User Tools

Site Tools


infra:services:hacker-id

This is an old revision of the document!


Hacker-ID

Identity provider for all things Hackeriet

Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.

This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. I'm mainly testing this out as account management for a handful of projects I've planned for the space. Do not expect it to be widely used as of this moment.

Ask if you have any questions, need help, need an account, or want to integrate something.

Regards, 404'd

A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.

Access control is currently managed through the Kanidm CLI. See the official docs for further details. Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service.

ACL structure

During the draft phase, the following groups have been configured:

Name Entry manager Description
hackeriet-members hackeriet-styret All currently active members
hackeriet-styret hackeriet-styret Current board members
hackeriet-alumni hackeriet-styret Members who are no longer active
nettlaug-tenants nettlaug-operators People renting space/resources within nettlauget's infrastructure
nettlaug-operators nettlaug-operators Core networking group, for infrastructure, switches, routing etc.
service-idp-sysops d404d@idp.hackeriet.no Administrative privileges to Hacker-ID (Kanidm, SSH, and sudo)
project-hackradio d404d@idp.hackeriet.no SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast)

IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).

Using Hacker-ID for SSH/Linux login

Kanidm can be used as a resolve-through locally caching authentication handler, resilient to network failures and transparently allowing existing local credentials to be used as-is.

There's relatively few steps compared to some other authentication provider solutions:

    1. Edit config file /etc/kanidm/config: Set uri to https://idp.hackeriet.no
    2. Edit config file /etc/kanidm/unixd: Set pam_allowed_login_groups to hackeriet-members or other relevant groups
      1. Optional: Add group mappings, like sudo or docker rights:
        [[kanidm.map_group]]
        local = "sudo"
        with = "hackeriet-members"
        
        [[kanidm.map_group]]
        local = "docker"
        with = "hackeriet-members"
    1. Debian/Ubuntu/Raspbian: This step can be skipped, although the bundled unix-chkpwd AppArmor profile on Ubuntu must be disabled/fixed
      1. Note: SELinux profiles are NOT included

Restart kanidm-unixd service, review the unit logs, and attempt login using kanidm-unix:

# kanidm-unix status
system: online
Kanidm: online

# kanidm-unix auth-test --name d404d
Enter Unix password: [hidden]
auth success!
account success!
Finally, attempt login over SSH towards your Hacker-ID username

Good to know

System setup

Rough notes for the moment:

  • Hosted on idp1.hackeriet.no (DNS record pending, 10.10.50.52)
  • Authentication realm is idp.hackeriet.no
  • Public portal and API on https://idp.hackeriet.no
  • Internal services (SSH, LDAP, RADIUS etc.) will be exposed on int-idp.hackeriet.no
    • We won't be able to get LDAP certs for the right hostname on the internal interface… If this turns out to be a dealbreaker it might be better to solve this using NAT rather than moving the host entirely onto VLAN 130.
  • Located in /srv/kanidm
    • One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
    • Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
    • Created user and group “kanidm” in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
  • Kanidm includes built-in backup solution and replication
    • No mirroring of the backups has been configured yet
  • Set up kanidm-unixd for idp1.hackeriet.no
    • Installed daemon
    • Added to SSH config
    • Added to nsswitch
    • For Debian flavours incl. Ubuntu and Raspbian, installing kanidm-unixd and configuring the two config files in /etc/kanidm should be enough wrt. PAM
    • AppArmor default profiles blocks access to the service socket used, need to amend the profile with the correct paths then reload & restart
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1752520263.txt.gz · Last modified: by 404d