infra:services:hacker-id [2025/07/14 18:41] – 404d | infra:services:hacker-id [2025/07/14 19:11] (current) – 404d |
---|
| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | | | ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | |
| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. | | | ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. | |
| | ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) | |
| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) | | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo) | |
| |
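Review bot: The added ''project-hackradio'' row lists a single personal account, ''d404d@idp.hackeriet.no'', in the second column for a group that grants SSH + sudo, whereas the ''nettlaug-tenants'' and ''nettlaug-operators'' rows name a group (''nettlaug-operators'') there. If that column records who manages the group, consider pointing it at a group so that access to the host does not hinge on one account. The description also identifies the machine only as "the AzuraCast test host (which currently does not run AzuraCast)"; adding the hostname would keep the scope of the sudo grant clear once that parenthetical goes stale.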
- [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]] | - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#pam|Register the Kanidm PAM modules]] |
- Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed | - Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled ''unix-chkpwd'' AppArmor profile on Ubuntu must be disabled/fixed |
- Fedora/CentOS/Rocky: https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html | - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/fedora.html|Fedora/CentOS/Rocky]] |
- Note: SELinux profiles are NOT included | - Note: SELinux profiles are NOT included |
- Others: https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html | - [[https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch/suse.html|Others]] |
- [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]] | - [[https://kanidm.github.io/kanidm/stable/integrations/ssh_key_distribution.html|Set kanidm as a global authorized keys command and apply additional SSH hardening]] |
- Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'': <code> | |
| Restart ''kanidm-unixd'' service, review the unit logs, and attempt login using ''kanidm-unix'': |
| <code> |
# kanidm-unix status | # kanidm-unix status |
system: online | system: online |
account success! | account success! |
</code> | </code> |
- Attempt login over SSH towards your Hacker-ID username | Finally, attempt login over SSH towards your Hacker-ID username |
| |
===== Good to know ===== | ===== Good to know ===== |
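Review bot: The verification step that was moved out of the list says to "attempt login using ''kanidm-unix''", but the code block beneath it shows only ''kanidm-unix status'', which reports whether the resolver is online rather than testing a login. Consider showing the login test command in the block as well (Kanidm documents ''kanidm-unix auth-test'' for this) so that the "account success!" line is tied to the command that produces it. In the same hunk, the new link label "Others" points at ''.../pam_and_nsswitch/suse.html'', so the rendered text no longer shows that the target is the SUSE page; a label such as "SUSE and others" would keep that visible. Finally, with the restart and SSH checks now plain paragraphs instead of list items, it is worth confirming in the rendered page that they still read as the last steps of the procedure.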