Auth / ID
The CCCDA uses Kanidm for authentication to all its services.
Kanidm is available on https://id.cccda.de.
Not all services are migrated to id.cccda.de yet! If you notice a service you require access to that is still using LDAP, please raise the issue in one of the available channels.
All available services are listed on the front page.
Most services use OpenID Connect (OIDC), so that the login flow is routed via https://id.cccda.de.
Profile configuration and setup
You are required to set up a second factor, preferably a passkey. See the list of recommended passkeys below.
The use of WebAuthn (passkeys) is recommended if you have a compatible token or a modern cell phone. With a passkey registered, you use FIDO2 passwordless login: a login no longer needs a passphrase, only your (PIN-protected) passkey and a presence check (pushing the button on the key). In this case, password-based access can be disabled completely by clicking the "Delete generated credentials" button.
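To make concrete what "PIN-protected passkey plus presence check" means on the server side, here is an added example (not CCCDA or Kanidm code) of the checks a WebAuthn relying party performs on the authenticatorData of a FIDO2 assertion: the rpIdHash must match the site, the UP flag proves the button press, the UV flag proves the PIN (or biometric) was checked, and the signature counter must not go backwards. The relying-party ID `id.cccda.de` and the sample assertions are assumptions constructed for the example; a real deployment also verifies the signature over authenticatorData and the client data hash, which is omitted here.

```python
"""Added example: relying-party checks on a FIDO2/WebAuthn assertion.

Not CCCDA or Kanidm code; the RP ID and the sample assertions are constructed.
"""
import hashlib
import struct

# authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
FLAG_UP = 0x01  # user present: the button on the key was pushed
FLAG_UV = 0x04  # user verified: PIN / biometric checked by the authenticator


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    last_sign_count: int = 0, require_uv: bool = True):
    """Return (ok, reason) for a passwordless login assertion.

    require_uv=True is what passwordless login needs: presence alone (UP) is
    not enough, the PIN check (UV) must also have happened on the key.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False, "rpIdHash mismatch (assertion was made for another site)"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "user verification (PIN) not asserted"
    # A counter of 0 means the authenticator does not implement counters.
    # Otherwise a non-increasing counter suggests a cloned credential.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData header for the examples below."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    RP_ID = "id.cccda.de"  # assumed relying-party ID for the example
    good = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 12)
    presence_only = make_auth_data(RP_ID, FLAG_UP, 13)
    other_site = make_auth_data("example.invalid", FLAG_UP | FLAG_UV, 14)
    for name, data in [("good", good), ("presence_only", presence_only),
                       ("other_site", other_site)]:
        print(name, check_assertion(data, RP_ID, last_sign_count=11))
```

The `require_uv` flag is the difference between a passkey used as a second factor (presence is enough, the password supplied the first factor) and passwordless login as described above, where the PIN on the key replaces the password and therefore must be verified on every assertion.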
Some services (e.g. Mail) do not support OIDC, so they are still connected via LDAP. The so-called "UNIX password" must be configured in Kanidm's credentials section so that these services can continue to be used; it is not set by default and must be configured manually. The UNIX password is independent of the account password, as no MFA can be used here.
Note that you cannot save any changes to your profile page unless you first register a 2FA.
If the UNIX password section is missing, an administrator forgot to assign your account a POSIX group number 🤡
Door
SSH keys for door can also be configured in the credentials section. SSH keys are synced to door.cccda.de every 15 minutes.
shells
Shells is not connected to id.cccda.de yet. Use your existing (old) OpenLDAP password or your existing (old) SSH keys.
Recommended Passkey-compatible Tokens
These should come with modern authentication features (currently FIDO2 WebAuthn, aka passkeys). Their packaging and case should make tampering attempts immediately evident.
✔️ Hardware Tokens
- Yubikey 5 series
  - Tamper-evident packaging
  - Opening the case is always destructive
  - FIDO Level 2 certified
  - Verified via https://fidoalliance.org/certification/fido-certified-products/
- Token2 Pin+ Release 3
  - FIDO Level 2 certified
  - Verified via https://fidoalliance.org/certification/fido-certified-products/
  - Inexpensive (~23 EUR)
✔️ Software Token
Some password managers feature support for storing Passkeys alongside your usual credentials.
🛑 Don't buy these tokens!
The following keys all have some issue that makes them inferior to the recommended products.
- Titan
  - Rebranded Feitian etc.; not comparable to the Titan keys integrated into Android
- Nitrokey 2
  - Can be compromised via vendor-specific CTAP commands (https://fy.blackhats.net.au/blog/2023-12-02-attestation-and-opensource/#nitrokey-2)
- Nitrokey 3
  - Trussed firmware stack
  - Case can presumably be opened without destroying it
  - https://fy.blackhats.net.au/blog/2023-12-02-attestation-and-opensource/#nitrokey-3-nfc
- Solokey 2
  - Hardware was released (dropped), but the firmware is incomplete and is no longer being developed
  - Button (user presence) is often difficult to trigger
  - https://fy.blackhats.net.au/blog/2023-12-02-attestation-and-opensource/#solokey