I am trying to figure out how I can retain personal SSH keys (probably the most important part, or at least important to have an alternative connection method) while also having modern tools like SSO or at least SAML, some way to federate to different ADs.
I know there are a few things out there like Authentik and Authelia, but not 100% sure Authentik covers those needs above. Does anyone have experience with these or other modern LDAP alternatives that work well with Linux?
The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:
oauth2
ssh key distribution
RADIUS
PAM/SSSD
LDAP
I just noticed they have a beta for multimaster replication, which is nice.
I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.
Maybe I'm just nostalgic but I think a classic IPA doesn't need a modern twist. I'm all for IPA open sourcing their beer; heck, free beer is good enough for me.
In all seriousness though, I already saw a user recommend kanidm. I can vouch for kanidm; written in Rust, it allows offline authentication and offline caching of user info, which is really handy if you're in a situation with poor internet connectivity. kanidm is feature rich:@[email protected] already mentioned OAuth2 support, LDAP, RADIUS; etc. It even supports TOTP!! Kanidm doesn't support SAML IIRC, But SSO can be achieved through OAuth2 with OIDC.
From kanidm's Github:
Kanidm aims to have the features richness of FreeIPA, but without the resource and administration overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for search operations and 5 times faster for modification and addition of entries (your results may differ however, but generally Kanidm is much faster than FreeIPA).
It's my understanding that FreeIPA can federate with Active Directory, but personally I haven't tried that myself. As for Authentik, it looks interesting but it's the first I've heard of it. I also rely on FreeIPA's certmonger implementation, so I wonder if Authentik could replace that?
Just to understand your use case, you have users in Active Directory where you want to manage SSH keys and be able to login via SSH to linux machines?
You could enroll all your servers into a pam, and let that manage your keys. https://goteleport.com/ for instance has open source core and is quite easy to get started with.
IPA beer is good for sure. freeIPA is a central way to manage Linux devices. manage users ssh keys and even limiting sudo commands with sudo rules. and some other things. It can not do everything active directory does but their sure are a load of similarities.