WIP! login: Add passkey to users #22460
Work in progress and doesn't do anything at the moment. In short I wanted a test to set up sssd first with correct configuration and then make it possible to configure passkeys in the browser. After that's done I'll continue working on writing the login page itself.

As the browser and terminal are slightly different I figure adding a passkey through the browser is almost a necessity before getting the login to work. Otherwise it might not work at all for the login if you use something like a FIDO2 key to register within the terminal and then try in the browser.

Signed-off-by: Freya Gustavsson <[email protected]>
Been experimenting with sssd and FreeIPA and have gotten to a good starting point. Since it is quite FreeIPA-centric we should evaluate if we should have this in Cockpit itself or as an addon (I have some ideas for making it easier to create a login plugin, but likely missing some crucial steps).

With the front-end, I've successfully been able to add passkeys from the browser to FreeIPA. After a successful registration with a hardware token on alice account on the UI front, I can go back to terminal and check

There we get

```
[alice@x0 ~]$ ipa user-show alice
....
Passkey mapping: passkey:<credentialID>,<publicKey>,
passkey:<credentialID>,<publicKey>
....
```

Current way I've been debugging is by setting the host to localhost, as WebAuthn has localhost set as a domain for testing purposes. Whereas

```
TEST_SHOW_BROWSER=1 TEST_BIND_GLOBAL=localhost test/verify/check-system-realms TestIPA.testPasskeyAuthentication -stv
```

After it successfully validated IPA and shows the

Currently it adds a passkey for alice no matter which account you are viewing. This is because alice isn't shown in the accounts page. Something to address somehow.

Then just put in the pin for your hardware token and it will send it to

Bitwarden doesn't work at the moment due to
Fixes: #20389