On Sun, 04 Sep 2022, Gary Buhrmaster wrote:
> On Sun, Sep 4, 2022 at 3:52 PM Adam Williamson
> <adamwill@xxxxxxxxxxxxxxxxx> wrote:
> > Well, not really. 2FA isn't a magic bullet. I would be in favor of
> > doing this, but you can't treat any security measure as solving all
> > your problems completely.
> Nothing is a magic bullet (and most security can be bypassed
> with the $10 (it was $5 before inflationary increase) wrench),
> but passkeys (which can eliminate passwords entirely) do
> tend to raise the bar substantially, and those services doing
> authorization can require additional levels of real-time identity
> assurance for additional levels of access (so inserting a
> USB token, or having your phone nearby, might let you log in,
> but you need to provide something additional (PIN, biometrics,
> whatever) to access things at a higher level at the time
> you require that (say, for this case, using PP powers)).
> However, the last time this was discussed, the Fedora AAA system(s)
> did not (yet?) support the full FIDO2/WebAuthn/passkey
> functionality, so at this time such full integration is just a
> dream(*).
FreeIPA 4.9.10+ supports integration with an external OAuth2 identity
provider (IdP). It needs OAuth2 device authorization grant flow support
from the IdP, which Ipsilon does not support but Keycloak or any of the major
public IdPs aside from GitLab do support. Keycloak supports
FIDO2/WebAuthn too, so FreeIPA in Fedora 36 or later can be set up to
operate with WebAuthn and no passwords in your own deployments. Fedora
AAA uses RHEL IdM as a backend, and there this feature is coming in the next
minor RHEL releases.
It is not fully functional yet, but for the Fedora AAA use case things are
there on the FreeIPA side. For Fedora users it would look similar to
the current Kerberos flow: (1) obtain an anonymous PKINIT ticket to use
as a FAST channel, and (2) attempt to authenticate to the Fedora KDC. If
the sssd-idp subpackage is installed and your Fedora AAA account is
configured to use an external IdP for your access authorization, then you'd
be asked to visit a URL where you'd authenticate and then grant that
authorization to the Fedora AAA system. This IdP can be something that
Ipsilon could federate to purely for user authentication purposes.
This is not implemented in Fedora AAA yet.
You might want to watch our Nest with Fedora 2022 talk. More features
are coming too: we are working on a direct FIDO2 integration in SSSD and
FreeIPA, but a lot of help is needed from desktop folks as well to make
it usable for login to graphical environments. GDM login is ugly right
now, as the message we push through PAM prompts simply does not fit into
the GDM input boxes and you don't know where to go for your IdP access.
See https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html
for practical workshop details on how to set up and use this in FreeIPA.
The Nest With Fedora talk replay is available here:
https://app.hopin.com/events/nest-with-fedora-2022/replay/Um91bmR0YWJsZVJlY29yZGluZ0FyY2hpdmU6MTM2OTQ3
(skip to 8:55 or so for the talk's start).
Slides can be found here, but the talk also has several demos:
https://vda.li/talks/2022/2022-Nest-With-Fedora-FreeIPA-and-OAuth2.pdf
> (*) Given that all the major tech companies are moving towards
> allowing (and will be encouraging) customers to use passkeys
> I hope we will see better integrations with FreeIPA and Ipsilon
> at some point.
Ipsilon is orphaned in Fedora. If not picked up, it will disappear. It
would be sad, but a practical issue is that upstream seems to be less
active too. Not sure how it goes, but given that Fedora AAA is deployed,
or is going to be eventually deployed, in a containerized way, then probably
focusing on another feature-rich open source IdP could be a better
option.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
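The OAuth2 device authorization grant that the message above hinges on (the client gets a code, the user visits a URL and authenticates there, the client polls until the grant is approved) as an added example; this is not code from the thread, FreeIPA or SSSD. The IdP is a constructed in-memory stand-in for Keycloak with the two RFC 8628 endpoints, the verification URL and client id are placeholders, and only the error strings are the ones RFC 8628 defines.

```python
import secrets

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class FakeIdP:
    def __init__(self, verification_uri="https://idp.example.test/device"):
        self.verification_uri = verification_uri  # constructed placeholder URL
        self.pending = {}  # device_code -> {"user_code", "approved", "sub"}

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: a device_code for the client, a user_code for the human."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "approved": False, "sub": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri, "expires_in": 600, "interval": 5}

    def user_approves(self, user_code, subject):  # user opened the URL, logged in (e.g. WebAuthn), typed the code
        for entry in self.pending.values():
            if entry["user_code"] == user_code:
                entry["approved"], entry["sub"] = True, subject
                return True
        return False

    def token(self, grant_type, device_code, client_id):
        """Token endpoint the client polls; error codes follow RFC 8628 section 3.5."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "expired_token"}
        if not entry["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device codes are single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": entry["sub"]}

def login_via_device_flow(idp, client_id, show_prompt, sleep):
    """Client side (the role sssd-idp plays): get codes, prompt the user, poll until approved."""
    resp = idp.device_authorization(client_id, "openid")
    show_prompt(resp["verification_uri"], resp["user_code"])  # the prompt pushed through PAM
    interval = resp["interval"]
    while True:
        tok = idp.token(DEVICE_CODE_GRANT, resp["device_code"], client_id)
        if "error" not in tok:
            return tok
        if tok["error"] == "slow_down":
            interval += 5  # RFC 8628: increase the polling interval by 5 seconds
        elif tok["error"] != "authorization_pending":
            raise RuntimeError(tok["error"])
        sleep(interval)
```

Pass `time.sleep` as `sleep` for real use; the polling loop keeps going while the IdP answers `authorization_pending`, which is exactly the wait the GDM prompt has to cover.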
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue