Hi everyone

I posted here before. I’ll try once more but don’t want to get overbearing.

I’m trying to self host all my contacts and my calendar.

I’ve managed to install radicale but there’s very little UI and I’m not actually sure how to import my contacts and calendar, or how to start using it with a client.

This is all I see

I’ve set up the calendar and contacts server but I can’t find any security settings to password protect it

Any guidance would be awesome, thank you

  • Ooops@feddit.org
    20 hours ago

    The options to password protect it are in the config file (usually in /etc/radicale/) under [auth].

    For proper security you could use

    type = htpasswd

    htpasswd_filename = /etc/radicale/users

    htpasswd_encryption = bcrypt

    then create a users file with apache tools (htpasswd -c -B users User1) or one of the million online htpasswd file creators.

    • lemmyvore@feddit.nl
      4 hours ago

      Please note that to use “bcrypt” for htpasswd_encryption you need the bcrypt Python module installed. Some distributions of radicale (e.g. some docker images) don’t have it.

      It’s fairly safe to set it to “md5” instead. It does not mean plain MD5 (one iteration), it does several hundred rounds of MD5 plus a salt.

      For the curious, the advantage of bcrypt over a single-iteration, fast hash like MD5 is that bcrypt lets you set the hashing effort, while MD5’s goal is to do it as fast as possible.

      This becomes relevant when someone steals your password file and tries to brute force it by hashing a bunch of dictionary words and random strings (plus a bunch of salts) until something matches. A fast single-iteration hash like MD5 will let them do that much faster than a bcrypt hash set to a higher effort; it can mean the difference between finding a password in one week vs finding one in 100 years. That’s what the hundreds-of-iterations MD5 is trying to achieve, it’s a “poor man’s bcrypt”.

        • nomad@infosec.pub
          12 hours ago

          Because if I wanted to harvest a bunch of passwords I would offer an online password generator.

          Do use apache utils locally.

          • Ooops@feddit.org
            11 hours ago

            While you are right in general, you are just creating a file with a <user>:<hashed password> line without any identifying context. So have fun searching the world for where I might have actually used it. Sounds like a really bad use of resources to create a list of passwords.

            PS: Yes, as an Arch user I am still pissed that this tool is not available in the repos besides installing the complete Apache server…
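
Added example, not part of the thread or of Radicale's code: the salted, iterated MD5 discussed above is the `$apr1$` format that `htpasswd -m` writes, and this standard-library Python sketch builds and checks such a users-file line locally, with no Apache install or online generator. The function names are illustrative, and it assumes the file is read with `htpasswd_encryption = md5`.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 1000  # fixed by the apr1 scheme; unlike bcrypt's cost it cannot be raised


def _to64(value, length):
    # crypt-style base64: least-significant 6 bits first
    return "".join(ITOA64[(value >> 6 * k) & 0x3F] for k in range(length))


def apr1_hash(password, salt=None):
    """Return the $apr1$ string stored for `password` (random salt if none given)."""
    pw = password.encode()
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    s = salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for i in range(0, len(pw), 16):
        ctx.update(alt[: len(pw) - i])  # alt is 16 bytes, so the slice caps at 16
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    digest = ctx.digest()
    for i in range(ROUNDS):  # the stretching loop that slows down guessing
        h = hashlib.md5(pw if i & 1 else digest)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(pw)
        h.update(digest if i & 1 else pw)
        digest = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64(digest[a] << 16 | digest[b] << 8 | digest[c], 4)
    return "$apr1$" + s.decode() + "$" + out + _to64(digest[11], 2)


def htpasswd_line(user, password):
    return f"{user}:{apr1_hash(password)}"


def check_line(line, password):
    # Re-hash with the salt stored in the line and compare in constant time.
    _user, stored = line.strip().split(":", 1)
    return hmac.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)
```

Write the output of `htpasswd_line("User1", ...)` as one line in the file named by `htpasswd_filename`, and keep that file readable only by the account Radicale runs as.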