| Passkey authentication for centrally managed users | |
|---|---|
| Date | 2023-09-21 |
| Time | all day |
| Website | QA/Test Days |
| Matrix | #test-day:fedoraproject.org |
| IRC | #fedora-test-day (webirc) |
| Mailing list | test |
What to test?
This Test Day will focus on Passkey authentication for centrally managed users
Who's available
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:
- Development - ipedrosa (ipedrosa), ftrivino (ftrivino), abbra (abbra)
- Quality Assurance - Sumantro Mukherjee (sumantrom), Geoffrey Marr (coremodule), Kamil Paral (kparal), Adam Williamson (adamw)
You can chat with us on Matrix or IRC. See the infobox on top of the page to learn where to join.
Prerequisite for Test Day
- A virtual machine or a bare metal machine
- An installation of Fedora 39 (any Edition or Spin). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.
- A FreeIPA server using Fedora 39. If you don’t have one you can use the FreeIPA demo server. If that doesn’t suit you, you can also use sssd-ci-containers to set up a set of containers that can be used to test the feature. Follow the instructions in the README to set up the environment.
- USB-based FIDO2 token. We have tested Yubikeys, Token2, SoloKeys, and Google's Titan keys.
- (Some) LDAP knowledge (link to general documentation)
- The fido2-tools package, installed with:
# dnf install fido2-tools
How to test?
Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.
Reporting bugs
Perhaps you've found an already-reported bug. Please look at:
A less-preferred alternative is to file them into Red Hat Bugzilla, in most cases against the sssd-passkey component.
When filing the bug, it's very helpful to include:
- exact steps you've performed (and whether you can reproduce it again)
- screenshots or videos, if applicable
- system journal (log), which you can retrieve by
journalctl -b > journal.txt
- sssd logs; follow the instructions in the How to debug section
- all output in a terminal, if started from a terminal
- your system description
If you are unsure about exactly how to file the report or what other information to include, just ask us.
Please make sure to link to the bug when submitting your test result, thanks!
Test Results
Test results will be exported here once the test day is over. See the How to test? section for information on how to submit results and see the live results.
Tips
How to set a PIN
When using a passkey it’s highly recommended to set a PIN (by default it’s mandatory in IPA). To achieve this, the first step is to list the FIDO2 keys connected to the system:
# fido2-token -L
Then, the PIN can be set. In the following example the device is /dev/hidraw5.
# fido2-token -C /dev/hidraw5
Enabling passkey authentication for an IPA user
Enable passkey authentication for a new IPA user:
# ipa user-add user01 --first=user --last=01 --user-auth-type=passkey
Enable passkey authentication for existing IPA user:
# ipa user-mod user01 --first=user --last=01 --user-auth-type=passkey
How to register a passkey
LDAP
The first step to use a passkey is to register it. This is achieved by running sssctl passkey-register and providing the username and domain. Example:
# sssctl passkey-register --username=joe --domain=ldap.test
This will output the key mapping data, which includes the key handle and the public key. Example:
passkey:aEgemlnC6a/WOoEZ8qU1YMwsTW9+uwmMsJnrgOXwTID0qIBHirzHp6d+e1d3WBhcSf7t9Ji8fl3AdSPtlbdN5Q==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENwDQHwyZmnYaUEp0UNqqnw0tGOGnqOMBGdds6O3+JKbmmJGTn0vo7sKNNcDWDsFhJFU/RLWXmHXglxSo+yw9iQ==
This information needs to be included in the user’s attributes in the LDAP server. Example:
dn: uid=joe,dc=ldap,dc=test
mail: joe@ldap.test
...
passkey: passkey:aEgemlnC6a/WOoEZ8qU1YMwsTW9+uwmMsJnrgOXwTID0qIBHirzHp6d+e1d3WBhcSf7t9Ji8fl3AdSPtlbdN5Q==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENwDQHwyZmnYaUEp0UNqqnw0tGOGnqOMBGdds6O3+JKbmmJGTn0vo7sKNNcDWDsFhJFU/RLWXmHXglxSo+yw9iQ==
objectclass: passkeyUser
At this point everything is ready to login.
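As an added example (not part of this Test Day page or of SSSD's own code), the following Python parses the mapping line format printed above, checks before anything is written to LDAP that the public key is an uncompressed P-256 SubjectPublicKeyInfo (the curve the sample value above encodes; other curves are treated as an error), and produces the LDIF modify operation that adds the passkeyUser object class and the passkey attribute to the user entry. The sample mapping value is the one shown on this page.

```python
import base64
import binascii

# DER SubjectPublicKeyInfo header of an uncompressed P-256 (prime256v1) EC key:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING 0x04 || X || Y }
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
P256_SPKI_LEN = len(P256_SPKI_PREFIX) + 64  # 27-byte header + 32-byte X + 32-byte Y

# Mapping line as printed by "sssctl passkey-register" (value taken from this page).
SAMPLE_MAPPING = (
    "passkey:aEgemlnC6a/WOoEZ8qU1YMwsTW9+uwmMsJnrgOXwTID0qIBHirzHp6d+e1d3WBhcSf7t9Ji8fl3AdSPtlbdN5Q==,"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENwDQHwyZmnYaUEp0UNqqnw0tGOGnqOMBGdds6O3+JKbmmJGTn0vo7sKNNcDWDsFhJFU/RLWXmHXglxSo+yw9iQ=="
)


def parse_passkey_mapping(line):
    """Split 'passkey:<credential id b64>,<SPKI b64>' into decoded parts, validating both."""
    line = line.strip()
    if not line.startswith("passkey:"):
        raise ValueError("mapping must start with 'passkey:'")
    parts = line[len("passkey:"):].split(",")
    if len(parts) != 2:
        raise ValueError("mapping must be '<credential id>,<public key>' with exactly one comma")
    try:
        cred_id = base64.b64decode(parts[0], validate=True)
        spki = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"mapping field is not valid base64: {exc}") from None
    if not cred_id:
        raise ValueError("empty credential id")
    if len(spki) != P256_SPKI_LEN or not spki.startswith(P256_SPKI_PREFIX):
        raise ValueError("public key is not an uncompressed P-256 SubjectPublicKeyInfo")
    return {
        "credential_id": cred_id,
        "curve": "P-256",
        "public_key_x": spki[27:59],
        "public_key_y": spki[59:91],
    }


def passkey_ldif(dn, mapping_line):
    """Build the LDIF modify operation that adds a validated mapping to the user entry."""
    parse_passkey_mapping(mapping_line)  # refuse to emit LDIF for malformed mapping data
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "add: objectclass", "objectclass: passkeyUser", "-",
        "add: passkey", f"passkey: {mapping_line.strip()}", "-",
    ])
```

Feed the output of passkey_ldif to ldapmodify against the LDAP server; the validation step is what keeps a truncated or mis-pasted mapping line from ending up in the directory.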
IPA
IPA provides a single command to register the passkey and store it in the LDAP attribute by providing the username:
# ipa user-add-passkey joe --register
Follow the application prompts:
Enter PIN for the passkey device.
Touch the device to verify it is you.
At this point everything is ready to login.
How to login
You can use your favourite login mechanism; as an example, let's try with su:
$ su - joe@ipa.test
Insert your passkey device, then press ENTER.
Enter PIN:
Confirm the Kerberos ticket is issued:
$ klist
Default principal: user01@IPA.EXAMPLE.COM
How to debug
sssctl
If the sssctl command fails, and you’d like to debug it, you can append the following options to print all the information in the terminal: --debug-level=9 --logger=stderr
sssd
The easiest way to debug sssd is to enable the debug levels. This can be done by editing /etc/sssd/sssd.conf and setting “debug_level=9” below “[sssd]”. Example:
[sssd]
…
debug_level=9
Log files are available at /var/log/sssd.
HW enablement
Most of the FIDO2 keys are supported in Fedora out of the box, but some aren’t. The reason is that, by default and for security reasons, USB dongles can't be accessed by users.
In order to enable the key in your system, run lsusb and identify your device. Then, create a file in /etc/udev/rules.d with the following content:
ACTION!="add|change", GOTO="fido2_end"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX", TAG+="uaccess", GROUP="plugdev", MODE="0660"
LABEL="fido2_end"
Replace the XXXX with the vendor and product IDs provided by lsusb.
Reload udev rules:
# udevadm control --reload-rules
# udevadm trigger