Skip to content

Passkey local fix and improvements#8185

Merged
justin-stephenson merged 4 commits intoSSSD:masterfrom
justin-stephenson:passkey_misc_improvements
Dec 5, 2025
Merged

Passkey local fix and improvements#8185
justin-stephenson merged 4 commits intoSSSD:masterfrom
justin-stephenson:passkey_misc_improvements

Conversation

@justin-stephenson
Copy link
Contributor

@justin-stephenson justin-stephenson commented Nov 12, 2025
edited
Loading

This fixes local passkey auth (LDAP/AD) on the command-line when no PIN is set, it also addresses some improvements and small fixes that were found during recent passkey testing

gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 12, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces several fixes and improvements for passkey authentication. The most significant change is the removal of server-side configuration for passkey user verification, simplifying the logic to rely solely on client-side settings. This is a major refactoring that removes a considerable amount of code. Additionally, the pull request includes several important bug fixes, such as preventing a potential hang in the PAM responder, fixing a buffer over-read in authtok handling, and avoiding unnecessary PIN prompts. The changes are well-reasoned and improve the robustness of the passkey authentication feature. I have not found any high or critical severity issues in this pull request.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Nov 12, 2025

Please remove (cherry picked from commit f5c7b35) reference from the commit message of a first patch.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Nov 12, 2025

A set of 'backport-to' labels is questionable, imo.

@justin-stephenson justin-stephenson force-pushed the passkey_misc_improvements branch from c838a72 to 028f657 Compare November 12, 2025 19:58
@justin-stephenson
Copy link
Contributor Author

justin-stephenson commented Nov 12, 2025

Please remove (cherry picked from commit f5c7b35) reference from the commit message of a first patch.

Done.

@ikerexxe ikerexxe self-requested a review November 13, 2025 08:15
@ikerexxe ikerexxe self-assigned this Nov 13, 2025
ikerexxe
ikerexxe reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have one question/concern with commit passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION. In the passkey kerberos case, the user-verification is still used but instead of reading it from the IPA server we now read it from ipa-otpd. Is my understanding correct?

@justin-stephenson
Copy link
Contributor Author

justin-stephenson commented Nov 19, 2025

I have one question/concern with commit passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION. In the passkey kerberos case, the user-verification is still used but instead of reading it from the IPA server we now read it from ipa-otpd. Is my understanding correct?

That's correct. It is sent to the SSSD krb5 passkey plugin from ipa-otpd https://github.com/freeipa/freeipa/blob/master/daemons/ipa-otpd/passkey.c#L43

@alexey-tikhonov alexey-tikhonov mentioned this pull request Nov 19, 2025
Merged
@ikerexxe ikerexxe requested a review from thalman November 20, 2025 13:41
thalman
thalman requested changes Nov 24, 2025
View reviewed changes
@justin-stephenson justin-stephenson force-pushed the passkey_misc_improvements branch from 028f657 to c06768a Compare November 25, 2025 20:38
@ikerexxe
Copy link
Contributor

ikerexxe commented Nov 27, 2025
edited
Loading

LGTM, but I will refrain from approving until #8212 is merged. They both share one commit that I'd like to be merged in #8212 and not from this PR

thalman
thalman approved these changes Dec 4, 2025
View reviewed changes
@justin-stephenson justin-stephenson force-pushed the passkey_misc_improvements branch from c06768a to 7a46611 Compare December 4, 2025 14:44
@justin-stephenson
Copy link
Contributor Author

justin-stephenson commented Dec 4, 2025

I rebased to include #8212 - it was a clean rebase.

@alexey-tikhonov alexey-tikhonov added no-backport This should go to target branch only. and removed backport-to-sssd-2-9 labels Dec 4, 2025
ikerexxe
ikerexxe approved these changes Dec 5, 2025
View reviewed changes
Copy link
Contributor

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you for fixing this

@ikerexxe
Copy link
Contributor

ikerexxe commented Dec 5, 2025

@alexey-tikhonov why did you remove sssd-2-9 backport label? This is a fix for passkey issue

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Dec 5, 2025
edited
Loading

@alexey-tikhonov why did you remove sssd-2-9 backport label? This is a fix for passkey issue

There would be a conflict in sssd-2-9 because #8212 was merged only in 'master'.
It's easier to cherry-pick additional patch and open a backport PR "manually".

@alexey-tikhonov alexey-tikhonov added the coverity Trigger a coverity scan label Dec 5, 2025
@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Dec 5, 2025

Note: Covscan is green.

@alexey-tikhonov alexey-tikhonov removed coverity Trigger a coverity scan Waiting for review labels Dec 5, 2025
@justin-stephenson @sssd-bot
pam: Remove PAM_PASSKEY_VERIFICATION_OMIT mode
512c156 
Remove support of ambiguous "unset" state of passkey user verification.
pam_sss prompting is binary, either on or off. The use of 'unset' passkey
user verification state allows for ambiguous behavior in SSSD. For
example, passkey_child may perform undefined behavior when '--user-verification'
argument is not set, now SSSD will always send '--user-verification=false/true'
to passkey_child.

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@justin-stephenson @sssd-bot
pam: Skip passkey_local() in Kerberos auth flow
8f8947c 
Local auth functions should only be reached in AD/LDAP auth flows.

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@justin-stephenson @sssd-bot
passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION
f63fc18 
Remove SYSDB_PASSKEY_USER_VERIFICATION and related functions. In
phase 1 of passkey implementation we read passkey user verification
from IPA LDAP tree, however now user verification is sent to the
SSSD krb5 plugin from ipa-otpd.

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@justin-stephenson @sssd-bot
authtok: Set Kerberos passkey PIN to NULL when UV is false
9a1841e 
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
@sssd-bot
Copy link
Contributor

sssd-bot commented Dec 5, 2025

The pull request was accepted by @justin-stephenson with the following PR CI status:

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟡 ci / intgcheck (fedora-41) (in_progress)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the passkey_misc_improvements branch from 7a46611 to 9a1841e Compare December 5, 2025 16:24
@justin-stephenson justin-stephenson merged commit be5df34 into SSSD:master Dec 5, 2025
11 of 16 checks passed
@justin-stephenson justin-stephenson deleted the passkey_misc_improvements branch December 5, 2025 16:34
@justin-stephenson justin-stephenson mentioned this pull request Dec 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thalman thalman thalman approved these changes

@ikerexxe ikerexxe ikerexxe approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@thalman thalman

@ikerexxe ikerexxe

Labels

Accepted no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@justin-stephenson @alexey-tikhonov @ikerexxe @sssd-bot @thalman