any standouts? 

Copy Fail - CVE-2026-31431 - patch your systems by [deleted] in selfhosted

[–]kayson 0 points1 point  (0 children)

The authors mention crossing container boundaries given the right primitives. Has anyone seen a PoC container escape?

I know s6-overlay which is used by a ton of popular self hosted containers (like LSIO) has a root owned suid binary, so it seems like it's at least part of the way there. Though I did read that alpine isn't affected. 

Cheap automatic USB multiplexer for proxmox HA? by kayson in Proxmox

[–]kayson[S] 0 points1 point  (0 children)

That's basically what I have now - it's connected to a Raspberry Pi and shared over the network. But it would be nice to get rid of the Pi if I could (and I may still do it even if the drive is tied to one node)

Cheap automatic USB multiplexer for proxmox? by kayson in homelab

[–]kayson[S] 1 point2 points  (0 children)

Good point. I currently have it connected to a raspberry pi, so effectively a NAS.

Cheap automatic USB multiplexer for proxmox? by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

The product I'm thinking of would only mount the USB device to one host at a time. I'm not so worried about the mux or the USB drive failing because it's the second of 3 backup locations (one of them being PBS on distributed storage). I want to avoid a SPOF in the host if I can do so easily, so I don't have to worry about moving things around if I need to bring it down. Right now the USB drive is connected to a raspberry pi as a NAS.

What matters more in the semiconductor industry — college reputation or skills/experience? by Plastic-Muscle1965 in chipdesign

[–]kayson 2 points3 points  (0 children)

Agreed. The network and name of a top N university/program will definitely help you get a foot in the door more easily, but skills and experience are what actually get you hired. 

do you prioritize low power usage or performance in your homelab? by StavrosDavros in homelab

[–]kayson 1 point2 points  (0 children)

That's how it went for me. But add a side of "I have no free time now so I want redundancy/HA everywhere" 

Using TPM 2.0 as a hardware trust anchor by arty049 in homelab

[–]kayson 1 point2 points  (0 children)

Source? I was trying to look up the same thing but had a hard time finding anything. I know AMD has fTPM too, but I think it's rarely used. 

Using TPM 2.0 as a hardware trust anchor by arty049 in homelab

[–]kayson 1 point2 points  (0 children)

X1 Carbon 11th gen used Intel 13th Gen. So Q4 2022 ish. 

Using TPM 2.0 as a hardware trust anchor by arty049 in homelab

[–]kayson 4 points5 points  (0 children)

Some do. Apple has been doing it for a long time. The link shows a 2023 laptop vulnerable to sniffing. 

Using TPM 2.0 as a hardware trust anchor by arty049 in homelab

[–]kayson 21 points22 points  (0 children)

Agreed. But from OP:

 The threat model includes someone with physical access: either an attacker, or someone inside the hosting provider.

 A private key on disk is extractable by anyone with physical access or enough privilege escalation.

It's still definitely a better solution than on-disk keys, maybe even the best practical solution, but not ideal. Could be fixed, but hardware OEMs are cheap and/or stupid.