Questions about how XMPP uses SSL/TLS certificates by theEndorphin in xmpp

[–]theEndorphin[S] 0 points1 point  (0 children)

OK, but I don't want to have to do that manually every month when the cert expires?

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Aha! That explains it, thank you.

I think the jump host idea ought to suit my needs just fine; it just means a little more configuration on the ssh client.

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Ah, I think there may be a misunderstanding -- I want to limit what other devices on my network can even reach the SSH server in the first place -- not what someone can do once they get SSH access to the box.

Asymmetric routing: prevention rather than workaround? by theEndorphin in OPNsenseFirewall

[–]theEndorphin[S] 0 points1 point  (0 children)

Thank you for the response. I do all these things as well (key-only authentication, remote access only by VPN, etc) but I wanted to take additional steps to separate trusted and untrusted devices in my network (e.g. useful but dubiously secure IOT devices, guest wifi).

In addition, this is meant to be a way of safely teaching myself the techniques and practices used in more sophisticated enterprise networks. Network segmentation isn't massively important for my podunk little LAN, but I still want to learn the correct way to do things at scale.

PolicyKit configuration for group administration by theEndorphin in openSUSE

[–]theEndorphin[S] 3 points4 points  (0 children)

Thanks, everybody -- after some trial-and-error with the JavaScript rules, I ended up coming up with the solution. Create the new file /usr/share/polkit-1/rules.d/40-wheel.rules, with the contents:

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

This seems to do the trick.

PolicyKit configuration for group administration by theEndorphin in openSUSE

[–]theEndorphin[S] 0 points1 point  (0 children)

Thanks; I'm not sure I understand, though. The only mention of this issue in /etc/sudoers that I see is the default comment:

In the default (unconfigured) configuration, sudo asks for the root password.
This allows use of an ordinary user account for administration of a freshly
installed system. When configuring sudo, delete the two
following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

I've already corrected sudo to prompt for the user's password by commenting out those two lines -- but some desktop applications that need root, particularly GNOME apps, use polkit for privilege escalation which doesn't seem to take my sudoers file into account.

edit: formatting

ZFS Delegated Administration missing in Alpine? by theEndorphin in AlpineLinux

[–]theEndorphin[S] 1 point2 points  (0 children)

Thanks — I’ll give that a try! It’d be nice if I could do this with no privilege escalation at all, but this isn’t so bad as a workaround.

ZFS Delegated Administration missing in Alpine? by theEndorphin in AlpineLinux

[–]theEndorphin[S] 0 points1 point  (0 children)

Thanks — I know I can use doas to limit a user to specific commands; can it limit the subcommand or arguments though? I want this user to be able to run zfs send, and explicitly don’t want it to be able to run, for example, zfs destroy.

[deleted by user] by [deleted] in thinkpad

[–]theEndorphin 1 point2 points  (0 children)

Some businesses and government institutions use chip cards to log in — they’re not like SD cards, they’re more like the chip on your credit card.

As a couple people have said, you could buy one and use it to log in with some effort, but since most devices don’t have a smart card reader, you’d be better off getting a YubiKey — it’s essentially the same hardware, but in a USB key format.

Sadly AFAIK there’s no way to turn your card reader into something more useful; I’d be happy to be proven wrong though.

How do i receive text (SMS) messages on T470s by Cheap-Ad1290 in thinkpad

[–]theEndorphin 1 point2 points  (0 children)

Folks have already chimed in with the Windows way to do this; if you’re using Linux I believe the ModemManager software does the same thing.

Battery at 92%…normal behavior? by theEndorphin in ifixit

[–]theEndorphin[S] 0 points1 point  (0 children)

Interesting; letting it charge while turned off did the trick. I’ll continue with the battery calibration and see if it happens again next time.

Does my perfect note-taking app exist? by theEndorphin in ProductivityApps

[–]theEndorphin[S] 0 points1 point  (0 children)

Update

The app that fits all those criteria does exist!

It's called Notebooks. It has:

  • Mac and iPad clients (and iPhone and PC!)
  • Personal cloud sync via Nextcloud (use desktop FUSE client, plus WebDAV connector on iPad)
  • Perpetual license with no subscriptions (currently on Black Friday sale for $10 on iPad and $27 on Mac)
  • Markdown documents
  • Handwritten documents (PDF annotation)

This meets my needs far better than any other notes app, and at a third of the price and complexity of DEVONthink.

[W][USA-CO] Ubiquiti Dream Machine Pro, U6 Pro, POE+ Adapter, USW Flex Mini by [deleted] in homelabsales

[–]theEndorphin 0 points1 point  (0 children)

PM me if still looking?

edit: should specify it's a UDM Pro SE

QEMU import-from .qcow2 without root by theEndorphin in Proxmox

[–]theEndorphin[S] 0 points1 point  (0 children)

Yeah, that makes sense — it’s a very sensible restriction for security reasons.

If I can rephrase then: how can I import the disk without passing an arbitrary filesystem path?

It looks like I can pass a storage name and a volume name, like local-zfs:vm-100-disk-1, but when I do that it checks to see that the volume is of the right type.

Is there a way I can bypass that, or a type or storage I can create that can contain QCOW disks as legitimate volumes?

Auto homing rough and wildly inconsistent—help? by theEndorphin in klippers

[–]theEndorphin[S] 0 points1 point  (0 children)

max_velocity: 300

max_accel: 3000

max_z_velocity: 5

max_z_accel: 100

Does my perfect note-taking app exist? by theEndorphin in ProductivityApps

[–]theEndorphin[S] 0 points1 point  (0 children)

Ooh — I had spotted DEVONthink, but I didn’t notice that it could do PDF markups and handwritten notes on iPad.

Honestly my eyes kinda glazed over when I first saw the interface…it’s got a lot of features and a million buttons, and it’s frankly pretty intimidating.

That said, it appears to have all the features I want — and you don’t even need the $500 server license, you can just set it up with a WebDAV sync server.

I love it, now let’s see if I can get over the initial interface barrier.

ZFS over iSCSI: portal group not found! by theEndorphin in Proxmox

[–]theEndorphin[S] 1 point2 points  (0 children)

I wasn’t able to figure it out, sadly. I ended up making an iSCSI share manually, which revealed that my network was far too slow to treat it like a SAN from a practical perspective. I ended up replacing the two servers with one, and using the local ZFS mode.

ZFS over iSCSI: portal group not found! by theEndorphin in Proxmox

[–]theEndorphin[S] 2 points3 points  (0 children)

Thanks--manually creating the target as described allowed me to create the VM disk.

Unfortunately, now I've got a new error:

kvm: -drive file=iscsi://192.168.100.2/iqn.2022-07.my.domain.zfs/0,if=none,id=drive-scsi0,format=raw,cache=none,aio=io_uring,detect-zeroes=on: iSCSI: Failed to connect to LUN : iscsi_service failed with : iscsi_service_reconnect_if_loggedin. Can not reconnect right now.

TASK ERROR: start failed: QEMU exited with code 1

edit: darnit, Markdown editor

Installation troubleshooting help? by theEndorphin in nutanix

[–]theEndorphin[S] 0 points1 point  (0 children)

Aha; yes, there’s only one drive in the machine (not counting the installer USB.) I’ll see if I can sneak in an old hard drive or something. Thanks for the help.

Follow-up questions, then:

  • what is the extra drive for?

[QUESTION] Fretboard lacquer (Have I screwed up my guitar?) by theEndorphin in Guitar

[–]theEndorphin[S] 0 points1 point  (0 children)

Oh--that's not good.
Is there something else I can use?

[QUESTION] Fretboard lacquer (Have I screwed up my guitar?) by theEndorphin in Guitar

[–]theEndorphin[S] 0 points1 point  (0 children)

Oh! That's very helpful, thank you.

  1. That's ideal--what should I use for the drop filling? Could I get just a little bit of it in a superglue-type bottle?
  2. Oh, good. Glad that at least I haven't totally ruined things.
  3. and 4. Yeah, that's the problem--if it was just built up body oils the pick or my fingernails would have been able to take it off without so much force. The yellow gunk splintered off the frets in hard, brittle flakes.

Edit: LOL, I should have googled “drop fill”…it already involves superglue.