This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
For centrally managed users on Fedora systems enrolled in Active
Directory, FreeIPA, or LDAP, enable the capability to log in to a
desktop or a console terminal with a FIDO2-compatible device supported
by the libfido2 library. For FreeIPA, additionally, once the user has been
authenticated with the FIDO2-compatible device, allow to issue a
Note: for the purpose of this feature, a passkey is a FIDO2-compatible
device supported by the libfido2 library. If a hardware token
implements other authentication mechanisms besides FIDO2, those are
not covered by this feature.
== Owner ==
* Name: [[User:ipedrosa| Iker Pedrosa]], [[User:Abbra| Alexander Bokovoy]]
* Email: <ipedrosa(a)redhat.com>, <abokovoy(a)redhat.com>
== Detailed Description ==
Passwordless methods of logging into Linux systems have become a hot
topic in the past few years. Various organizations, including
governments and regulated industries, have started to mandate more
secure authentication methods. FIDO2 tokens and smartcards, for
example, are the two passwordless authentication methods mandated by
the US government in its Zero Trust architecture.
While the Fedora Project already provides a smartcard-based
authentication method for all centrally managed user accounts (LDAP,
Active Directory, FreeIPA), support for FIDO2 tokens is rudimentary:
only the `pam_u2f` module is provided, and it currently only allows
FIDO2 tokens to be associated with users locally on the machine. No
centralized storage of enrolled tokens is provided.
The SSSD and FreeIPA upstream projects have already implemented a way
to authenticate a user with a passkey and issue a Kerberos ticket.
This change will make sure that this feature is enabled in Fedora and
that it works.
== Feedback ==
== Benefit to Fedora ==
Integrating the passkey support from SSSD and FreeIPA into Fedora
makes it possible to configure a fully passwordless login experience
in Fedora. While a complete passwordless deployment will require a few
more iterations, allowing admins to start with centralized user
accounts backed by passkeys will give a wider base to iterate from.
Passkey authentication is in line with the modernization of technology
and security practices, as it enables stronger identity and access
controls, including multi-factor authentication (MFA). This
authentication method protects the user and the organization against
phishing attacks by relying on strong cryptography tied to an external
hardware authenticator. In the future we expect to add support for the
increasingly popular passkey implementations on mobile devices; this,
however, is not a focus of the initial release.
The FreeIPA extension that issues Kerberos tickets based on passkey
authentication solves usability issues in accessing network resources
in a passwordless way. This extension also provides Kerberos
authentication indicator support, making passkey authentication
visible to Kerberos services. This can be used, for example, for
passwordless SUDO access with the `pam_sss_gss` module when a Kerberos
ticket was obtained with a specific (passkey) authentication
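As an added illustration, not part of the proposal text or of the SSSD/FreeIPA projects' own documentation, the following sssd.conf fragment shows the setting that makes the authentication indicator useful: `pam_sss_gss` is told to accept only Kerberos tickets that carry the indicator, so a ticket obtained with a password does not grant passwordless sudo. The domain name `example.test` is an assumed placeholder, and the indicator name `passkey` is assumed to be the one the FreeIPA KDC attaches to tickets issued after passkey authentication; confirm both against the FreeIPA design page before relying on them.

```ini
# /etc/sssd/sssd.conf (fragment, added example; "example.test" is an assumed placeholder)
[domain/example.test]
id_provider = ipa
ipa_domain = example.test

# Permissive setting (commented out): with only pam_gssapi_services set,
# any valid Kerberos ticket for the user satisfies pam_sss_gss for sudo,
# no matter how that ticket was obtained.
# pam_gssapi_services = sudo, sudo-i

# Restricted setting: pam_sss_gss additionally requires the ticket to carry
# the "passkey" authentication indicator (assumed indicator name), so only
# sessions that authenticated with the passkey get passwordless sudo.
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:passkey, sudo-i:passkey
```

For the map to take effect, `pam_sss_gss.so` has to be consulted by sudo's PAM stack, for example with `auth sufficient pam_sss_gss.so` placed before the `auth include system-auth` line in `/etc/pam.d/sudo`. Leaving `pam_gssapi_indicators_map` unset is the weaker configuration: it accepts any ticket the user holds, which would include one acquired with a password where password authentication is still permitted for that account.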
== Scope ==
* Proposal owners:
# Enable passkey feature in SSSD
# Enable passkey feature in FreeIPA
# Adjust SELinux policies to allow access to USB-enabled passkeys
* Other developers: N/A
* Release engineering: N/A
* Policies and guidelines: N/A
* Trademark approval: N/A
* Alignment with Community Initiatives: N/A
== Upgrade/compatibility impact ==
No impact is expected. sssd provides a new subpackage (`sssd-passkey`)
that includes the new functionality.
For FreeIPA environments the new subpackage will be automatically
pulled in by the `freeipa-client` package as a dependency.
== How To Test ==
The following instructions assume that you are using SSSD and FreeIPA
to manage users.
# Install the `sssd-passkey` subpackage and update the FreeIPA client.
# Enable passkey authentication for the user (replace USERNAME with the
actual username where applicable):
$ ipa user-mod USERNAME --user-auth-type=passkey
# Connect the passkey to the system and register it:
$ ipa user-add-passkey USERNAME --register
# Log in:
$ su - USERNAME@DOMAIN
Insert your passkey device, then press ENTER.
If you are able to log in, everything worked correctly. If it didn't
work and you'd like to debug it, if you'd like to use another
LDAP-like server, or if you'd like to know more, check the blog post I
wrote about how to test this feature.
== User Experience ==
A centrally managed user will be able to log in using the passkey
authentication mechanism, and if they are using FreeIPA they will get
a Kerberos ticket alongside the authentication.
If you use the graphical interface with a passkey to log in, you will
notice that the prompt messages aren't completely visible.
We are working with GNOME developers to improve overall login
experience with passwordless authentication methods. This work is
expected to land in Fedora once ready.
== Dependencies ==
== Contingency Plan ==
* Contingency mechanism: N/A
* Contingency deadline: N/A
* Blocks release? No
== Documentation ==
* design page for local passkey authentication
* SSSD design page for passkey Kerberos integration
* FreeIPA design page for passkey authentication
== Release Notes ==
Passkey authentication for centrally managed users. For FreeIPA users
a Kerberos ticket is also issued.
Community Platform Engineering Team
Red Hat EMEA