From Fedora Project Wiki

Passkey authentication centrally managed users

Date 2023-09-21
Time all day

Website QA/Test Days
Matrix #test-day:fedoraproject.org
IRC #fedora-test-day (webirc)
Mailing list test


Can't make the date?
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?[edit]

This Test Day will focus on Passkey authentication for centrally managed users

Who's available[edit]

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

You can chat with us on Matrix or IRC. See the infobox on top of the page to learn where to join.

Prerequisite for Test Day[edit]

  • A virtual machine or a bare metal machine
  • An installation of Fedora 39 (any Edition or Spin). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.
  • A FreeIPA server using Fedora 39. If you don’t have one you can use the FreeIPA demo server. If that doesn’t suit you, you can also use sssd-ci-containers to set up a set of containers that can be used to test the feature. Follow the instructions in the README to set up the environment.
  • USB-based FIDO2 token. We have tested Yubikeys, Token2, SoloKeys, and Google's Titan keys.
  • (Some) LDAP knowledge (link to general documentation)
  • The fido2-tools package (# dnf install fido2-tools)

Prepared FreeIPA demo server[edit]

FreeIPA project provides a demo instance to test without installing FreeIPA server. For the purpose of the Fedora 39 Passkey authentication test day, a separate system was set up as Fedora 39 is not released yet. Please connect to the ipa.demo-passkey.freeipa.org server to access the demo system, following instructions from FreeIPA demo page.

Since passkey authentication is done locally, the tests against FreeIPA demo instance would ideally need to run in a virtual machine that is enrolled against the FreeIPA server. Use demo-passkey.freeipa.org as an IPA domain to enroll into.

How to test?[edit]

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.

Reporting bugs[edit]

Perhaps you've found an already-reported bug. Please look at:

A less-preferred alternative is to file them into Red Hat Bugzilla, in most cases against the sssd-passkey component. 
We really need bug reports!
Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!

When filing the bug, it's very helpful to include:

  • exact steps you've performed (and whether you can reproduce it again)
  • screenshots or videos, if applicable
  • system journal (log), which you can retrieve by journalctl -b > journal.txt
  • sssd logs, follow the instructions at #How to debug section
  • all output in a terminal, if started from a terminal
  • your system description

If you are unsure about exactly how to file the report or what other information to include, just ask us.

Please make sure to link to the bug when submitting your test result, thanks!

Test Results[edit]

Reg Key[edit]

User Profile reg key with sssctl reg key with IPA References
ebelko
Pass pass
Pass pass
mpolovka
Pass pass
[1]
  1. Successfully added user with passkey mapping
mpolovka https://accounts.fedoraproject.org/user/mpolovka/
Pass pass
[1]
  1. sssctl passkey-register --username=mpolovka --domain=ipa.test
spoore Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
Pass pass
Pass pass
[1]
  1. Note, ipa user-add-passkey prompts for pin/touch before checking for kerberos ticket.
sumenon
Pass pass
[1]
Pass pass
[2]
  1. [root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2 Enter PIN: Please touch the device. passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==
  2. [root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test Please touch the device. passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
sumenon Registering a passkey which is not supported in the token
Pass pass
[1]
  1. [root@client ~]# fido2-token -I /dev/hidraw2 algorithms: es256 (public-key), eddsa (public-key) 1. With rs256 since its not supported. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True Enter PIN: Please touch the device. A problem occurred while generating the credentials. Error registering key. ipa: ERROR: Failed to generate passkey
sumenon Registering a passkey with --cose-type=eddsa
Pass pass
[1]
  1. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True Enter PIN: Please touch the device.

    Added passkey mappings to user "ipauser1"


     User login: ipauser1
     Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......
    
sumenon Registering a passkey with --cose-type=es256
Pass pass
[1]
  1. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True Enter PIN: Please touch the device.

    Added passkey mappings to user "ipauser1"


     User login: ipauser1
     Passkey mapping: passkey:VgkcMOncXWAg0+q.......
    

Check Auth[edit]

User Profile check auth check auth deny user incorrect pin check auth deny user incorrect mapping check user login to server/client/replica References
spoore Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
Pass pass
[1]
Pass pass
[2]
Pass pass
[3]
Pass pass
[4]
  1. su worked after putting selinux into permissive mode. failed initially due to AVC denial: time->Fri Sep 22 14:00:28 2023 type=AVC msg=audit(1695409228.862:565): avc: denied { execute } for pid=4260 comm="sssd_pam" name="passkey_child" dev="vda3" ino=172502 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0
  2. With selinux in permissive mode, it fails to authenticate with an incorrect pin as expected: -sh-5.2$ su - testuser1 Insert your passkey device, then press ENTER. Enter PIN: su: Authentication failure
  3. First put selinux into permissive mode. Authentication failed as expected with incorrect passkey mapping data: Used passkey mapping data from a previous registration before running a "ykman fido reset".
    1. ipa user-add-passkey testuser1 "passkey:..."
    -sh-5.2$ su - testuser1 Insert your passkey device, then press ENTER. Enter PIN: su: Authentication failure
  4. only able to test on server and client. Remember to fix mapping data before testing. -sh-5.2$ su - testuser1 Insert your passkey device, then press ENTER. Enter PIN: Last login: Fri Sep 22 14:15:37 CDT 2023 on pts/0 -sh-5.2$ hostname ipa.passkey.test
sumenon Login as ipa user with incorrect PIN
Pass pass
[1]
  1. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER. (ipauser1@fedora39.test@client.fedora39.test) Enter PIN: Note: The above prompt is asked for 3 times and then it falls back to Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures Disconnected from 192.168.122.129 port 22
sumenon Login as ipa user with passkey set and doing ssh
Pass pass
[1]
  1. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER. (ipauser1@fedora39.test@client.fedora39.test) Enter PIN: No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected. Last login: Thu Sep 21 18:19:03 2023 Could not chdir to home directory /home/ipauser1: Permission denied -sh: /home/ipauser1/.profile: Permission denied -sh-5.2$ klist -l Principal name Cache name
    ----------

    ipauser1@FEDORA39.TEST KCM:1866800004:43548

sumenon Login as ipa user with passkey set and from GNOME desktop
Pass pass

Basic[edit]

User Profile obtain kerberos ticket handle three incorrect attempts system key blocking system key removal user login replica user removal fido2 References
mpolovka
Pass pass
[1]
Fail fail
[2]
Fail fail
[3]
Pass pass
[4]
  1. Passed with SSH command, kerberos ticket issued
  2. kinit mpolovka@IPA.TEST kinit: Pre-authentication failed: Invalid argument while getting initial credentials
  3. After three incorrect PIN entries, the user is requested to input their password, which is, however, not set up.
  4. Enter PIN: <removed the device and input in the PIN> Please touch the device. A problem occurred while generating the credentials. Error registering the key. Command '/usr/libexec/sssd/passkey_child' failed with [1]
spoore Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
Pass pass
[1]
Fail fail
[2]
Fail fail
[3]
Fail fail
[4]
  1. kerberos ticket issued with su: k-sh-5.2$ klist klist: Credentials cache 'KCM:169000003' not found -sh-5.2$ su - testuser1 Insert your passkey device, then press ENTER. Enter PIN: Last login: Fri Sep 22 14:19:06 CDT 2023 on pts/0 -sh-5.2$ klist Ticket cache: KCM:169000003:93127 Default principal: testuser1@PASSKEY.TEST Valid starting Expires Service principal 09/22/2023 14:19:29 09/23/2023 14:17:17 krbtgt/PASSKEY.TEST@PASSKEY.TEST
  2. I saw no prompt/message about removing/resetting passkey device. Removing and re-inserting however did work to allow the user to authenticate with the correct pin.
  3. No message was shown about resetting passkey device. PIN was blocked though and I reset device with "ykman fido reset". A proper unblock procedure should be listed in the test case to make this easier to perform.
  4. for my tests, I did not see the system exit either su or ssh when the key was removed. I am using a VM though with the usb device shared.
sumenon Unchecked 'Passkey' option for the ipauser1 and then login with ssh
Pass pass
[1]
  1. /var/log/sssd/passkey_child.log (2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert. (2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER.

Tips[edit]

How to set a PIN[edit]

When using a passkey it’s highly recommended to set a PIN (by default it’s mandatory in IPA). To achieve this, the first step is to list the FIDO2 keys connected to the system:

# fido2-token -L

Then, the PIN can be set. In the following example the device is /dev/hidraw5.

# fido2-token -C /dev/hidraw5

Enabling passkey authentication for an IPA user[edit]

Enable passkey authentication for a new IPA user:

# ipa user-add user01 --first=user --last=01 --user-auth-type=passkey

Enable passkey authentication for existing IPA user:

# ipa user-mod user01 --first=user --last=01 --user-auth-type=passkey

How to register a passkey[edit]

LDAP[edit]

The first step to use a passkey would be to register it. This is achieved by running the sssctl and providing the username and domain. Example:

# sssctl passkey-register --username=joe --domain=ldap.test

This will output the key mapping data, which includes the key handle and the public key. Example:

passkey:aEgemlnC6a/WOoEZ8qU1YMwsTW9+uwmMsJnrgOXwTID0qIBHirzHp6d+e1d3WBhcSf7t9Ji8fl3AdSPtlbdN5Q==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENwDQHwyZmnYaUEp0UNqqnw0tGOGnqOMBGdds6O3+JKbmmJGTn0vo7sKNNcDWDsFhJFU/RLWXmHXglxSo+yw9iQ==

This information needs to be included in the user’s attributes in the LDAP server. Example:

dn: uid=joe,dc=ldap,dc=test
mail: joe@ldap.test
...
passkey: passkey:aEgemlnC6a/WOoEZ8qU1YMwsTW9+uwmMsJnrgOXwTID0qIBHirzHp6d+e1d3WBhcSf7t9Ji8fl3AdSPtlbdN5Q==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENwDQHwyZmnYaUEp0UNqqnw0tGOGnqOMBGdds6O3+JKbmmJGTn0vo7sKNNcDWDsFhJFU/RLWXmHXglxSo+yw9iQ==
objectclass: passkeyUser

At this point everything is ready to login.

IPA[edit]

IPA provides a single command to register the passkey and store it in the LDAP attribute by providing the username:

# ipa user-add-passkey joe --register

Follow the application prompts:

Enter PIN for the passkey device. Touch the device to verify it is you.

At this point everything is ready to login.

How to login[edit]

You can use your favourite login mechanism, as an example let’s try with “su”:

$ su - joe@ipa.test
Insert your passkey device, then press ENTER.
Enter PIN:

Confirm the Kerberos ticket is issued: $ klist
Default principal: user01@IPA.EXAMPLE.COM

How to debug[edit]

sssctl[edit]

If the sssctl command fails, and you’d like to debug it, you can append the following options to print all the information in the terminal: --debug-level=9 --logger=stderr

sssd[edit]

The easiest way to debug sssd is to enable the debug levels. This can be done by tuning /etc/sssd/sssd.conf, and setting “debug_level=9” below “[sssd]”. Example:

[sssd]

debug_level=9

Log files are availabe at /var/log/sssd.

HW enablement[edit]

Most of the FIDO2 keys are supported in Fedora out of the box, but some aren’t. The reason is that, by default and for security reasons, USB dongles can't be accessed by users.

In order to enable the key in your system run lsusb and identify your device. Then, create a file in /etc/udev/rules.d with the following content:

ACTION!="add|change", GOTO="fido2_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX", TAG+="uaccess", GROUP="plugdev", MODE="0660"

LABEL="fido2_end"

Replace the XXXX with the information provided by lsusb.

Reload udev rules:

# udevadm control --reload-rules

# udevadm trigger