this post was submitted on 26 Apr 2024
44 points (97.8% liked)

Linux

48044 readers
820 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I am trying to figure out how I can retain personal SSH keys (probably the most important part, or at least important to have an alternative connection method) while also having modern tools like SSO or at least SAML, some way to federate to different ADs.

I know there are a few things out there like Authentik and Authelia, but not 100% sure Authentik covers those needs above. Does anyone have experience with these or other modern LDAP alternatives that work well with Linux?

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 6 months ago (1 children)

The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:

  • oauth2
  • ssh key distribution
  • RADIUS
  • PAM/SSSD
  • LDAP

I just noticed they have a beta for multimaster replication, which is nice.

I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.

[–] [email protected] 3 points 6 months ago

You also could add Samba Active Directory to the list. It isn't necessarily better but it is good for mixed environments

[–] [email protected] 7 points 6 months ago

Maybe I'm just nostalgic but I think a classic IPA doesn't need a modern twist. I'm all for IPA open sourcing their beer; heck, free beer is good enough for me.

In all seriousness though, I already saw a user recommend kanidm. I can vouch for kanidm; written in Rust, it allows offline authentication and offline caching of user info, which is really handy if you're in a situation with poor internet connectivity. kanidm is feature rich:@[email protected] already mentioned OAuth2 support, LDAP, RADIUS; etc. It even supports TOTP!! Kanidm doesn't support SAML IIRC, But SSO can be achieved through OAuth2 with OIDC.

From kanidm's Github:

Kanidm aims to have the features richness of FreeIPA, but without the resource and administration overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for search operations and 5 times faster for modification and addition of entries (your results may differ however, but generally Kanidm is much faster than FreeIPA).

https://github.com/kanidm/kanidm

[–] [email protected] 5 points 6 months ago (1 children)

It's my understanding that FreeIPA can federate with Active Directory, but personally I haven't tried that myself. As for Authentik, it looks interesting but it's the first I've heard of it. I also rely on FreeIPA's certmonger implementation, so I wonder if Authentik could replace that?

Just to understand your use case, you have users in Active Directory where you want to manage SSH keys and be able to login via SSH to linux machines?

[–] [email protected] 2 points 6 months ago (1 children)

Yeah, users in AD and the FreeIPA replacement essentially handles the SSH key management + middle-man the auth to Linux servers.

[–] [email protected] 2 points 6 months ago (1 children)

This is what I've read about where users in AD can be federated to FreeIPA: https://www.freeipa.org/page/V4/One-way_trust. Not sure if this covers your use case

[–] [email protected] 1 points 6 months ago

I think my main concern is FreeIPA’s longevity. As a tool, it’s rather outdated even in its latest version. It works, but the upkeep on it is not quite robust. Its implementation of AD standards are also limited. This is why I’m looking for an alternative to FreeIPA.

[–] [email protected] 3 points 6 months ago

Free as in free beer?

[–] [email protected] 2 points 6 months ago (1 children)

I'm sorry for worthless comment in advance. I've never heard of FreeIPA, but I'd definitely get free IPA ;-)

[–] [email protected] 2 points 6 months ago

IPA beer is good for sure. freeIPA is a central way to manage Linux devices. manage users ssh keys and even limiting sudo commands with sudo rules. and some other things. It can not do everything active directory does but their sure are a load of similarities.

[–] [email protected] 2 points 6 months ago

You could enroll all your servers into a pam, and let that manage your keys. https://goteleport.com/ for instance has open source core and is quite easy to get started with.

[–] [email protected] 1 points 6 months ago

What are you using freeIPA for?

[–] [email protected] 1 points 6 months ago

I prefer FreeLager myself.