docs: refactor generator guides (#4244)

pull/4246/head
James Elliott 2022-10-23 18:09:19 +11:00 committed by GitHub
parent 296dc9ecc5
commit 12e3cd56b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 165 additions and 91 deletions

View File

@ -289,7 +289,7 @@ especially for containerized deployments.*
The password paired with the [user](#user) used to bind to the LDAP server for lookup and password change operations. The password paired with the [user](#user) used to bind to the LDAP server for lookup and password change operations.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
## Refresh Interval ## Refresh Interval
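Review bot: the retargeted link only resolves because this page sits two directories below the content root (the old `../miscellaneous/guides.md` path already implied that layout), and the `#generating-a-random-alphanumeric-string` anchor still exists as a `##` heading on the new reference page, so the link stays valid. Since the identical retarget is repeated across many files in this commit, a grep for `miscellaneous/guides.md` across the docs tree would confirm no caller was missed.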

View File

@ -157,7 +157,7 @@ The HMAC secret used to sign the [JWT]'s. The provided string is hashed to a SHA
purpose of meeting the required format. purpose of meeting the required format.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters. characters.
### issuer_certificate_chain ### issuer_certificate_chain
@ -185,7 +185,7 @@ certificate immediately following it if present.
especially for containerized deployments.* especially for containerized deployments.*
The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator
and can be done by following the [Generating an RSA Keypair](../miscellaneous/guides.md#generating-an-rsa-keypair) guide. and can be done by following the [Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide.
The private key *__MUST__*: The private key *__MUST__*:
* Be a PEM block encoded in the DER base64 format ([RFC4648]). * Be a PEM block encoded in the DER base64 format ([RFC4648]).
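Review bot: the link now points at the keypair guide, but this paragraph still does not say which of the generated files belongs in `issuer_private_key`; the guide's openssl example writes `private.pem` and `public.pem`, and the authelia generator writes into whatever `--directory` is given, so naming the private key file here would save readers a round trip.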

View File

@ -1,77 +0,0 @@
---
title: "Guides"
description: "Miscellaneous Guides for Configuration."
lead: "This section contains miscellaneous guides used in the configuration."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
configuration:
parent: "miscellaneous"
weight: 199500
toc: true
---
## Generating a Random Alphanumeric String
Some sections of the configuration recommend generating a random string. There are many ways to accomplish this, one
possible way on Linux is utilizing the following command which prints a string with a length in characters of
`${LENGTH}` to `stdout`. The string will only contain alphanumeric characters.
```bash
LENGTH=64
tr -cd '[:alnum:]' < /dev/urandom | fold -w "${LENGTH}" | head -n 1 | tr -d '\n' ; echo
```
## Generating an RSA Keypair
Some sections of the configuration need an RSA keypair. There are many ways to achieve this, this section explains two
such ways.
### openssl
The `openssl` command on Linux can be used to generate a RSA 4096 bit keypair:
```bash
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
```
### authelia
The __Authelia__ docker container or CLI binary can be used to generate a RSA 4096 bit keypair:
```bash
docker run -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia:latest authelia crypto pair rsa generate --bits 4096 --directory /keys
```
```bash
authelia crypto pair rsa generate --directory /path/to/keys
```
## Generating an RSA Self-Signed Certificate
Some sections of the configuration need a certificate and it may be possible to use a self-signed certificate. There are
many ways to achieve this, this section explains two such ways.
### openssl
The `openssl` command on Linux can be used to generate a RSA 4096 bit self-signed certificate for the domain
`example.com`:
```bash
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=example.com'
```
### authelia
The __Authelia__ docker container or binary can be used to generate a RSA 4096 bit self-signed certificate for the
domain `example.com`:
```bash
docker run -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia authelia crypto certificate rsa generate --common-name example.com --directory /keys
```
```bash
authelia crypto certificate rsa generate --common-name example.com --directory /path/to/keys
```
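Review bot: deleting this page drops a published URL under the configuration/miscellaneous menu without a redirect; the replacement page's front matter carries no `aliases:` entry, so add one for the old page's URL so existing bookmarks and external links to these guides keep resolving instead of returning 404 once the site is rebuilt.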

View File

@ -130,7 +130,7 @@ security on lower areas of the OSI model. However it required, if you specify bo
[tls certificate](#certificate) options, Authelia will listen for TLS connections. [tls certificate](#certificate) options, Authelia will listen for TLS connections.
The key must be generated by the administrator and can be done by following the The key must be generated by the administrator and can be done by following the
[Generating an RSA Self Signed Certificate](../miscellaneous/guides.md#generating-an-rsa-self-signed-certificate) [Generating an RSA Self Signed Certificate](../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate)
guide provided a self-signed certificate is fit for purpose. If a self-signed certificate is fit for purpose is beyond guide provided a self-signed certificate is fit for purpose. If a self-signed certificate is fit for purpose is beyond
the scope of the documentation and if it is not fit for purpose we instead recommend generating a certificate signing the scope of the documentation and if it is not fit for purpose we instead recommend generating a certificate signing
request or obtaining a certificate signed by one of the many ACME certificate providers. Methods to achieve this are request or obtaining a certificate signed by one of the many ACME certificate providers. Methods to achieve this are
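Review bot: the link text reads "Self Signed" while the target heading and the other caller in this commit use "Self-Signed"; the slug anchor still matches, so this is cosmetic, but worth aligning while the line is being touched. The surrounding context "If a self-signed certificate is fit for purpose is beyond the scope" also reads awkwardly and would be clearer as "Whether a self-signed certificate is fit for purpose is beyond the scope".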

View File

@ -156,7 +156,7 @@ especially for containerized deployments.*
The password paired with the [username](#username) sent for authentication with the SMTP server. The password paired with the [username](#username) sent for authentication with the SMTP server.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
### sender ### sender

View File

@ -88,7 +88,7 @@ especially for containerized deployments.*
The secret key used to encrypt session data in Redis. The secret key used to encrypt session data in Redis.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters. characters.
### expiration ### expiration

View File

@ -154,7 +154,7 @@ especially for containerized deployments.*
The password for [redis authentication](https://redis.io/commands/auth). The password for [redis authentication](https://redis.io/commands/auth).
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
### database_index ### database_index
@ -213,7 +213,7 @@ authenticate to the Redis Sentinel with ACL-based authentication. Otherwise, thi
authentication. authentication.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
#### nodes #### nodes

View File

@ -44,7 +44,7 @@ value, and use that to encrypt the data with the AES-GCM 256bit algorithm.
The minimum length of this key is 20 characters. The minimum length of this key is 20 characters.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters. characters.
See [security measures](../../overview/security/measures.md#storage-security-measures) for more information. See [security measures](../../overview/security/measures.md#storage-security-measures) for more information.

View File

@ -174,7 +174,7 @@ especially for containerized deployments.*
The password paired with the [username](#username) used to connect to the database. The password paired with the [username](#username) used to connect to the database.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
### timeout ### timeout

View File

@ -178,7 +178,7 @@ especially for containerized deployments.*
The password paired with the [username](#username) used to connect to the database. The password paired with the [username](#username) used to connect to the database.
It's __strongly recommended__ this is a It's __strongly recommended__ this is a
[Random Alphanumeric String](../miscellaneous/guides.md#generating-a-random-alphanumeric-string) with 64 or more [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters and the user password is changed to this value. characters and the user password is changed to this value.
### timeout ### timeout

View File

@ -25,12 +25,12 @@ We strongly recommend the following guidelines for generating client secrets:
5. Secrets should only have alphanumeric characters as some implementations do not appropriately encode the secret 5. Secrets should only have alphanumeric characters as some implementations do not appropriately encode the secret
when using it to access the token endpoint. when using it to access the token endpoint.
Authelia provides an easy way to perform such actions via the [authelia crypto hash generate] command. Users can Authelia provides an easy way to perform such actions via the [Generating a Random Password Hash] guide. Users can
perform a command such as `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72` command to perform a command such as `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72` command to
both generate a client secret with 72 characters which is printed and is to be used with the relying party and hash it both generate a client secret with 72 characters which is printed and is to be used with the relying party and hash it
using PBKDF2 which can be stored in the Authelia configuration. using PBKDF2 which can be stored in the Authelia configuration.
[authelia crypto hash generate]: ../../reference/cli/authelia/authelia_crypto_hash_generate.md [Generating a Random Password Hash]: ../../reference/guides/generating-secure-values.md#generating-a-random-password-hash
### Plaintext ### Plaintext
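Review bot: the inline command `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72` passes no `--random.charset alphanumeric`, while guideline 5 two lines above requires alphanumeric-only secrets and the linked guide's own example passes that flag explicitly; either add the flag here or state that alphanumeric is the default so the command visibly satisfies the guideline it follows.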

View File

@ -54,5 +54,5 @@ connections. Please note that it has been decided that we won't support websites
risk due to misconfiguration (see [#590](https://github.com/authelia/authelia/issues/590)). risk due to misconfiguration (see [#590](https://github.com/authelia/authelia/issues/590)).
If a self-signed certificate is required, the If a self-signed certificate is required, the
[Generating an RSA Self-Signed Certificate](../../../configuration/miscellaneous/guides.md#generating-an-rsa-self-signed-certificate) [Generating an RSA Self-Signed Certificate](../../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate)
guide should be followed. guide should be followed.

View File

@ -0,0 +1,151 @@
---
title: "Generating Secure Values"
description: "A reference guide on generating secure values such as password hashes, password strings, and cryptography keys"
lead: "This section contains reference documentation for generating secure values such as password hashes, password strings, and cryptography keys."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "guides"
weight: 220
toc: true
---
## Generating a Random Password Hash
Often times it's required that a random password is generated. While you could randomly generate a string then hash it,
we provide a convenience layer for this purpose.
### authelia
The __Authelia__ docker container or CLI binary can be used to generate a random alphanumeric string and output the
the string and the hash at the same time.
Use the `authelia crypto hash generate --help` command or see the [authelia crypto hash generate] reference guide for
more information on all available options and algorithms.
##### Using Docker
```bash
docker run authelia/authelia:latest authelia crypto hash generate argon2 --random --random.length 64 --random.charset alphanumeric
```
##### Using the Binary
```bash
authelia crypto hash generate argon2 --random --random.length 64 --random.charset alphanumeric
```
## Generating a Random Alphanumeric String
Some sections of the configuration recommend generating a random string. There are many ways to accomplish this and the
following methods are merely suggestions.
### authelia
The __Authelia__ docker container or CLI binary can be used to generate a random alphanumeric string.
Use the `authelia crypto rand --help` command or see the [authelia crypto rand] reference guide for more information on
all available options.
##### Using Docker
```bash
docker run authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
```
##### Using the Binary
```bash
authelia crypto rand --length 64 --charset alphanumeric
```
### openssl
The `openssl` command on Linux can be used to generate a random alphanumeric string:
```bash
openssl rand -hex 64
```
### Linux
Basic Linux commands can be used to generate a random alphanumeric string:
```bash
LENGTH=64
tr -cd '[:alnum:]' < /dev/urandom | fold -w "${LENGTH}" | head -n 1 | tr -d '\n' ; echo
```
## Generating an RSA Keypair
Some sections of the configuration need an RSA keypair. There are many ways to achieve this, this section explains two
such ways.
### authelia
The __Authelia__ docker container or CLI binary can be used to generate a RSA 4096 bit keypair.
Use the `authelia crypto pair --help` command or see the [authelia crypto pair] reference guide for more
information on all available options.
##### Using Docker
```bash
docker run -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia:latest authelia crypto pair rsa generate --bits 4096 --directory /keys
```
##### Using the Binary
```bash
authelia crypto pair rsa generate --directory /path/to/keys
```
### openssl
The `openssl` command on Linux can be used to generate a RSA 4096 bit keypair:
```bash
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
```
## Generating an RSA Self-Signed Certificate
Some sections of the configuration need a certificate and it may be possible to use a self-signed certificate. There are
many ways to achieve this, this section explains two such ways.
### authelia
The __Authelia__ docker container or binary can be used to generate a RSA 4096 bit self-signed certificate for the
domain `example.com`.
Use the `authelia crypto certificate --help` command or see the [authelia crypto certificate] reference guide for more
information on all available options.
##### Using Docker
```bash
docker run -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia authelia crypto certificate rsa generate --common-name example.com --directory /keys
```
##### Using the Binary
```bash
authelia crypto certificate rsa generate --common-name example.com --directory /path/to/keys
```
### openssl
The `openssl` command on Linux can be used to generate a RSA 4096 bit self-signed certificate for the domain
`example.com`:
```bash
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=example.com'
```
[authelia crypto hash generate]: ../cli/authelia/authelia_crypto_hash_generate.md
[authelia crypto rand]: ../cli/authelia/authelia_crypto_rand.md
[authelia crypto pair]: ../cli/authelia/authelia_crypto_pair.md
[authelia crypto certificate]: ../cli/authelia/authelia_crypto_certificate.md
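Review bot: `openssl rand -hex 64` under "Generating a Random Alphanumeric String" prints 128 hexadecimal characters (64 bytes, two hex digits each), so it matches neither the 64-character output of the sibling `authelia crypto rand --length 64` and `fold -w 64` examples nor the full alphanumeric charset they produce; `openssl rand -hex 32` yields a 64-character string with 256 bits of entropy, or the text should say the output is hex and twice the byte count. Smaller points in the same file: "output the the string" in the hash-generate section duplicates "the"; the keypair section promises a 4096-bit key but only the Docker command passes `--bits 4096`, so either pass it in the binary example too or state the default; the certificate Docker example omits the `:latest` tag the other Docker examples use; the `tr -cd '[:alnum:]'` pipeline should be prefixed with `LC_ALL=C` so the class means ASCII letters and digits regardless of the caller's locale; and `##### Using Docker` (h5) sits directly under `### authelia` (h3), skipping a heading level.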