[-] jakob@lemmy.schuerz.at 2 points 7 months ago

Matrix and bridge to signal.

There is also a xmpp-server around... (runs all at the same vserver)

[-] jakob@lemmy.schuerz.at 1 points 1 year ago

really? Noooo!!!

[-] jakob@lemmy.schuerz.at 1 points 1 year ago

i don't agree.

[-] jakob@lemmy.schuerz.at 2 points 1 year ago

I run my own funkwhale. But i'm not happy with it. It has so many bugs and drawbacks. Searching for remote content does not work well. Sometimes it finds it, sometimes it needs 2, 3 or 5 tries of searching for. Sometimes it does not find it. Searching is inconsistent. The UI is also inconsistent. To find what you want to click, you have to search a lot... It's not possible to modify metadata from already uploaded music. Change mp3-tags locally an upload it again is the way... You csn not move audios between channrls and libraries. The permissions-concept is broken.

And the devs want to discuss about how to write about bigs, not about the bugs.

I will drop funkwhale. It does not make me happy.

[-] jakob@lemmy.schuerz.at 2 points 1 year ago

People who can create a yt-channel an upload videos there should be able to do the same on peertube... whats the problem?

Ok...

On youtube, your account is your channel. On Peertube, you can create more than one channel with your account.

[-] jakob@lemmy.schuerz.at 1 points 1 year ago

This belongs to your instance settings. Is your instance following other instances/channels, how is search configured and so on.

[-] jakob@lemmy.schuerz.at 1 points 1 year ago

I expect, it deletes the socket, which on which the process is listening. what if i rename the socket (for some reason). Then the socketfile should be deleted also.

[-] jakob@lemmy.schuerz.at 1 points 1 year ago

I check the pid for each process i opened, so i know which one is the older... and yes. the older has a lower pid. :)

[-] jakob@lemmy.schuerz.at 2 points 1 year ago

I start for every connection-group an own ssh-agent with different ssh-keys in it. And i connect from my laptop sometimes (regulary) to my desktop-machine and forward the agent to the desktop. This is a setup, i need.

And i have a script, which chooses from ssh config, (Match section) the ssh-agent i need for this connection-group. This script starts automatically an ssh-agent and loads the identities (private-keys, hardware-token...) into this ssh-agent and per configfile it is choosen as IdentityAgent.

When i'm connected to my desktop with my laptop and i work on my desktop, then i use the forwarded agent, because i have some keys only on my laptop, which i want to use also from my desktop. So i link the forwarded agent-socket to the IdentityAgent, which is configured in ssh-config for this connection... When there is no forwared ssh-agent, the symlink is deleted and a new agent is started with a socketfile on the same path.

It sound's a bit complicated... and yes, it is.

An i don't get it, why sometimes the socketfile is deleted and sometimes it remains. Now i tested it from home on the remote-connection. The temporary, forwarded agent-socket is a symlink to my regular socket-file. and i killed the running ssh-agent... and also the symlink is removed.

It is strange behaviour... a process unlinks a socket-file, which does not belong to him, only the name is the same... and not every time.

[-] jakob@lemmy.schuerz.at 2 points 1 year ago
[-] jakob@lemmy.schuerz.at 1 points 1 year ago

The services should be able, to talk to each other via ssh?

Or do you have groups of servers?

How many we are talking about?

They are all virtual servers?

Where is the hub located?

In our company we have many services and many servers. We are talking about hundrets of services and servers. Snd they are very secure.

So we have the servers on a big esxi (more than one) in 3 datacenters.

There is one jumphost (high available... several instances). Direct connection from our workstations to a server is not possible. We have to use this jumphost. Login on the jumphost is not possible, only for jumping (ssh option -J).

On the jumphost is for each user the publickey from a hardwaretoken. (Yubikey, etoken, nitrokey, name it) on its user in authorized-keys file. Only one pubkey.

So you are not able to jump over the jumphost to a server, without a valid hardwaretoken.

A NAT-Rule gives each user a individual source-IP...

Then you can see in auditlog on each server who did the shit... even if he made sudo su... the source-ip is individualized for each user.

And services run in different subnets and VLAN without connection to each other. So only services can talk together, who must talk.

Another server is an ansible machine. This can connect to every single server too and fo good and really bad things... so this ansible-machine and the jumphost are in a physically secured zone in the Datacenter.

You need an extra permission and an extra physical key, to come to this machines...

And if one Service gets compromized, maximum the servers in the same vlan or subnet can be affected too. And the servers, which got an extra firewall-hole.

So... if you are afraid of using ssh in your environment...

Use hardware-keys for the ssh privatekey. No softwarekeys! If machines need to talk together via ssh, make smallest possible jails with subnets or vlans around them. Think about allowed commands in ssh-config/authorized_keys file!!! Think about a jumphost and allow different users only machines which they need. Think about physically protection about the jumphost. Think about serverinitiated backups...

👍

view more: ‹ prev next ›

jakob

joined 3 years ago