this post was submitted on 20 Aug 2023
40 points (90.0% liked)

Selfhosted

40261 readers
923 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

For people asking for a way to run 2fa on jellyfin i have a solution. I will elaborate more if people are interested as not writing a guide for no reason. This method allows users to simply use their login credentials into the default jellyfin login page, and 1 second later your DUO app on your phone will buzz for a confirmation to sign-in. (meaning no redirects and this method 100% compatible with all clients)

install the LDAP plugin on jellyfin. install Authentik in your server with docker. create a DUO security account. in short, jellyfin query's your Authentik LDAP server for ther user login, then LDAP will query DUO.

Unfortunately, DUO only allows 10 users with the free account, then you have to pay extra. of course with this method you are not bound to only use DUO, you could you a web-auth with your phones bio-metrics to sign-in instead of DUO. there are many ways you could query the users phone through Authentik, but DUO is the most continent.

top 6 comments
sorted by: hot top controversial new old
[–] PriorProject@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (1 children)

This is a great approach, but I find myself not trusting Jellyfin's preauth security posture. I'm just too concerned about a remote unauthenticated exploit that 2fa does nothing to prevent.

As a result, I'm much happier having Jellyfin access gated behind tailscale or something similar, at which point brute force attacks against Jellyfin directly become impossible in normal operation and I don't sweat 2fa much anymore. This is also 100% client compatible as tailscale is transparent to the client, and also protects against brute force vs Jellyfin as direct network communication with Jellyfin isn't possible. And of course, Tailscale has a very tightly controlled preauth attack surface... essentially none of you use the free/commercial tailscale and even self-hosting headscale I'm much more inclined to trust their code as being security-concscious than Jellyfin's.

[–] taxon@lemmy.world 2 points 1 year ago (2 children)

Sorry, it's a bit early in my day, but I'm interested.

Could you elaborate on how tailscale acts as an access gate?

How is the balance between security and convenience when using tailscale?

(Full disclosure, I'm an idiot, but willing to learn)

[–] PriorProject@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Nutbutter sort of covered it.

  • Tailscale creates a virtual network.
  • That network can be (and is by default) private in that no one can join that you don't allow, and in that respect it's similar to your home network. You can join your laptop, desktop, and phone to your tailnet... but probably you cannot join your Chromecast or smart-television (they don't publish tsilscale clients for these devices).
  • If you configure Jellyfin to listen on your tailnet and not on the Internet... then you can access Jellyfin from anywhere using a device that is connected to your tailnet, but attackers on the Internet cannot access Jellyfin without first accessing your tailnet, which is hard to do.

The security/convenience tradeoff of tailscale is pretty good if you want to access a service from anywhere, but only from your own devices and only from supported operating systems (Linux, windows, OSX, android... not sure about iOS). It is another networking layer, which can be mind-bending... but as much as such a layer can be easy to use... tailscale is as easy as any of them.

However, Tailscale's backend is not open-source. They may not log all the data passed through, but they certainly can look at it.

This see sentence is nonsense though.

  • Tailscale is end to end encrypted, tailscale cannot quietly see your traffic.
  • Tailscale COULD, by default, surreptitiously join a node to your tailnet. If you're super paranoid, they provide a way to disable this but it makes tailscale much less convenient to use: https://tailscale.com/kb/1226/tailnet-lock/
  • Tailscale is phenomenally transparent about security and has WAY higher standards than self-hosters: https://tailscale.com/security/.
  • Tailscale clients are open source, and they employ the author of Headscale an open source implementation of the Tailscale control protocols.

There is very little to fear from Tailscale as a provider, and they support the headscale project if you want to go that route (which I do... but not because I am concerned about Tailscale's integrity or security posture).

[–] nutbutter@discuss.tchncs.de 1 points 1 year ago

Tailscale will create a personal VPN. So, only those devices where you are logged in with you Tailscale account can access that service.

For example, if I host a password manager behind Tailscale, only my laptop and phone can access it, where I am logged in to my Tailscale account and am connected to my VPN.

However, Tailscale's backend is not open-source. They may not log all the data passed through, but they certainly can look at it. Use it only if you trust them. You can look into Headscale. It is an open source implementation of Tailscsle's back end, which works with Tailscale's apps.

Tailscale is very convenient, and is as secure as WireGuard protocol is.

[–] dadrad@midwest.social 4 points 1 year ago

That’s pretty slick! I was messing around with using Authentik and Jellyfin and couldn’t get it to work. I’d be interested in the guide.

[–] FabulousAardvark@lemmy.ml 1 points 1 year ago

This has definitely been on my list of things to implement, so yeah would be interested in a guide.

Does this method work with other clients like the androidTV client and findroid etc?