Aka csm10495 on kbin.social

  • 1 Post
  • 27 Comments
Joined 1 year ago
Cake day: June 8th, 2023

  • This is likely a too-late but reasonable moment to say this server happens to be Windows-based.

    … for backup reasons.

    (The tool used for online backup only allows home versions of Windows and local drives)

    One day if I build a new one, I might start with a Linux base, though that kind of requires this one to be on its last leg before I get to that point. It’s running a processor/mobo that are 14ish years old… so maybe I should think more about it.



  • I guess at the end of the day there is also a root of trust. In an enterprise setting, a system giving out certs could be compromised and give out certs to the wrong people/machines. In a home setting, the machine being compromised has a similar effect.

    Funny enough, I thought of using a USB stick or something as a physical security key, using that for a vault, then having secrets in the vault… but then realized I’d have to leave it plugged into the server, making it so anyone with server access would get the password anyways.

    Makes me think that everything is security by obscurity at some level. The more obscure: the more ‘secure’.

    It’s kind of like how an SSH key is generally considered more secure, but if I used password authentication and had a file with a 512 character random password, it would be more/less the same thing. Either way, we have the key in a file.


  • The problem is that would be so annoying/impractical. In an optimal world, yeah a person checking a prompt and approving could make sense, but in practice that would also mean that the MFA prompt would have to ask for the password anyways. (Or the password would be on the phone with the same problem as on the computer).

    Can you imagine having to type a password on an hourly schedule or something? If the password was cached, we have the same problem again.