passkey: implement preflight option #7631
Conversation
ikerexxe
added
Waiting for review
passkey
ikerexxe
force-pushed
the
passkey_pin
branch
2 times, most recently
from
ad8168c to
fdb0520
Compare
|
Isn't this ("whether PIN is needed and number of PIN attempts left") security sensitive information? |
|
Yes, but there's nothing an attacker can do that they couldn't do before knowing that information. Moreover, this information can be obtained by other tools already present in the system. Generally speaking, if an attacker wants to block a given FIDO2 key, then they just need to enter the PIN at most 8 times incorrectly, as that's the maximum number. As for the PIN request, they can always try to authenticate once and enter an empty PIN to see whether that's accepted. |
| && (data->domain == NULL || data->public_key_list == NULL | ||
| || data->key_handle_list == NULL)) { | ||
| DEBUG(SSSDBG_OP_FAILURE, | ||
| "Too few arguments for preflight action.\n"); |
There was a problem hiding this comment.
AFAIK there is no way to tell what arguments should be provided to passkey_child --preflight
/usr/libexec/sssd/passkey_child --preflight --help does not say and /usr/libexec/sssd/passkey_child only prints Invalid argument(s).
There was a problem hiding this comment.
Same as with other options. In this particular case this option is going to be executed by SSSD and not by the user, so I don't see a reason why we should indicate which options are missing.
There was a problem hiding this comment.
To me this seems like we are hiding how to actually use passkey_child inside SSSD codebase. At least for troubleshooting some users may end up wanting to execute passkey_child directly outside of SSSD. I don't insist about it, maybe we can create a separate ticket to improve this.
For comparison I noticed p11_child provides some hints about which arguments are missing.
justin@fedora:~$ /usr/libexec/sssd/p11_child --auth
Missing CA DB path: --ca_db must be specified.
Usage: p11_child [-?] [-?|--help] [--usage] [-d|--debug-level=INT] [--debug-timestamps=INT] [--debug-microseconds=INT] [--dumpable=INT] [--debug-fd=INT] [--logger=stderr|files|journald] [--auth] [--pre] [--wait_for_card]
[--verification] [--pin] [--keypad] [--verify=STRING] [--ca_db=STRING] [--module_name=STRING] [--token_name=STRING] [--key_id=STRING] [--label=STRING] [--certificate=STRING] [--uri=STRING] [--chain-id=LONG]
justin@fedora:~$ /usr/libexec/sssd/p11_child --ca_db test --auth
Missing PIN mode for authentication, either --pin or --keypad must be specified.
Usage: p11_child [-?] [-?|--help] [--usage] [-d|--debug-level=INT] [--debug-timestamps=INT] [--debug-microseconds=INT] [--dumpable=INT] [--debug-fd=INT] [--logger=stderr|files|journald] [--auth] [--pre] [--wait_for_card]
[--verification] [--pin] [--keypad] [--verify=STRING] [--ca_db=STRING] [--module_name=STRING] [--token_name=STRING] [--key_id=STRING] [--label=STRING] [--certificate=STRING] [--uri=STRING] [--chain-id=LONG]
There was a problem hiding this comment.
Added some comments/concerns. I'm not sure but perhaps a sssctl wrapper for the --preflight operation would be useful if we anticipate admins to request this information?
I also see some compiler warnings,:
../src/passkey_child/passkey_child_devices.c: In function ‘list_devices’:
../src/passkey_child/passkey_child_devices.c:54:12: warning: ‘ret’ may be used uninitialized [-Wmaybe-uninitialized]
passkey_child/passkey_child_devices.c: In function ‘get_device_pin_retries’:
../src/passkey_child/passkey_child_devices.c:267:12: warning: ‘ret’ may be used uninitialized [-Wmaybe-uninitialized]
I don't think this is specially useful for them. In fact, it is possible that at some point we will need to add options to look at these kinds of parameters, but not in this way. For now, let's be happy that there are already other tools that allow you to check these options.
Fixed, and thanks for reporting them. |
|
This is blocked by #7637 |
alexey-tikhonov
added
backport-to-sssd-2-9
backport-to-sssd-2-10
and removed
backport-to-stable
labels
|
Although #7637 was clarified Justin still has to implement his part to make this PR meaningful, so for the moment I am moving to draft. |
ikerexxe
force-pushed
the
passkey_pin
branch
2 times, most recently
from
58f1672 to
e8f233d
Compare
|
Hi @ikerexxe I found that passkey_child returns FIDO_ERR_PIN_AUTH_BLOCKED after 3 consecutive PIN failure attempts during passkey kerberos authentication then FIDO_ERR_PIN_BLOCKED after 8 total PIN attempt failures. https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
Can this |
I think the idea is good, but is it doable? I don't see any API providing this information. |
Maybe not, I don't know. The GUI Yubikey manager program shows this information but only after attempting a change PIN operation.
|
|
I have opened Yubico/libfido2#871 to discuss this topic with libfido2 community. |
|
Yubico answered and there isn't any method in their API to manage whether a power cycle is required (this is the name of this functionality). Recent versions of CTAP (2.1) added an (optional) way of communicating whether a power cycle is required, but it isn't implemented neither in libfido2 nor in the devices themselves. Seeing that in addition YubiKey firmware is not upgradable I don't see any viable option in the near term to implement such a thing. I opened https://issues.redhat.com/browse/RHELDOCS-20197 to update the documentation to take into account this scenario. |
|
Hi, @justin-stephenson mentioned earlier
bye, |
|
The logic Justin is referring to triggers after an authentication attempt. We need this specific step to occur before the attempt starts. Putting this into the preflight would mean calling |
Thank you for investigating this.
Putting the 'preflight' operation part aside, should we send some message to the terminal if passkey_child returns FIDO_ERR_PIN_AUTH_BLOCKED during authentication? Is something similar done for smartcard ? |
AFAIK, child processes return binary values (OK/ERROR) not the actual error codes. @sumit-bose can you confirm? |
Hi, I think we currently only use HTH bye, |
@ikerexxe For consistency, can this output be provided in JSON? Something like...
|
|
I have updated the code to return a special error code (
Yes, but the final result is |
Include a new man page for passkey to explain the behaviour of `user_verification` option in the different scenarios. It is a complex option, so it has been decided to add a table to simplify its understanding. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Timeout to search for a device should be imposed by the action that wants to be performed. Thus, refactor the high level functions and list_devices() to take it as an argument. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Expand the passkey_child to detect whether a FIDO2 device needs a PIN
and the number of attempts left for the PIN. This is needed to improve
the overall user experience by providing a way for SSSD to detect these
features before the user is requested to interact with them.
Expected input to run passkey_child: `--preflight`, `--domain` and
`--key-handle`.
Output: whether PIN is needed (boolean) and number of PIN attempts left
(integer) in JSON. Example:
{"pin_required": true, "attempts": 8}
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
When performing a passkey authentication and the PIN is entered 3 times incorrectly the FIDO2 device requires a power cycle (disconnect and reconnect the device to the USB port). libfido2 recognizes this with a special error code and the passkey child should return it so that the SSSD responder is aware of it. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
This PR was superseded by #7983 so I'm closing it |
5 participants
Expand the passkey_child to detect whether a FIDO2 device needs a PIN
and the number of attempts left for the PIN. This is needed to improve
the overall user experience by providing a way for SSSD to detect these
features before the user is requested to interact with them.
Expected input to run passkey_child:
--preflight,--domainand--key-handle.Output: whether PIN is needed (boolean) and number of PIN attempts left
(integer) in JSON. Example:
{"pin_required": true, "attempts": 8}