Please do not drop the mailing list discussion.

On Sun, 25 Aug 2024, Entrepreneur AJ wrote:
How would this affect FreeIPA, as it was that server I was connecting to via SSH?

As I said, you'd use Kerberos authentication to authenticate to that
server, not your SSH key or a passkey on the server. And for
authentication once you logged into that server, you'd use your Kerberos
ticket as well, through pam_sss_gss use.

I'd recommend you read through both the SSSD and FreeIPA design pages for
passkey authentication.

https://sssd.io/design-pages/passkey_authentication.html
https://sssd.io/design-pages/passkey_kerberos.html
https://freeipa.readthedocs.io/en/latest/designs/passkeys.html
On 25/08/2024 15:22, Alexander Bokovoy wrote:
On Sun, 25 Aug 2024, Entrepreneur AJ via FreeIPA-users wrote:
Hi All,

I have set up a new instance of FreeIPA yesterday on a Fedora 40 VPS; all seems to be well. I have reinstalled my laptop and enrolled it to the new install; all seems to be well. I have enrolled my Yubikey as a passkey. It didn't initially work; it turned out passkey support doesn't work with SDDM, so no KDE. I tried with a basic GNOME install, which didn't work either; I found I had to change lightdm to gdm for it to work. I generated a new resident SSH key on my Yubikey and added it to FreeIPA, which allowed ssh to work with my key. I then tried to run a sudo command on the remote VPS, which is allowed as I have a sudo rule in place that works locally.

Issue is it then asks for my passkey and pin but can't receive the data from my passkey because I am running over ssh.

Is there a workaround so I don't need my passkey to use sudo on remote nodes, e.g. VPSs and servers, but require it for laptops and desktops which the user is physically in front of?

Passkey authentication requires local key presence and is supposed to be
used on the system where you have that key. In IPA environments it means
also that if you are online, you'd get a Kerberos ticket-granting ticket
as a result of the successful login with a passkey.

That Kerberos ticket can then be used to request a service ticket and
authenticate against remote SSH servers, not using your SSH key but the
actual Kerberos ticket.

You can also allow forwarding that Kerberos ticket-granting ticket to
the SSH server, with ssh's option '-o GSSAPIDelegateCredentials=yes'.
This is typically not recommended but can be done. If you do so, then on
the SSH server you can use the Kerberos ticket to request a service
ticket and authenticate over PAM, with pam_sss_gss module.

On Fedora and RHEL-like systems you can use 'authselect' to enable
pam_sss_gss usage:

# authselect enable-feature with-gssapi

You also need to enable the list of allowed PAM services in sssd.conf; this
is what authselect will tell you once you run that command. The man page for
pam_sss_gss(8) gives some examples for sudo.

You can also limit what kind of initial Kerberos ticket can be
used to authenticate over PAM with pam_sss_gss. For example, you can
force use of passkey-obtained Kerberos tickets and nothing else for sudo
access:

-----------------------------------------------
[domain/my.ipadomain.com]
pam_gssapi_services = sudo, sudo-i

[pam]
pam_gssapi_indicators_map = sudo:passkey, sudo-i:passkey
------------------------------------------------
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
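The sssd.conf fragment above pairs pam_gssapi_services (which PAM services may try GSSAPI authentication through pam_sss_gss) with pam_gssapi_indicators_map (which authentication indicators the Kerberos ticket must carry). A service that is listed in the first but has no "passkey" requirement in the second would accept any Kerberos ticket, including one obtained with a password. The script below is an added example, not code from this thread or from SSSD, that parses an sssd.conf and reports such services. The sample configuration is constructed; the option semantics it assumes are those of sssd.conf(5): entries in the indicators map are either 'service:indicator' or a bare indicator that applies to every service, a value of '-' for pam_gssapi_services disables GSSAPI authentication, and a [domain/...] setting takes precedence over [pam].

```python
"""Audit an sssd.conf for pam_sss_gss services that do not require a
passkey-derived Kerberos ticket (added example, not SSSD's own code)."""
import configparser

# Constructed sample, modelled on the snippet in the thread. "login" is
# deliberately allowed for GSSAPI auth without a passkey indicator.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = my.ipadomain.com
services = nss, pam

[domain/my.ipadomain.com]
id_provider = ipa
pam_gssapi_services = sudo, sudo-i, login

[pam]
pam_gssapi_indicators_map = sudo:passkey, sudo-i:passkey
"""

REQUIRED_INDICATOR = "passkey"


def _split_list(value):
    """Split an sssd.conf comma-separated list, dropping blank items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _effective(cp, domain, option):
    """Value of `option` for a domain; the [domain/...] section wins over
    [pam] (assumed precedence, per sssd.conf(5))."""
    for section in (domain, "pam"):
        if cp.has_section(section) and cp.has_option(section, option):
            return cp.get(section, option)
    return None


def parse_indicators(value):
    """Turn 'sudo:passkey, sudo-i:passkey, otp' into
    ({'sudo': {'passkey'}, 'sudo-i': {'passkey'}}, {'otp'}):
    per-service requirements plus indicators required for every service."""
    per_service, global_required = {}, set()
    for entry in _split_list(value or ""):
        if ":" in entry:
            svc, ind = (part.strip() for part in entry.split(":", 1))
            per_service.setdefault(svc, set()).add(ind)
        else:
            global_required.add(entry)
    return per_service, global_required


def audit(text, required=REQUIRED_INDICATOR):
    """Return {domain_section: [services allowed to authenticate via
    pam_sss_gss whose tickets are not required to carry `required`]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        services_value = _effective(cp, section, "pam_gssapi_services")
        if services_value is None or services_value.strip() == "-":
            continue  # GSSAPI authentication disabled for this domain
        per_service, global_required = parse_indicators(
            _effective(cp, section, "pam_gssapi_indicators_map"))
        unprotected = []
        for svc in _split_list(services_value):
            needed = per_service.get(svc, set()) | global_required
            if required not in needed:
                unprotected.append(svc)
        if unprotected:
            findings[section] = unprotected
    return findings


if __name__ == "__main__":
    for domain, services in audit(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: pam_sss_gss allowed without '{REQUIRED_INDICATOR}': "
              f"{', '.join(services)}")
```

Run against the sample it reports "login" for the domain, since that service is allowed to use pam_sss_gss but the indicators map only constrains sudo and sudo-i; on a real host, point audit() at the contents of /etc/sssd/sssd.conf (root-readable) after running the authselect command from the thread.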

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]