Username | Profile | reg key with sssctl | reg key with IPA | Comments |
---|---|---|---|---|
ebelko | | | | |
mpolovka | [1] | | | |
mpolovka | https://accounts.fedoraproject.org/user/mpolovka/ | [1] | | |
spoore | Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM | [1] | | |
sumenon | [1] [2] | | | |
sumenon | Registering a passkey which is not supported in the token | [1] | | |
sumenon | Registering a passkey with --cose-type=eddsa | [1] | | |
sumenon | Registering a passkey with --cose-type=es256 | [1] | | |

mpolovka (first row):

1. Successfully added user with passkey mapping

mpolovka (second row):

1.
```
sssctl passkey-register --username=mpolovka --domain=ipa.test
```

spoore:

1. Note, ipa user-add-passkey prompts for pin/touch before checking for kerberos ticket.

sumenon (first row):

1.
```
[root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2
Enter PIN:
Please touch the device.
passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==
```
2.
```
[root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test
Please touch the device.
passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
```

sumenon (Registering a passkey which is not supported in the token):

1.
```
[root@client ~]# fido2-token -I /dev/hidraw2
algorithms: es256 (public-key), eddsa (public-key)
```
2. With rs256, since it's not supported.
```
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True
Enter PIN:
Please touch the device.
A problem occurred while generating the credentials.
Error registering key.
ipa: ERROR: Failed to generate passkey
```

sumenon (Registering a passkey with --cose-type=eddsa):

1.
```
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......
```

sumenon (Registering a passkey with --cose-type=es256):

1.
```
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+q.......
```
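The `passkey:<credential id>,<public key>` string printed by `sssctl passkey-register` above is exactly what `ipa user-add-passkey` stores, and a mangled copy of it is what the "incorrect mapping" tests below exercise. As an added example (not SSSD or FreeIPA code), the following Python checks both base64 fields and recognises the es256 SubjectPublicKeyInfo, using the first mapping value from the results above; it assumes the layout shown on this page and that eddsa keys are encoded as SPKI in the same way.

```python
"""Sanity-check a passkey mapping string before handing it to
ipa user-add-passkey.  Added example, not SSSD/FreeIPA code."""
import base64
import binascii

# DER prefix of a SubjectPublicKeyInfo for id-ecPublicKey / prime256v1 with an
# uncompressed (0x04) point; the 64 coordinate bytes follow, 91 bytes in all.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004")
# Assumed SPKI prefix for an Ed25519 key (44 bytes in all); not shown on the page.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# First mapping value from the sssctl output on this page (es256 credential).
SAMPLE_MAPPING = (
    "passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLF"
    "nud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGi"
    "FLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==")


def parse_passkey_mapping(mapping: str) -> dict:
    """Return field lengths and the detected key type, or raise ValueError."""
    if not mapping.startswith("passkey:"):
        raise ValueError("mapping must start with 'passkey:'")
    fields = mapping[len("passkey:"):].split(",")
    if len(fields) != 2:
        raise ValueError("expected '<credential id>,<public key>' after the prefix")
    try:  # validate=True rejects stray characters such as the '......' of a truncated copy
        cred_id = base64.b64decode(fields[0], validate=True)
        pub_key = base64.b64decode(fields[1], validate=True)
    except binascii.Error as err:
        raise ValueError(f"field is not valid base64: {err}") from err
    if not cred_id or not pub_key:
        raise ValueError("credential id and public key must not be empty")
    key_type = "unknown"
    if len(pub_key) == 91 and pub_key.startswith(P256_SPKI_PREFIX):
        key_type = "es256"
    elif len(pub_key) == 44 and pub_key.startswith(ED25519_SPKI_PREFIX):
        key_type = "eddsa"
    return {"credential_id_len": len(cred_id),
            "public_key_len": len(pub_key),
            "key_type": key_type}


def is_valid_mapping(mapping: str) -> bool:
    """True when the mapping parses; a truncated value is rejected."""
    try:
        parse_passkey_mapping(mapping)
        return True
    except ValueError:
        return False
```

Run it against a mapping before `ipa user-add-passkey testuser1 "passkey:..."`; the truncated `passkey:VgkcMOncXWAg0+q.......` form shown in the ipa output above is rejected because it has no public-key field.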
Username | Profile | check auth | check auth deny user incorrect pin | check auth deny user incorrect mapping | check user login to server/client/replica | Comments |
---|---|---|---|---|---|---|
ebelko | [1] | [2] | | | | |
spoore | Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM | [1] | [2] | [3] | [4] | |
sumenon | Login as ipa user with incorrect PIN | [1] | | | | |
sumenon | Login as ipa user with passkey set and doing ssh | [1] | | | | |
sumenon | Login as ipa user with passkey set and from GNOME desktop | | | | | |

ebelko:

1. Registration works. When trying to auth with ssh there is a prompt for PIN, but no prompt for touching the device, and the PIN prompt gets repeated.
2. When trying to auth with ssh there is a prompt for PIN, but no prompt for touching the device, and the PIN prompt gets repeated.

spoore:

1. su worked after putting selinux into permissive mode. Failed initially due to AVC denial:
```
time->Fri Sep 22 14:00:28 2023
type=AVC msg=audit(1695409228.862:565): avc: denied { execute } for pid=4260 comm="sssd_pam" name="passkey_child" dev="vda3" ino=172502 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0
```
2. With selinux in permissive mode, it fails to authenticate with an incorrect pin as expected:
```
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure
```
3. First put selinux into permissive mode. Authentication failed as expected with incorrect passkey mapping data: used passkey mapping data from a previous registration before running a "ykman fido reset".
```
# ipa user-add-passkey testuser1 "passkey:..."
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure
```
4. Only able to test on server and client. Remember to fix mapping data before testing.
```
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:15:37 CDT 2023 on pts/0
-sh-5.2$ hostname
ipa.passkey.test
```

sumenon (Login as ipa user with incorrect PIN):

1.
```
[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
```
Note: the above prompt is asked for 3 times and then it falls back to
```
Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures
Disconnected from 192.168.122.129 port 22
```

sumenon (Login as ipa user with passkey set and doing ssh):

1.
```
[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected.
Last login: Thu Sep 21 18:19:03 2023
Could not chdir to home directory /home/ipauser1: Permission denied
-sh: /home/ipauser1/.profile: Permission denied
-sh-5.2$ klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1@FEDORA39.TEST         KCM:1866800004:43548
```
Username | Profile | obtain kerberos ticket | handle three incorrect attempts | system key blocking | system key removal | user login replica | user removal fido2 | Comments |
---|---|---|---|---|---|---|---|---|
mpolovka | [1] [2] | [3] | [4] | | | | | |
spoore | Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM | [1] | [2] | [3] | [4] | | | |
sumenon | Unchecked 'Passkey' option for the ipauser1 and then login with ssh | [1] | | | | | | |

mpolovka:

1. Passed with SSH command, kerberos ticket issued
2.
```
kinit mpolovka@IPA.TEST
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
```
3. After three incorrect PIN entries, the user is requested to input their password, which is, however, not set up.
4.
```
Enter PIN: <removed the device and input in the PIN>
Please touch the device.
A problem occurred while generating the credentials.
Error registering the key.
Command '/usr/libexec/sssd/passkey_child' failed with [1]
#
```

spoore:

1. kerberos ticket issued with su:
```
k-sh-5.2$ klist
klist: Credentials cache 'KCM:169000003' not found
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:19:06 CDT 2023 on pts/0
-sh-5.2$ klist
Ticket cache: KCM:169000003:93127
Default principal: testuser1@PASSKEY.TEST

Valid starting       Expires              Service principal
09/22/2023 14:19:29  09/23/2023 14:17:17  krbtgt/PASSKEY.TEST@PASSKEY.TEST
```
2. I saw no prompt/message about removing/resetting the passkey device. Removing and re-inserting, however, did work to allow the user to authenticate with the correct pin.
3. No message was shown about resetting the passkey device. PIN was blocked though, and I reset the device with "ykman fido reset". A proper unblock procedure should be listed in the test case to make this easier to perform.
4. For my tests, I did not see the system exit either su or ssh when the key was removed. I am using a VM though, with the usb device shared.

sumenon (Unchecked 'Passkey' option for the ipauser1 and then login with ssh):

1. /var/log/sssd/passkey_child.log
```
(2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert.
(2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED.
```
```
[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
```