freeipa/doc/designs/passkeys.md
Iker Pedrosa 105b03370c Passkey design: add second sssd design page
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00

274 lines
12 KiB
Markdown

# Passkey authentication
## Overview
Traditional authentication with a password is not considered secure enough
by many companies or government agencies. Alternate and more secure
solutions exist, among which the use of passkeys, where the private
key is stored on the device and the server only needs to know the public
key.
For the purpose of this feature, passkey is a FIDO2 compatible device supported
by the libfido2 library. For more details, refer to
https://fidoalliance.org/fido2/
The goal of this feature is to use a passkey to authenticate a user
against IPA.
The project will be jointly developed by SSSD and IPA:
- IPA provides the interface to store the user's public credentials
- IPA provides the interface to configure passkey settings
- SSSD performs the actual authentication
SSSD has defined the implementation in two design pages:
- [Local passkey authentication](https://sssd.io/design-pages/passkey_authentication.html).
- [Passkey Kerberos integration](https://sssd.io/design-pages/passkey_kerberos.html)
## Use Cases
- The administrator or the user registers a passkey into IPA, associated
to a user account. The registration process stores a description of the passkey
bound to IPA deployment and requires a direct communication with the passkey
device. Alternatively the description string can be obtained through the SSSD
registration tool and added without the presence of the passkey device.
- The user is then able to authenticate to any IPA enrolled host using the
passkey. The first round of passkey integration is targeting a login to
services implementing login with the help of PAM library locally on the host.
This includes direct console or graphical desktop login and authentication
to PAM-protected shell services like 'su' or 'sudo'. To access remote services
a Kerberos ticket can be obtained and used against those services later.
## How to Use
### Configuration of the passkey settings by the administrator
The administrator is able to specify common settings that will apply:
- require user verification during authentication (True/False):
- True: require user verification during authentication (PIN for instance).
- False: do not require user verification during authentication.
The default value is True.
### Registration of credentials
The user can register credentials for himself, or the admin (or any user with
the permission "System: Manage User passkeys") can register
credentials for another user.
During the registration process, it is possible to specify
- a COSE type: `es256`, `rs256` or `eddsa`
- request user verification: true or false
the authentication will force to execute the user verification check even if
the passkey settings do not set this flag. If credentials are registered without
the flag, the global passkey settings apply.
- credential type: `server-side` or `discoverable`
Discoverable credentials do not require to first identify the user.
When the passkey credential is registered, a relaying party (RP) is set to be
the IPA domain (e.g. ipa.test). While using a domain-wide relaying party
reduces access control capabilities for individual application's use of the
registered passkey, IPA provides own access control mechanisms to be layered
on top. We choose to combine existing authorization features of IPA with an
ease of use for the passkeys.
### Authentication
#### Console or desktop authentication
The user has a passkey in his possession that was already registered to IPA
and has physical access to a machine enrolled in IPA.
At Gnome login, he types his username and inserts the device.
At console login, he types his username and inserts the device.
If user verification is enabled, then the PIN is prompted. SSSD validates the
credentials and checks that the passkey allows authentication.
#### PAM-protected service access
The following example is using the su command, but would apply to any other
PAM-protected service.
The user passkeyuser has a passkey in his possession that was already
registered to IPA and has physical access to a machine enrolled in IPA. He
is already logged into the machine as a different user and wants to perform
su to authenticate as passkeyuser.
Inside a terminal, he inserts his device and enters the `su - passkeyuser`
command.
SSSD validates the credentials and checks that the passkey allows
authentication.
## Design
### Configuration of the passkey settings
A new LDAP entry stores the passkey configuration and needs a new objectclass
and a new attributetype:
```
dn: cn=passkeyconfig,cn=etc,$BASEDN
objectclass: top
objectclass: nsContainer
objectclass: ipapasskeyconfigObject
cn: passkeyconfig
ipaRequireUserVerification: True
```
The object class allows a single attribute, require user verification,
which is mandatory, single valued, and stores a boolean (TRUE, FALSE).
The LDAP entry is added when IPA server is installed or when the server is
upgraded to a version supporting passkeys, with a default value = TRUE.
### Storage of the passkey mapping
The passkey mapping is stored directly in the user entry. It needs a
new auxiliary objectclass and a new attributetype.
Note: a first proposal intended to store the value in the ipasshpubkey
attribute, but this attribute has a special handling (a new fingerprint is
calculated for each public key and added into the attribute sshpubkeyfp)
which makes it unsuitable for storing values that are not keys.
The attribute is multi valued, optional.
```
dn: uid=idmuser,cn=users,cn=accounts,dc=ipa,dc=test
uid: idmuser
...
objectClass: top
objectClass: person
...
objectClass: ipapasskeyuser
ipapasskey: passkey:9S87qLk8/RxYJ3skwwYduomAM+/HDtz41N0+w/vRL6aGKJkLMsg+2OhO0E8pK5DuO1KmdK61K8PmH7jiYuOqbg==,9YE1s/f7J47h2A/DXCVFWulqoBXFzCSxcbGEBadkpSUFjwUudhPLnPUTv2qNamakXJgRYCZQ7vpS/t5zXMLnkw==
```
The passkey mapping has the format `passkey:credentialid,pubkey`. credential
ID and public key are obtained during the registration phase, for instance
by calling SSSD helper process `sssctl passkey-exec --register` or the IPA Command
`ipa user-add-passkey LOGIN --register`.
### Access control
#### Permissions
- New permission created for writing the passkey configuration:
`System: Modify Passkey Configuration`. Granted to the Privilege `Passkey Administrators`
- New permission created for reading the passkey configuration:
`System: Read Passkey configuration`. Granted to all authenticated users.
- New permission for managing passkey mapping:
`System: Manage Passkey Mappings`. Granted to the Privilege: `Passkey Administrators`
- Extend existing permission" `System: Read User IPA Attributes`:
allow read access to the ipapasskey attribute (granted to all authenticated
users). This attribute is not sensitive as it contains only public data.
#### Self-service Permission
- New self-service permission for managing their own passkey mapping:
`Users can manage their own passkey mappings`
#### Privilege
- New privilege `Passkey Administrators` with the permissions `System: Modify Passkey Configuration` and `System: Manage Passkey Mappings`.
By default only members of the admins group are allowed to modify the passkey
settings or another user's passkeys.
## Implementation
### LDAP schema
New objectclass and attribute for the passkey configuration object:
```
attributeTypes: ( 2.16.840.1.113730.3.8.23.26 NAME 'ipaRequireUserVerification' DESC 'require passkey user verification' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.10')
objectclasses: ( 2.16.840.1.113730.3.8.24.8 NAME 'ipaPasskeyConfigObject' DESC 'IPA passkey global config options' AUXILIARY MUST ipaRequireUserVerification X-ORIGIN 'IPA v4.10')
```
New objectclass and attribute for the passkey mapping:
```
attributeTypes: ( 2.16.840.1.113730.3.8.23.27 NAME 'ipapasskey' DESC 'Passkey mapping' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.10' )
objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'ipaPasskeyUser' DESC 'IPA passkey user' AUXILIARY MAY ipapasskey X-ORIGIN 'IPA v4.10')
```
### Indices
No need to add a new index for ipapasskey as the search performed by SSSD
will use a filter based on the user uid.
## Feature Management
### UI
- A new tab will be added below "Policy", at the same level as `Host-Based Access Control`, `Sudo`, `SELInux User Maps`, `Password Policies` and `Kerberos Ticket Policy`, with the label `Passkey Configuration`.
It will allow to configure the attribute `Require User Verification`, with a check box: `on` or `off`.
- In the `User` facet, a new field will be added, below `SSH public keys`, with the label `Passkey mappings`, and will display the values, or allow to add a new value.
Note: since the Web browser may be running on a non-enrolled host without
the required packages, the WebUI will probably need specific javascript code
to register a key by inserting it on the machine where the browser is
running.
Investigations TBD regarding the possible solutions. The key registration
using the WebUI will not be part of the original implementation.
### CLI
| Command | Options | Description |
| --- | ----- | --- |
| **Passkey configuration** | | |
| passkeyconfig-show | | This command displays the Passkey settings |
| passkeyconfig-mod | --require-user-verification=BOOL | This command modifies the Passkey settings |
| **User Mapping** | | |
| user-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data, obtained through another mean (for instance through sssctl passkey-exec --register) |
| user-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the device, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| user-remove-passkey | LOGIN PASSKEY... | |
| user-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
| stageuser-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data, obtained through another mean (for instance through sssctl passkey-exec --register) |
| stageuser-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the passkey, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| stageuser-remove-passkey | LOGIN PASSKEY... | |
| stageuser-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
### Configuration
The global settings can be read or modified using `ipa passkeyconfig-[show|mod]`.
## Upgrade
During upgrade, the new LDAP schema is automatically added and replicated to the replicas.
The upgrade must create the Passkey configuration entry if it does not already exist, with value='true' for the 'require user verification' setting.
## Test plan
XMLRPC tests must validate the new CLI.
## Troubleshooting and debugging
SSSD provides 2 new commands that can be used for debugging:
* `/usr/sbin/sssctl passkey-exec --register`: documented and supported. This command can be run as root only.
* `/usr/libexec/sssd/passkey_child --register`: internally called by `sssctl passkey-exec --register`. This command does not require root access.
IPA command `ipa user-add-passkey --register` internally calls `passkey_child`.
SSSD's helper `passkey_child` provides debugging options:
`passkey_child --register --username=passkeyuser --domain=ipa.test --debug-level=9 --logger=stderr --debug-libfido2`
SSSD's helper can also be used to test the authentication:
`passkey_child --authenticate --username=passkeyuser --domain=ipa.test --public-key=... --key-handle=... --debug-level=9 --logger=stderr --debug-libfido2`
SSSD logs are available in `/var/log/sssd/`.