Passkey Auth

More information about the event can be found here: http://fedoraproject.org/wiki/Test_Day:2023-09-21_Passkey_authentication_centrally_managed_users

Results


Reg Key

Username | Profile | reg key with sssctl | reg key with IPA | Comments
ebelko
mpolovka [1] 1. Successfully added user with passkey mapping
mpolovka https://accounts.fedoraproject.org/user/mpolovka/ [1] 1. sssctl passkey-register --username=mpolovka --domain=ipa.test
sumenon [1] [2] 1. [root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2 Enter PIN: Please touch the device. passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==
2. [root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test Please touch the device. passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
sumenon Registering a passkey which is not supported in the token [1] 1. [root@client ~]# fido2-token -I /dev/hidraw2 algorithms: es256 (public-key), eddsa (public-key) 1. With rs256 since it's not supported. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True Enter PIN: Please touch the device. A problem occurred while generating the credentials. Error registering key. ipa: ERROR: Failed to generate passkey
sumenon Registering a passkey with --cose-type=eddsa [1] 1. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True Enter PIN: Please touch the device. ----------------------------------------- Added passkey mappings to user "ipauser1" ----------------------------------------- User login: ipauser1 Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......
sumenon Registering a passkey with --cose-type=es256 [1] 1. [root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True Enter PIN: Please touch the device. ----------------------------------------- Added passkey mappings to user "ipauser1" ----------------------------------------- User login: ipauser1 Passkey mapping: passkey:VgkcMOncXWAg0+q.......

Check Auth

Username | Profile | check auth | check auth deny user incorrect pin | check auth deny user incorrect mapping | check user login to server/client/replica | Comments
ebelko [1] [2] 1. Registration works. When trying to auth with ssh there is a prompt for PIN, but no prompt for touching the device and the PIN prompt gets repeated.
2. When trying to auth with ssh there is a prompt for PIN, but no prompt for touching the device and the PIN prompt gets repeated.
sumenon Login as ipa user with incorrect PIN [1] 1. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER. (ipauser1@fedora39.test@client.fedora39.test) Enter PIN: Note: The above prompt is asked for 3 times and then it falls back to Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures Disconnected from 192.168.122.129 port 22
sumenon Login as ipa user with passkey set and doing ssh [1] 1. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER. (ipauser1@fedora39.test@client.fedora39.test) Enter PIN: No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected. Last login: Thu Sep 21 18:19:03 2023 Could not chdir to home directory /home/ipauser1: Permission denied -sh: /home/ipauser1/.profile: Permission denied -sh-5.2$ klist -l Principal name Cache name -------------- ---------- ipauser1@FEDORA39.TEST KCM:1866800004:43548
sumenon Login as ipa user with passkey set and from GNOME desktop

Basic

Username | Profile | obtain kerberos ticket | handle three incorrect attempts | system key blocking | system key removal | user login replica | user removal fido2 | Comments
mpolovka [1] [2] [3] [4] 1. Passed with SSH command, kerberos ticket issued
2. kinit mpolovka@IPA.TEST kinit: Pre-authentication failed: Invalid argument while getting initial credentials
3. After three incorrect PIN entries, the user is requested to input their password, which is, however, not set up.
4. Enter PIN: <removed the device and input in the PIN> Please touch the device. A problem occurred while generating the credentials. Error registering the key. Command '/usr/libexec/sssd/passkey_child' failed with [1] #
sumenon Unchecked 'Passkey' option for the ipauser1 and then login with ssh [1] 1. /var/log/sssd/passkey_child.log (2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert. (2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED. [sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test (ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected. Insert your passkey device, then press ENTER.