Authserver

Purpose

This system will provide an OAuth2/OpenID Connect authentication server based on Ory Hydra.

Application Links

The public API is available at https://authserver.cacert.org/

The internal API is available to the IDP at https://authserver.infra.cacert.org:4445/

Administration

System Administration

• Primary: Jan Dittberner

Application Administration

Application	Administrator(s)
Ory Hydra	Jan Dittberner

Contact

• authserver-admin@cacert.org

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internet:

213.154.225.249

IP Intranet:

172.16.2.9

IP Internal:

10.0.3.16

IPv6:

2001:7b8:616:162:3::16

MAC address:

00:ff:8f:62:0d:36 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for authserver.infra.cacert.org

external checks:

Monitoring checks for authserver.cacert.org

DNS

Todo

setup public DNS for authserver

Name	Type	Content
authserver.infra.cacert.org	IN A	10.0.3.16

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 11 Bullseye

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
5665/tcp	icinga2	monitor	remote monitoring service

Todo

setup Hydra and add ports

Running services

Service	Usage	Start mechanism
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus	systemd unit dbus.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Puppet agent	configuration management agent	systemd unit puppet.service
rsyslog	syslog daemon	systemd unit rsyslog.service

Todo

setup and document Hydra service

Connected Systems

• Monitor

Outbound network connections

• DNS (53) resolver at 10.0.0.1 (Infra02)

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

• crl.cacert.org (rsync) for getting CRLs

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:ZgvBP7wgwMVdIoBwzXySrp1LvZ09bIHNcMFAjB76AcE, MD5:59:66:bd:4e:7a:a3:4d:7c:85:b7:e6:78:6a:19:ed:c8
DSA	-
ECDSA	SHA256:0Ytz3o1pchRp+v0jnw72uylXrW28uGsFD1zv1zxjuo4, MD5:68:52:51:40:e2:8f:95:ce:f2:e8:e5:c8:cb:68:b5:1c
ED25519	SHA256:yDV+CXVGSBIjvdsLzvbXoRAOo+oRr50UR0t/D+B/iss, MD5:75:81:b4:a9:ac:a7:6f:db:73:25:a8:36:df:fc:7b:ae

See also

SSH host key list

Non-distribution packages and modifications

Todo

document Hydra installation

Risk assessments on critical packages

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Critical Configuration items

Keys and X.509 certificates

Hydra configuration

Tasks

Changes

Planned

,, todo:: install Hydra

Additional documentation

See also

• Wiki page Exim4Configuration

References

• https://ory.sh/hydra

• https://www.ory.sh/docs/hydra/self-hosted/install