Table of Contents
Hacker-ID
Identity provider for all things Hackeriet
Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.
This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. Ask if you have any questions, need help, need an account, or want to integrate something.
Regards, 404'd
A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
Access control is currently managed through the Kanidm CLI. See the official docs for further details. Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula).
Onboarding
Hackeriet members can begin onboarding by visiting the Hacker-ID section in Hula:
Hacker-ID capable services
All services enrolled into Hacker-ID are documented using tags in Netbox:
- Hacker-ID: LDAP – Not currently implemented
- Hacker-ID: RADIUS – Not currently implemented
- Hacker-ID: SSH – SSH daemon reads authorized keys from Hacker-ID
- Hacker-ID: SSO – OpenID/OAuth2 authentication flow
- Hacker-ID: Unix – Integrated into the user database for the host (UIDs/GIDs, sudo, passwd, VTY consoles…)
Managing your account
Onboarding
All members with an active Hackerhula account can initiate onboarding into Hacker-ID by visiting the Hacker-ID page. Following instructions in Hula for more details, or ask an IDP admin for help.
https://hackeriet.no/hula/idp/
Implementation of Hacker-ID onboarding is discussed in this Github ticket: https://github.com/hackeriet/hackerhula/pull/43
Changing account name/display name/email
All users are able to change their personal information.
This includes the login name used for both the web portal, and any Unix accounts used on servers. This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile
Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes.
Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes.
You can also rename and update your account profile using the CLI:
- Account name:
kanidm person update d404d --newname testlmao
- Display name:
kanidm person update d404d --displayname "Epic New Hacker Name"
- Email:
kanidm person update d404d --email "<somehandle>@hackeriet.no"
ACL structure
During the draft phase, the following groups have been configured:
| Name | Entry manager | Description |
|---|---|---|
hackeriet-members | svc-hackerhula | All currently active members |
hackeriet-styret | svc-hackerhula | Current board members |
hackeriet-alumni | svc-hackerhula | Members who are no longer active |
nettlaug-tenants | svc-hackerhula | People renting space/resources within nettlauget's infrastructure |
nettlaug-operators | svc-hackerhula | Core networking group, for infrastructure, switches, routing etc. |
project-hackradio | d404d@idp.hackeriet.no | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
service-apphost-sysops | kfh@idp.hackeriet.no | SSH + sudo + docker for app-01 |
service-dokuwiki-admins | hackeriet-styret | Administrative access to Dokuwiki |
service-dokuwiki-users | hackeriet-styret | Login as regular users to Dokuwiki |
service-idp-sysops | d404d@idp.hackeriet.no | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
service-hedgedoc-users | nettlaug-operators | Logon rights to pad2.hackeriet.no |
service-netbox-staff | nettlaug-operators | Django staff rights in Netbox |
service-netbox-superusers | nettlaug-operators | Django superuser rights in Netbox |
service-netbox-users | nettlaug-operators | Login, view and edit data in Netbox |
service-webingress-sysops | kfh@idp.hackeriet.no | SSH + sudo + docker for ingress |
IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
Using Hacker-ID for SSH/Linux login
Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.
There's relatively few steps compared to some other authentication provider solutions:
-
- Edit config file
/etc/kanidm/unixd: Setpam_allowed_login_groupstohackeriet-membersor other relevant groups- Optional: Add group mappings, like sudo or docker rights:
[[kanidm.map_group]] local = "sudo" with = "hackeriet-members" [[kanidm.map_group]] local = "docker" with = "hackeriet-members"
-
- Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled
unix-chkpwdAppArmor profile on Ubuntu must be disabled/fixed -
- Note: SELinux profiles are NOT included
Restart kanidm-unixd service, review the unit logs, and attempt login using kanidm-unix:
# kanidm-unix status system: online Kanidm: online # kanidm-unix auth-test --name d404d Enter Unix password: [hidden] auth success! account success!Finally, attempt login over SSH towards your Hacker-ID username
Administrative actions
Onboarding users through the CLI
If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands:
kanidm person create "<username>" "<display name>" kanidm person update "<username>" --mail "<mail>" kanidm person posix set kanidm group add-members hackeriet-members "<username>" kanidm person credential create-reset-token "<username>" "<expiry in seconds>"
Good to know
- Some information is publicly accessible, as required by unix/posix integrations: https://kanidm.github.io/kanidm/stable/accounts/anonymous_account.html#access
- Anonymous access will be removed once this draft is finalized: https://kanidm.github.io/kanidm/master/developers/designs/domain_join_machine_accounts.html
- Users are allowed to change all details about their profile! NEVER consider anything but the user UUID to be user identifiable (see the
subclaim oruuidclaims re. OpenIDC)- THIS INCLUDES THE USERNAME AND EMAIL
System setup
Rough notes for the moment:
- Hosted on idp1.hackeriet.no
- Authentication realm is
idp.hackeriet.no - Public portal and API on https://idp.hackeriet.no
- Internal services (SSH, LDAP, RADIUS etc.) will be exposed on
int-idp.hackeriet.no- We won't be able to get LDAP certs for the right hostname on the internal interface… If this turns out to be a dealbreaker it might be better to solve this using NAT rather than moving the host entirely onto VLAN 130.
- Located in
/srv/kanidm- One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
- Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
- Created user and group “kanidm” in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
- Kanidm includes built-in backup solution and replication
- No mirroring of the backups has been configured yet
- Set up kanidm-unixd for idp1.hackeriet.no
- Installed daemon
- Added to SSH config
- Added to nsswitch
- For Debian flavours incl. Ubuntu and Raspbian, installing
kanidm-unixdand configuring the two config files in/etc/kanidmshould be enough wrt. PAM - AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart