PAM: Add passkey preflight operation#7983
PAM: Add passkey preflight operation#7983justin-stephenson wants to merge 6 commits intoSSSD:masterfrom
Conversation
ec79320 to
4b46d79
Compare
496c4e9 to
ee7e765
Compare
|
I did not check the code, but went straight to testing. There is one thing that caught my attention. When the number of attempts remaining is less than 3 the user is supposed to get that number before asking for the PIN, so that they are aware that they are in a risky situation. Something like: In general terms, passkey preflight should be run during preauth stage. I don't know how hard it would be to implement it this way but it would make more sense. |
ee7e765 to
49fe0bd
Compare
It is run during preauth stage, I just had to move around the pam_sss code which sends the message to the console. Please try again. |
ikerexxe
left a comment
There was a problem hiding this comment.
Ok, now the testing worked as expected:
su - iker@ipa.test
Insert your passkey device, then press ENTER.
You have 3 PIN attempts remaining
Enter PIN:
su: Authentication failure
I didn't check all the code, but there is something that caught my eye. See inline.
49fe0bd to
03396a0
Compare
2bd3a7e to
65beeac
Compare
|
@ikerexxe Please confirm these are the appropriate backport labels to use also |
What RHEL versions do you target? |
|
This PR supersedes #7631 |
65beeac to
810da7b
Compare
ikerexxe
left a comment
There was a problem hiding this comment.
Just some minor comments. By the way, I forgot to mention that I tested it and it works as expected
810da7b to
927859b
Compare
2c2de0a to
966e36b
Compare
Account both for time consumed by `fido_dev_info_manifest()` and `sleep()`, which can return in no time if interrupted. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Expand the passkey_child to detect whether a FIDO2 device needs a PIN
and the number of attempts left for the PIN. This is needed to improve
the overall user experience by providing a way for SSSD to detect these
features before the user is requested to interact with them.
Expected input to run passkey_child: `--preflight`, `--domain` and
`--key-handle`.
Output: whether PIN is needed (boolean) and number of PIN attempts left
(integer) in JSON. Example:
{"pin_required": true, "attempts": 8}
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
When performing a passkey authentication and the PIN is entered 3 times incorrectly the FIDO2 device requires a power cycle (disconnect and reconnect the device to the USB port). libfido2 recognizes this with a special error code and the passkey child should return it so that the SSSD responder is aware of it. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Also refactor PAM passkey child related operations
966e36b to
2b2bd2a
Compare
|
I've updated the code to address Alexey's concerns |
|
@ikerexxe, thanks for updates.
What about this ^^? |
Unless you plan to provide a way for this to be configurable I don't see any difference between the actual implementation and your proposal. Thus, I'd prefer to keep it as it is. |
It is already configurable via
The issue is that 'passkey_child' doesn't use it. |
|
There are two distinct timeouts happening here: the timeout you're referring to controls how long the PAM responder will wait for the |
They should be related. At the very least 2nd can't be greater than 1st. |
|
Agreed to tackle the timeout topic on a different PR. |
|
@ikerexxe @madhuriupadhye @alexey-tikhonov Hi, can you approve the PR if you have no further comments/concerns? |
|
CI, and more specifically the system tests, are in the red, and I believe this is due to our changes. I have asked Madhuri to review them. |
2b2bd2a to
1135643
Compare
IIUC, we need tests to be updated alongside with this PR. |
1135643 to
2b2bd2a
Compare
f5d64b3 to
b854636
Compare
|
Closing this for now. I will open a new PR once this PR is ready, I will work with QE to have passkey tests updated alongside these changes also. |
PIN attempts message is only shown when <= 3
In addition, refactored a lot of PAM passkey child related code