Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 17. Enabling passkey authentication in IdM environment

The Fast IDentity Online 2 (FIDO2) standard is based on public key cryptography and adds the option of a passwordless flow with PIN or biometrics. The passkey authentication in the IdM environment uses FIDO2 compatible devices supported by the libfido2 library.

The passkey authentication method provides an additional security layer to comply with regulatory standards by including passwordless and multi-factor authentication (MFA) that require a PIN or a fingerprint. It uses a combination of special hardware and software, such as passkey device and passkey enablement in an Identity Management (IdM) environment, to strengthen the security in the environment where data protection plays a key role.

If your system is connected to a network with the IdM environment, the passkey authentication method issues a Kerberos ticket automatically, which enables single sign-on (SSO) for an IdM user.

You can use passkey to authenticate through the graphical interface to your operating system. If your system allows you to authenticate with passkey and password, you can skip passkey authentication and authenticate with the password by pressing Space on your keyboard followed by the Enter key. If you use GNOME Desktop Manager (GDM), you can press Enter to bypass the passkey authentication.

Note that, currently, the passkey authentication in the IdM environment does not support FIDO2 attestation mechanism, which allows for the identification of the particular passkey device.

The following procedures provide instructions on managing and configuring passkey authentication in an IdM environment.

17.1. Prerequisites
Copiar o link

  • You have a passkey device.

  • Install the fido2-tools package: 

    # dnf install fido2-tools
    Copy to Clipboard Toggle word wrap

  • Set the PIN for the passkey device:

    1. Connect the passkey device to the USB port.

    2. List the connected passkey devices: 

      # fido2-token -L
      Copy to Clipboard Toggle word wrap

    3. Set the PIN for your passkey device by following the command prompts. 

      # fido2-token -C passkey_device
      Copy to Clipboard Toggle word wrap
  • You have installed the sssd-passkey package.

17.2. Registering a passkey device
Copiar o link

As a user you can configure authentication with a passkey device. A passkey device is compatible with any FIDO2 specification device, such as YubiKey 5 NFC. To configure this authentication method, follow the instructions below.

Prerequisites

  • The PIN for the passkey device is set.

  • Passkey authentication is enabled for an IdM user: 

    # ipa user-add user01 --first=user --last=01 --user-auth-type=passkey
    Copy to Clipboard Toggle word wrap

    Use the ipa user-mod with the same --user-auth-type=passkey parameter for an existing IdM user.

  • Access to the physical machine to which the user wants to authenticate.

Procedure

  1. Insert the passkey device in the USB port.

  2. Register the passkey for the IdM user: 

    # ipa user-add-passkey user01 --register
    Copy to Clipboard Toggle word wrap

    Follow the application prompts:

    1. Enter the PIN for the passkey device.

    2. Touch the device to verify your identity. If you are using a biometric device, ensure to use the same finger with which you registered the device.

      Tip

      It is good practice for users to configure multiple passkey devices as a backup that allows authentication from multiple locations or devices. To ensure the Kerberos ticket is issued during authentication, do not configure more than 12 passkey devices for a user.

Verification

  1. Log in to the system with the username you have configured to use passkey authentication. The system prompts you to insert the passkey device: 

    Insert your passkey device, then press ENTER.
    Copy to Clipboard Toggle word wrap

  2. Insert the passkey device into the USB port and enter your PIN when prompted: 

    Enter PIN:
Creating home directory for user01@example.com.
    Copy to Clipboard Toggle word wrap

  3. Confirm the Kerberos ticket is issued: 

    $ klist
Default principal: user01@IPA.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

Note, to skip passkey authentication, enter any character in the prompt or enter an empty PIN if user authentication is enabled. The system redirects you to password based authentication.

Note

If you enter the PIN for your passkey device incorrectly 3 times, disconnect the physical token and reconnect it to the USB port and perform a successful authentication. If you do not complete a power cycle, you will not be able to authenticate even if you enter the PIN correctly.

17.3. Authentication policies
Copiar o link

Use authentication policies to configure the available online and local authentication methods.

Authentication with online connection
Uses all online authentication methods that the service provides on the server side. For IdM, AD, or Kerberos services, the default authentication method is Kerberos.
Authentication without online connection
Uses authentication methods that are available for a user. You can tune the authentication method with the local_auth_policy option.

Use the local_auth_policy option in the /etc/sssd/sssd.conf file to configure the available online and offline authentication methods. By default, the authentication is performed only with the methods that the server side of the service supports. You can tune the policy with the following values:

  • The match value enables the matching of offline and online states. For example, the IdM server supports online passkey authentication and match enables offline and online authentications for the passkey method.
  • The only value offers only offline methods and ignores the online methods.
  • The enable and disable values explicitly define the methods for offline authentication. For example, enable:passkey enables only passkey for offline authentication.

The following configuration example allows local users to authenticate locally using smart card authentication: 

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
auth_provider = none
local_auth_policy = only
Copy to Clipboard Toggle word wrap

The local_auth_policy option applies to the passkey and smart card authentication methods.

17.4. Retrieving an IdM ticket-granting ticket as a passkey user
Copiar o link

To retrieve a Kerberos ticket-granting ticket (TGT) as a passkey user, request an anonymous Kerberos ticket and enable Flexible Authentication via Secure Tunneling (FAST) channel to provide a secure connection between the Kerberos client and Kerberos Distribution Center (KDC).

Prerequisites

  • You registered your passkey device and configured your authentication policies.

Procedure

  1. Initialize the credentials cache by running the following command: 

    [root@client ~]# kinit -n @IDM.EXAMPLE.COM -c FILE:armor.ccache
    Copy to Clipboard Toggle word wrap

    Note that this command creates the armor.ccache file that you need to point to whenever you request a new Kerberos ticket.

  2. Request a Kerberos ticket by running the command: 

    [root@client ~]# kinit -T FILE:armor.ccache <username>@IDM.EXAMPLE.COM
Enter your PIN:
    Copy to Clipboard Toggle word wrap
    Note

    If you enter the PIN for your passkey device incorrectly 3 times, disconnect the physical token and reconnect it to the USB port and perform a successful authentication. If you do not complete a power cycle, you will not be able to authenticate even if you enter the PIN correctly.

Verification

  • Display your Kerberos ticket information: 

    [root@client ~]# klist -C
Ticket cache: KCM:0:58420
Default principal: <username>@IDM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/09/22 07:48:23  05/10/22 07:03:07  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes
08/17/2022 20:22:45  08/18/2022 20:22:43  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 153
    Copy to Clipboard Toggle word wrap

    The pa_type = 153 indicates passkey authentication.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat