Dear all,
Hello, world! I'm the new guy on tilde.club. Thank you very much for a great platform and all the hard work and time you invest into it! I have been reading the Wiki pages and I would like to suggest a few improvements:
* It may be a good idea to start grouping articles under the topics: command line, terminal multiplexers, security, text editors...
* The link to the SSHFS tutorial doesn't work. It seems the file has been deleted.
* The SSH tutorial from Ben Harri could benefit from a better colour for showing terminal commands. Currently it is dark blue. On a black background it is very hard to read.
Thank you for your attention and have a wonderful day ahead!
--
Best wishes,
Maxim
I hope everybody is faring well through the uncertainty of this COVID-19
pandemic. If you're stuck at home and looking for something fun and new
to do, try out the new tildeverse space we set up on yourworldoftext.com:
https://www.yourworldoftext.com/~tildeverse/
As with all things in the tildeverse, keep it positive!
cmccabe
Hello all,
Google auth wasn’t the highest on the poll that I ran. However I do feel 33% in favour of google auth or options like it is enough for me to implement the feature.
To use google auth you also need to enter your password for your account on login.
Information on getting google auth setup you can go on our wiki.
https://tilde.club/wiki/googleauth.html
If you’d like to see more options reply to this email with suggestions and I may look at implementing them.
Thank you to everyone that participated in our poll.
~deepend
Just looked. From what I read the phishing attack would really only work for accounts that someone would have to goto a web page for login (which could be faked) and get the details. But for ssh login there is not the same risk.
Thanks
> On Feb 26, 2020, at 11:34 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> The phished credentials are generally used immediately to take over the account.
>
> --
> Jeffrey Paul
> sneak(a)sneak.berlin
>
>> On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote:
>> Would be interested in hearing more information on how someone is
>> phishing a code that is only valid for like 30 seconds? Is there more
>> to that story then just phishing?
>>
>> Thanks
>>
>>
>>>> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>>>
>>> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>>>
>>> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>>>
>>> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>>>
>>> Best,
>>> -sneak
>>>
>>> --
>>> Jeffrey Paul
>>> +1 312 361 0355 (voice, sms, Signal)
>>> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>>>
>>>
>>>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>>>
>>>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>>>> some websites say it came in 8.2. Not sure who to believe.
>>>>>
>>>>> Tilde club currently runs Fedora 30.
>>>>
>>>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>>>> available :/
>>>
>>
I understand that. But I what way is someone phishing a code that is available for 30 seconds? That would still allow it to be useable
Sent from my iPhone
> On Feb 26, 2020, at 11:34 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> The phished credentials are generally used immediately to take over the account.
>
> --
> Jeffrey Paul
> sneak(a)sneak.berlin
>
>> On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote:
>> Would be interested in hearing more information on how someone is
>> phishing a code that is only valid for like 30 seconds? Is there more
>> to that story then just phishing?
>>
>> Thanks
>>
>>
>>>> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>>>
>>> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>>>
>>> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>>>
>>> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>>>
>>> Best,
>>> -sneak
>>>
>>> --
>>> Jeffrey Paul
>>> +1 312 361 0355 (voice, sms, Signal)
>>> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>>>
>>>
>>>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>>>
>>>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>>>> some websites say it came in 8.2. Not sure who to believe.
>>>>>
>>>>> Tilde club currently runs Fedora 30.
>>>>
>>>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>>>> available :/
>>>
>>
Would be interested in hearing more information on how someone is phishing a code that is only valid for like 30 seconds? Is there more to that story then just phishing?
Thanks
> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>
> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>
> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>
> Best,
> -sneak
>
> --
> Jeffrey Paul
> +1 312 361 0355 (voice, sms, Signal)
> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>
>
>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>
>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>> some websites say it came in 8.2. Not sure who to believe.
>>>
>>> Tilde club currently runs Fedora 30.
>>
>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>> available :/
>
Hey ~clubbers.
I know some people are not fans of public key authentication. So here is a poll I’d like to see if we can improve things since password only auth will not be returning.
http://www.strawpoll.me/19445663
Look forward to the result :)
Hello Everyone!
I will first like to welcome everyone that has joined since we brought tilde.club back from idle. As well would like to welcome back many users that have returned.
We have been working hard in the background to keep things going in a positive direction and hopefully users like the direction things are going. (Feedback is always good and welcome if any of you have thoughts on this)
This was mostly a post to let you know that for awhile now we have had a mastodon account and up to this point it has been fairly quiet. I am going to start posting more information and updates regarding the state of tilde.club and things we add or improve. If you would like to follow and keep informed please go to
https://tilde.zone/@tildeclub
Otherwise I will also try to post on the mailing list for those who don’t want mastodon.
Hope to see you all on the server and continue this journey forward.
Thanks
~deepend
