Selfhosted

54576 readers

793 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Why isn't using a key file the most common way to log into self-hosted servers? (pawb.social)

submitted 18 hours ago by Inkstainthebat@pawb.social to c/selfhosted@lemmy.world

29 comments fedilink hide all child comments

It's the first idea I had when it came to making sure login on my server is secure. Instead of having a small password that relies on my fallinble memory and may be also guessed in a not-completely-rodiculous amount of time.

Meanwhile a fairly small file, something like a 512 byte "user.key", to be uploaded along with your username, or even just having your username built-in, seems much safer.

I wanted to do some math but I could only find limited calculators for doing calculations with such big numbers so have the amount of possible combinations the file may have:

256^512

1,044,388,881,413,152,506,691,752,710,716,624,382,579,964,249,047,383,780,384,233,483,283,953,907,971,557,456,848,826,811,934,997,558,340,890,106,714,439,262,837,987,573,438,185,793,607,263,236,087,851,365,277,945,956,976,543,709,998,340,361,590,134,383,718,314,428,070,011,855,946,226,376,318,839,397,712,745,672,334,684,344,586,617,496,807,908,705,803,704,071,284,048,740,118,609,114,467,977,783,598,029,006,686,938,976,881,787,785,946,905,630,190,260,940,599,579,453,432,823,469,303,026,696,443,059,025,015,972,399,867,714,215,541,693,835,559,885,291,486,318,237,914,434,496,734,087,811,872,639,496,475,100,189,041,349,008,417,061,675,093,668,333,850,551,032,972,088,269,550,769,983,616,369,411,933,015,213,796,825,837,188,091,833,656,751,221,318,492,846,368,125,550,225,998,300,412,344,784,862,595,674,492,194,617,023,806,505,913,245,610,825,731,835,380,087,608,622,102,834,270,197,698,202,313,169,017,678,006,675,195,485,079,921,636,419,370,285,375,124,784,014,907,159,135,459,982,790,513,399,611,551,794,271,106,831,134,090,584,272,884,279,791,554,849,782,954,323,534,517,065,223,269,061,394,905,987,693,002,122,963,395,687,782,878,948,440,616,007,412,945,674,919,823,050,571,642,377,154,816,321,380,631,045,902,916,136,926,708,342,856,440,730,447,899,971,901,781,465,763,473,223,850,267,253,059,899,795,996,090,799,469,201,774,624,817,718,449,867,455,659,250,178,329,070,473,119,433,165,550,807,568,221,846,571,746,373,296,884,912,819,520,317,457,002,440,926,616,910,874,148,385,078,411,929,804,522,981,857,338,977,648,103,126,085,903,001,302,413,467,189,726,673,216,491,511,131,602,920,781,738,033,436,090,243,804,708,340,403,154,190,336

What am I missing? I assume I'm missing something, because the idea of something like this going over a lot of smart programmers and developers' heads does not sound right

you are viewing a single comment's thread
view the rest of the comments

[–] eksb@programming.dev 53 points 18 hours ago (1 children)

I think you are looking for SSH certificates.

[–] HelloRoot@lemy.lol 16 points 18 hours ago* (last edited 18 hours ago) (2 children)

I think OP is talking about auth in services that you selfhost.

For example elster.de forces you to sign in with one of the many passwordless methods, which includes: entering a username and uploading a cert file.

But most selfhosted services only have username/password logins (if any).

[–] jeena@piefed.jeena.net 15 points 18 hours ago* (last edited 18 hours ago) (1 children)

That sounds like a Passkey

[–] HelloRoot@lemy.lol 12 points 18 hours ago* (last edited 18 hours ago) (1 children)

It does sound like one, but it isn't. Ignoring the differences in UX:

Passkey

Per-service key pair, unique per domain, Identity bound only to that specific account on that site
Challengeresponse via WebAuthn
Trust anchored only in the target service (no external CA)
Private key sealed in OS / secure hardware keystore

Certificate login

Single global identity usable across many services
TLS client authentication with certificates
Trust established via certificate authorities and chain validation
Private key stored in exportable file or smartcard

[–] GreenCrunch@piefed.blahaj.zone 1 points 4 hours ago

Thanks for the explanation!

[–] Flipper@feddit.org 4 points 15 hours ago (1 children)

If a service doesnt offer Oidc, just dont self host it. The SSO service can then be properly secured and even if its only a password, at least its not reused.

[–] melmi@lemmy.blahaj.zone 4 points 14 hours ago

Just put everything that doesn't have OIDC behind forward auth. OIDC is overrated for selfhosting.