Revision as of 09:54, 16 May 2023 by Ipedrosa

Passkey authentication for centrally managed users

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Enable passkey login (desktop and/or terminal) for centrally managed users (i.e. AD, LDAP). Moreover, for the FreeIPA use case, issue a Kerberos ticket to identify the user to other services.

Note: for the purpose of this feature, a passkey is a FIDO2-compatible device supported by the libfido2 library. If a hardware token implements other authentication mechanisms besides FIDO2, those aren't covered by this feature.


Owner


Current status

  • Targeted release: Fedora Linux 39
  • Last updated: 2023-05-16
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>


Detailed Description

The use of new tools to authenticate users, such as 2FA, U2F and FIDO2, is becoming increasingly popular, and Fedora currently provides no way to use FIDO2 in centralized environments. This diminishes the value Fedora provides in environments such as big organizations, where the use of these authentication mechanisms is becoming a common pattern.

SSSD and FreeIPA have already implemented a way to authenticate a user and issue a Kerberos ticket. This change will make sure that this feature is enabled in Fedora, and that it works.


Feedback

Benefit to Fedora

This change enables a new way of authenticating centrally managed users. Passkey authentication is in line with the modernization of technology and security practices, as it enables stronger identity and access controls, including multi-factor authentication (MFA). Moreover, it protects the user and the organization against phishing attacks by providing strong cryptography tied to an external authenticator.

On top of that, the FreeIPA extension that issues Kerberos tickets aligns with zero trust principles, where the network isn't considered trusted and the user has to identify themselves to access other services.


Scope

  • Proposal owners:
    1. Enable passkey feature in SSSD
    2. Enable passkey feature in FreeIPA

  • Other developers: N/A
  • Release engineering: N/A
  • Policies and guidelines: N/A
  • Trademark approval: N/A
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

No impact is expected.


How To Test

The following instructions assume that you are using SSSD and FreeIPA to manage users.

1. Install the sssd-passkey subpackage, and update the FreeIPA client and server.

2. Enable passkey authentication for the user; remember to replace USERNAME where applicable.

$ ipa user-mod USERNAME --user-auth-type=passkey

3. Connect the passkey to the system and register it.

$ ipa user-add-passkey USERNAME --register

4. Log in.

$ su - USERNAME@DOMAIN
Insert your passkey device, then press ENTER.
Enter PIN:
...

If you are able to log in, then everything worked correctly. If it didn't work and you'd like to debug it, or you'd like to use another LDAP-like server, or you'd like to know more, then check the blog post I wrote about how to test this feature.
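The script below is an added example and is not part of this proposal, nor of SSSD or FreeIPA. It turns the four test steps above into repeatable client-side checks: the sssd-passkey package is installed, the user's authentication types include passkey, a passkey is registered for the user, and a FIDO2 device is visible to libfido2. Two assumptions are labelled in the code: the field labels "User authentication types:" and "Passkey mapping:" are taken from the constructed sample output, so verify them against the ipa user-show output of your FreeIPA version, and fido2-token -L (from libfido2's fido2-tools) is used to list attached devices.

```shell
#!/bin/sh
# Added example, not part of the change proposal: client-side checks that
# mirror the "How To Test" steps above (SSSD client enrolled in FreeIPA).
# Assumptions: the field labels "User authentication types:" and
# "Passkey mapping:" in `ipa user-show` output come from the constructed
# sample below, so check them against your FreeIPA version;
# `fido2-token -L` (libfido2's fido2-tools) is used to list attached devices.

# Step 1: the sssd-passkey subpackage must be installed on the client.
sssd_passkey_installed() {
    rpm -q sssd-passkey >/dev/null 2>&1
}

# Step 2: the user's authentication types must include "passkey"
# (matches "passkey" as a whole list item, not e.g. "passkeys").
# $1 is the text of `ipa user-show USERNAME --all`.
passkey_auth_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*User authentication types:.*[ ,]passkey([ ,]|$)'
}

# Step 3a: a FIDO2 device must be attached and visible to libfido2.
fido2_device_attached() {
    fido2-token -L 2>/dev/null | grep -q .
}

# Step 3b: a passkey must be registered for the user.
# $1 is the text of `ipa user-show USERNAME --all`.
passkey_registered() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*Passkey mapping:[[:space:]]*passkey:'
}

# Constructed sample of `ipa user-show` output for a correctly set-up user
# (credential id and public key replaced by obvious placeholders).
SAMPLE_USER_SHOW_OK='  User login: alice
  First name: Alice
  Last name: Example
  User authentication types: passkey
  Passkey mapping: passkey:PLACEHOLDER-CREDENTIAL-ID:PLACEHOLDER-PUBLIC-KEY
  Account disabled: False'

# Constructed sample for a user still on password authentication only.
SAMPLE_USER_SHOW_NO='  User login: bob
  User authentication types: password
  Account disabled: False'

# Run every check for a real user: prints PASS/FAIL per step and returns
# 0 only when all of them pass. Needs an enrolled client and a valid
# Kerberos ticket for the ipa command.
check_passkey_setup() {
    user=$1
    rc=0
    if sssd_passkey_installed; then echo "PASS sssd-passkey is installed"
    else echo "FAIL sssd-passkey is not installed (step 1)"; rc=1; fi

    if out=$(ipa user-show "$user" --all 2>/dev/null); then
        if passkey_auth_enabled "$out"; then echo "PASS $user has the passkey auth type"
        else echo "FAIL $user lacks the passkey auth type (step 2)"; rc=1; fi
        if passkey_registered "$out"; then echo "PASS $user has a registered passkey"
        else echo "FAIL no passkey registered for $user (step 3)"; rc=1; fi
    else
        echo "FAIL ipa user-show $user failed (client enrolled? valid Kerberos ticket?)"
        rc=1
    fi

    if fido2_device_attached; then echo "PASS a FIDO2 device is attached"
    else echo "FAIL no FIDO2 device visible to libfido2 (step 3)"; rc=1; fi
    return $rc
}
```

Source the file and run check_passkey_setup USERNAME before attempting the su login; a FAIL line points at the step to revisit. The parsers are kept separate from the commands so they can be exercised against captured output without a live IPA server.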


User Experience

A centrally managed user will be able to log in using the passkey authentication mechanism, and if they are using FreeIPA they will get a Kerberos ticket alongside the authentication.

If you log in with a passkey through the graphical interface, you will notice that the prompt messages aren't completely visible. We recommend using the GDM text banner to improve the user experience.
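The following is an added example of the banner recommendation, not part of this proposal or of GDM: it writes the documented dconf keyfile for the org.gnome.login-screen banner keys under /etc/dconf/db/gdm.d/ and rebuilds the dconf database, so that the login screen itself tells the user what the partly hidden passkey prompt expects. The banner wording, the file name 01-passkey-banner, and the fallback creation of /etc/dconf/profile/gdm (with the contents GNOME's documentation shows) are this example's choices.

```shell
#!/bin/sh
# Added example, not from the change proposal: configure a GDM text banner
# describing the passkey prompt, via GNOME's dconf keyfile mechanism
# (/etc/dconf/db/gdm.d/ plus `dconf update`). The banner text, the
# file name 01-passkey-banner and the gdm profile fallback are choices
# made for this example.

# Escape a string for a GVariant single-quoted text value: ' -> \'
gvariant_escape() {
    printf '%s' "$1" | sed "s/'/\\\\'/g"
}

# Render the dconf keyfile that enables the login-screen banner.
gdm_banner_keyfile() {
    printf '[org/gnome/login-screen]\n'
    printf 'banner-message-enable=true\n'
    printf "banner-message-text='%s'\n" "$(gvariant_escape "$1")"
}

# The gdm dconf profile must list the gdm system database; create it only
# if it is missing (contents as in GNOME's login-screen banner documentation).
ensure_gdm_profile() {
    [ -e /etc/dconf/profile/gdm ] && return 0
    mkdir -p /etc/dconf/profile
    printf 'user-db:user\nsystem-db:gdm\nfile-db:/usr/share/gdm/greeter-dconf-defaults\n' \
        > /etc/dconf/profile/gdm
}

# Write the keyfile and rebuild the dconf database (run as root).
install_gdm_banner() {
    text=${1:-"Passkey users: insert your passkey, press ENTER, then type its PIN when asked."}
    ensure_gdm_profile
    mkdir -p /etc/dconf/db/gdm.d
    gdm_banner_keyfile "$text" > /etc/dconf/db/gdm.d/01-passkey-banner
    dconf update
}
```

Run install_gdm_banner as root, optionally with your own one-line text; the banner appears on the next GDM login screen, and gdm_banner_keyfile can be used on its own to preview the keyfile before writing it.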


Dependencies

N/A


Contingency Plan

  • Contingency mechanism: N/A
  • Contingency deadline: N/A
  • Blocks release? No


Documentation

  1. SSSD design page for local passkey authentication
  2. [TODO: include web page| SSSD design page for Kerberos authentication]
  3. [TODO: include web page| FreeIPA design page]

Release Notes

Passkey authentication for centrally managed users. For FreeIPA users a Kerberos ticket is also issued.