Red Hat SummitChapter 18. Enabling passkey authentication in IdM environment
The Fast IDentity Online 2 (FIDO2) standard is based on public key cryptography and adds the option of a passwordless flow with PIN or biometrics. The passkey authentication in the IdM environment uses FIDO2 compatible devices supported by the libfido2 library.
The passkey authentication method provides an additional security layer to comply with regulatory standards by including passwordless and multi-factor authentication (MFA) that require a PIN or a fingerprint. It uses a combination of special hardware and software, such as passkey device and passkey enablement in an Identity Management (IdM) environment, to strengthen the security in the environment where data protection plays a key role.
If your system is connected to a network with the IdM environment, the passkey authentication method issues a Kerberos ticket automatically, which enables single sign-on (SSO) for an IdM user.
You can use passkey to authenticate through the graphical interface to your operating system. If your system allows you to authenticate with passkey and password, you can skip passkey authentication and authenticate with the password by pressing Space on your keyboard followed by the Enter key. If you use GNOME Desktop Manager (GDM), you can press Enter to bypass the passkey authentication.
Note that, currently, the passkey authentication in the IdM environment does not support FIDO2 attestation mechanism, which allows for the identification of the particular passkey device.
The following procedures provide instructions on managing and configuring passkey authentication in an IdM environment.
18.1. Prerequisites
- You have a passkey device.
Install the
fido2-toolspackage:Copy to Clipboard Copied! Toggle word wrap Toggle overflow dnf install fido2-tools
# dnf install fido2-toolsSet the PIN for the passkey device:
- Connect the passkey device to the USB port.
List the connected passkey devices:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fido2-token -L
# fido2-token -LSet the PIN for your passkey device by following the command prompts.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fido2-token -C passkey_device
# fido2-token -C passkey_device
-
You have installed the
sssd-passkeypackage.
18.2. Registering a passkey device
As a user you can configure authentication with a passkey device. A passkey device is compatible with any FIDO2 specification device, such as YubiKey 5 NFC. To configure this authentication method, follow the instructions below.
Prerequisites
- The PIN for the passkey device is set.
Passkey authentication is enabled for an IdM user:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa user-add user01 --first=user --last=01 --user-auth-type=passkey
# ipa user-add user01 --first=user --last=01 --user-auth-type=passkeyUse the
ipa user-modwith the same--user-auth-type=passkeyparameter for an existing IdM user.- Access to the physical machine to which the user wants to authenticate.
Procedure
- Insert the passkey device in the USB port.
Register the passkey for the IdM user:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa user-add-passkey user01 --register
# ipa user-add-passkey user01 --registerFollow the application prompts:
- Enter the PIN for the passkey device.
- Touch the device to verify your identity. If you are using a biometric device, ensure to use the same finger with which you registered the device.
It is good practice for users to configure multiple passkey devices as a backup that allows authentication from multiple locations or devices. To ensure the Kerberos ticket is issued during authentication, do not configure more than 12 passkey devices for a user.
Verification
Log in to the system with the username you have configured to use passkey authentication. The system prompts you to insert the passkey device:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Insert your passkey device, then press ENTER.
Insert your passkey device, then press ENTER.Insert the passkey device into the USB port and enter your PIN when prompted:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Enter PIN: Creating home directory for user01@example.com.
Enter PIN: Creating home directory for user01@example.com.Confirm the Kerberos ticket is issued:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow klist
$ klist Default principal: user01@IPA.EXAMPLE.COM
Note, to skip passkey authentication, enter any character in the prompt or enter an empty PIN if user authentication is enabled. The system redirects you to password based authentication.
If you enter the PIN for your passkey device incorrectly 3 times, disconnect the physical token and reconnect it to the USB port and perform a successful authentication. If you do not complete a power cycle, you will not be able to authenticate even if you enter the PIN correctly.
18.3. Authentication policies
Use authentication policies to configure the available online and local authentication methods.
- Authentication with online connection
- Uses all online authentication methods that the service provides on the server side. For IdM, AD, or Kerberos services, the default authentication method is Kerberos.
- Authentication without online connection
-
Uses authentication methods that are available for a user. You can tune the authentication method with the
local_auth_policyoption.
Use the local_auth_policy option in the /etc/sssd/sssd.conf file to configure the available online and offline authentication methods. By default, the authentication is performed only with the methods that the server side of the service supports. You can tune the policy with the following values:
-
The
matchvalue enables the matching of offline and online states. For example, the IdM server supports online passkey authentication andmatchenables offline and online authentications for the passkey method. -
The
onlyvalue offers only offline methods and ignores the online methods. -
The
enableanddisablevalues explicitly define the methods for offline authentication. For example,enable:passkeyenables only passkey for offline authentication.
The following configuration example allows local users to authenticate locally using smart card authentication:
[domain/shadowutils] id_provider = proxy proxy_lib_name = files auth_provider = none local_auth_policy = only
[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
auth_provider = none
local_auth_policy = only
The local_auth_policy option applies to the passkey and smart card authentication methods.
18.4. Retrieving an IdM ticket-granting ticket as a passkey user
To retrieve a Kerberos ticket-granting ticket (TGT) as a passkey user, request an anonymous Kerberos ticket and enable Flexible Authentication via Secure Tunneling (FAST) channel to provide a secure connection between the Kerberos client and Kerberos Distribution Center (KDC).
Prerequisites
- Your IdM client and IdM servers use RHEL 9.1 or later.
- Your IdM client and IdM servers use SSSD 2.7.0 or later.
- You registered your passkey device and configured your authentication policies.
Procedure
Initialize the credentials cache by running the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow kinit -n @IDM.EXAMPLE.COM -c FILE:armor.ccache
[root@client ~]# kinit -n @IDM.EXAMPLE.COM -c FILE:armor.ccacheNote that this command creates the armor.ccache file that you need to point to whenever you request a new Kerberos ticket.
Request a Kerberos ticket by running the command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow kinit -T FILE:armor.ccache <username>@IDM.EXAMPLE.COM
[root@client ~]# kinit -T FILE:armor.ccache <username>@IDM.EXAMPLE.COM Enter your PIN:NoteIf you enter the PIN for your passkey device incorrectly 3 times, disconnect the physical token and reconnect it to the USB port and perform a successful authentication. If you do not complete a power cycle, you will not be able to authenticate even if you enter the PIN correctly.
Verification
Display your Kerberos ticket information:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow klist -C
[root@client ~]# klist -C Ticket cache: KCM:0:58420 Default principal: <username>@IDM.EXAMPLE.COM Valid starting Expires Service principal 05/09/22 07:48:23 05/10/22 07:03:07 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes 08/17/2022 20:22:45 08/18/2022 20:22:43 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 153The
pa_type = 153indicates passkey authentication.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}