Differences

This shows you the differences between two versions of the page.

--- infra:services:hacker-id [2025/07/14 09:44] – [ACL structure] 404d
+++ infra:services:hacker-id [2025/07/14 19:11] (current) – 404d
@@ Line 29: / Line 29: @@
 | ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure |
 | ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. |
+| ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) |
 IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
+===== Using Hacker-ID for SSH/Linux login =====
+Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.
+There's relatively few steps compared to some other authentication provider solutions:
+  - [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|Install the client tools repo]]
+  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon|Configure ''kanidm-unixd'']]
+    - Edit config file ''/etc/kanidm/config'': Set ''uri'' to ''https://idp.hackeriet.no''
+    - Edit config file ''/etc/kanidm/unixd'': Set ''pam_allowed_login_groups'' to ''hackeriet-members'' or other relevant groups
+      - Optional: Add group mappings, like sudo or docker rights: <code>
+[[kanidm.map_group]]
+local = "sudo"
+with = "hackeriet-members"
+[[kanidm.map_group]]
+local = "docker"
+with = "hackeriet-members"
+</code>
+  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html|Tell Linux to proxy user and group lookups through ''kanidm-unixd'']]
+  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]]
+    - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed
+    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]]
+      - Note: SELinux profiles are NOT included
+    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]]
+  - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]]
+Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'':
+<code>
+# kanidm-unix status
+system: online
+Kanidm: online
+# kanidm-unix auth-test --name d404d
+Enter Unix password: [hidden]
+auth success!
+account success!
+</code>
+Finally, attempt login over SSH towards your Hacker-ID username
 ===== Good to know =====
@@ Line 59: / Line 100: @@
     * Added to SSH config
     * Added to nsswitch
-    * <del>Instructions for PAM on OpenSUSE can be followed as-is</del> This seems to be fully redundant at least on Raspbian
+    * For Debian flavours incl. Ubuntu and Raspbian, installing ''kanidm-unixd'' and configuring the two config files in ''/etc/kanidm'' should be enough wrt. PAM
     * AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart