So guys, I will start now the presentation.
My name is Sikert Pedrosa,
and I'm a senior software engineer at Red Hat.
Well, today Erwin was supposed to come here
and present something about garage door opening
with pass keys, but apparently there's some time of curse
because, well, he couldn't come.
And I will present a topic that I was supposed
to be presenting last year about pass keys also.
So I will show you today the final results
because last year, Alexander, who is there,
kindly volunteered to present my talk,
and now I will do a kind of learning talk very fast
about the problem and the solution that we gave.
So introduction.
As you may be all aware, in January 2022,
the US government released a memorandum
where they constrained their agencies
and their, the companies working from them
to use telotrast architecture.
So if we focus just on the topics about user authentication
and authorization, we'll see that the memorandum
speaks about centrally managed users,
and more specifically about using
multifactor authentication and passwords.
On top of that, it explains that they should use
single sign-on as much as possible,
and they mentioned two specific protocols to achieve this.
One of them is PIF, or smart cards,
and the other one is Fido2.
So let's speak about Fido2 a little bit,
why users should be aware of this authentication method
and why it's important for them.
First of all, because it's passwordless,
so you don't need to remember lots of passwords.
You also don't need to, sorry.
So you don't need to be aware when there's some type of leak
in one webpage or some service that you are using,
because the private key resides in this token that is here,
and it never leaves it.
So you will not have any problem with data reaches
or any other kind of problem.
On top of that, it enables a strong authentication
by providing multifactor authentication.
So the keys that I'm using, they usually ask for the pin,
but you also have some others that ask for some fingerprint
or some other kind of biometric reading.
So the design is quite simple.
So we have a user with Fido2 key,
it goes to some computer, connects is there,
and using SSSD, they will contact the ADM server
and authenticate there and get a Kerberos ticket
to do the single sign-on.
So in this case, we are speaking out IDM server
because the best integration is achieved with it
because we will get the Kerberos ticket.
If you are using some other type of a lab server,
you will be able to authenticate,
but you won't get the Kerberos ticket.
So if you want to know more details,
the first link is the talk that I was speaking about before
that was given by Alexander here at Fosben last year.
Second one happened last year also at Defcon in June,
I think, if I remember correctly, it was me giving it
and you will have some progress in that area.
So now it's time for the demo or the demo Gorgon, who knows,
because I never was able to do this demo lively.
Yeah, you know, it's like that.
So first of all, I'm authenticated in a SSSD client
and we also have an APA server.
So I will add a new user,
which will be called Icar.
And here, the important point is that you need to set
the authentication type to Paskey.
Sorry.
So the first part, I guess you are aware of it,
if you are IPA users, but the second one is kind of
the new thing.
So I will create a user like that.
Okay, it already exists.
So let's try another one.
So that's my sister.
So this is your trust.
So we have created the user and now we need to register
the Paskey for this user.
Okay, yes, with that, I will present there.
Just again.
I guess I don't, oh yeah, I forgot the name.
Now I need to enter the pin.
And now, well, I need to touch the device.
The device is already blinking, so it's kind of obvious.
And you see there down below the Paskey mapping data.
I will show it to you.
Well, I will clear the screen and show this user.
So we have user I know.
And here we have the Paskey mapping data.
So now I will change users because you know,
if you are root, you can authenticate as any user.
And I will try to authenticate as user I know.
Okay, I need to set.
Okay, first of all, you need to insert the Paskey
and this presenter.
You are prompted for the pin that you need to input.
And finally, you don't see it on the screen,
but the LED is blinking here on the Fido 2 device
and I need to touch it.
Okay, perfect.
So we are here.
We are using I know and as we are using a free IP server,
if I saw it, okay.
We have here a server ticket.
So that at this point, we would be able to authenticate
to any other service or application
that is enrolled to this server.
One thing to notice here is that,
well, the key needs to be physically connected
to the device where you are trying to authenticate.
Okay, you cannot do it remotely with SSH
or something like that.
This is important because, well,
I heard some people asking me this question
and well, currently it's not possible at least
to do the remote authentication.
Okay, so some conclusions.
Availability of this feature.
First one is SSSD 2.9.4.
You can try with the 9.2.9.0, but it has some bugs,
so I would recommend you to go to this one.
We also have free IPA for .11.0.
And if we are speaking about specific distributions
that have this software, you can use Fedora 39
or CentOS Stream9.
Some reference links.
So we brought three design pages, two for SSSD
and one for free IPA.
The first one for SSSD is about doing the local authentication
and the second one is about doing the Kerbalos integration.
And if you would like to test this feature on your own,
I brought a Fedora Magazine article
that was kindly translated by a Chinese reader.
So you have there the demo and how to work with it.
If you don't want to mess up with your production environment
for some reason, you can use SSSD CI containers.
This project is, well, it provides a set of containers
that you can use to test SSSD IPA lab and things like that.
The only, you will find these instructions
in the GitHub page.
The only thing that changes is that you need to run,
well, you need to connect the Fido2 key first
and then you need to run MakeupPasky instead of Makeup
so that you can redirect the Fido2 device to the containers.
Okay, so that was all.
I think we have some time for questions, right, Tvenho?
Yes, we have four minutes.
Thank you.
Thank you.
Thank you.
So the system didn't ask you to touch your device,
is that some limits or was that just an implement?
No, it's a feature in reality
because you can have the Fido2 device connected
and some applications
or some malicious actor could try to sneak in
your device is already connected,
they could use it to perform the authentication.
So if you press it,
you demonstrate that it's actually you who is
trying to authenticate in this device.
Thank you.
Can you speak louder?
You indicated it will not work remote at the moment.
However, would this possibly work
with USB redirection, for instance, it's a fix.
Yeah. So the question is,
would this work with USB redirection?
The answer is yes.
Yeah, we would be able to do that.
Question here?
If we lose this key, what happens?
Okay. So somebody asked a good question here,
ask what happens if you lose your key?
You are doomed.
So my recommendation is to have at least
another authentication method,
or you could have two keys.
That's what I have.
So I have one here and I have another one at home.
If I lose one, okay,
I won't be able to do this demonstration here
or to authenticate somewhere,
but when I arrive home,
I have it there and I can use it to authenticate.
We cannot store somewhere the algorithms.
No. No, the private key.
So this uses public key algorithms,
and the private key resides in the key,
and as long as I know,
you cannot keep it out.
Yeah. So.
Do you have any plans to support
built-in platform authenticators like Windows Hello?
So yeah. So the question is,
if we have any plans to
integrate Windows Solo, you said, right?
No. The hardware now has the FIDO key in it.
Yes. You don't need a USB to extend the hardware.
Every piece of hardware now has FIDO built in.
Can we just use the platform authenticator?
Not yet. I will answer you.
Okay. Yeah.
Yeah.
Not yet. What this project supports is big FIDO 2.
So any effort to extend it to support a platform authenticator
should be against big FIDO 2 project.
And then we will inherit that one.
So the question was whether we
are supporting platform authentications,
and the answer is no.
We don't have those plans yet.
So Tveniu, how much time do you have?
I think yes. We have room for one more person.
Okay. Yeah.
So.
How do you solve the pin code?
Like, which action do you use to install the pin code?
And do you have any pin code policy?
Okay. So the question is which is the cryptographic algorithm
that we use to store the pin.
And the answer is I don't know.
This is embedded in the FIDO 2 key.
So in reality, we ask for the pin,
and we realize this information to the FIDO 2 key.
And it's them, the FIDO 2 key, who does all the decryption,
and who, well, it signs an attestation that it's you
who are doing the request and send this to the server.
It's PQCSD2.
Sorry, can you repeat?
It's PQCSD2 normally like a key derivative algorithm
which you use for the project.
Thank you.
All right, all right.
Okay.