Authserver

Purpose

This system provides an OAuth2/OpenID Connect authentication server based on Ory Hydra.

Administration

System Administration

Application Administration

Application   Administrator(s)
Ory Hydra     Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internet:   213.154.225.249
IP Intranet:   172.16.2.9
IP Internal:   10.0.3.16
IPv6:          2001:7b8:616:162:3::16
MAC address:   00:ff:8f:62:0d:36 (eth0)

See also

See Network

Monitoring

internal checks:   Monitoring checks for authserver.infra.cacert.org
external checks:   Monitoring checks for authserver.cacert.org

DNS

Todo

set up public DNS for authserver

Name                          Type   Content
authserver.infra.cacert.org   IN A   10.0.3.16

Operating System

  • Debian GNU/Linux 12 Bookworm

Services

Listening services

Port       Service   Origin    Purpose
22/tcp     ssh       ANY       admin console access
25/tcp     smtp      local     mail delivery to local MTA
80/tcp     http      ANY       redirect to https
443/tcp    https     ANY       reverse proxy for Hydra
4445/tcp   http      ANY       Hydra OIDC server
5665/tcp   icinga2   monitor   remote monitoring service

Access to the internal Hydra API (4445/tcp) is restricted to the IDP by firewall rules on the host Infra03; the Origin column above therefore describes what the container itself accepts, not what the host firewall lets through.
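A quick way to keep the table above honest is to diff it against what the container actually listens on. The script below is an added example, not part of the CAcert infrastructure documentation: DOCUMENTED is copied from the table, the `ss -tlnp` text is a constructed sample (not a capture from authserver) that deliberately includes an undocumented listener on 8080/tcp, and the `--live` switch, which runs `ss` on the host, is this example's own convention. It also checks that the one service documented with Origin "local" (smtp) is bound to loopback only.

```python
"""Audit the container's live TCP listeners against the documented table.

Added example; not part of the CAcert infrastructure documentation.
DOCUMENTED is copied from the "Listening services" table on this page. The
`ss -tlnp` output below is a constructed sample, not a capture from
authserver; it deliberately contains one listener (8080/tcp) that the page
does not document.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Set

# port/proto -> service, from the table above.
DOCUMENTED: Dict[str, str] = {
    "22/tcp": "ssh",
    "25/tcp": "smtp",
    "80/tcp": "http",
    "443/tcp": "https",
    "4445/tcp": "http",
    "5665/tcp": "icinga2",
}
# Ports whose Origin column reads "local": they must bind loopback only.
LOCAL_ONLY: Set[str] = {"25/tcp"}

# Constructed sample in `ss -tlnp` format (not real output from the host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=611,fd=4))
LISTEN  0       20      127.0.0.1:25         0.0.0.0:*          users:(("exim4",pid=702,fd=5))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=801,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=801,fd=7))
LISTEN  0       4096    *:4445               *:*                users:(("hydra",pid=900,fd=8))
LISTEN  0       128     0.0.0.0:5665         0.0.0.0:*          users:(("icinga2",pid=950,fd=9))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=1234,fd=3))
"""

SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_NAME = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    process: str
    addrs: List[str] = field(default_factory=list)


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "[::1]"


def parse_ss(output: str) -> Dict[str, Listener]:
    """Map port/proto -> Listener(process name, all bind addresses)."""
    listeners: Dict[str, Listener] = {}
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port, rest = m.groups()
        proc = PROC_NAME.search(rest)
        entry = listeners.setdefault(f"{port}/tcp", Listener(proc.group(1) if proc else "?"))
        entry.addrs.append(addr)
    return listeners


def audit(listeners: Dict[str, Listener], documented: Dict[str, str] = DOCUMENTED,
          local_only: Set[str] = LOCAL_ONLY) -> Dict[str, List[str]]:
    """Three findings lists: undocumented listeners, documented-but-absent
    services, and 'local' services reachable beyond loopback."""
    live = set(listeners)
    exposed = [p for p in sorted(local_only)
               if p in listeners and not all(is_loopback(a) for a in listeners[p].addrs)]
    return {
        "undocumented": sorted(live - set(documented)),
        "missing": sorted(set(documented) - live),
        "exposed_local_only": exposed,
    }


def live_ss_output() -> str:
    """Run ss on the host itself (Linux with iproute2; -p needs root to name
    processes it does not own)."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    output = live_ss_output() if "--live" in sys.argv else SAMPLE_SS_OUTPUT
    for kind, ports in audit(parse_ss(output)).items():
        print(f"{kind}: {', '.join(ports) or 'none'}")
```

Run without arguments it audits the constructed sample and reports 8080/tcp as undocumented; with `--live` it audits the host it runs on. Any "exposed_local_only" finding means a service the table says is local has started binding a routable address, which is the kind of drift a Puppet-managed host should never show.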

Running services

Service          Usage                                    Start mechanism
cron             job scheduler                            systemd unit cron.service
dbus-daemon      System message bus                       systemd unit dbus.service
Exim             SMTP server for local mail submission    systemd unit exim4.service
Hydra            OIDC server                              systemd unit hydra.service
icinga2          Icinga2 monitoring agent                 systemd unit icinga2.service
nginx            Reverse proxy for Hydra                  systemd unit nginx.service
openssh server   ssh daemon for remote administration     systemd unit ssh.service
Puppet agent     configuration management agent           systemd unit puppet.service
rsyslog          syslog daemon                            systemd unit rsyslog.service

Connected Systems

Outbound network connections

  • DNS (53) resolver at 10.0.0.1 (Infra02)

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • PostgreSQL as PostgreSQL server for Hydra’s database

  • crl.cacert.org (rsync) for getting CRLs

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:ZgvBP7wgwMVdIoBwzXySrp1LvZ09bIHNcMFAjB76AcE
            MD5:59:66:bd:4e:7a:a3:4d:7c:85:b7:e6:78:6a:19:ed:c8
DSA         -
ECDSA       SHA256:0Ytz3o1pchRp+v0jnw72uylXrW28uGsFD1zv1zxjuo4
            MD5:68:52:51:40:e2:8f:95:ce:f2:e8:e5:c8:cb:68:b5:1c
ED25519     SHA256:yDV+CXVGSBIjvdsLzvbXoRAOo+oRr50UR0t/D+B/iss
            MD5:75:81:b4:a9:ac:a7:6f:db:73:25:a8:36:df:fc:7b:ae
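The fingerprints above are only useful if they are actually compared before the first connection. The script below is an added example, not part of the CAcert documentation: it computes OpenSSH-style SHA256 and MD5 fingerprints from `ssh-keyscan` (or known_hosts) lines and compares them with the table. EXPECTED is copied from the table; the sample keyscan lines are constructed dummy keys with a valid wire format but made-up key material, so the expected outcome on them is MISMATCH for every algorithm. The script name in the usage line is hypothetical.

```python
"""Check ssh-keyscan output against the documented host key fingerprints.

Added example; not part of the CAcert infrastructure documentation.
EXPECTED is copied from the "SSH host keys" table above. The keyscan lines
below are constructed dummy keys (valid wire format, made-up key material),
so the check must report MISMATCH for all of them. Fingerprint formats follow
OpenSSH (`ssh-keygen -l -E sha256` and `-E md5`).
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

Fingerprints = Tuple[str, str]  # (SHA256:..., MD5:...)

EXPECTED: Dict[str, Optional[Fingerprints]] = {
    "RSA": ("SHA256:ZgvBP7wgwMVdIoBwzXySrp1LvZ09bIHNcMFAjB76AcE",
            "MD5:59:66:bd:4e:7a:a3:4d:7c:85:b7:e6:78:6a:19:ed:c8"),
    "DSA": None,  # "-" in the table: the host offers no DSA key
    "ECDSA": ("SHA256:0Ytz3o1pchRp+v0jnw72uylXrW28uGsFD1zv1zxjuo4",
              "MD5:68:52:51:40:e2:8f:95:ce:f2:e8:e5:c8:cb:68:b5:1c"),
    "ED25519": ("SHA256:yDV+CXVGSBIjvdsLzvbXoRAOo+oRr50UR0t/D+B/iss",
                "MD5:75:81:b4:a9:ac:a7:6f:db:73:25:a8:36:df:fc:7b:ae"),
}


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH style: unpadded base64 of SHA-256 over the wire-format key."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH legacy style: colon-separated hex of MD5 over the wire-format key."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def family(keytype: str) -> str:
    """Map an SSH key type string to the Algorithm column of the table."""
    if keytype == "ssh-rsa":
        return "RSA"
    if keytype == "ssh-dss":
        return "DSA"
    if keytype == "ssh-ed25519":
        return "ED25519"
    if keytype.startswith("ecdsa-sha2-"):
        return "ECDSA"
    raise ValueError(f"unknown key type {keytype}")


def parse_keyscan(output: str) -> List[Tuple[str, str, bytes]]:
    """Parse ssh-keyscan / known_hosts lines into (host, keytype, blob)."""
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan writes banner comments
        host, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        (n,) = struct.unpack(">I", blob[:4])  # blob starts with its type as an SSH string
        if blob[4:4 + n] != keytype.encode():
            raise ValueError(f"{host}: key type in blob does not match {keytype}")
        keys.append((host, keytype, blob))
    return keys


def verify(output: str, expected: Dict[str, Optional[Fingerprints]] = EXPECTED) -> Dict[str, str]:
    """Per algorithm family: ok, MISMATCH, undocumented (offered but not in
    the table) or absent (in the table but not offered by the host)."""
    result: Dict[str, str] = {}
    for _host, keytype, blob in parse_keyscan(output):
        fam = family(keytype)
        want = expected.get(fam)
        if want is None:
            result[fam] = "undocumented"
            continue
        got = (sha256_fingerprint(blob), md5_fingerprint(blob))
        result[fam] = "ok" if got == want else "MISMATCH"
    for fam, want in expected.items():
        if want is not None and fam not in result:
            result[fam] = "absent"
    return result


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _dummy_blob(keytype: str, payload: bytes) -> bytes:
    """Constructed key blob: correct type prefix, meaningless key material."""
    return _ssh_string(keytype.encode()) + _ssh_string(payload)


# Constructed ssh-keyscan output (not a capture from authserver).
SAMPLE_KEYSCAN = "# authserver.infra.cacert.org:22 (constructed sample)\n" + "\n".join(
    f"authserver.infra.cacert.org {kt} {base64.b64encode(_dummy_blob(kt, payload)).decode()}"
    for kt, payload in [("ssh-ed25519", b"\x01" * 32),
                        ("ssh-rsa", b"\x00\x01\x00\x01"),
                        ("ecdsa-sha2-nistp256", b"nistp256")]
)

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYSCAN
    for fam, status in sorted(verify(data).items()):
        print(f"{fam}: {status}")
```

Against the real host it is used as `ssh-keyscan -t rsa,ecdsa,ed25519 authserver.infra.cacert.org | python3 check_hostkeys.py`; every line must come back "ok" before the key is accepted into known_hosts. "undocumented" (a key type the table does not list, including DSA) and "absent" are worth a look too, since both mean the host and this page disagree.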

Non-distribution packages and modifications

ORY Hydra

ORY Hydra is installed as a binary via Puppet. Checksums and binary locations are configured in the Puppet manifest and Hiera data.

Risk assessments on critical packages

ORY Hydra is running as a separate system user with minimal privileges.

Critical Configuration items

Keys and X.509 certificates

Hydra configuration

Tasks

Changes

Planned

  • None

Additional documentation

References