# Authentricity

## A Lightweight Distributed Authentication System

Authentricity is a lightweight authentication system for distributed environments.

Users and groups are stored internally in the systemd JSON
[user](https://systemd.io/USER_RECORD/) and [group](https://systemd.io/GROUP_RECORD/)
record formats.

Theoretically the storage backends are pluggable, but presently only
[Hashicorp Consul](https://www.consul.io/) is supported.

This project is very much a work in progress.

### Components

#### authentricity-hostagent

The hostagent should run on every machine for which you wish to use Authentricity for
Unix logins. This component implements the systemd
[User/Group Varlink API](https://systemd.io/USER_GROUP_API/) to support user and group
lookups.

It is intended to be deployed as a systemd service. See [module.nix](./module.nix), which
can be used to deploy this on NixOS, for details.

For both performance and resilience reasons, user information is cached locally:

* Information less than 60s old is considered up-to-date and Consul is not re-queried for it,
  speeding up user information requests and reducing Consul load, and
* In cases where Consul is unable to service requests, the cache will be considered valid
  indefinitely.

A future version may limit the amount of time locally cached information is considered valid.

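The caching policy described above, as an added illustration that is not the project's own code (the README does not state the implementation language; Go is used here): a lookup cache with a 60s freshness window that keeps serving the stale entry whenever the Consul backend fails. The `UserRecord` fields are a subset of the systemd JSON user record; the `Backend` function type, `NewCache`, and the injectable clock are assumptions made for this example.

```go
package main
import (
	"encoding/json"
	"time"
)

// UserRecord carries the subset of systemd JSON user record fields used here.
type UserRecord struct {
	UserName string `json:"userName"`
	UID      int    `json:"uid"`
}
type entry struct {
	rec     UserRecord
	fetched time.Time
}
// Backend fetches a raw JSON user record; it errors when Consul is unreachable.
// (Assumed interface for this example, not the hostagent's real backend.)
type Backend func(name string) ([]byte, error)
// Cache: entries younger than TTL are served as-is, older ones are refreshed,
// and when the backend fails the stale entry is kept with no upper bound on its age.
type Cache struct {
	TTL     time.Duration
	Now     func() time.Time // injectable clock so the policy is testable
	Backend Backend
	entries map[string]entry
}
func NewCache(ttl time.Duration, b Backend, now func() time.Time) *Cache {
	return &Cache{TTL: ttl, Now: now, Backend: b, entries: map[string]entry{}}
}
// Lookup returns the record and true when it was served from the local cache.
func (c *Cache) Lookup(name string) (UserRecord, bool, error) {
	now := c.Now()
	e, ok := c.entries[name]
	if ok && now.Sub(e.fetched) < c.TTL {
		return e.rec, true, nil // fresh (< 60s in the hostagent): Consul not re-queried
	}
	raw, err := c.Backend(name)
	if err != nil {
		if ok {
			return e.rec, true, nil // Consul unavailable: stale entry valid indefinitely
		}
		return UserRecord{}, false, err // never seen and no backend: lookup fails
	}
	var rec UserRecord
	if err := json.Unmarshal(raw, &rec); err != nil {
		return UserRecord{}, false, err
	}
	c.entries[name] = entry{rec: rec, fetched: now}
	return rec, false, nil
}
```

Note that while Consul is unreachable a deleted or changed record keeps being served from the cache; that unbounded validity is what the "future version" sentence above proposes to limit.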
TODO: Provide raw systemd unit files

#### authentricity-webui

This implements

* A login system, and single-domain shared cookie SSO system
* A portal which lets users add & remove SSH keys, change their password, etc.,
  and
* A UI which lets users explore other users and groups, and which lets admins manage
  users and groups
* A UI which lets admins manipulate users and groups

This can be deployed as either

* A systemd service (see [module.nix](./module.nix)), or
* A [container](https://git.shinra.systems/authentricity/-/packages/container/authentricity/)

TODO: Provide raw systemd unit files

TODO: Provide example Kubernetes manifests/Kustomize chart?

#### authentricity-admin

Command line administration tool (performing direct database accesses)

### Future Components

* Radius server
  * Likely minimal feature set at first (PAP, no EAP, etc)
* TACACS+ server
  * For networking appliances
* Separate cookie used for the Web UI from the auth proxy
  * We can then domain scope the Web UI cookie down to just the UI itself,
    protecting better against cookie theft attacks
  * We can use asymmetric crypto for the domain-wide cookie and distribute the public
    keys to auth proxies via Consul
* JWT/OAuth 2.0/OpenID Connect issuer
* Integration of tokens into the Unix auth flow
  * Return something like a Kerberos TGT that can be exchanged for service JWTs?
* Minimal authentication proxy without the Web UI?