Red Hat Summit17.2. Registering a passkey device
As a user you can configure authentication with a passkey device. A passkey device is compatible with any FIDO2 specification device, such as YubiKey 5 NFC. To configure this authentication method, follow the instructions below.
Prerequisites
- The PIN for the passkey device is set.
Passkey authentication is enabled for an IdM user:
# ipa user-add user01 --first=user --last=01 --user-auth-type=passkeyUse the
ipa user-modwith the same--user-auth-type=passkeyparameter for an existing IdM user.- Access to the physical machine to which the user wants to authenticate.
Procedure
- Insert the passkey device in the USB port.
Register the passkey for the IdM user:
# ipa user-add-passkey user01 --registerFollow the application prompts:
- Enter the PIN for the passkey device.
Touch the device to verify your identity. If you are using a biometric device, ensure to use the same finger with which you registered the device.
ヒントIt is good practice for users to configure multiple passkey devices as a backup that allows authentication from multiple locations or devices. To ensure the Kerberos ticket is issued during authentication, do not configure more than 12 passkey devices for a user.
Verification
Log in to the system with the username you have configured to use passkey authentication. The system prompts you to insert the passkey device:
Insert your passkey device, then press ENTER.Insert the passkey device into the USB port and enter your PIN when prompted:
Enter PIN: Creating home directory for user01@example.com.Confirm the Kerberos ticket is issued:
$ klist Default principal: user01@IPA.EXAMPLE.COM
Note, to skip passkey authentication, enter any character in the prompt or enter an empty PIN if user authentication is enabled. The system redirects you to password based authentication.
If you enter the PIN for your passkey device incorrectly 3 times, disconnect the physical token and reconnect it to the USB port and perform a successful authentication. If you do not complete a power cycle, you will not be able to authenticate even if you enter the PIN correctly.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}