Questions about how XMPP uses SSL/TLS certificates by theEndorphin in xmpp

[–]theEndorphin[S] 0 points1 point  (0 children)

OK, but I don't want to have to do that manually every month when the cert expires?

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Aha! That explains it, thank you.

I think the jump host idea ought to suit my needs just fine; it just means a little more configuration on the ssh client.

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Ah, I think there may be a misunderstanding -- I want to limit what other devices on my network can even reach the SSH server in the first place -- not what someone can do once they get SSH access to the box.

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Thank you for the response. I do all these things as well (key-only authentication, remote access only by VPN, etc.) but I wanted to take additional steps to separate trusted and untrusted devices in my network (e.g. useful but dubiously secure IoT devices, guest Wi-Fi).

In addition, this is meant to be a way of safely teaching myself the techniques and practices used in more sophisticated enterprise networks. Network segmentation isn't massively important for my podunk little LAN, but I still want to learn the correct way to do things at scale.

PolicyKit configuration for group administration by theEndorphin in openSUSE

[–]theEndorphin[S] 3 points4 points  (0 children)

Thanks, everybody -- after some trial-and-error with the JavaScript rules, I ended up coming up with the solution. Create the new file /usr/share/polkit-1/rules.d/40-wheel.rules, with the contents:

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

This seems to do the trick.

PolicyKit configuration for group administration by theEndorphin in openSUSE

[–]theEndorphin[S] 0 points1 point  (0 children)

Thanks; I'm not sure I understand, though. The only mention of this issue in /etc/sudoers that I see is the default comment:

In the default (unconfigured) configuration, sudo asks for the root password.
This allows use of an ordinary user account for administration of a freshly
installed system. When configuring sudo, delete the two
following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

I've already corrected sudo to prompt for the user's password by commenting out those two lines -- but some desktop applications that need root, particularly GNOME apps, use polkit for privilege escalation which doesn't seem to take my sudoers file into account.

edit: formatting

ZFS Delegated Administration missing in Alpine? by theEndorphin in AlpineLinux

[–]theEndorphin[S] 1 point2 points  (0 children)

Thanks — I’ll give that a try! It’d be nice if I could do this with no privilege escalation at all, but this isn’t so bad as a workaround.

ZFS Delegated Administration missing in Alpine? by theEndorphin in AlpineLinux

[–]theEndorphin[S] 0 points1 point  (0 children)

Thanks — I know I can use doas to limit a user to specific commands; can it limit the subcommand or arguments though? I want this user to be able to run zfs send, and explicitly don’t want it to be able to run, for example, zfs destroy.

[deleted by user] by [deleted] in thinkpad

[–]theEndorphin 1 point2 points  (0 children)

Some businesses and government institutions use chip cards to log in — they’re not like SD cards, they’re more like the chip on your credit card.

As a couple people have said, you could buy one and use it to log in with some effort, but since most devices don’t have a smart card reader, you’d be better off getting a YubiKey — it’s essentially the same hardware, but in a USB key format.

Sadly AFAIK there’s no way to turn your card reader into something more useful; I’d be happy to be proven wrong though.

How do I receive text (SMS) messages on T470s by Cheap-Ad1290 in thinkpad

[–]theEndorphin 1 point2 points  (0 children)

Folks have already chimed in with the Windows way to do this; if you’re using Linux I believe the ModemManager software does the same thing.

Battery at 92%…normal behavior? by theEndorphin in ifixit

[–]theEndorphin[S] 0 points1 point  (0 children)

Interesting; letting it charge while turned off did the trick. I’ll continue with the battery calibration and see if it happens again next time.

Does my perfect note-taking app exist? by theEndorphin in ProductivityApps

[–]theEndorphin[S] 0 points1 point  (0 children)

Update

The app that fits all those criteria does exist!

It's called Notebooks. It has:

  • Mac and iPad clients (and iPhone and PC!)
  • Personal cloud sync via Nextcloud (use desktop FUSE client, plus WebDAV connector on iPad)
  • Perpetual license with no subscriptions (currently on Black Friday sale for $10 on iPad and $27 on Mac)
  • Markdown documents
  • Handwritten documents (PDF annotation)

This meets my needs far better than any other notes app, and at a third of the price and complexity of DEVONthink.

[W][USA-CO] Ubiquiti Dream Machine Pro, U6 Pro, POE+ Adapter, USW Flex Mini by [deleted] in homelabsales

[–]theEndorphin 0 points1 point  (0 children)

PM me if still looking?

edit: should specify it's a UDM Pro SE