James Hodgkinson
@yaleman
:100:
so, speaking of cursed things, I was thinking it'd be possible to add TOTP support as a minimum to login for kanidm ^_^
(ssh/console login that is)
and... I have other cursed ideas for ... other things, but that's later
Firstyear
@Firstyear
It's not
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necessitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it separately.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.
Need to make the password/account policy stuff to handle that
IIRC there is an account policy issue already open if you want to brain dump some of your ideas there later?
James Hodgkinson
@yaleman
yeah
Triss Healy
@trissylegs
Annoying with the UID >= 1000 is some AUR packages (ie not maintained by users) make users with useradd during install (standard packages use systemd-sysusers)
A problem I spent a while cleaning up yesterday
I wonder if I can make a hook that checks if a package I'm about to build does it so I can fix it myself first.
Firstyear
@Firstyear
You don't need the >=1000 check
it's optional
Georg
@georg.hofmann:matrix.org [m]
Survey completed. Could you let us know if the results are available?
@trissylegs are you still struggling with Pam to login? Did not fully get it here. I had a quick look into your system-auth and think Pam_kanidm.so was missing in the session section. If you want I can share mine, also using Arch.
Best wishes
Firstyear
@Firstyear
Thank you! The results will be out in a few weeks, I'm leaving it open for 4 weeks
just to be sure it gets plenty of time etc.
Triss Healy
@trissylegs
So today I got a new SSD and I formatted it with ZFS. ZFS has good subvolumes (named datasets). You can set an encryption key per dataset. So I made my home directory a dataset and set a passphrase key that matches my password.
Then did some PAM magic and now it will only decrypt my home directory on login.
https://blog.trifork.com/2020/05/22/linux-homedir-encryption/
They mention that you can't login with public keys because ~/.ssh/authorized_keys is missing. But for kanidm that is fine. Because it gets the key from kanidm anyway. But, it won't have a password to decrypt the drive :/. I suppose the same goes for gnome-keyring. But that doesn't decrypt via ssh anyway (Probably for the same reason)
*today is now yesterday
Georg
@georg.hofmann:matrix.org [m]
Cool. I have zfs as well and was thinking of home encryption. But not yet dared to start it. 🤣
Same for gdm, it only shows local users. But it will show once they logged in. I did a bit of research, I think also related how sssd does it, I think this is a dbus issue or. Need to search again.
About my arch Pam. It was just a minimal change. Not as hardened as suggested by kanidm docs. Will share, once I am back at the machine.
Firstyear
@Firstyear
Honestly, I'm probably just overly opinionated here but I think that most machines are single-user, not multi-user so the concept of per-home drive or per-user encryption doesn't make sense to me because there is a 1:1 with the user and the system, so system wide encryption maps to the user anyway
Triss Healy
@trissylegs
Arch wiki simplifies the above to just home drive. Which is basically what I have set up. (And my safety user uses the same password)
The setup above to me is just a nicer version because you get the login screen before needing to decrypt anything. Which is kinda how macOS does it
Firstyear
@Firstyear
Yeah, macOS does system wide encryption though.
It's just the user pw + disk pw is bound together