infra:services:hacker-id

infra:services:hacker-id [2025/07/13 22:56] 404dinfra:services:hacker-id [2025/07/14 19:11] (current) 404d
Line 5: Line 5:
  
 Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet. Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.
 +
 +<WRAP center round important 60%>
 +This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. I'm mainly testing this out as account management for a handful of projects I've planned for the space. Do not expect it to be widely used as of this moment.
 +
 +Ask if you have any questions, need help, need an account, or want to integrate something.
 +
 +Regards, 404'd
 +</WRAP>
 +
 +
 +A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
 +
 +Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service.
 +
 +
 +===== ACL structure =====
 +During the draft phase, the following groups have been configured:
 +
 +^ Name ^ Entry manager ^ Description ^
 +| ''hackeriet-members'' | ''hackeriet-styret'' | All currently active members |
 +| ''hackeriet-styret'' | ''hackeriet-styret'' | Current board members |
 +| ''hackeriet-alumni'' | ''hackeriet-styret'' | Members who are no longer active |
 +| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure |
 +| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. |
 +| ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
 +| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) |
 +
 +IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
 +
 +
 +
 +===== Using Hacker-ID for SSH/Linux login =====
 +Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.
 +
 +There's relatively few steps compared to some other authentication provider solutions: 
 +
 +  - [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|Install the client tools repo]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon|Configure ''kanidm-unixd'']]
 +    - Edit config file ''/etc/kanidm/config'': Set ''uri'' to ''https://idp.hackeriet.no''
 +    - Edit config file ''/etc/kanidm/unixd'': Set ''pam_allowed_login_groups'' to ''hackeriet-members'' or other relevant groups
 +      - Optional: Add group mappings, like sudo or docker rights: <code>
 +[[kanidm.map_group]]
 +local = "sudo"
 +with = "hackeriet-members"
 +
 +[[kanidm.map_group]]
 +local = "docker"
 +with = "hackeriet-members"
 +</code>
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html|Tell Linux to proxy user and group lookups through ''kanidm-unixd'']]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]]
 +    - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]]
 +      - Note: SELinux profiles are NOT included
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]]
 +
 +Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'':
 +<code>
 +# kanidm-unix status
 +system: online
 +Kanidm: online
 +
 +# kanidm-unix auth-test --name d404d
 +Enter Unix password: [hidden]
 +auth success!
 +account success!
 +</code>
 +Finally, attempt login over SSH towards your Hacker-ID username
 +
 +===== Good to know =====
 +
 +  * Some information is publicly accessible, as required by unix/posix integrations: https://kanidm.github.io/kanidm/stable/accounts/anonymous_account.html#access
 +    * Anonymous access will be removed once this draft is finalized: https://kanidm.github.io/kanidm/master/developers/designs/domain_join_machine_accounts.html
 +  * Users are allowed to change all details about their profile! **NEVER** consider anything but the user UUID to be user identifiable (see the ''sub'' claim or ''uuid'' claims re. OpenIDC)
 +    * THIS INCLUDES THE USERNAME AND EMAIL
  
  
 ===== System setup ===== ===== System setup =====
 Rough notes for the moment: Rough notes for the moment:
-  * Hosted on idp1.hackeriet.no+  * Hosted on idp1.hackeriet.no (DNS record pending, 10.10.50.52)
   * Authentication realm is ''idp.hackeriet.no''   * Authentication realm is ''idp.hackeriet.no''
   * Public portal and API on https://idp.hackeriet.no   * Public portal and API on https://idp.hackeriet.no
   * Internal services (SSH, LDAP, RADIUS etc.) will be exposed on ''int-idp.hackeriet.no''   * Internal services (SSH, LDAP, RADIUS etc.) will be exposed on ''int-idp.hackeriet.no''
-    * We won't be able to get LDAP certs for the right hostname on the internal interface... If this turns out to be a dealbreaker it might be better to solve this using NAT rather than moving the host entirely onto VLAN 130+    * We won't be able to get LDAP certs for the right hostname on the internal interface... If this turns out to be a dealbreaker it might be better to solve this using NAT rather than moving the host entirely onto VLAN 130
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
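Review bot: the optional group mapping in step 2 (''[[kanidm.map_group]]'' with ''local = "sudo"'' / ''local = "docker"'' and ''with = "hackeriet-members"'') gives every currently active member sudo and docker group membership, i.e. root-equivalent access, on any host that copies the snippet verbatim. The table above already defines narrower groups such as ''service-idp-sysops'' and ''project-hackradio''; the example should map ''sudo''/''docker'' to a host- or role-specific group like those and keep ''hackeriet-members'' for ''pam_allowed_login_groups'' only, otherwise the ACL structure section is undercut by the how-to. A smaller point in the same hunk: the Ubuntu note says the bundled ''unix-chkpwd'' AppArmor profile "must be disabled/fixed", while the System setup notes below describe amending the profile with the correct socket paths; "disabled" should be dropped here and the step should point at that amendment so readers do not reach for the broader option.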
Line 20: Line 96:
   * Kanidm includes built-in backup solution and replication   * Kanidm includes built-in backup solution and replication
     * No mirroring of the backups has been configured yet     * No mirroring of the backups has been configured yet
 +  * Set up kanidm-unixd for idp1.hackeriet.no
 +    * Installed daemon
 +    * Added to SSH config
 +    * Added to nsswitch
 +    * For Debian flavours incl. Ubuntu and Raspbian, installing ''kanidm-unixd'' and configuring the two config files in ''/etc/kanidm'' should be enough wrt. PAM
 +    * AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart
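Review bot: the AppArmor bullet says the default profile blocks the service socket and was amended "with the correct paths", but it records neither the profile file that was edited nor the socket path that was added, so the fix cannot be reproduced on the next Debian/Ubuntu host from these notes; please add the profile filename, the path line(s) inserted, and the reload/restart commands used. The same bullet should also be the single source for the Ubuntu step earlier on the page, which currently offers "disabled" as an alternative to this targeted amendment.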
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1752447368.txt.gz · Last modified: by 404d