! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_sssctl reg key with sssctl]
! [http://fedoraproject.org/wiki/QA:Testcase_reg_key_IPA_command reg key with IPA]
! References
|-
| [[User:ebelko|ebelko]]
|
| {{result|pass}}
| {{result|pass}}
| <references/>
|-
| [[User:mpolovka|mpolovka]]
|
|
| {{result|pass}}<ref>Successfully added user with passkey mapping</ref>
| <references/>
|-
| [[User:mpolovka|mpolovka]]
| https://accounts.fedoraproject.org/user/mpolovka/
| {{result|pass}}<ref>sssctl passkey-register --username=mpolovka --domain=ipa.test</ref>
|
| <references/>
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}
| {{result|pass}}<ref>Note: ipa user-add-passkey prompts for PIN/touch before checking for Kerberos ticket.</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
|
| {{result|pass}}<ref>[root@client ~]# sssctl passkey-register --username=ipauser1 --domain fedora39.test --debug-libfido2
Enter PIN:

Please touch the device.
passkey:XGUdEagmOgqCrWWxHc7kpJDEC8d2BI3AlO+A3Kf6PYevtwZP/K630JrDAMeHBpLFnud/ZixV5exDz+0EJLzVNg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErga/rSEj9yGiFLx4CRnNnGJMUJgdMGrQOTjw5JZmSYVptq9hpIEoIACUXGPMRKTfy46158BB7bWH5GU7L+/ttQ==</ref>{{result|pass}}<ref>[root@server ~]# sssctl passkey-register --username=ipauser1 --domain=fedora39.test
Please touch the device.
passkey:vhvyRShtXlG/jnyF+Tr9Itexuvxvt6SbiIc5o+m11XfGP/eV0BVDXp1BDq80VFcuZXv55+jLnotyTvnU4TeSHg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNHXRkgZx7FtDWQxMmtB2gcj/ZAQA4OE2SRfeGZqHIkTCGE5/zSKhgx4gaSLwJaJSkFXIeqlxSuSW7gCwdAQ4g==
</ref>
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey which is not supported in the token
|
| {{result|pass}}<ref>[root@client ~]# fido2-token -I /dev/hidraw2
algorithms: es256 (public-key), eddsa (public-key)

1. With rs256, since it's not supported.
[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=rs256 --require-user-verification=True
Enter PIN:
Please touch the device.
A problem occurred while generating the credentials.
Error registering key.
ipa: ERROR: Failed to generate passkey</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=eddsa
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=eddsa --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+qkt528ioI119SluNX......</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Registering a passkey with --cose-type=es256
|
| {{result|pass}}<ref>[root@client ~]# ipa user-add-passkey ipauser1 --register --cose-type=es256 --require-user-verification=True
Enter PIN:
Please touch the device.
-----------------------------------------
Added passkey mappings to user "ipauser1"
-----------------------------------------
User login: ipauser1
Passkey mapping: passkey:VgkcMOncXWAg0+q.......</ref>
| <references/>

|-
|}

=== Check Auth ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_IPA_AD_LDAP check auth]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_pin check auth deny user incorrect pin]
! [http://fedoraproject.org/wiki/QA:Testcase_check_auth_deny_user_incorrect_mapping check auth deny user incorrect mapping]
! [http://fedoraproject.org/wiki/QA:Testcase_check_user_login_server_replica_client check user login to server/client/replica]
! References
|-
| [[User:spoore|spoore]]
| Fedora-Everything-netinst-x86_64-39-20230920.n.0.iso VM
| {{result|pass}}<ref>su worked after putting SELinux into permissive mode. Failed initially due to AVC denial:

time->Fri Sep 22 14:00:28 2023
type=AVC msg=audit(1695409228.862:565): avc: denied { execute } for pid=4260 comm="sssd_pam" name="passkey_child" dev="vda3" ino=172502 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0</ref>
| {{result|pass}}<ref>With SELinux in permissive mode, it fails to authenticate with an incorrect PIN as expected:
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>
First put SELinux into permissive mode.
Authentication failed as expected with incorrect passkey mapping data:
Used passkey mapping data from a previous registration before running a "ykman fido reset".
# ipa user-add-passkey testuser1 "passkey:..."
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
su: Authentication failure</ref>
| {{result|pass}}<ref>Only able to test on server and client. Remember to fix mapping data before testing.
-sh-5.2$ su - testuser1
Insert your passkey device, then press ENTER.
Enter PIN:
Last login: Fri Sep 22 14:15:37 CDT 2023 on pts/0
-sh-5.2$ hostname
ipa.passkey.test</ref>
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with incorrect PIN
|
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
Note: The above prompt is asked 3 times and then it falls back to
Received disconnect from 192.168.122.129 port 22:2: Too many authentication failures
Disconnected from 192.168.122.129 port 22</ref>
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with passkey set and doing ssh
| {{result|pass}}<ref>[sumenon@fedora ~]$ ssh -l ipauser1@fedora39.test client.fedora39.test
(ipauser1@fedora39.test@client.fedora39.test) Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
(ipauser1@fedora39.test@client.fedora39.test) Enter PIN:
No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected.
Last login: Thu Sep 21 18:19:03 2023
Could not chdir to home directory /home/ipauser1: Permission denied
-sh: /home/ipauser1/.profile: Permission denied
-sh-5.2$ klist -l
Principal name Cache name
-------------- ----------
ipauser1@FEDORA39.TEST KCM:1866800004:43548</ref>
|
|
|
| <references/>
|-
| [[User:sumenon|sumenon]]
| Login as ipa user with passkey set and from GNOME desktop
| {{result|pass}}
|
|
|
| <references/>

|-
|}

=== Basic ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_user_obtain_kerberos_ticket obtain kerberos ticket]
! [http://fedoraproject.org/wiki/QA:Testcase_handle_wrong_attempts handle three incorrect attempts]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_blocking system key blocking]
! [http://fedoraproject.org/wiki/QA:Testcase_system_key_remove_authentication_prompt system key removal]
! [http://fedoraproject.org/wiki/QA:Testcase_user_login_replica_server_stopped user login replica]
! [http://fedoraproject.org/wiki/QA:Testcase_FIDO2_user_removal user removal fido2]
! References
|-