• 0 Posts
  • 14 Comments
Joined 1 year ago
cake
Cake day: June 22nd, 2023

help-circle


  • Do not expose Jellyfin to the general Internet. They have security issues, I would not trust that (no cloudflare does not save you by default).

    There are basically two ways: VPN, or authenticated reverse proxy. VPN is probably the easiest to setup and the most flexible, but it’s a bit of a pita to use.

    Authenticated reverse proxy will break apps, but the web app will work (and you can setup your reverse proxy to allow specific user agents from the VPN to bypass it, allowing apps on the VPN to work). I currently do this so I can look at metadata on my phone without a VPN setup.





  • Passwords will be brute forced if it can be done offline.

    Set a good high entropy password, you can even tie it to your login password with ssh-agent usually

    Private SSH keys should never leave a machine.

    If this actually matters, put your SSH key on a yubikey or something

    If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine’s lifespan is over.

    People generally don’t sit on keys, this is worthless. Also knowing people I’ve worked with… no, they won’t think to revoke it unless forced to

    and you will never revoke the access it has.

    Just replace the key in authorized_keys and resync

    And you may not want to give all systems the same access everywhere

    One of the few reasons to do this, though this tends to not match “one key per machine” and more like “one key per process that needs it”

    Like yeah, it’s decent standard advice… for corporate environments with many users. For a handful of single-user systems, it essentially doesn’t matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)