This is a tracking bug for Change: Passkey authentication for centrally managed users

For more details, see: https://fedoraproject.org/wiki/Changes/Passkey_authentication_centrally_managed_users

For centrally managed users on Fedora systems enrolled into Active Directory, FreeIPA, or LDAP, enable the capability to log in to a desktop or a console terminal with a FIDO2-compatible device supported by the libfido2 library. For FreeIPA, additionally, once the user has been authenticated with the FIDO2-compatible device, allow issuing a Kerberos ticket.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
FreeIPA 4.11.0 beta1 is merged to F39 and Rawhide. Basic passkey functionality is now available.
well, I don't think it is, because it's failing gating tests. :D I'm trying to fix that ATM.
I waived the tests because it is clearly a problem in the OpenQA usage of that particular scenario, as I commented on the rawhide OpenQA investigation. FreeIPA uninstaller behavior is exactly as designed. The packages were pushed to F39 and Rawhide. Let me know if you want a help with that master removal scenario.
Ah. I'd rather you avoid waiving tests in general: the problem is that you can't waive them for *every subsequent update*, which will all fail in the same way once the update that triggers the failure goes stable. I probably need to explain this harder, somewhere. Waiving CI tests that are specific to your package is one thing, waiving openQA tests that run on every update is...another thing. I've dealt with the issue in the tests now, though, so hopefully it won't be a big problem (some tests which had already started may fail, though). This took longer than usual because I spent all day attempting to deal with the landing of anaconda webUI. back on topic: the Change page also says "Enable passkey feature in SSSD" and "Adjust SELinux policies to allow access to USB-enabled passkeys through libfido2". Are those done? To what extent is the Change complete and testable at this point, what does "basic functionality" really mean?
The SSSD part is present in Rawhide since June. Most SELinux policy changes came with the FreeIPA 4.11 beta1 update. There are a few more changes to be added upstream (that work is not done yet) but they aren't required for basic functionality. Bug rhbz#2223989 tracks remaining USB-related updates to the main SELinux policy which are required to allow SSSD to perform operations with the FIDO2 tokens with the help of libfido2. I have added this bug as a dependency here.

'Basic functionality' is:

- add a FIDO2 token to an IPA user using the 'ipa user-add-passkey' CLI when running as root on a Fedora system
- authenticate with the FIDO2 token on a Fedora system as the IPA user

Access to the FIDO2 token needs udev rules to grant access permissions. If your token is not recognized by the existing udev configuration, additional configuration is needed. For example, the Token2 (token2.eu) token I have needs the following udev rule:

-----------------------
$ cat /etc/udev/rules.d/70-token2-access.rules
# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"

# Key-ID FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="349e", ATTRS{idProduct}=="0022", TAG+="uaccess", GROUP="usb-access"

LABEL="u2f_end"
-----------------------

The group for access is specific to your deployment. 'usb-access' is what I use in my FreeIPA environment. My Fedora Silverblue configuration is based on UBlue and UBlue ships https://github.com/ublue-os/config/tree/main/files/etc/udev/rules.d rules for various U2F and FIDO2 tokens all using the 'plugdev' group.
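As an added illustration (not part of this bug thread, and not code from the FreeIPA, SSSD or systemd projects), the following Python script parses a udev ruleset in the style of the one quoted in the comment above and reports what access a given hidraw device would receive: which TAG, GROUP and MODE assignments apply, honouring the ACTION/GOTO/LABEL skip that wraps the rules. The embedded ruleset is constructed for the example; it reuses the vendor/product IDs quoted above and adds a second, made-up vendor ID ("abcd"/"0001") to show a plugdev-style rule. Before a test day, a check like this tells you whether your token's IDs (from `lsusb`) are covered by any rule at all, without plugging the token in.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample ruleset: the Token2 rule quoted in the comment above plus a
# hypothetical plugdev-style rule for a made-up vendor/product ID (abcd:0001).
SAMPLE_RULES = """\
# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="u2f_end"

# Key-ID FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="349e", ATTRS{idProduct}=="0022", TAG+="uaccess", GROUP="usb-access"

# hypothetical vendor in a plugdev-style rule (constructed, not a real token)
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="abcd", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"

LABEL="u2f_end"
"""

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')


def parse_rule(line: str) -> Optional[List[Tuple[str, str, str]]]:
    """Split one udev rule line into (key, op, value) tokens; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse udev rule at: {line[pos:]!r}")
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return tokens


def _matches(pattern: str, value: str) -> bool:
    """udev match values are '|'-separated shell-glob alternatives."""
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))


def evaluate(rules_text: str, device: Dict[str, str]) -> Dict[str, object]:
    """Walk the ruleset for one device event and collect access-related assignments.

    `device` maps udev match keys (ACTION, KERNEL, SUBSYSTEM, ATTRS{idVendor},
    ATTRS{idProduct}) to the event's values. Unknown keys never match, which is the
    conservative choice for an offline check.
    """
    parsed = [(n, parse_rule(l)) for n, l in enumerate(rules_text.splitlines(), 1)]
    parsed = [(n, t) for n, t in parsed if t]
    result = {"tags": set(), "group": None, "mode": None, "matched_lines": []}
    i = 0
    while i < len(parsed):
        lineno, tokens = parsed[i]
        i += 1
        ok = True
        for key, op, val in tokens:
            if op not in ("==", "!="):
                continue
            actual = device.get(key)
            hit = actual is not None and _matches(val, actual)
            if (op == "==") != hit:
                ok = False
                break
        if not ok:
            continue
        goto, assigned = None, False
        for key, op, val in tokens:
            if key == "GOTO":
                goto = val
            elif key == "TAG" and op == "+=":
                result["tags"].add(val); assigned = True
            elif key == "GROUP" and op == "=":
                result["group"] = val; assigned = True
            elif key == "MODE" and op == "=":
                result["mode"] = val; assigned = True
        if assigned:
            result["matched_lines"].append(lineno)
        if goto:  # jump forward to the matching LABEL="..." line
            for j in range(i, len(parsed)):
                if any(k == "LABEL" and v == goto for k, _, v in parsed[j][1]):
                    i = j + 1
                    break
    return result


def hidraw_device(id_vendor: str, id_product: str, action: str = "add") -> Dict[str, str]:
    """Build the match keys for a hidraw add/change event of a USB token."""
    return {"ACTION": action, "KERNEL": "hidraw0", "SUBSYSTEM": "hidraw",
            "ATTRS{idVendor}": id_vendor, "ATTRS{idProduct}": id_product}


if __name__ == "__main__":
    for vid, pid in (("349e", "0022"), ("abcd", "0001"), ("ffff", "ffff")):
        r = evaluate(SAMPLE_RULES, hidraw_device(vid, pid))
        print(f"{vid}:{pid} tags={sorted(r['tags'])} group={r['group']} "
              f"mode={r['mode']} lines={r['matched_lines']}")
```

A device that ends up with neither the `uaccess` tag nor a GROUP assignment is the case the comment describes: the token will not be usable by SSSD or `ipa user-add-passkey` until a rule for its vendor/product ID is added.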
FEDORA-2023-e714c51e35 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e714c51e35
Please don't mark updates as fixing Change tracker bugs, that's not how the process is supposed to work. The bugs should be closed later in the cycle after a review that the Change has been fully implemented and no problems have been observed.
FEDORA-2023-e714c51e35 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e714c51e35` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e714c51e35 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This bug got ON_QA state via Bodhi, which isn't really correct, but I *think* it's actually appropriate, we can consider the bug 100% code complete now (which is what ON_QA indicates for Change tracker bugs). Alexander, can you confirm that? Thanks!
Correct. Test day results are not showing anything we didn't know about (failed reports are mistakes of a tester).
The only issue I've found that can be worked around with a custom udev ruleset is reported to systemd upstream: https://github.com/systemd/systemd/issues/29278
One more SELinux bit is missing for a new policy for passkey support; added as bug 2240193.
FEDORA-2023-e714c51e35 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
F39 was released on November 7th, so I am closing this tracker. If this Change was not completed, please notify me ASAP.