On Sun, 25 Aug 2024, Entrepreneur AJ via FreeIPA-users wrote:
Hi All,
I set up a new instance of FreeIPA yesterday on a Fedora 40 VPS; all seems to
be well.
I have reinstalled my laptop and enrolled it to the new install; all seems to
be well.
I have enrolled my YubiKey as a passkey. It didn't initially work: it turned
out passkey support doesn't work with SDDM, so no KDE. I tried with a basic
GNOME install, which didn't work either; I found I had to change LightDM to
GDM for it to work.
I generated a new resident SSH key on my YubiKey and added it to FreeIPA, which
allowed ssh to work with my key.
I then tried to run a sudo command on the remote VPS, which is allowed as I
have a sudo rule in place that works locally.
The issue is that it then asks for my passkey and PIN but can't receive the
data from my passkey because I am running over ssh.
Is there a workaround so I don't need my passkey to use sudo on remote nodes,
e.g. VPSs and servers, but require it for laptops and desktops where the user
is physically in front of the machine?
Passkey authentication requires local key presence and is supposed to be
used on the system where you have that key. In IPA environments it means
also that if you are online, you'd get a Kerberos ticket granting ticket
as a result of the successful login with a passkey.
That Kerberos ticket can then be used to request a service ticket and
authenticate against remote SSH servers, not using your SSH key but the
actual Kerberos ticket.
You can also allow forwarding that Kerberos ticket granting ticket to
the SSH server, with ssh's option '-o GSSAPIDelegateCredentials=yes'.
This is typically not recommended but can be done. If you do so, then on
the SSH server you can use the Kerberos ticket to request a service
ticket and authenticate over PAM, with pam_sss_gss module.
On Fedora and RHEL-like systems you can use 'authselect' to enable
pam_sss_gss usage:
# authselect enable-feature with-gssapi
You also need to enable the list of allowed PAM services in sssd.conf; this
is what authselect will tell you once you run that command. The man page for
pam_sss_gss(8) gives some examples for sudo.
You can also limit what kind of initial Kerberos ticket can be used to
authenticate over PAM with pam_sss_gss. For example, you can force the use of
passkey-obtained Kerberos tickets and nothing else for sudo access:
-----------------------------------------------
[domain/my.ipadomain.com]
pam_gssapi_services = sudo, sudo-i
[pam]
pam_gssapi_indicators_map = sudo:passkey, sudo-i:passkey
------------------------------------------------
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]