
yubikey support

Open pypingou opened this issue 4 years ago • 9 comments

The current code base supports FreeOTP which works fine and is great but the Fedora infrastructure has a number of yubikeys that they have been using for some time.

Is there a possibility to have support for yubikey as well?

In general, we may want to see if we can get the code dealing with 2 factor auth tokens to be sort of plugin-based, as more 2FA methods/tokens appear on a regular basis and we may end up wanting to support new ones in the future.

pypingou avatar Apr 06 '20 08:04 pypingou

That mostly depends on whether FreeIPA supports it or not. @tiran, do you know about that?

abompard avatar Apr 06 '20 08:04 abompard

What kind of yubikey integration are you looking for? HOTP slot? U2F? PIV smart card? YubiCloud validation server?

IPA has the ipa otptoken-add-yubikey client-side command to enrol a yubikey. This will take up one of two slots on the YubiKey and configure it as HOTP.

Fraser wrote a blog post about X.509 / PIV smart card with the more expensive yubikeys, https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html

YubiRADIUS is no longer supported by Yubico.

I'm not aware of any solution for FreeIPA that integrates with YubiCloud validation service.

FreeIPA does not yet support U2F.

tiran avatar Apr 06 '20 09:04 tiran

The U2F support ticket is tracked in https://pagure.io/freeipa/issue/6632. You may want to read the discussion details there. For the browser part, there is now an Ipsilon ticket https://pagure.io/ipsilon/issue/315 as well.

abbra avatar Apr 06 '20 09:04 abbra

I would love u2f/webauthn support, it's vastly more user friendly for users, and just better all around.

Even if we can't implement it now in noggin, we should definitely try and do so as soon as support lands in ipa.

Other than that we currently have HOTP slot support for yubikeys in fas2. I guess we could try and keep that in noggin, but if u2f/webauthn is going to come soon I would personally be ok not bothering with HOTP and just doing that.

nirik avatar Apr 06 '20 18:04 nirik

Marking this as unconfirmed, as we aren't 100% sure how to proceed on this one.

ryanlerch avatar Apr 17 '20 05:04 ryanlerch

So, IMHO:

  1. We should try and support yubikey HOTP since U2F is likely to take a while. To do this we need to look at what ipa otptoken-add-yubikey does and needs and emulate / get noggin to do that. I'm not sure what's involved, but it should be possible.

  2. Longer term as soon as U2F is supported we should add that support to noggin too.

nirik avatar Sep 27 '21 15:09 nirik

Does this issue include passkeys as a part of webauthn? I rediscovered this issue by the latter keyword as they were mentioned in https://github.com/fedora-infra/noggin/issues/579#issuecomment-2083757877 and I would like to use them for login (especially on computer and iPhone where Bitwarden supports them well, my Android is too old for now).

Mikaela avatar Apr 30 '24 12:04 Mikaela

On the FreeIPA side we now have support of FIDO2 USB/NFC tokens through libfido2 in Kerberos. This does not include webauthn through the web browser yet, thus one cannot use the tokens defined for FreeIPA users through the browsers. We will get to that 'soon'. So to answer @Mikaela: no, those aren't supported yet.

abbra avatar Apr 30 '24 13:04 abbra

Passkeys seem to be rolling out quite quickly at the moment, with major password managers, browsers and operating systems all introducing compatibility (if it wasn't already there). In light of that, WebAuthn support is likely something that will be in higher demand in the near future.

iSaluki avatar Apr 30 '24 15:04 iSaluki