Authserver
Purpose
This system provides an OAuth2/OpenID Connect authentication server based on Ory Hydra.
Application Links
The public API is available at https://authserver.cacert.org/
The internal API is available to the IDP at https://authserver.infra.cacert.org:4445/
Administration
System Administration
Primary: Jan Dittberner
Application Administration
| Application | Administrator(s) |
|---|---|
| Ory Hydra | |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra03.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:8f:62:0d:36 (eth0)
See also: Network
Monitoring
- internal checks:
- external checks:
DNS
Todo: setup public DNS for authserver
| Name | Type | Content |
|---|---|---|
| authserver.infra.cacert.org | IN A | 10.0.3.16 |
Operating System
Debian GNU/Linux 12 Bookworm
Services
Listening services
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | redirect to https |
| 443/tcp | https | ANY | reverse proxy for Hydra |
| 4445/tcp | http | ANY | Hydra OIDC server |
| 5665/tcp | icinga2 | monitor | remote monitoring service |
Access to the internal Hydra API (4445/tcp) is restricted to the IDP by firewall rules on Infra03; the container itself listens on all addresses.
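As an added check (an example script written for this page, not part of the CAcert Puppet code or the original documentation), the following compares the TCP ports actually listening on the host against the table above and reports anything undocumented, so drift such as a new listener appearing on the container is caught. The `ss` output embedded below is a constructed sample so the script runs offline; on the real host it would be replaced by the live `ss -Hltn` output.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against the documented table.

# Ports from the "Listening services" table above.
DOCUMENTED_PORTS="22 25 80 443 4445 5665"

# Constructed sample of `ss -Hltn` output (state, recv-q, send-q, local, peer).
# Port 8080 is deliberately included as an undocumented listener.
# On the real host use: SS_OUTPUT=$(ss -Hltn)
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 *:4445 *:*
LISTEN 0 128 0.0.0.0:5665 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# is_documented PORT -> exit 0 if PORT appears in DOCUMENTED_PORTS
is_documented() {
    for p in $DOCUMENTED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# extract_port LOCAL_ADDR -> port from "addr:port" (works for IPv4, [IPv6] and *)
extract_port() {
    printf '%s\n' "$1" | sed 's/.*:\([0-9][0-9]*\)$/\1/'
}

# undocumented_ports SS_OUTPUT -> prints each listening port not in the table,
# one per line, numerically sorted and de-duplicated (empty output = clean)
undocumented_ports() {
    printf '%s\n' "$1" | awk '{print $4}' | while read -r local_addr; do
        port=$(extract_port "$local_addr")
        is_documented "$port" || printf '%s\n' "$port"
    done | sort -un
}

# audit_listeners SS_OUTPUT -> exit 1 when an undocumented port is listening,
# so the check can be wired into a cron job or monitoring plugin
audit_listeners() {
    extra=$(undocumented_ports "$1")
    if [ -n "$extra" ]; then
        printf 'undocumented listening port(s): %s\n' \
            "$(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    printf 'all listening ports are documented\n'
    return 0
}

# Demo run on the constructed sample (reports 8080 and exits non-zero).
audit_listeners "$SAMPLE_SS_OUTPUT" || true
```

The script only sees what is bound on the container; whether 4445/tcp is actually reachable from hosts other than the IDP is decided by the rules on Infra03 and has to be checked there.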
Running services
| Service | Usage | Start mechanism |
|---|---|---|
| cron | job scheduler | systemd unit |
| dbus-daemon | System message bus | systemd unit |
| Exim | SMTP server for local mail submission | systemd unit |
| Hydra | OIDC server | systemd unit |
| icinga2 | Icinga2 monitoring agent | systemd unit |
| nginx | Reverse proxy for Hydra | systemd unit |
| openssh server | ssh daemon for remote administration | systemd unit |
| Puppet agent | configuration management agent | systemd unit |
| rsyslog | syslog daemon | systemd unit |
Connected Systems
Outbound network connections
- DNS (53) resolver at 10.0.0.1 (Infra02)
- Emailout as SMTP relay
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT
- PostgreSQL as PostgreSQL server for Hydra’s database
- crl.cacert.org (rsync) for getting CRLs
Security
SSH host keys
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | - |
| ECDSA | |
| ED25519 | |
Non-distribution packages and modifications
ORY Hydra
ORY Hydra is installed as a binary via Puppet. Checksums and binary locations are configured in the Puppet manifest and Hiera data.
Risk assessments on critical packages
ORY Hydra is running as a separate system user with minimal privileges.
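An added example covering both the checksum statement in the ORY Hydra section and the minimal-privilege statement above (written for this page, not the CAcert Puppet code): two pre-flight checks an operator can run after a Puppet run, one comparing the installed binary's SHA-256 against a pinned value and one confirming that the systemd unit declares a dedicated, non-root user. The file paths, the unit contents and the stand-in binary are constructed for the example and the pinned digest is derived from that stand-in; the real checksum and paths live in the Puppet manifest and Hiera data, which this page does not reproduce.

```shell
#!/bin/sh
# Added example: verify the Hydra binary against a pinned SHA-256 and verify
# the systemd unit runs Hydra as an unprivileged dedicated user.

# Assumed locations for the example; the real ones are set by Puppet.
WORKDIR=$(mktemp -d)
HYDRA_BIN="$WORKDIR/hydra"
HYDRA_UNIT="$WORKDIR/hydra.service"

# Constructed stand-in binary and a constructed unit file.
printf '#!/bin/sh\necho hydra-stand-in\n' > "$HYDRA_BIN"
cat > "$HYDRA_UNIT" <<'EOF'
[Unit]
Description=ORY Hydra OIDC server (constructed example unit)

[Service]
User=hydra
Group=hydra
ExecStart=/usr/local/bin/hydra serve all
NoNewPrivileges=yes
ProtectSystem=strict

[Install]
WantedBy=multi-user.target
EOF

# sha256_of FILE -> hex digest
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_checksum FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_checksum() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# unit_user UNITFILE -> value of User= in the [Service] section (empty if unset)
unit_user() {
    awk -F= '/^\[/{sect=$1} sect=="[Service]" && $1=="User"{print $2}' "$1"
}

# verify_unprivileged_user UNITFILE -> 0 if User= is set and is not root;
# an unset User= means systemd would start the service as root
verify_unprivileged_user() {
    user=$(unit_user "$1")
    case "$user" in
        ""|root)
            printf 'unit %s would run as root (User=%s)\n' "$1" "${user:-unset}" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Stands in for the digest pinned in Hiera; on the real host the value comes
# from configuration, never from the file being checked.
PINNED_SHA256=$(sha256_of "$HYDRA_BIN")

verify_checksum "$HYDRA_BIN" "$PINNED_SHA256" && echo "binary checksum ok"
verify_unprivileged_user "$HYDRA_UNIT" && echo "unit runs as $(unit_user "$HYDRA_UNIT")"
# Clean up the scratch directory when done: rm -rf "$WORKDIR"
```

Deriving the pinned digest from the file under test is only done here so the example is self-contained; in practice the expected value must come from the configuration source, otherwise the check proves nothing.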
Critical Configuration items
Keys and X.509 certificates
Hydra configuration
Tasks
Changes
Planned
None
Additional documentation