infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

infra:services:hacker-id [2025/07/14 10:00] – [System setup] 404dinfra:services:hacker-id [2025/07/14 19:11] (current) 404d
Line 29: Line 29:
 | ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | | ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure |
 | ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. | | ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. |
 +| ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) |
  
 IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members). IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
  
 +
 +
 +===== Using Hacker-ID for SSH/Linux login =====
 +Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.
 +
 +There's relatively few steps compared to some other authentication provider solutions: 
 +
 +  - [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|Install the client tools repo]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon|Configure ''kanidm-unixd'']]
 +    - Edit config file ''/etc/kanidm/config'': Set ''uri'' to ''https://idp.hackeriet.no''
 +    - Edit config file ''/etc/kanidm/unixd'': Set ''pam_allowed_login_groups'' to ''hackeriet-members'' or other relevant groups
 +      - Optional: Add group mappings, like sudo or docker rights: <code>
 +[[kanidm.map_group]]
 +local = "sudo"
 +with = "hackeriet-members"
 +
 +[[kanidm.map_group]]
 +local = "docker"
 +with = "hackeriet-members"
 +</code>
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html|Tell Linux to proxy user and group lookups through ''kanidm-unixd'']]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]]
 +    - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]]
 +      - Note: SELinux profiles are NOT included
 +    - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]]
 +  - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]]
 +
 +Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'':
 +<code>
 +# kanidm-unix status
 +system: online
 +Kanidm: online
 +
 +# kanidm-unix auth-test --name d404d
 +Enter Unix password: [hidden]
 +auth success!
 +account success!
 +</code>
 +Finally, attempt login over SSH towards your Hacker-ID username
  
 ===== Good to know ===== ===== Good to know =====
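Review bot: the optional group mappings under "Configure kanidm-unixd" (''local = "sudo"'' and ''local = "docker"'', both ''with = "hackeriet-members"'') hand root-equivalent access to every account in the general login group on any host that copies this snippet: the sudo mapping grants it directly, and membership in the docker group is equivalent to root on the host. Since the table above already defines narrower groups with named owners (''service-idp-sysops'', ''project-hackradio'', ''nettlaug-operators''), the example should map ''sudo'' and ''docker'' to one of those, e.g. ''with = "project-hackradio"'' for the AzuraCast test host, and keep ''hackeriet-members'' only in ''pam_allowed_login_groups''. The step "Set pam_allowed_login_groups to hackeriet-members" would also benefit from showing the exact line as it should appear in ''/etc/kanidm/unixd'', the way the ''[[kanidm.map_group]]'' block does, so that readers do not have to guess the value syntax.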
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1752487203.txt.gz · Last modified: by 404d