Passwordless Linux - Passkey and External IdP support in FreeIPA

Transcript

1. Passwordless Linux Passkey and External IdP login with FreeIPA Fraser

   Tweedale @hackuador[@functional.cafe]

2. About me • 10 years at Red Hat working on

   PKI and identity management • >15 years working software engineer • Love functional programming and especially Haskell

3. Acknowledgements • I didn't work on any of the cool

   stuff I'm demoing today • Alexander Bokovoy, Iker Pedrosa, and many others (FreeIPA / SSSD) • Ray Strode (GNOME)

4. Outline • Why NOT passwords • Alternatives to passwords •

   FreeIPA overview • Demo • Boring technical stuff • Resources
5. None
6. None

7. Passwords • We're all tired of passwords, aren't we? •

   Many users are not diligent (weak; reuse) • Many users are not technically proficient (what's a password manager?) • Using passwords securely imposes friction and cognitive load • Complexity and rotation policies DO NOT HELP! • Phishing risk, even for technical users

8. M-22-09 https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

9. M-22-09 https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

10. Objectives • Reduce password risks (weak, reused, …) • Reduce

    phishing risks • Reduce friction for users (make it quick and easy) • Reduce frequency of explicit user authentication (single sign-on) • Through a combination of the above, improve security posture

11. Alternatives to (only) passwords • Two-factor authentication • Smartcards •

    Passkeys / WebAuthn • Web SSO providers

12. Two-factor authentication • a.k.a. 2FA, multi-factor authentication (MFA) • Password

    plus a one-time code • HOTP / TOTP / SMS / hardware token • Phishable

13. Smart cards • Cryptographic token with (optional) PIN • Private

    key + X.509 certificate • Sign a challenge to prove identity • Phishing-resistant • Issuance, renewal and revocation complexities • USB, NFC, "SIM-esque", …

14. Passkeys / WebAuthn • Cryptographic token with (optional) PIN •

    Optional physical presence check (touch the token) • Optional token attestation • Unique private keys bound to websites (or other RPs) • Sign a challenge to prove identity • Phishing-resistant • "Passkey" ≅ FIDO2 ≅ W3C WebAuthn + CTAP

15. Web SSO • SAML / OAuth 2.0 / OpenID Connect

    • Use an existing account to authenticate • For public sites: offered by many popular public services (privacy concern) • For organisations: Keycloak, Red Hat SSO, many SaaS offerings • Works great for web; can work for other scenarios
16. None

17. Workstation login

18. Workstation login - standalone • Password ✅ pam_unix • 2FA

    ✅ pam_2fa, pam_oath, pam_yubico, ... • Smartcard ✅ pam_pkcs11 • Passkey ✅ pam_u2f • Web SSO ❓

19. Workstation login - domain member • Password ✅ pam_sss •

    2FA ✅ pam_sss • Smartcard ✅ pam_sss • Passkey ✅ pam_sss • Web SSO ✅ pam_sss

20. FreeIPA / Red Hat Identity Management • Centralised identity management

    for Linux/UNIX environments • Authentication: Kerberos, password, 2FA, Smartcard, Passkey, OIDC IdPs • Policy: HBAC, Sudo rules, SELinux maps, PKI, … • Cross-realm trusts with Active Directory • Fedora + RHEL (server) ; most distros (client) • Public demo instance: https://www.freeipa.org/page/Demo • Ansible roles: https://github.com/freeipa/ansible-freeipa

21. FreeIPA - architecture

22. Demo

23. How does this even work?

24. None

25. Smart card Diagram from RHEL guide ‘Configuring and managing Identity

    Management’: 8.3. Data flow when authenticating as a user with SSSD in IdM

26. External IdP (Web SSO) From FreeIPA external IdP design document:

    https://freeipa.readthedocs.io/en/latest/designs/external-idp/external-idp.html

27. External IdP - GitHub example

28. External IdP - GitHub example This is important!

29. External IdP - GitHub example

30. External IdP - authentication example F 1 F C D

    A 8 C

31. Passkeys Diagram from RHEL guide ‘Configuring and managing Identity Management’:

    8.3. Data flow when authenticating as a user with SSSD in IdM passkey_ child

32. Passkeys • $ ipa user-add-passkey alice --register • ipapasskey: passkey:9S87qLk8/RxYJ3skwwYduomAM+/HDtz...

    • Article: FIDO2 for centrally managed users - Fedora Magazine • FreeIPA design page (link) • SSSD design page (link)

33. GDM - mechanism selection

34. GDM - mechanism selection - External IdP

35. GDM - mechanism selection - UX • GNOME UX research

    and mockups (link) • SSSD design document (link) • Development builds: COPR ipedrosa/passwordles-gdm • To enable ◦ Add to /etc/sssd/sssd.conf: [pam] pam_json_services = gdm-switchable-auth ◦ setenforce 0 (temporary workaround) ◦ systemctl restart sssd gdm
36. None

37. GDM - mechanism selection { "auth-selection": { "mechanisms": { "password":

    { "name": "Password", "role": "password", "selectable": true, "prompt": "Password:" }, "eidp": { "name": "Web Login", "role": "eidp", "selectable": true, "init_prompt": "Login", "link_prompt": "Login online with another device", "uri": "https://short.url.com/tmp", "code": "1234" }, "smartcard:1": { "name": "smartcard ID1", "role": "smartcard", "selectable": true, "prompt": "Enter PIN:" } }, "priority": ["eidp", "smartcard:1", "password"] } }

38. Availability • FIDO2 passkeys since SSSD 2.9.0 + FreeIPA 4.11.0

    ◦ Fedora 39; RHEL 9.4 Beta (Technology Preview) • External IDP since SSSD 2.7.0 + FreeIPA 4.10.1 ◦ Fedora 38; RHEL 9.1 (Technology Preview); RHEL 9.4 Beta (full support) • GDM enhancements: not earlier than Fedora 41

39. Future • ipa-tuura SCIM bridge - automatically CRUD external users/groups

    in IPA ◦ https://github.com/freeipa/ipa-tuura ◦ FOSDEM 2024 - ipa-tuura: FreeIPA connector for Keycloak • Stable POSIX attributes for external IdPs ◦ FOSDEM 2024 - POSIX identities out of OAuth2 identity providers: how to redesign SSSD and Samba? • Direct enrolment to external IdPs ◦ Cut out the middle man and run a local KDC: Web Login without FreeIPA ◦ Drop-in configuration for pre-defined realms • Automatic domain join in cloud environments ◦ github.com/podengo-project What I'm working on!

40. Resources • FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop.html ◦ Unit 12: External IdP

    (no passkey module… yet!) • WebauthN talk: "Webauthn, Passkeys, and You - The Future of Authentication" - William Brown (EO 2023) • Smart cards talk: "Kerberos PKINIT: what, why, and how (to break it)" - Fraser Tweedale (EO 2023) / slides • OIDC talk: Identity 2.0: the what, why and how of social and federated login" - Fraser Tweedale (PyConAU 2017) / slides • GDM+SSSD development builds: ipedrosa/passwordles-gdm COPR

41. Questions? this slide deck: is.gd/passwordsmustdie @hackuador[@functional.cafe]