The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:
* Development - [[User:ipedrosa|ipedrosa]] (ipedrosa), [[User:ftrivino|ftrivino]] (ftrivino), [[User:abbra|abbra]] (abbra), [[User:jstephen|jstephen]] (jstephen)
* Quality Assurance - [[User:Sumantrom|Sumantro Mukherjee]] (sumantrom), [[User:coremodule|Geoffrey Marr]] (coremodule), [[User:kparal|Kamil Paral]] (kparal), [[User:adamw|Adam Williamson]] (adamw)
* (Some) LDAP knowledge ([https://access.redhat.com/documentation/en-us/red_hat_directory_server/12 link] to general documentation)
* The fido2-tools package (<code># dnf install fido2-tools</code>)

=== Prepared FreeIPA demo server ===

The FreeIPA project provides a demo instance for testing without installing a FreeIPA server. For the Fedora 39 Passkey authentication test day a separate system was set up, because Fedora 39 is not released yet. Connect to the [https://ipa.demo-passkey.freeipa.org/ ipa.demo-passkey.freeipa.org server] to access the demo system, following the instructions on the [https://www.freeipa.org/page/Demo FreeIPA demo page].

Since passkey authentication is performed locally on the client, tests against the FreeIPA demo instance should ideally be run in a virtual machine that is enrolled against that FreeIPA server. Use <code>demo-passkey.freeipa.org</code> as the IPA domain to enroll into.

== How to test? ==

== Test Results ==

=== Reg Key ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_sssctl reg key with sssctl]
! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_IPA_command reg key with IPA]
! References
|-
| [[User:ebelko|ebelko]]
|
| {{result|pass}}
| {{result|pass}}
| <references/>
|-
| [[User:mpolovka|mpolovka]]
|
|
| {{result|pass}}<ref>Successfully added user with passkey mapping</ref>
| <references/>
|-
| [[User:mpolovka|mpolovka]]
| https://accounts.fedoraproject.org/user/mpolovka/
| {{result|pass}}<ref>sssctl passkey-register --username=mpolovka --domain=ipa.test</ref>
|
| <references/>
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}
| {{result|pass}}<ref>Note, ipa user-add-passkey prompts for pin/touch before checking for kerberos ticket.</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
|
| {{result|pass}}<ref>[root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2
Enter PIN:

Please touch the device.
passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==</ref>{{result|pass}}<ref>[root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test
Please touch the device.
passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
</ref>
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey which is not supported in the token
|
| {{result|pass}}<ref>[root@client ~]# fido2-token -I /dev/hidraw2
algorithms: es256 (public-key), eddsa (public-key)

1. With rs256 since it's not supported.
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True
Enter PIN:
Please touch the device.
A problem occurred while generating the credentials.
Error registering key.
ipa: ERROR: Failed to generate passkey</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=eddsa
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=es256
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+q.......</ref>
| <references/>
|}
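The mapping strings quoted in the references above have the shape <code>passkey:&lt;first field&gt;,&lt;second field&gt;</code>, both fields base64. The second field starts with <code>MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE</code>, which is the fixed DER SubjectPublicKeyInfo header of a P-256 key, so the COSE type chosen at registration (<code>--cose-type=es256</code> or <code>eddsa</code>) can be read back from the stored mapping. The Python below is an added example, not code from this page, from sssd or from FreeIPA: it splits a mapping, validates the base64 and the DER prefix, and reports the key type and field sizes. Function and constant names are this example's own; the es256 mapping is copied from sumenon's result above, the eddsa mapping is constructed with placeholder key bytes, and reading the first field as the credential id is this example's interpretation.

```python
"""Inspect sssd/FreeIPA passkey mapping strings (added example, not project code)."""
import base64
import binascii

# DER SubjectPublicKeyInfo prefixes, keyed by the name the --cose-type option
# uses, with the number of raw key bytes that must follow each prefix.
# (Assumption of this example: mappings only ever carry these two key types.)
SPKI_PREFIXES = {
    # SEQUENCE { SEQUENCE { ecPublicKey, prime256v1 }, BIT STRING 0x04 || X || Y }
    "es256": (bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004"), 64),
    # SEQUENCE { SEQUENCE { Ed25519 }, BIT STRING <32-byte key> }
    "eddsa": (bytes.fromhex("302a300506032b6570032100"), 32),
}


def parse_passkey_mapping(mapping: str) -> dict:
    """Decode 'passkey:<credential-id>,<spki>' and identify the key type.

    Raises ValueError on anything malformed so a bad mapping is rejected
    before it is handed to user-add-passkey or compared against a token.
    """
    if not mapping.startswith("passkey:"):
        raise ValueError("mapping must start with 'passkey:'")
    body = mapping[len("passkey:"):]
    if body.count(",") != 1:
        raise ValueError("mapping must contain exactly one ','")
    cred_b64, key_b64 = body.split(",")
    try:
        credential_id = base64.b64decode(cred_b64, validate=True)
        spki = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"invalid base64 in mapping: {exc}") from exc
    if not credential_id:
        raise ValueError("empty credential id")
    for cose_type, (prefix, raw_len) in SPKI_PREFIXES.items():
        # Prefix and total length must both match; a truncated or padded key
        # with the right prefix is still rejected.
        if spki.startswith(prefix) and len(spki) == len(prefix) + raw_len:
            return {
                "cose_type": cose_type,
                "credential_id_len": len(credential_id),
                "public_key": spki[len(prefix):],
            }
    raise ValueError("public key is not a P-256 or Ed25519 SubjectPublicKeyInfo")


# Mapping copied verbatim from sumenon's Reg Key result above (client host).
PAGE_MAPPING = (
    "passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ=="
)

# Constructed Ed25519 mapping for the --cose-type=eddsa case: credential id
# and key bytes are placeholder patterns, not real credential material.
CONSTRUCTED_EDDSA_MAPPING = (
    "passkey:"
    + base64.b64encode(b"\x01" * 16).decode()
    + ","
    + base64.b64encode(SPKI_PREFIXES["eddsa"][0] + bytes(range(32))).decode()
)

if __name__ == "__main__":
    for mapping in (PAGE_MAPPING, CONSTRUCTED_EDDSA_MAPPING):
        info = parse_passkey_mapping(mapping)
        print(info["cose_type"], "credential id bytes:", info["credential_id_len"],
              "raw public key bytes:", len(info["public_key"]))
```

Checking the prefix and the total length together matters: a mapping whose key field is merely "something that starts like a P-256 key" would otherwise be accepted and only fail, confusingly, at authentication time, the same symptom the incorrect-mapping test case below exercises.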

=== Check Auth ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_IPA_AD_LDAP check auth]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_pin check auth deny user incorrect pin]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_mapping check auth deny user incorrect mapping]
! [http://fedoraproject.org/wiki/QA:Testcase_check_user_login_server_replica_client check user login to server/client/replica]
! References
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}<ref>su worked after putting selinux into permissive mode. failed initially due to AVC denial:

time->Fri Sep 22 14:00:28 2023
type=AVC msg=audit(1695409228.862:565): avc: denied { execute } for pid=4260 comm="sssd_pam" name="passkey_child" dev="vda3" ino=172502 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0</ref>
| {{result|pass}}<ref>With selinux in permissive mode, it fails to authenticate with an incorrect pin as expected:
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>
First put selinux into permissive mode.
Authentication failed as expected with incorrect passkey mapping data:
Used passkey mapping data from a previous registration before running a "ykman fido reset".
# ipa user-add-passkey testuser1 "passkey:..."
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>only able to test on server and client. Remember to fix mapping data before testing.
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:15:37 CDT 2023 on pts/0
-sh-5.2$ hostname
ipa.passkey.test</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with incorrect PIN
|
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
Note: The above prompt is asked for 3 times and then it falls back to
Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures
Disconnected from 192.168.122.129 port 22</ref>
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with passkey set and doing ssh
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected.
Last login: Thu Sep 21 18:19:03 2023
Could not chdir to home directory /home/ipauser1: Permission denied
-sh: /home/ipauser1/.profile: Permission denied
-sh-5.2$ klist -l
Principal name Cache name
-------------- ----------
ipauser1@FEDORA39.TEST KCM:1866800004:43548</ref>
|
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with passkey set and from GNOME desktop
| {{result|pass}}
|
|
|
| <references/>
|}

=== Basic ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_user_obtain_kerberos_ticket obtain kerberos ticket]
! [http://fedoraproject.org/wiki/QA:Testcase_handle_wrong_attempts handle three incorrect attempts]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_blocking system key blocking]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_remove_authentication_prompt system key removal]
! [http://fedoraproject.org/wiki/QA:Testcase_user_login_replica_server_stopped user login replica]
! [http://fedoraproject.org/wiki/QA:Testcase_FIDO2_user_removal user removal fido2]
! References
|-
| [[User:mpolovka|mpolovka]]
|
| {{result|pass}}<ref>Passed with SSH command, kerberos ticket issued</ref>{{result|fail}}<ref>kinit mpolovka@IPA.TEST
kinit: Pre-authentication failed: Invalid argument while getting initial credentials</ref>
| {{result|fail}}<ref>After three incorrect PIN entries, the user is requested to input their password, which is, however, not set up.</ref>
|
| {{result|pass}}<ref>Enter PIN: <removed the device and input in the PIN>

Please touch the device.
A problem occurred while generating the credentials.
Error registering the key.
Command '/usr/libexec/sssd/passkey_child' failed with [1]
#</ref>
|
|
| <references/>
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}<ref>kerberos ticket issued with su:
k-sh-5.2$ klist
klist: Credentials cache 'KCM:169000003' not found
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:19:06 CDT 2023 on pts/0
-sh-5.2$ klist
Ticket cache: KCM:169000003:93127
Default principal: testuser1@PASSKEY.TEST

Valid starting Expires Service principal
09/22/2023 14:19:29 09/23/2023 14:17:17 krbtgt/PASSKEY.TEST@PASSKEY.TEST
</ref>
| {{result|fail}}<ref>I saw no prompt/message about removing/resetting passkey device.
Removing and re-inserting however did work to allow the user to authenticate with the correct pin.</ref>
| {{result|fail}}<ref>No message was shown about resetting passkey device. PIN was blocked though and I reset device with "ykman fido reset". A proper unblock procedure should be listed in the test case to make this easier to perform.</ref>
| {{result|fail}}<ref>for my tests, I did not see the system exit either su or ssh when the key was removed. I am using a VM though with the usb device shared.</ref>
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Unchecked 'Passkey' option for the ipauser1 and then login with ssh
|
|
|
|
|
| {{result|pass}}<ref>/var/log/sssd/passkey_child.log
(2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert.
(2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED.

[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
</ref>
| <references/>
|}

== Tips ==

Log files are available at <code>/var/log/sssd</code>.

=== HW enablement ===
Most FIDO2 keys are supported in Fedora out of the box, but some are not. The reason is that, by default and for security reasons, USB dongles cannot be accessed by unprivileged users.

To enable the key on your system, run <code>lsusb</code> and identify your device. Then create a file in <code>/etc/udev/rules.d</code> with the following content:

<pre>
ACTION!="add|change", GOTO="fido2_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX", TAG+="uaccess", GROUP="plugdev", MODE="0660"

LABEL="fido2_end"
</pre>

Replace the XXXX with the vendor and product IDs reported by <code>lsusb</code>.

Reload the udev rules:

<code># udevadm control --reload-rules</code>

<code># udevadm trigger</code>
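As an added example (not from this page, sssd or FreeIPA), the shell functions below carry out the steps above: they pull the vendor and product IDs out of an <code>lsusb</code> line, refuse anything that is not four hex digits (a mistyped ID yields a rule that silently never matches), lowercase the IDs because sysfs reports them in lowercase, and emit the rule exactly as written above. The sample <code>lsusb</code> line, the rule file name <code>70-fido2-passkey.rules</code> and all function names are this example's own assumptions; <code>install_fido2_rule</code> is defined but not run, since it writes under <code>/etc/udev/rules.d</code> and reloads udev.

```shell
#!/bin/sh
# Build the FIDO2 udev rule from an lsusb line (added example, not project code).

# Extract "VVVV:PPPP" from one lsusb line such as
#   Bus 001 Device 004: ID 1234:abcd Example FIDO2 Key
# Prints nothing if the line does not carry a USB ID.
usb_ids_from_lsusb_line() {
    printf '%s\n' "$1" | sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*/\1/p'
}

# Exactly four hex digits, nothing else.
is_hex4() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule from the "HW enablement" section with XXXX filled in.
fido2_udev_rule() {
    vendor=$1
    product=$2
    is_hex4 "$vendor" && is_hex4 "$product" || {
        echo "fido2_udev_rule: bad USB id '$vendor:$product' (need VVVV PPPP, hex)" >&2
        return 1
    }
    # sysfs exposes idVendor/idProduct in lowercase hex; match the same way.
    vendor=$(printf '%s' "$vendor" | tr 'A-F' 'a-f')
    product=$(printf '%s' "$product" | tr 'A-F' 'a-f')
    printf 'ACTION!="add|change", GOTO="fido2_end"\n'
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess", GROUP="plugdev", MODE="0660"\n' "$vendor" "$product"
    printf 'LABEL="fido2_end"\n'
}

# Write the rule (hypothetical file name) and reload udev as the page describes.
# Not invoked here: needs root and changes the running system.
install_fido2_rule() {
    ids=$(usb_ids_from_lsusb_line "$1")
    [ -n "$ids" ] || { echo "install_fido2_rule: no USB id in: $1" >&2; return 1; }
    fido2_udev_rule "${ids%%:*}" "${ids##*:}" > /etc/udev/rules.d/70-fido2-passkey.rules \
        && udevadm control --reload-rules \
        && udevadm trigger
}

# Demo on a constructed lsusb line (IDs are placeholders): print the rule only.
SAMPLE_LSUSB_LINE='Bus 001 Device 004: ID 1234:abcd Example FIDO2 Key'
sample_ids=$(usb_ids_from_lsusb_line "$SAMPLE_LSUSB_LINE")
fido2_udev_rule "${sample_ids%%:*}" "${sample_ids##*:}"
```

Run it as <code>sh rule.sh</code> to see the generated rule; once the output looks right for your device, <code>install_fido2_rule "$(lsusb | grep -i yourkey)"</code> as root performs the write and the two <code>udevadm</code> steps.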