Conversation

@ikerexxe ikerexxe commented Sep 18, 2025

Extension for the passwordless-GDM feature where the smartcard and passkey authentication methods have been added.

The design page is available at SSSD/sssd.io#79.

You can use https://copr.fedorainfracloud.org/coprs/ipedrosa/passwordles-gdm/ for testing. As a reminder you should update sssd, mutter, gdm and gnome-shell packages and you also need to include the following configuration option in /etc/sssd/sssd.conf:

[pam]
pam_json_services = gdm-switchable-auth

Known limitations:

  • If EIdP and passkey are enabled at the same time for a given user, from the two of them only EIdP will be advertised (other methods aren't affected). Changing it will affect performance, so it's been decided to leave it as it is.
  • Since PAM: Add passkey preflight operation SSSD/sssd#7983 isn't merged, SSSD is unable to propagate the PIN request and PIN attempts left information to GDM. This is temporary and once this PR or the other one is merged, I'll update the PR to make this functionality available.

It returns NULL on error, but this wasn't checked.

Fixes: ceeffa9 ("Responder: generate JSON message for GUI")

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Integration with GDM requests two prompts for smartcard so modifying the
prompt_config structure. In addition, implement all the functions needed
to manipulate the structure for these new prompts. Finally, add
unit-tests for the new functions.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
These new options are needed by the GDM integration, but they can be
reused for CLI prompting.

:config: New options to tune smartcard prompting: 'init_prompt' and
         'pin_prompt'.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
@ikerexxe ikerexxe marked this pull request as ready for review September 24, 2025 13:12
@justin-stephenson justin-stephenson left a comment

I did a first round of review; some minor comments are in-line. Overall it LGTM, I have 2 comments about the UX - I only tested passkey, not smart card auth:

  • Adding an IPA user with `ipa user-add pkuser --user-auth-type=passkey`, then at the GDM login screen clicking the gear icon in the bottom right, it shows `Password` and `Passkey`, but I expect it would show `Passkey` only.

  • Adding an IPA user with `ipa user-add pkuser --user-auth-type=passkey --user-auth-type=password`, at the GDM login screen clicking the gear icon in the bottom right it shows only `Password` under login methods, while the password prompt says "Insert your passkey device...". I would expect GDM login methods to show `Passkey` and `Password`.

This API gets all the elements with the selected response type data from
the response_data linked list. Includes unit tests.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
@justin-stephenson

* Adding an IPA user with `ipa user-add pkuser --user-auth-type=passkey --user-auth-type=password`, at the GDM login screen clicking the gear icon in the bottom right it shows only `Password` under login methods, while the password prompt says "Insert your passkey device...". I would expect GDM login methods to show `Passkey` and `Password`.

This was a config mistake on my part when pam_json_services = gdm-switchable-auth got removed from sssd.conf during my testing. Please disregard.

@justin-stephenson justin-stephenson left a comment

Changes LGTM, thank you (small note I primarily focused on the passkey part).

justin-stephenson commented Oct 17, 2025

Hi @ikerexxe, can you please re-upload the SSSD build to your COPR https://copr.fedorainfracloud.org/coprs/ipedrosa/passwordles-gdm/ again? The rpms for the latest build 2.11.1-5test are no longer available.

Implement a set of functions to retrieve the smartcard data and generate
the JSON message with it.

Implement new unit test and adapt the existing ones to take into account
the new data.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Parse GUI reply for smartcard and set the appropriate data in
`sss_auth_token` structure.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This new option is needed by the GDM integration, but it can be reused
for CLI prompting.

:config: New option to tune passkey prompting: 'pin_prompt'.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Several of the functions in `pamsrv_json` had lots of arguments and I'm
about to add more for the passkey authentication mechanism. Reduce these
arguments by creating a structure that will contain all these data.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Include the certificate data in the JSON messages to set it in the
authtok structure more easily.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Include the certificate data in the JSON message to set it in the
authtok structure more easily.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This is needed by `pamsrv_json.c`, so let's make it public.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
`sss_authtok_set_local_passkey_pin` provides a way to set the passkey
PIN in the authtok structure for local passkey authentication.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Parse GUI reply for passkey and set the appropriate data in
`sss_auth_token` structure.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Due to the difficulty of having a single source for the prompts strings
for both CLI and GUI, it has been decided to leave them fixed and use
the strings proposed by Allan in the mockups design.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
@justin-stephenson
In my latest tests with sssd-client-2.11.1-11test.fc42.x86_64:

  • GDM login using IPA with PIN set: Success
  • GDM login using IPA with no PIN set: Success
  • GDM login using LDAP (local auth) with PIN set: Success. Note: fails with SELinux enabled (we already have a ticket open for this).
  • GDM login using LDAP (local auth) with no PIN set: Fails, but fails on the command line also. I plan to fix this in a separate PR.

@ikerexxe
Major changes in the latest version:

  • Addition of gdm-switchable-auth to pam_p11_allowed_services defaults (Third-to-last commit)
  • Setting gdm-switchable-auth as default for pam_json_services (Penultimate commit)
  • Setting PAM response data in krb5_child.c (Last commit, and once approved I'll squash it)

Apart from that, I also ran the test at SSSD#8159 locally to make sure that smartcard auth is working. Finally, the build is available in the COPR repo.

During the `preauthentication` phase krb5_child checks for the available
authentication methods for the given user, advertises them and the
process is kept alive. Once the state is changed to `authentication` the
same krb5_child process processes the credentials and proceeds with the
authentication itself.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
When authenticating with a passkey, different PAM code paths within SSSD
can result in the `authtok` containing data even when the user did not
enter a PIN. Depending on the flow (e.g., triggered by `gdm` vs. `su`),
this data might be an empty string or non-printable characters like `^L`
(form feed).

The previous code had two issues:
1.  It only checked if the `authtok` was non-empty
    (`sss_authtok_get_type(...) != SSS_AUTHTOK_TYPE_EMPTY`). If user
    verification was disabled, this check would incorrectly pass for
    these 'junk' `authtok` values. This caused SSSD to prepare and send
    an erroneous PIN to the passkey helper.

2.  In the case where the `authtok` *was* correctly empty, the check
    would fail, `write_buf_len` would remain 0, and the `if
    (write_buf_len != 0)` block containing the `write_pipe_send` call
    would be skipped. This stalled the authentication flow, as the
    callback to continue the process was never set.

This patch fixes both issues:
1.  The `user_verification` setting is now stored in the state struct.
    The logic is updated to only prepare the PIN buffer if the `authtok`
    is non-empty *and* user verification is required
    (`state->user_verification != PAM_PASSKEY_VERIFICATION_OFF`).

2.  The `write_pipe_send` call is moved outside the conditional block so
    it always runs. This ensures that the asynchronous child
    communication (via `passkey_child_write_done`) is always triggered,
    even if the write buffer is empty (0-length).

This resolves both failure modes: junk PINs are no longer sent when
verification is off, and the auth flow no longer stalls when no PIN is
present.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
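The two failure modes and the fix described in this commit message, as an added illustration in C that is not SSSD's code: the types, the function names and the buffer layout are assumptions, and the "before" function deliberately keeps the bug the message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified stand-ins for SSSD's authtok type and the
 * user_verification setting; these names are not the project's own. */
enum authtok_type { AUTHTOK_TYPE_EMPTY, AUTHTOK_TYPE_PASSKEY_PIN };
enum verification { VERIFICATION_OFF, VERIFICATION_ON };

struct authtok { enum authtok_type type; const char *data; size_t len; };

/* What the decision hands to the child-process writer. */
struct pin_write {
    bool send_called;       /* true if the write step (and its callback) ran */
    size_t write_buf_len;   /* bytes queued for the passkey child */
    char buf[32];
};

/* "Before": prepare a PIN whenever the token is non-empty, and only run
 * the write step when something was prepared. */
void send_pin_before(const struct authtok *tok, enum verification uv,
                     struct pin_write *out)
{
    (void)uv;                        /* verification setting is ignored */
    memset(out, 0, sizeof(*out));
    if (tok->type != AUTHTOK_TYPE_EMPTY && tok->len < sizeof(out->buf)) {
        memcpy(out->buf, tok->data, tok->len);
        out->write_buf_len = tok->len;
    }
    if (out->write_buf_len != 0) {
        out->send_called = true;     /* callback armed only on this path */
    }
}

/* "After": prepare a PIN only when the token is non-empty AND user
 * verification is required; the write step always runs, even 0-length. */
void send_pin_after(const struct authtok *tok, enum verification uv,
                    struct pin_write *out)
{
    memset(out, 0, sizeof(*out));
    if (tok->type != AUTHTOK_TYPE_EMPTY && uv != VERIFICATION_OFF
        && tok->len < sizeof(out->buf)) {
        memcpy(out->buf, tok->data, tok->len);
        out->write_buf_len = tok->len;
    }
    out->send_called = true;         /* callback always armed */
}
```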
defaults

The `pam_p11_allowed_services` option now includes `gdm-switchable-auth`
as one of the default allowed PAM services for smartcard authentication.
The service was added alongside the other GDM-related services
(gdm-smartcard and gdm-password) for logical grouping.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
When a user's password expires after successful JSON authentication, the
fallback to traditional password change fails. Add
PAM_CLI_FLAGS_CHAUTHTOK_PREAUTH flag to distinguish password change
preauth from normal authentication preauth. When this flag is set, the
PAM responder skips JSON message generation and returns traditional
preauth data instead.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Use `pam_get_auth_types()` to detect the available mechanisms for a
user.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
ikerexxe commented Nov 13, 2025

Major changes in the latest version:

  • Removed setting gdm-switchable-auth as default for pam_json_services. In a conversation with Sumit he mentioned that we may break 2FA by enabling this by default, so I decided to remove it.
  • Responder: change authentication mechanism detection to pam_get_auth_types()

This is ready for review again ;)

@sumit-bose
Hi,

thank you for the last update, controlling the available authentication types works much better now.

I would suggest mentioning the limitation of the JSON protocol with respect to two-factor authentication in the man page entry of pam_json_services. Additionally, the related man page section is not built at all because JSON_PAM_CONDS is missing in the CONDS = ... line in src/man/Makefile.am already in the older patch set.

bye,
Sumit

Add a note to clarify that 2FA isn't supported in JSON protocol and fix
man page compilation for `pam_json_services` option.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
@ikerexxe
I would suggest mentioning the limitation of the JSON protocol with respect to two-factor authentication in the man page entry of pam_json_services. Additionally, the related man page section is not built at all because JSON_PAM_CONDS is missing in the CONDS = ... line in src/man/Makefile.am already in the older patch set.

Updated in a new commit (last one).

You can disregard the CI failures, the Fedora server doesn't seem to respond to the get_matrix.py script. I guess this is Cloudflare related and will rerun CI tomorrow.

@sumit-bose
Hi,

thanks for the updates, (so far) I have no further comments.

bye,
Sumit

@ikerexxe
CI failures seem to be unrelated so I'm merging.

@ikerexxe ikerexxe merged commit a558679 into passwordless_gdm Nov 19, 2025
11 of 19 checks passed
@ikerexxe ikerexxe deleted the gdm-krb5-auth-sel branch November 19, 2025 11:18