Basically every local service is accessed via a web interface, and every interface wants a username and password. Assuming none of these services are exposed to the internet, how much effort do you put into security here?
Personally, I didn’t really think about it when I started. I make a half-assed effort at security where I don’t use “admin” or anything obvious as the username, and I use a decent-but-not-industrial password - but I started reusing the u/p as the number of services I’m running grew. I have my browsers remember the u/ps.
Should one go farther than this? And if so, what’s the threat model? Is there an easier way?

  • @cm0002English
    123 days ago

    Your confusion is confusing me lol

    I don’t see how this would work as it relies upon every single device on the network supporting a particular authentication mechanism.

    Wdym? That’s not a thing, you can have some devices on LDAP some with local logins and some with OIDC or any other combination. Authentication is generally an application layer thing and switches operate at layer 2 maybe 3 if it’s doing some routing. As long as your network has a functioning DHCP server the web UI of the switch will be able to communicate with the LDAP server that you configure it to

    • @corrodedEnglish
      123 days ago

      I think I’m misunderstanding how LDAP works. It’s probably obvious, but I’ve never used it.

      If my switch is expecting a username and password for login, how does it go from expecting a web login to “the LDAP server recognizes this person, and they have permissions to access network devices, so I’ll let them in.”?

      Also, to be clear, I’m referring to the process of logging in and configuring the switch itself, not L2 switching or L3 routing.

      • @cm0002English
        223 days ago

        If the switch supports it, you login with local credentials first, navigate to its config page and configure LDAP under there. You’ll tell it the IP address of the LDAP server as well as give it its client side configuration. You give it a bind account credentials (a dedicated service account with as minimal permissions as needed) that it uses to lookup the users on the server as well as Organization Unit paths and such

        When a user goes to login the switch will query the provided credentials against the LDAP server, if it’s valid the LDAP server will respond with a success and the switch will log the user in

        Generally there is always a local account fallback in the event that the LDAP server is unavailable for whatever reason