Using AuthD with Entra ID on Ubuntu 24.04

For Ubuntu 23.04, Canonical announced that ‘Ubuntu Desktop 23.04 is the first and only Linux distribution to enable native user authentication’ against Azure AD (now Entra ID). That release used the aad-auth package, which has since been retired, with authd as its successor. As the old aad-auth package README says: ‘Moving forward, we are excited to introduce a broader and more versatile project, authd, which replaces aad-auth. This new initiative will extend the capabilities beyond Azure, supporting a wider range of platforms and services, such as OpenID Connect-based providers.’

AuthD is designed to bridge the gap between traditional system authentication and cloud identity providers, offering a seamless and secure way to manage access across Ubuntu machines. With the release of Ubuntu 24.04 LTS, both Desktop and Server editions, AuthD has become an integral tool for those looking to leverage cloud-based identity management without compromising on security or ease of use.

AuthD Installation Process on Ubuntu 24.04

Getting AuthD up and running on your Ubuntu 24.04 system involves installing two key components: the AuthD service itself and the MS Entra ID broker. Let’s walk through this process step by step.

Installing AuthD

AuthD is distributed as a Debian package. However, as it’s currently in active development, we’ll need to use a testing PPA (Personal Package Archive) to install it on Ubuntu 24.04. Treat packages from a testing PPA as pre-release software: review what the PPA ships and pin the versions you have validated before rolling it out to production hosts. Here’s how to do it:

First, add the AuthD testing PPA to your system’s software sources:

sudo add-apt-repository ppa:ubuntu-enterprise-desktop/authd
sudo apt update

Now, install AuthD. On a desktop, also install the patched GNOME Shell and Yaru theme packages from the PPA, which add the broker login UI to GDM; on a server, the authd package alone is enough:

Ubuntu 24.04 Desktop

sudo apt install authd gnome-shell yaru-theme-gnome-shell yaru-theme-gtk yaru-theme-icon yaru-theme-sound

Ubuntu 24.04 Server

sudo apt install authd

Installing the MS Entra ID Broker

The MS Entra ID broker is provided as a Snap package, making installation straightforward:

   sudo snap install authd-msentraid

That’s it! You’ve now installed both AuthD and the MS Entra ID broker on your Ubuntu 24.04 system.

Configuring Entra for AuthD

Now that we have AuthD and the MS Entra ID broker installed, it’s time to configure them to work with your Entra ID setup. This process involves three main steps: broker discovery, Entra ID configuration, and broker configuration. Let’s dive in.

Broker Discovery

First, we need to set up broker discovery so that AuthD knows about the available identity brokers:

Create the directory for broker declaration files:

   sudo mkdir -p /etc/authd/brokers.d/

Copy the Entra ID broker configuration file:

   sudo cp /snap/authd-msentraid/current/conf/authd/msentraid.conf /etc/authd/brokers.d/

This file declares the Entra ID broker to AuthD. You can have multiple brokers enabled simultaneously if needed.

Entra ID Configuration

Before we can use Entra ID with AuthD, we need to register a new application in the Microsoft Azure portal. Here’s how:

  1. Log in to the Azure Portal.
  2. Navigate to Entra > App Registrations > New Registration.
  3. Give your application a name (e.g., “Ubuntu AuthD”). Users will see this name when they sign in, so make it descriptive.
  4. For “Supported account types”, choose “Accounts in this organizational directory only”.
  5. Leave the “Redirect URI” blank and click “Register”.
  6. Under Entra > App Registrations > YOUR NEW APP > API Permissions > Add a Permission > Microsoft Graph > Delegated Permissions, add the following permissions:
     • GroupMember.Read.All (requires admin consent)
     • openid
     Then click “Grant admin consent for <your tenant>” on the API Permissions page. Until an administrator grants it, users will be stopped at sign-in by an admin approval prompt.
  7. In the “Authentication” menu, under “Advanced settings”, set “Allow public client flows” to “Yes”. This is what permits the device code flow the broker relies on: the broker runs on the client machine and holds no client secret.

Broker Configuration

Now, let’s configure the Entra ID broker:

Edit the broker configuration file:

   sudo nano /var/snap/authd-msentraid/current/broker.conf

Update the file with your Entra ID details:

[oidc]
issuer = https://login.microsoftonline.com/<ISSUER_ID>/v2.0
client_id = <CLIENT_ID>

[users]
# Uncomment and modify if you want to change the home directory base
# home_base_dir = /home
# Uncomment and add allowed domain suffixes for SSH login
# ssh_allowed_suffixes = @example.com,@anotherexample.com

Replace <ISSUER_ID> with your Directory (tenant) ID, shown on the Overview page of Entra > App Registrations > YOUR NEW APP; the same GUID appears inside the OAuth 2.0 endpoint URLs under the Endpoints button at the top of that page. Do not substitute “common” or “organizations” here: v2.0 tokens carry your tenant’s GUID in their iss claim, so the issuer must be tenant-specific for the broker to validate them.

Replace <CLIENT_ID> with the Application (client) ID, also shown on that Overview page.

Save the file and exit the editor.

Restart the AuthD service:

   sudo systemctl restart authd

Restart the Entra ID broker:

   sudo snap restart authd-msentraid
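
As an added check, not part of the original article or of the authd project, the following bash script lints a broker.conf before you restart the services. It reads the [oidc] and [users] sections, verifies that issuer is the tenant-specific v2.0 URL with a GUID in place of <ISSUER_ID>, that client_id is a GUID, and that every ssh_allowed_suffixes entry looks like @domain. The configuration it writes to a temporary file for the demonstration is constructed and deliberately still contains the placeholders; on a real host point check_broker_conf at /var/snap/authd-msentraid/current/broker.conf instead.

```shell
#!/usr/bin/env bash
# Added example: lint an authd-msentraid broker.conf for the common mistakes
# (placeholders left in, wrong issuer form, malformed SSH suffixes).
# Not part of the article or of authd itself.

# Print the value of KEY inside [SECTION] of an INI-style FILE (first match).
# Usage: ini_get FILE SECTION KEY
ini_get() {
  awk -v section="$2" -v key="$3" '
    /^[[:space:]]*\[/ {
      in_section = ($0 ~ ("^[[:space:]]*[[]" section "[]][[:space:]]*$")); next
    }
    in_section && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

GUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# Check one broker.conf. Prints each problem found; returns 0 only if clean.
check_broker_conf() {
  local f=$1 rc=0 issuer client_id suffixes tenant s
  issuer=$(ini_get "$f" oidc issuer)
  client_id=$(ini_get "$f" oidc client_id)
  suffixes=$(ini_get "$f" users ssh_allowed_suffixes)

  # The issuer must name your own tenant: https://login.microsoftonline.com/<tenant GUID>/v2.0
  case $issuer in
    https://login.microsoftonline.com/*/v2.0)
      tenant=${issuer#https://login.microsoftonline.com/}
      tenant=${tenant%/v2.0}
      if ! [[ $tenant =~ $GUID_RE ]]; then
        echo "issuer: tenant segment '$tenant' is not a GUID (placeholder still present?)"; rc=1
      fi ;;
    *)
      echo "issuer: expected https://login.microsoftonline.com/<tenant-id>/v2.0, got '${issuer:-<unset>}'"; rc=1 ;;
  esac

  # client_id is the Application (client) ID from the app registration's Overview page
  if ! [[ $client_id =~ $GUID_RE ]]; then
    echo "client_id: '${client_id:-<unset>}' is not an application (client) ID GUID"; rc=1
  fi

  # ssh_allowed_suffixes is a comma-separated list of "@domain" suffixes
  if [ -n "$suffixes" ]; then
    local IFS=,
    for s in $suffixes; do
      s=${s// /}
      case $s in
        @*.*) ;;
        *) echo "ssh_allowed_suffixes: '$s' should look like @example.com"; rc=1 ;;
      esac
    done
  else
    echo "note: ssh_allowed_suffixes is unset, so only users that already exist locally can log in over SSH"
  fi
  return "$rc"
}

# Stand-alone demonstration on a constructed sample (placeholders left in on purpose).
demo_broker_conf_lint() {
  local tmp
  tmp=$(mktemp)
  cat >"$tmp" <<'EOF'
[oidc]
issuer = https://login.microsoftonline.com/<ISSUER_ID>/v2.0
client_id = <CLIENT_ID>

[users]
home_base_dir = /home
ssh_allowed_suffixes = example.com
EOF
  if check_broker_conf "$tmp"; then
    echo "broker.conf looks sane"
  else
    echo "fix the problems above before restarting authd and the broker"
  fi
  rm -f "$tmp"
}

demo_broker_conf_lint
```

Run it as root against the real file (`check_broker_conf /var/snap/authd-msentraid/current/broker.conf`) after editing and before the two restarts; a clean run prints nothing but the optional note about ssh_allowed_suffixes.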

System Configuration (Optional)

The console login program, login(1), gives a user 60 seconds by default to complete authentication. That can be too short for the device code flow, because the user has to open a browser, enter the code and finish MFA within that window. To extend it:

Edit the login configuration file:

   sudo nano /etc/login.defs

Find the LOGIN_TIMEOUT line and increase its value. For example:

   LOGIN_TIMEOUT 120

Save the file. The change applies to new console login sessions only; SSH logins are governed by sshd’s own LoginGraceTime (120 seconds by default) rather than by this setting.

With these configuration steps complete, your Ubuntu 24.04 system should now be set up to authenticate users via Entra ID using AuthD. In the next section, we’ll cover how to actually log in using this new setup.

Logging In with AuthD and Entra ID

Now that we have AuthD and the MS Entra ID broker installed and configured, let’s explore how to actually log in to your Ubuntu 24.04 system using this setup. We’ll cover both desktop login via GDM (GNOME Display Manager) and SSH login for remote access.

Ubuntu Desktop Entra Login

Logging in via the desktop is straightforward once everything is set up correctly:

  1. At the login screen, you’ll see a new option for “Enterprise Login” or “Azure AD.” Select this option.
  2. Enter your Entra ID email address (e.g., [email protected]).
  3. You are shown a device login code and a QR code. Open Microsoft’s device login page in a browser (on the same machine or any other device), enter the code and complete authentication, including multi-factor authentication if it’s enabled for your account.
  4. Once authenticated, authd creates the local user record and home directory (if they don’t already exist) and GDM logs you in.

Note: The first login might take a bit longer as the system sets up your local account and home directory.

SSH Login to Ubuntu 24.04 Server w/Entra Authentication

Logging in via SSH requires a bit more setup on the server side, but once configured, it’s just as smooth as desktop login.

Ubuntu Server Configuration for SSH via Entra

Edit the SSH configuration file.

sudo nano /etc/ssh/sshd_config.d/authd.conf

Add or ensure the following lines are present.

UsePAM yes
KbdInteractiveAuthentication yes

authd drives the login through PAM’s keyboard-interactive conversation, which is why both settings are required. Check the syntax with sshd -t before restarting the SSH service.

sudo systemctl restart ssh

Broker Configuration

The broker configuration file edited earlier also controls who may log in over SSH. Open it again:

sudo nano /var/snap/authd-msentraid/current/broker.conf

The [oidc] section must already contain the Application (client) ID of your app registration as client_id and the tenant-specific issuer URL built from your Directory (tenant) ID as issuer, both taken from the application’s Overview page as described above. For SSH, additionally set ssh_allowed_suffixes to the comma-separated list of domain suffixes you want to allow:

[oidc]
issuer = https://login.microsoftonline.com/<ISSUER_ID>/v2.0
client_id = <CLIENT_ID>

[users]
# The directory where the home directory will be created for new users.
# Existing users will keep their current directory.
# The user home directory will be created in the format of {home_base_dir}/{username}
home_base_dir = /home

# The username suffixes that are allowed to login via ssh without existing previously in the system.
# The suffixes must be separated by commas.
ssh_allowed_suffixes = @example.com

Note that this is only a suffix match on the login name: any user in your tenant whose UPN ends in an allowed suffix and who can sign in to the registered application can log in over SSH and have a local account created. If you need tighter control, restrict who may sign in to the application on the Entra side (Enterprise applications > your app > Properties > “Assignment required?” set to Yes, then assign the permitted users or groups).

Save the file and restart the AuthD-MSEntraID service:

sudo snap restart authd-msentraid

SSH Login Process

Now, you can SSH into your server using your Entra ID credentials:

Open a terminal on your local machine and use the following command to initiate the SSH connection

ssh [email protected]@your-server-address        

Replace [email protected] with your Entra ID email and your-server-address with your server’s IP or hostname.

Once connected, you’ll be asked to choose between the local broker and the Microsoft Entra ID broker. Selecting Entra shows a QR code and a device login code; open https://microsoft.com/devicelogin in a browser (on any device), enter the code and sign in the way you normally do, including MFA or a YubiKey if your account requires them.

When the browser reports success, the SSH session completes and you are logged into the server.

Login Timeout Considerations

As noted under System Configuration above, login(1) allows 60 seconds by default to complete a console login, which can be too short for the device code flow. If console logins time out, raise LOGIN_TIMEOUT in /etc/login.defs (for example, LOGIN_TIMEOUT 120) and save the file; the change applies to new login sessions. For SSH the relevant limit is sshd’s LoginGraceTime (120 seconds by default) in sshd_config, so raise that instead if SSH sessions are closed before the device code is confirmed.

With these configurations in place, you should now be able to seamlessly log in to your Ubuntu 24.04 system using your Entra ID credentials, whether you’re sitting at the machine or accessing it remotely via SSH.

Ubuntu Entra User and Group Management

When using AuthD with Entra ID, understanding how users and groups are managed is crucial. This integration brings cloud-based identity management to your local Ubuntu system, but it’s important to know how these cloud identities translate to local user accounts and groups.

User Account Creation

When a user logs in via AuthD for the first time, a local user account is created automatically. It is linked to the user’s Entra ID identity but behaves like a standard local account on the Ubuntu system (it does not live in /etc/passwd; authd resolves it through its NSS module). The local username is the name the user signed in with, i.e. the full Entra ID email address (UPN), not just the part before the @ symbol, which is why the SSH login name above takes the form user@domain@host.

Group Types

AuthD manages three types of groups for each user:

  1. Primary Group: This is created automatically with the same name as the local username; it is the user’s private group and, like the user, is resolved through authd rather than /etc/group.
  2. Local Groups: These are groups local to the Ubuntu machine and are prefixed with “linux-” in Entra ID. For instance, if a user is a member of the “linux-sudo” group in Entra ID, they will be automatically added to the “sudo” group on the local machine.
  3. Remote Groups: These are all other Entra ID groups the user is a member of. They are created as local groups on the Ubuntu system with the same name as in Entra ID.

Group Synchronization

When a user logs in, AuthD synchronizes their group memberships:

  1. It checks the user’s group memberships in Entra ID.
  2. It creates any missing groups on the local system.
  3. It adds the user to the appropriate local groups based on their Entra ID group memberships.

For example, if a user belongs to the following groups in Entra ID:

  • linux-sudo
  • DevTeam
  • ProjectX

After logging in, you might see something like this when running the groups command for that user (the username is shortened here for readability; the real name is the full UPN):

$ groups jsmith
jsmith sudo DevTeam ProjectX        

Here, “jsmith” is the primary group, “sudo” comes from the “linux-sudo” Entra ID group, and “DevTeam” and “ProjectX” are remote groups.

Group Management Best Practices

  1. Use “linux-” Prefix for System Groups: If you want to manage system group memberships (like sudo) via Entra ID, create groups with the “linux-” prefix in Entra ID. This allows for centralized management of system access.
  2. Leverage Entra ID Groups: Create and manage groups in Entra ID for project teams, departments, or access levels. These will be automatically synchronized to the local system.
  3. Regular Audits: Periodically review group memberships in Entra ID to ensure users have appropriate access levels on your Ubuntu systems.
  4. Local Group Changes: Remember that changes made to group memberships locally on the Ubuntu system may be overwritten during the next AuthD synchronization. Always manage group memberships through Entra ID for consistency.

Viewing User and Group Information

To view the groups a user belongs to, you can use the following commands:

# View groups for the current user
groups

# View groups for a specific user
groups username

# View detailed group information
id username        

These commands will show you the local representation of the user’s Entra ID group memberships.
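
As an added illustration of the mapping rules described under Group Synchronization and of the audit recommended in the best practices (example code, not part of the article or of authd), the bash script below does two things: expected_local_groups applies the “linux-” prefix rule to a list of Entra ID group names and prints the local group names authd would grant, and audit_cloud_privileged reads /etc/group-format lines and reports every cloud identity (a member name containing “@”, i.e. an Entra UPN) that holds membership in a privileged local group. The group lines embedded in the script are constructed sample data with placeholder UPNs in the example.com domain; on a real host pipe the output of getent group into the function instead.

```shell
#!/usr/bin/env bash
# Added example (not from the article or authd): predict the local groups authd
# grants for a set of Entra ID groups, and audit which cloud identities hold
# privileged local group membership.

# Apply the mapping described in the text: "linux-<name>" selects the existing
# local group <name> (linux-sudo -> sudo); any other Entra group becomes a local
# group of the same name. Prints the resulting names space-separated.
expected_local_groups() {
  local g out=''
  for g in "$@"; do
    case $g in
      linux-*) out="$out ${g#linux-}" ;;
      *)       out="$out $g" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Read /etc/group-format lines (name:x:gid:member1,member2) on stdin and print
# "group:member" for every member whose name contains '@' (an Entra UPN, which is
# how authd names users) in any of the privileged groups given as arguments.
audit_cloud_privileged() {
  awk -F: -v priv="$*" '
    BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    ($1 in want) && $4 != "" {
      m = split($4, members, ",")
      for (i = 1; i <= m; i++)
        if (index(members[i], "@")) print $1 ":" members[i]
    }'
}

# Constructed sample of `getent group` output; not captured from a real host.
# The UPNs are placeholders in the example.com domain.
SAMPLE_GROUPS='root:x:0:
sudo:x:27:alice,jsmith@example.com
adm:x:4:syslog
docker:x:998:bob@example.com
DevTeam:x:70001:jsmith@example.com,bob@example.com
ProjectX:x:70002:jsmith@example.com'

# Stand-alone demonstration.
echo "Entra groups linux-sudo DevTeam ProjectX -> local groups: $(expected_local_groups linux-sudo DevTeam ProjectX)"
echo "Cloud identities in privileged local groups:"
printf '%s\n' "$SAMPLE_GROUPS" | audit_cloud_privileged sudo adm docker lxd
```

On a live host run `getent group | audit_cloud_privileged sudo adm docker lxd` (getent includes the groups served by authd’s NSS module). Remember that remote groups such as DevTeam only appear locally once a member has logged in, so the audit reflects accounts that have actually signed in, not everything assigned in Entra.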

By understanding how AuthD manages users and groups, you can effectively leverage your existing Entra ID structure to control access and permissions on your Ubuntu systems, streamlining user management across your infrastructure.


Ismael P.

IT Support Technician & Azure Administrator Skilled in troubleshooting, systems administration, and technical support. Committed to continuous learning and improving IT processes.

2 weeks ago

I have followed the steps of the official documentation and they are practically identical to yours, I have managed to make the team "compliant" in my Intune. I go to log in, I get a QR with a code to validate the device in Microsoft, I do it, in the browser it gives me everything ok, but in the system I get: “Authentication failure: Could not authenticate user remotely.” Any suggestions or help, please? Thanks a lot! Don Fountain

Ajit Gaikwad

Senior Linux Administrator | Linux | Shell Scripting | Ansible | Python | Aws-Ansible | Kickstart | Nexus | Netskope | AWS | Docker | Automation

2 months ago

Hello Sir, could you please help me set up Azure login on Ubuntu 24.04? After the setup, we are able to get the home directory, but the Azure password and the Ubuntu system password are not the same.

Alari Schu

DevSecOps engineer at Turnit

3 months ago

Thank you for the excellent article! I got SSH login to work with Entra Authentication for Ubuntu 24.04 LTS hosted in Azure, however using Azure Bastion RDP native client and xrdp didn't succeed. Any thoughts on that, should this be possible?
