Computer is miraculous!
docker run --rm --entrypoint htpasswd httpd:2 -Bbn <user> <password>Append password into /auth/htpasswd
Restart docker container
Try not to use some special characters in password, such as $, @, etc.
Except User name and Password, which is hard to remember if you don't want others guess it easily, there are other easy ways to protect SSH server.
This is most a simple way, just generate a pair of key,
ssh-keygenIf need more secure, generate 4096 bit RSA key
ssh-keygen -t rsa -b 4096Then inject public key in .ssh/id_rsa.pub into remote .ssh/authorized_keys
Refer to Signed SSH Certificates using Hashicorp Vault in Practice
Use free software, hashicorp vault to manage signed certificate.
Inject trusted CA key retrieved from vault into target SSH server configure,
Use authorized token and client private key to generate short life signed certificate
Use signed certificate and client private key login to target server
Note: Only need normal token to generate signed certificate
Need to save a token
Refer to Enable 2FA for Ubuntu
Instead of all servers maintain their own password, passwords are centrally managed by authentication server.
Retrieve password from authentication server, then use it to login to remote server.
Remote server will use it to verify against authentication server.
This is to create an operational task to pass it to operator. For example, SSH to host.
Vault Admin creates AppRole (role_id), pass role_id to Operator as operational task reference id
Vault Admin creates Admin Token (admin_token), pass it to App Token Admin
Now, Operator has a operational task reference id, role_id.
Task Requester submit request to Operator
Operator submit the request to App Token Admin
App Token Admin uses Admin Token against AppRole to create Secret ID (secret_id), pass it to Operator
Operator use role_id and secret_id login to retrieve App token, and retrieve credential, such as signed public key in SSH case
Operator pass credential to Task Performer
Then complete change task.
Root Token - Manage Vault
App Token - Manage App, for example, SSH App as whole
Role ID - Identify AppRole, for example, Project or Host
Secret ID - Retrieve Task Token
Task Token - Retrieve credential
Root Token should be revoken after used
App Token should be securely managed
Secret ID and Task Token should have short life
Secret ID and Task Token should be held by operator or task performer, this can be decided by how AppRole managed. If AppRole cannot restrict the task to be performed, then only can pass credential to task performer.
In order to identify the host, the Host Key Signing mentioned in following page should be considered.
There is no clear info on the machines managed.
In DSM 6, notification can only set as global value
Control Panel => Notifications => Advanced => Internal Storage
Click on Low Capacity of Volume, then define the Warning and Critical space thresholds.
In DSM 7, notification can be defined at individual volume level.
https://nextcloudpi_host:4443/After run NextCloudPi many days, got following message
Your data directory is invalid
Ensure there is a file called ".ocdata" in the root of the data directory.Go to nextcloud/data, create an empty file
cd nexcloud/data
touch .ocdataBut I don't know why it was missing.
vault.json
cat vault.json
{
"backend": {
"file": {
"path": "/vault/file"
}
},
"listener": {
"tcp":{
"address": "0.0.0.0:8200",
"tls_enable": 1,
"tls_cert_file": "/vault/config/cert.pem",
"tls_key_file": "/vault/config/privkey.pem"
}
},
"ui": true
}Copy into /vault/config folder
Open Disk Utility
View => Show All Devices
Select Disk (not partition)
Click on Erase or Partition
Select GUID Partition Map in Scheme
Select APFS in Format
As suggested, root token should not be used, and it should be revoked immediately after used.
Follow the steps in page below to create a new root token and revoke it after used.
Generate a new root token for Hashicorp Vault
For example, SSH secret engine, following admin policy can be created
vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}
# Mount the AppRole auth method
path "sys/auth/approle" {
capabilities = [ "create", "read", "update", "delete", "sudo" ]
}
# Configure the AppRole auth method
path "sys/auth/approle/*" {
capabilities = [ "create", "read", "update", "delete" ]
}
# Create and manage roles
path "auth/approle/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write ACL policies
path "sys/policies/acl/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOFThen create token under this policy
vault token create -field token -policy=ssh-admin-policyThe using this token follow the steps in page below:
Signed SSH Certificates using Hashicorp Vault in Practice
To get renew token before expired, run following command
vault token renewThe expire time can be view using following command
vault token lookupTo generate a new root token without old token.
$ docker exec -it vault sh$ vault operator unseal$ vault operator generate-root -init
Nonce 15565c79-cc9e-5e64b986-8506e7bd1918
...
OTP mOXx7iVimjE6LXQ2Zna6NA==
...Note: Beware of last -.
echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -Note: run vault operator generate-root only, will show nonce key.
The last person will get Encoded Token
Encoded Token IxJpyqxn3YafOGhqhvP6cQ==vault operator generate-root \ -decode=IxJpyqxn3YafOGhqhvP6cQ== \ -otp=mOXx7iVimjE6LXQ2Zna6NA==Note: The root token can be used to revoke itself.
$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248daSuccess! Revoked token (if it existed)