infra:services:hacker-id

infra:services:hacker-id [2025/07/14 00:34] 404dinfra:services:hacker-id [2025/07/14 19:11] (current) 404d
Line 22: Line 22:
 ===== ACL structure ===== ===== ACL structure =====
 During the draft phase, the following groups have been configured: During the draft phase, the following groups have been configured:
-  * hackeriet-members, owned by hackeriet-styret + 
-  hackeriet-styret, owned by themselves +^ Name ^ Entry manager ^ Description ^ 
-  nettlaug-tenants, owned by nettlaug-operators +| ''hackeriet-members'' | ''hackeriet-styret'' | All currently active members | 
-  nettlaug-operators, owned by themselves +| ''hackeriet-styret'' | ''hackeriet-styret'' | Current board members | 
-  service-idp-sysops, which grants administrative privileges to Kanidm as well as SSH and sudo access to the IDP server.+| ''hackeriet-alumni'' | ''hackeriet-styret'' | Members who are no longer active | 
 +| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | 
 +| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking groupfor infrastructure, switches, routing etc. | 
 +| ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) | 
 +| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (KanidmSSHand sudo) |
  
 IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members). IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
 +
 +
 +
 +===== Using Hacker-ID for SSH/Linux login =====
 +Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.
 +
 +There's relatively few steps compared to some other authentication provider solutions: 
 +
 +  - [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|Install the client tools repo]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon|Configure ''kanidm-unixd'']]
 +    - Edit config file ''/etc/kanidm/config'': Set ''uri'' to ''https://idp.hackeriet.no''
 +    - Edit config file ''/etc/kanidm/unixd'': Set ''pam_allowed_login_groups'' to ''hackeriet-members'' or other relevant groups
 +      - Optional: Add group mappings, like sudo or docker rights: <code>
 +[[kanidm.map_group]]
 +local = "sudo"
 +with = "hackeriet-members"
 +
 +[[kanidm.map_group]]
 +local = "docker"
 +with = "hackeriet-members"
 +</code>
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html|Tell Linux to proxy user and group lookups through ''kanidm-unixd'']]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]]
 +    - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]]
 +      - Note: SELinux profiles are NOT included
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]]
 +
 +Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'':
 +<code>
 +# kanidm-unix status
 +system: online
 +Kanidm: online
 +
 +# kanidm-unix auth-test --name d404d
 +Enter Unix password: [hidden]
 +auth success!
 +account success!
 +</code>
 +Finally, attempt login over SSH towards your Hacker-ID username
 +
 +===== Good to know =====
 +
 +  * Some information is publicly accessible, as required by unix/posix integrations: https://kanidm.github.io/kanidm/stable/accounts/anonymous_account.html#access
 +    * Anonymous access will be removed once this draft is finalized: https://kanidm.github.io/kanidm/master/developers/designs/domain_join_machine_accounts.html
 +  * Users are allowed to change all details about their profile! **NEVER** consider anything but the user UUID to be user identifiable (see the ''sub'' claim or ''uuid'' claims re. OpenIDC)
 +    * THIS INCLUDES THE USERNAME AND EMAIL
  
  
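Review bot: in the ACL table, the entry manager for `project-hackradio` and `service-idp-sysops` is a single user account (`d404d@idp.hackeriet.no`) rather than a group, unlike the other rows; the sentence right below relies on IDP admins stepping in for orphaned groups, but `service-idp-sysops` is the IDP admin group itself, so having one account manage it makes that fallback a single point of failure. Suggest naming a group as entry manager (the group itself, as `hackeriet-styret` and `nettlaug-operators` already do, or `hackeriet-styret`). Two cells lost their separators and should read "Core networking group for infrastructure..." and "(Kanidm, SSH and sudo)". In the `kanidm-unixd` step, the optional mapping example maps the local `sudo` group to `hackeriet-members`, which grants sudo to every active member on any host that copies the snippet verbatim; either mark it as an illustration to be narrowed per host or show the `service-idp-sysops`-style per-service group pattern the table already uses. In the PAM step, "the bundled `unix-chkpwd` AppArmor profile on Ubuntu must be disabled/fixed" offers disabling confinement of a setuid helper as an equal option; since the second change in this revision says the fix is to amend the profile with the correct socket paths, document that amendment here and drop "disabled".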
Line 44: Line 96:
   * Kanidm includes built-in backup solution and replication   * Kanidm includes built-in backup solution and replication
     * No mirroring of the backups has been configured yet     * No mirroring of the backups has been configured yet
 +  * Set up kanidm-unixd for idp1.hackeriet.no
 +    * Installed daemon
 +    * Added to SSH config
 +    * Added to nsswitch
 +    * For Debian flavours incl. Ubuntu and Raspbian, installing ''kanidm-unixd'' and configuring the two config files in ''/etc/kanidm'' should be enough wrt. PAM
 +    * AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart
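Review bot: the AppArmor item records that the default profile blocks access to the unixd service socket and that the profile "needs" amending with the correct paths, but not which profile was changed, which paths were added, or whether the amendment has actually been applied on idp1.hackeriet.no, so the setup is not reproducible from this status list and it is unclear if the host is in the intended state. Suggest recording the exact rules added and the reload/restart commands used, and aligning the wording with the "disabled/fixed" note in the SSH/Linux login section so both places describe the same fix. The "Added to SSH config" item also does not say whether the additional SSH hardening referenced in the key-distribution step was applied together with the authorized keys command; worth stating explicitly, since the list otherwise reads as complete.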