infra:services:hacker-id

Differences

infra:services:hacker-id [2025/07/13 23:31] 404d
infra:services:hacker-id [2025/07/14 19:11] (current) 404d
Line 22: Line 22:
 ===== ACL structure ===== ===== ACL structure =====
 During the draft phase, the following groups have been configured: During the draft phase, the following groups have been configured:
-  * hackeriet-members, owned by hackeriet-styret + 
-  hackeriet-styret, owned by themselves +^ Name ^ Entry manager ^ Description ^ 
-  nettlaug-tenants, owned by nettlaug-operators +| ''hackeriet-members'' | ''hackeriet-styret'' | All currently active members | 
-  nettlaug-operators, owned by themselves +| ''hackeriet-styret'' | ''hackeriet-styret'' | Current board members | 
-  service-idp-sysops, which grants administrative privileges to Kanidm as well as SSH access to the IDP server.+| ''hackeriet-alumni'' | ''hackeriet-styret'' | Members who are no longer active | 
 +| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | 
 +| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking groupfor infrastructure, switches, routing etc. | 
 +| ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) | 
 +| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) | 
 + 
 +IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members). 
 + 
 + 
 + 
 +===== Using Hacker-ID for SSH/Linux login ===== 
 +Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is. 
 + 
 +There's relatively few steps compared to some other authentication provider solutions:  
 + 
 +  - [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|Install the client tools repo]] 
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon|Configure ''kanidm-unixd'']] 
 +    - Edit config file ''/etc/kanidm/config'': Set ''uri'' to ''https://idp.hackeriet.no'' 
 +    - Edit config file ''/etc/kanidm/unixd'': Set ''pam_allowed_login_groups'' to ''hackeriet-members'' or other relevant groups 
 +      - Optional: Add group mappings, like sudo or docker rights: <code> 
 +[[kanidm.map_group]] 
 +local = "sudo" 
 +with = "hackeriet-members" 
 + 
 +[[kanidm.map_group]] 
 +local = "docker" 
 +with = "hackeriet-members" 
 +</code> 
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html|Tell Linux to proxy user and group lookups through ''kanidm-unixd'']] 
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]] 
 +    - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed 
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]] 
 +      - Note: SELinux profiles are NOT included 
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]] 
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]] 
 + 
 +Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'': 
 +<code> 
 +# kanidm-unix status 
 +system: online 
 +Kanidm: online 
 + 
 +# kanidm-unix auth-test --name d404d 
 +Enter Unix password: [hidden] 
 +auth success! 
 +account success! 
 +</code> 
 +Finally, attempt login over SSH towards your Hacker-ID username 
 + 
 +===== Good to know ===== 
 + 
 +  * Some information is publicly accessible, as required by unix/posix integrations: https://kanidm.github.io/kanidm/stable/accounts/anonymous_account.html#access 
 +    * Anonymous access will be removed once this draft is finalized: https://kanidm.github.io/kanidm/master/developers/designs/domain_join_machine_accounts.html 
 +  * Users are allowed to change all details about their profile! **NEVER** consider anything but the user UUID to be user identifiable (see the ''sub'' claim or ''uuid'' claims reOpenIDC) 
 +    * THIS INCLUDES THE USERNAME AND EMAIL
  
  
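Review bot: the optional ''[[kanidm.map_group]]'' examples map ''sudo'' (and ''docker'', which is root-equivalent) to ''hackeriet-members'', so any host that copies the snippet hands root to every active member, and the same group is the value suggested for ''pam_allowed_login_groups''; suggest mapping ''sudo'' to a narrower group such as ''service-idp-sysops'' or a per-host group in the example and stating that ''hackeriet-members'' is only an illustration. Two smaller points in the same hunk: the ''project-hackradio'' and ''service-idp-sysops'' rows list a single user account as entry manager, which is exactly the orphaning case the sentence under the table warns about, so a group (''hackeriet-styret'', or ''service-idp-sysops'' managing itself) would be the safer manager; and the Debian/Ubuntu step says the ''unix-chkpwd'' AppArmor profile must be "disabled/fixed", while the changelog hunk below describes amending the profile with the correct paths, so the step should say "fixed" and list those paths rather than offering disabling as an option. Typos: "groupfor" in the ''nettlaug-operators'' row and "reOpenIDC" in the Good to know bullet (presumably "in OpenID Connect").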
Line 42: Line 96:
   * Kanidm includes built-in backup solution and replication   * Kanidm includes built-in backup solution and replication
     * No mirroring of the backups has been configured yet     * No mirroring of the backups has been configured yet
 +  * Set up kanidm-unixd for idp1.hackeriet.no
 +    * Installed daemon
 +    * Added to SSH config
 +    * Added to nsswitch
 +    * For Debian flavours incl. Ubuntu and Raspbian, installing ''kanidm-unixd'' and configuring the two config files in ''/etc/kanidm'' should be enough wrt. PAM
 +    * AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart
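Review bot: the changelog entries are too thin to reproduce the setup on the next host: "Added to SSH config" should name the directives set (the authorized keys command from the linked ssh_key_distribution page), and "AppArmor default profiles blocks access to the service socket used" should record which profile and which socket paths were added, otherwise the debugging gets repeated; "profiles blocks" should also read "profiles block". The host is called ''idp1.hackeriet.no'' here while the setup section above sets ''uri'' to ''https://idp.hackeriet.no''; if one is the machine name and the other the service name, say so, since the unixd config must point at the service URL.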
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1752449480.txt.gz · Last modified: by 404d