Firstyear
@Firstyear
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necessitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For PAM you can do it separately.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.
Need to make the password/account policy stuff to handle that
IIRC there is an account policy issue already open if you want to brain dump some of your ideas there later?
James Hodgkinson
@yaleman
yeah
Triss Healy
@trissylegs
Annoying with the UID >= 1000 is some AUR packages (i.e. not maintained by users) make users with useradd during install (standard packages use systemd-sysusers)
A problem I spent a while cleaning up yesterday
I wonder if I can make a hook that checks if a package I'm about to build does it so I can fix it myself first.
Firstyear
@Firstyear
You don't need the >=1000 check
it's optional
Georg
@georg.hofmann:matrix.org
Survey completed. Could you let us know if the results are available?
@trissylegs are you still struggling with PAM to login? Did not fully get it here. I had a quick look into your system-auth and think pam_kanidm.so was missing in the session section. If you want I can share mine, also using Arch.
Best wishes
Firstyear
@Firstyear
Thank you! The results will be out in a few weeks, I'm leaving it open for 4 weeks
just to be sure it gets plenty of time etc.
Triss Healy
@trissylegs
So today I got a new SSD and I formatted it with ZFS. ZFS has good subvolumes (named datasets). You can set an encryption key per dataset. So I made my home directory a dataset and set a passphrase key that matches my password.
Then did some PAM magic and now it will only decrypt my home directory on login.
https://blog.trifork.com/2020/05/22/linux-homedir-encryption/
They mention that you can't login with public keys because ~/.ssh/authorized_keys is missing. But for kanidm that is fine, because it gets the key from kanidm anyway. But it won't have a password to decrypt the drive :/. I suppose the same goes for gnome-keyring. But that doesn't decrypt via ssh anyway (probably for the same reason)
*today is now yesterday
Georg
@georg.hofmann:matrix.org
Cool. I have zfs as well and was thinking of home encryption. But not yet dared to start it. 🤣
Same for gdm, it only shows local users. But it will show them once they've logged in. I did a bit of research, I think it's also related to how sssd does it, I think this is a dbus issue or similar. Need to search again.
About my Arch PAM. It was just a minimal change. Not as hardened as suggested by kanidm docs. Will share once I am back at the machine.
Firstyear
@Firstyear
Honestly, I'm probably just overly opinionated here, but I think that most machines are single-user, not multi-user, so the concept of per-home-drive or per-user encryption doesn't make sense to me: there is a 1:1 between the user and the system, so system-wide encryption maps to the user anyway
Triss Healy
@trissylegs
Arch wiki simplifies the above to just the home drive. Which is basically what I have set up. (And my safety user uses the same password)
The setup above to me is just a nicer version because you get the login screen before needing to decrypt anything. Which is kinda how macOS does it
Firstyear
@Firstyear
Yeah, macOS does system wide encryption though.
It's just the user pw + disk pw is bound together
You could do similar with luks if you wrote a pam module for it.
But it would have issues with remote pw's
James Hodgkinson
@yaleman
it's all fine as long as your stuff's backed up somewhere so when some overly touchy random PAM thing bins your stuff you can recover
Firstyear
@Firstyear
lol yeah
But linux backup tools are a bit of a wasteland ....