* (Some) LDAP knowledge ([https://access.redhat.com/documentation/en-us/red_hat_directory_server/12 link] to general documentation)
* The fido2-tools package (<code># dnf install fido2-tools</code>)

=== Prepared FreeIPA demo server ===

The FreeIPA project provides a demo instance for testing without installing a FreeIPA server. For the Fedora 39 Passkey authentication test day, a separate system was set up because Fedora 39 is not released yet. Connect to the [https://ipa.demo-passkey.freeipa.org/ ipa.demo-passkey.freeipa.org server] to access the demo system, following the instructions on the [https://www.freeipa.org/page/Demo FreeIPA demo page].

Since passkey authentication is performed locally (the FIDO2 token is driven by the host the user logs in to, not by the IPA server), tests against the FreeIPA demo instance should ideally run in a virtual machine that is enrolled against that FreeIPA server. Use <code>demo-passkey.freeipa.org</code> as the IPA domain to enroll into.

== How to test? ==
== Test Results ==

Test results will be exported here once the test day is over. See the [[#How_to_test?|How to test?]] section for information on how to submit results and see the live results.

=== Reg Key ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_sssctl reg key with sssctl]
! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_IPA_command reg key with IPA]
! References
|-
| [[User:ebelko|ebelko]]
|
| {{result|pass}}
| {{result|pass}}
| <references/>
|-
| [[User:mpolovka|mpolovka]]
|
|
| {{result|pass}}<ref>Successfully added user with passkey mapping</ref>
| <references/>
|-
| [[User:mpolovka|mpolovka]]
| https://accounts.fedoraproject.org/user/mpolovka/
| {{result|pass}}<ref>sssctl passkey-register --username=mpolovka --domain=ipa.test</ref>
|
| <references/>
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}
| {{result|pass}}<ref>Note: ipa user-add-passkey prompts for PIN/touch before checking for a Kerberos ticket.</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
|
| {{result|pass}}<ref>[root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2
Enter PIN:

Please touch the device.
passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==</ref>{{result|pass}}<ref>[root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test
Please touch the device.
passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
</ref>
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with an algorithm that is not supported by the token
|
| {{result|pass}}<ref>[root@client ~]# fido2-token -I /dev/hidraw2
algorithms: es256 (public-key), eddsa (public-key)

1. With rs256, since it is not supported.
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True
Enter PIN:
Please touch the device.
A problem occurred while generating the credentials.
Error registering key.
ipa: ERROR: Failed to generate passkey</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=eddsa
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=es256
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+q.......</ref>
| <references/>
|-
|}
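The mapping strings that <code>sssctl passkey-register</code> and <code>ipa user-add-passkey --register</code> print in the table above have the form <code>passkey:&lt;credential id&gt;,&lt;public key&gt;</code>, both halves base64. The second half is a DER SubjectPublicKeyInfo: the two full mappings shown above both start with <code>MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE</code>, which decodes to the SPKI header for id-ecPublicKey with the P-256 curve followed by an uncompressed point, i.e. an es256 key. The Python below is an added example written for this page, not SSSD or FreeIPA code. It checks a mapping before it is handed to <code>ipa user-add-passkey</code>; note that this only catches malformed input, since a well-formed mapping from a credential that was since wiped with <code>ykman fido reset</code> (the "incorrect mapping" case in the Check Auth table) still parses fine and is only rejected at assertion time. The es256 sample is the mapping sumenon registered on the client; the Ed25519 SPKI is a constructed placeholder, because the eddsa mappings on this page are truncated.

```python
import base64

# Sample mapping taken from this page (sssctl passkey-register on the client, user ipauser1).
PAGE_MAPPING = (
    "passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ=="
)
# Constructed Ed25519 SubjectPublicKeyInfo (not from the page; the eddsa mappings above are truncated):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING <32 key bytes> }
ED25519_SPKI_CONSTRUCTED = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# DER OID contents (tag and length stripped).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 (P-256, COSE es256)
OID_ED25519 = bytes.fromhex("2b6570")                # 1.3.101.112 (COSE eddsa)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_spki(der):
    """Parse a SubjectPublicKeyInfo and name the COSE type the way ipa user-add-passkey does."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, algid, pos = _tlv(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, bitstr, pos = _tlv(body, pos)
    if tag != 0x03 or pos != len(body) or not bitstr or bitstr[0] != 0:
        raise ValueError("missing or malformed subjectPublicKey BIT STRING")
    key = bitstr[1:]  # drop the unused-bits octet
    tag, oid, pos = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier has no OID")
    params = None
    if pos < len(algid):  # optional parameters (the curve OID for EC keys, absent for Ed25519)
        _, params, pos = _tlv(algid, pos)
        if pos != len(algid):
            raise ValueError("trailing data in AlgorithmIdentifier")
    if oid == OID_EC_PUBLIC_KEY and params == OID_PRIME256V1:
        if len(key) != 65 or key[0] != 0x04:
            raise ValueError("expected an uncompressed P-256 point")
        return {"cose_type": "es256", "x": key[1:33], "y": key[33:]}
    if oid == OID_ED25519 and params is None:
        if len(key) != 32:
            raise ValueError("expected a 32-byte Ed25519 public key")
        return {"cose_type": "eddsa", "key": key}
    raise ValueError("key algorithm not usable for a passkey mapping here")


def parse_passkey_mapping(mapping):
    """Split 'passkey:<credential id b64>,<SPKI b64>' and validate both halves."""
    if not mapping.startswith("passkey:"):
        raise ValueError("mapping must start with 'passkey:'")
    parts = mapping[len("passkey:"):].split(",")
    if len(parts) != 2:
        raise ValueError("mapping must be '<credential id>,<public key>'")
    cred_id = base64.b64decode(parts[0], validate=True)  # binascii.Error is a ValueError
    if not cred_id:
        raise ValueError("empty credential id")
    info = parse_spki(base64.b64decode(parts[1], validate=True))
    info["cred_id"] = cred_id
    return info


def is_valid_mapping(mapping):
    """True when the mapping is well-formed; a stale but well-formed mapping still passes."""
    try:
        parse_passkey_mapping(mapping)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_passkey_mapping(PAGE_MAPPING)
    print(info["cose_type"], len(info["cred_id"]), "byte credential id, x =", info["x"].hex())
```

The DER walker is deliberately minimal (no external crypto library) so it runs on a freshly enrolled client; anything other than a P-256 or Ed25519 SPKI is rejected, which matches the algorithms the token in the table above advertises (<code>fido2-token -I</code> lists es256 and eddsa, and the rs256 registration fails).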

=== Check Auth ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_IPA_AD_LDAP check auth]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_pin check auth deny user incorrect pin]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_mapping check auth deny user incorrect mapping]
! [http://fedoraproject.org/wiki/QA:Testcase_check_user_login_server_replica_client check user login to server/client/replica]
! References
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}<ref>su worked after putting SELinux into permissive mode. It failed initially due to an AVC denial:

time->Fri Sep 22 14:00:28 2023
type=AVC msg=audit(1695409228.862:565): avc: denied { execute } for pid=4260 comm="sssd_pam" name="passkey_child" dev="vda3" ino=172502 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0</ref>
| {{result|pass}}<ref>With SELinux in permissive mode, it fails to authenticate with an incorrect PIN as expected:
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>
First put SELinux into permissive mode.
Authentication failed as expected with incorrect passkey mapping data:
Used passkey mapping data from a previous registration before running a "ykman fido reset".
# ipa user-add-passkey testuser1 "passkey:..."
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>Only able to test on server and client. Remember to fix the mapping data before testing.
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:15:37 CDT 2023 on pts/0
-sh-5.2$ hostname
ipa.passkey.test</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as IPA user with incorrect PIN
|
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
Note: the above prompt is repeated 3 times, and then it falls back to
Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures
Disconnected from 192.168.122.129 port 22</ref>
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as IPA user with passkey set, over ssh
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected.
Last login: Thu Sep 21 18:19:03 2023
Could not chdir to home directory /home/ipauser1: Permission denied
-sh: /home/ipauser1/.profile: Permission denied
-sh-5.2$ klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1@FEDORA39.TEST         KCM:1866800004:43548</ref>
|
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as IPA user with passkey set, from the GNOME desktop
| {{result|pass}}
|
|
|
| <references/>
|-
|}

=== Basic ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_user_obtain_kerberos_ticket obtain kerberos ticket]
! [http://fedoraproject.org/wiki/QA:Testcase_handle_wrong_attempts handle three incorrect attempts]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_blocking system key blocking]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_remove_authentication_prompt system key removal]
! [http://fedoraproject.org/wiki/QA:Testcase_user_login_replica_server_stopped user login replica]
! [http://fedoraproject.org/wiki/QA:Testcase_FIDO2_user_removal user removal fido2]
! References
|-
| [[User:mpolovka|mpolovka]]
|
| {{result|pass}}<ref>Passed with the SSH command, Kerberos ticket issued</ref>{{result|fail}}<ref>kinit mpolovka@IPA.TEST
kinit: Pre-authentication failed: Invalid argument while getting initial credentials</ref>
| {{result|fail}}<ref>After three incorrect PIN entries, the user is asked to enter their password, which is, however, not set up.</ref>
|
| {{result|pass}}<ref>Enter PIN: <removed the device and entered the PIN>

Please touch the device.
A problem occurred while generating the credentials.
Error registering the key.
Command '/usr/libexec/sssd/passkey_child' failed with [1]
#</ref>
|
|
| <references/>
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}<ref>Kerberos ticket issued with su:
-sh-5.2$ klist
klist: Credentials cache 'KCM:169000003' not found
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:19:06 CDT 2023 on pts/0
-sh-5.2$ klist
Ticket cache: KCM:169000003:93127
Default principal: testuser1@PASSKEY.TEST

Valid starting       Expires              Service principal
09/22/2023 14:19:29  09/23/2023 14:17:17  krbtgt/PASSKEY.TEST@PASSKEY.TEST
</ref>
| {{result|fail}}<ref>I saw no prompt/message about removing/resetting the passkey device.
Removing and re-inserting it, however, did work to allow the user to authenticate with the correct PIN.</ref>
| {{result|fail}}<ref>No message was shown about resetting the passkey device. The PIN was blocked though, and I reset the device with "ykman fido reset". A proper unblock procedure should be listed in the test case to make this easier to perform.</ref>
| {{result|fail}}<ref>For my tests, I did not see the system exit either su or ssh when the key was removed. I am using a VM though, with the USB device shared.</ref>
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Unchecked the 'Passkey' option for ipauser1 and then logged in with ssh
|
|
|
|
|
| {{result|pass}}<ref>/var/log/sssd/passkey_child.log
(2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert.
(2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED.

[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
</ref>
| <references/>
|-
|}
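The <code>passkey_child.log</code> excerpt in sumenon's last row above reports the libfido2 result as <code>fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED</code>. 52 is CTAP2 status 0x34, which an authenticator returns after three consecutive wrong PINs within one power cycle and which clears when the key is removed and re-inserted; 0x32 FIDO_ERR_PIN_BLOCKED, by contrast, means the PIN retry counter is exhausted and only a reset (for example <code>ykman fido reset</code>) recovers the key. That is exactly the distinction the "handle three incorrect attempts" and "system key blocking" cases in this table probe, and the one spoore's notes describe from the user's side. The Python below is an added example written for this page, not SSSD code: it parses lines in SSSD's debug-log format and maps the PIN-related libfido2 codes to the recovery action an operator needs. The first two sample lines are the ones quoted on this page; the remaining lines are constructed in the same format.

```python
import re

# SSSD debug-log line shape, as in the passkey_child.log excerpt quoted on this page:
#   (2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
# passkey_child reports libfido2 failures as "<call> failed [<decimal code>]: <FIDO_ERR_NAME>."
FIDO_ERR_RE = re.compile(r"(?P<call>fido_\w+) failed \[(?P<code>\d+)\]: (?P<name>FIDO_ERR_\w+)")

# CTAP2 PIN status codes (libfido2 reuses the CTAP values) and the recovery each one needs.
PIN_ERRORS = {
    0x31: ("FIDO_ERR_PIN_INVALID", "retry", "wrong PIN, retries remain"),
    0x32: ("FIDO_ERR_PIN_BLOCKED", "reset_required",
           "retry counter exhausted; only a reset (e.g. ykman fido reset) recovers the key"),
    0x33: ("FIDO_ERR_PIN_AUTH_INVALID", "retry", "PIN/UV auth token rejected"),
    0x34: ("FIDO_ERR_PIN_AUTH_BLOCKED", "power_cycle",
           "too many consecutive wrong PINs; remove and re-insert the key, then retry"),
}
SEVERITY = {"ok": 0, "retry": 1, "power_cycle": 2, "reset_required": 3}

SAMPLE_LINES = [
    # The two lines from /var/log/sssd/passkey_child.log quoted in the table above.
    "(2023-09-21 18:39:39): [passkey_child[8087]] [authenticate] (0x0400): Getting assert.",
    "(2023-09-21 18:39:40): [passkey_child[8087]] [request_assert] (0x0040): fido_dev_get_assert failed [52]: FIDO_ERR_PIN_AUTH_BLOCKED.",
    # Constructed lines (not from the page) for the other PIN outcomes, in the same format.
    "(2023-09-21 18:41:02): [passkey_child[8123]] [request_assert] (0x0040): fido_dev_get_assert failed [49]: FIDO_ERR_PIN_INVALID.",
    "(2023-09-21 18:45:10): [passkey_child[8140]] [request_assert] (0x0040): fido_dev_get_assert failed [50]: FIDO_ERR_PIN_BLOCKED.",
    "garbage that is not an sssd log line",
]


def parse_line(line):
    """Split one SSSD debug line into its fields; None when the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["level"] = int(rec["level"], 16)
    err = FIDO_ERR_RE.search(rec["msg"])
    rec["fido_err"] = (err["call"], int(err["code"]), err["name"]) if err else None
    return rec


def findings(lines):
    """One record per libfido2 failure, with the recovery action for PIN-related codes."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fido_err"] is None:
            continue
        call, code, name = rec["fido_err"]
        expected_name, action, why = PIN_ERRORS.get(
            code, (name, "other", "non-PIN libfido2 error; check device and transport"))
        out.append({"ts": rec["ts"], "pid": rec["pid"], "func": rec["func"], "call": call,
                    "code": code, "name": name, "action": action, "why": why,
                    # flags a log whose symbolic name disagrees with its numeric code
                    "name_matches_code": expected_name == name})
    return out


def key_state(lines):
    """Most severe recovery action implied by the log: ok, retry, power_cycle or reset_required."""
    state = "ok"
    for f in findings(lines):
        if SEVERITY.get(f["action"], 0) > SEVERITY[state]:
            state = f["action"]
    return state


if __name__ == "__main__":
    for f in findings(SAMPLE_LINES):
        print(f"{f['ts']} pid={f['pid']} {f['name']} ({f['code']}): {f['why']}")
    print("key state:", key_state(SAMPLE_LINES))
```

Run it against a real <code>/var/log/sssd/passkey_child.log</code> (with <code>debug_level</code> high enough for the <code>request_assert</code> line to appear) to tell a user who merely needs to re-insert the token apart from one whose token must be reset and re-registered; the latter also needs a new mapping, as spoore notes in the "check user login" case above.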

== Tips ==