Comment on Why isn't using a key file the most common way to log into self-hosted servers?

eksb@programming.dev ⁨3⁩ ⁨weeks⁩ ago

• HelloRoot@lemy.lol ⁨3⁩ ⁨weeks⁩ ago

  I think OP is talking about auth in services that you selfhost.

  For example elster.de forces you to sign in by entering a username and uploading a cert file.

  But mostbselfhosted services only have username/password logins.

  source

  • jeena@piefed.jeena.net ⁨3⁩ ⁨weeks⁩ ago

    That sounds like aPasskey

    source

    • HelloRoot@lemy.lol ⁨3⁩ ⁨weeks⁩ ago

      It does sound like one, but it isn’t.

      Passkey

      • Per-service key pair, unique per domain, Identity bound only to that specific account on that site
      • Challengeresponse via WebAuthn
      • Trust anchored only in the target service (no external CA)
      • Private key sealed in OS / secure hardware keystore

      Certificate login

      • Single global identity usable across many services
      • TLS client authentication with certificates
      • Trust established via certificate authorities and chain validation
      • Private key stored in exportable file or smartcard

      source

      • GreenCrunch@piefed.blahaj.zone ⁨3⁩ ⁨weeks⁩ ago

        Thanks for the explanation!

        source
    • Appoxo@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago

      Nope it’s a P12 certificate

      source
  • Flipper@feddit.org ⁨3⁩ ⁨weeks⁩ ago

    If a service doesnt offer Oidc, just dont self host it. The SSO service can then be properly secured and even if its only a password, at least its not reused.

    source

    • melmi@lemmy.blahaj.zone ⁨3⁩ ⁨weeks⁩ ago

      Just put everything that doesn’t have OIDC behind forward auth. OIDC is overrated for selfhosting.

      source
  • northernlights@lemmy.today ⁨3⁩ ⁨weeks⁩ ago

    Yep which is why I use oauth2-proxy between these services and casdoor.

    source
  • Appoxo@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago

    That is certificate based

    source