From Fedora Project Wiki
Latest revision as of 23:49, 7 November 2023

Passkey authentication for centrally managed users

Summary

For centrally managed users on Fedora systems enrolled into Active Directory, FreeIPA, or LDAP, enable the capability to log in to the desktop or a console terminal with a FIDO2-compatible device supported by the libfido2 library. For FreeIPA, additionally, once the user has been authenticated with the FIDO2-compatible device, allow a Kerberos ticket to be issued.

Note: for the purpose of this feature, a passkey is a FIDO2-compatible device supported by the libfido2 library. If a hardware token implements other authentication mechanisms besides FIDO2, those are not covered by this feature.


Owner


Current status

  • Accepted for Fedora 39.
  • devel-list thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/BMCTHWNPBT6CYWJMMV64FIMQMMSJEJ4K/
  • FESCo issue: #3021 (https://pagure.io/fesco/issue/3021)
  • Tracker bug: #2233246 (https://bugzilla.redhat.com/show_bug.cgi?id=2233246)
  • Release notes tracker: #1022 (https://pagure.io/fedora-docs/release-notes/issue/1022)

Detailed Description

Passwordless authentication methods for logging into Linux systems have become a hot topic in the past few years. Various organizations, including governments and regulated industries, have started to mandate more secure methods of authentication. FIDO2 tokens, along with smartcards, are for example the two passwordless authentication methods mandated by the US government in its Zero Trust architecture.

While the Fedora Project already provides a smartcard-based authentication method for all centrally managed user accounts (LDAP, Active Directory, FreeIPA), support for FIDO2 tokens is rudimentary: only the pam_u2f module is provided, and it currently only allows FIDO2 tokens to be associated with users locally, on the machine itself. No centralized storage of enrolled tokens is provided.

The SSSD and FreeIPA upstream projects have already implemented a way to authenticate a user with a passkey and issue a Kerberos ticket. This change will make sure that this feature is enabled in Fedora, and that it works.


Feedback

Benefit to Fedora

Integrating the passkey support from SSSD and FreeIPA into Fedora makes it possible to configure a fully passwordless login experience in Fedora. While a complete passwordless deployment will require a few more iterations, allowing admins to start with centrally managed user accounts backed by passkeys gives a wider base to iterate from.

Passkey authentication is in line with the modernization of technology and security practices, as it enables stronger identity and access controls, including multi-factor authentication (MFA). This method of authentication protects the user and the organization against phishing attacks by providing strong cryptography tied to an external hardware authenticator. In the future we expect to add support for the increasingly popular passkey implementations on mobile devices; this, however, is not a focus of the initial release.

The FreeIPA extension that issues Kerberos tickets based on passkey authentication solves usability issues in accessing network resources in a passwordless way. This extension also provides Kerberos authentication indicator support, making passkey authentication visible to Kerberos services. This can be used, for example, for passwordless sudo access with the pam_sss_gss module when the Kerberos ticket was obtained with a specific (passkey) authentication mechanism.

Scope

  • Proposal owners:
  1. Enable passkey feature in SSSD
  2. Enable passkey feature in FreeIPA
  3. Adjust SELinux policies to allow access to USB-enabled passkeys through libfido2
  • Other developers: N/A
  • Release engineering: N/A
  • Policies and guidelines: N/A
  • Trademark approval: N/A
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

No impact is expected. The sssd package provides a new subpackage (sssd-passkey) that contains the new functionality.

For FreeIPA environments the new subpackage will be automatically pulled in by the freeipa-client package as a dependency.

How To Test

The following instructions assume that you are using SSSD and FreeIPA to manage users.

  1. Install the sssd-passkey subpackage, and update the FreeIPA client and server.
  2. Enable passkey authentication for the user (replace USERNAME with the actual user name wherever it appears).
    $ ipa user-mod USERNAME --user-auth-type=passkey
  3. Connect the passkey to the system and register it.
    $ ipa user-add-passkey USERNAME --register
  4. Log in.
    $ su - USERNAME@DOMAIN
    Insert your passkey device, then press ENTER.
    Enter PIN:
    ...

If you are able to log in, then everything worked correctly. If it didn't work and you'd like to debug it, or you'd like to use another LDAP-like server, or you'd like to know more, then check the blog post I wrote about how to test this feature: https://ikerexxe.github.io/idm/2022/12/19/passkey-central-auth.html
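The checks below are an added example written for this page; they are not part of the change proposal, nor code from SSSD or FreeIPA. The script turns the four test steps above, and the passwordless sudo via pam_sss_gss mentioned under "Benefit to Fedora", into repeatable checks that a tester can run after `su - USERNAME@DOMAIN` succeeds. Everything it relies on beyond the page is an assumption: that `ipa user-show` prints a "User authentication types:" line, that `fido2-token -L` (shipped with libfido2) lists one device per /dev/hidraw line, that the FreeIPA authentication indicator for a passkey login is named "passkey", and that sssd.conf uses the pam_gssapi_services and pam_gssapi_indicators_map options described in sssd.conf(5). The parsing helpers read their input from stdin so they can be exercised on constructed samples without a FreeIPA server.

```shell
#!/bin/sh
# Added example for this change page; not code from the proposal, SSSD or FreeIPA.
# Assumptions (not stated on the page): `ipa user-show` prints a
# "User authentication types:" line, `fido2-token -L` lists one device per
# /dev/hidraw line, the FreeIPA auth indicator for passkey logins is named
# "passkey", and sssd.conf uses pam_gssapi_services / pam_gssapi_indicators_map.

# 0 if `ipa user-show USERNAME` output on stdin lists passkey as an auth type.
has_passkey_auth_type() {
    grep -i '^ *User authentication types:' | grep -q 'passkey'
}

# Print how many FIDO2 devices `fido2-token -L` (on stdin) reported.
count_fido_devices() {
    grep -c '^/dev/hidraw'
}

# 0 if `klist` output on stdin holds a ticket-granting ticket, i.e. the
# FreeIPA passkey login really produced Kerberos credentials.
has_tgt() {
    grep -q 'krbtgt/'
}

# 0 if the sssd.conf on stdin lets pam_sss_gss serve sudo AND requires the
# passkey indicator for it, so a ticket obtained with a password is not enough.
sssd_gss_sudo_configured() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -E '^ *pam_gssapi_services *=' |
        grep -Eq '[ ,=]sudo([ ,]|$)' &&
    printf '%s\n' "$conf" | grep -E '^ *pam_gssapi_indicators_map *=' |
        grep -Eq '[ ,=]sudo:passkey([ ,]|$)'
}

# 0 if the /etc/pam.d/sudo on stdin consults pam_sss_gss.so on an auth line.
pam_sudo_uses_sss_gss() {
    grep -Eq '^ *auth .*pam_sss_gss\.so'
}

# Run everything against the live system for one user: the first four checks
# mirror the test procedure, the last two cover the sudo indicator setup.
run_live_checks() {
    user=$1
    rpm -q sssd-passkey >/dev/null 2>&1 ||
        { echo "sssd-passkey is not installed"; return 1; }
    [ "$(fido2-token -L 2>/dev/null | count_fido_devices)" -gt 0 ] ||
        { echo "no FIDO2 device visible through libfido2"; return 1; }
    ipa user-show "$user" | has_passkey_auth_type ||
        { echo "$user does not have passkey among its authentication types"; return 1; }
    klist 2>/dev/null | has_tgt ||
        { echo "no Kerberos TGT in the current credential cache"; return 1; }
    if [ -r /etc/sssd/sssd.conf ]; then
        sssd_gss_sudo_configured </etc/sssd/sssd.conf ||
            echo "note: sssd.conf does not require the passkey indicator for sudo"
    else
        echo "note: /etc/sssd/sssd.conf is not readable; rerun as root to check it"
    fi
    pam_sudo_uses_sss_gss </etc/pam.d/sudo ||
        echo "note: /etc/pam.d/sudo does not consult pam_sss_gss.so"
    echo "passkey checks passed for $user"
}

# Only touch the live system when explicitly asked, so the file can also be
# sourced for its helpers:  PASSKEY_CHECK_USER=USERNAME sh passkey-check.sh
if [ -n "${PASSKEY_CHECK_USER:-}" ]; then
    run_live_checks "$PASSKEY_CHECK_USER"
fi
```

Run it in the session opened by step 4, as the passkey-authenticated user, so that `klist` inspects that user's credential cache; the sssd.conf check needs root and is reported as a note rather than a failure when the file is unreadable. The two sudo checks are deliberately non-fatal because the page presents indicator-gated sudo as an optional use of the feature, not as part of the test procedure.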

User Experience

A centrally managed user will be able to log in using the passkey authentication mechanism, and if they are using FreeIPA they will get a Kerberos ticket alongside the authentication.

If you use the graphical interface with a passkey for login, you will notice that the prompts are not completely visible. We are working with GNOME developers to improve the overall login experience with passwordless authentication methods. This work is expected to land in Fedora once ready.

Dependencies

N/A


Contingency Plan

  • Contingency mechanism: N/A
  • Contingency deadline: N/A
  • Blocks release? No


Documentation

  1. SSSD design page for local passkey authentication: https://sssd.io/design-pages/passkey_authentication.html
  2. SSSD design page for passkey Kerberos integration: https://sssd.io/design-pages/passkey_kerberos.html
  3. FreeIPA design page for passkey authentication: https://freeipa.readthedocs.io/en/latest/designs/passkeys.html

Release Notes

Passkey authentication for centrally managed users. For FreeIPA users a Kerberos ticket is also issued.