Hi everyone,
I have a working FreeIPA domain, including desktop login for the clients. Now I am looking to upgrade the setup using hardware tokens. Passkeys are supported since FreeIPA version 4.11.
For testing purposes I bought one NK3A.
Using ipa user-add-passkey --register, I can successfully add the passkey to the user. It will show up in the WebUI and using nitropy the new credential will be listed. This is where the issues start.
For the first one, I am unsure if it actually is an issue or just a confusing way to display the information by IPA. IPA supports discoverable and server-side passkeys. No matter if I register the key as a discoverable or a server-side key, the key will be shown as server-side in IPA.
Whenever I try to login to the desktop using the key, it will prompt me to enter the username regardless of the key type. After entering the username, the login seems to fail and it tells me below a password field to “Please (re)insert [a] (different) Smartcard”. However, I can only login after I remove the stick. This leads me to believe that it correctly recognizes the key as a/the preferred way to login.
When trying to debug the situation using pkcs11-tool --test --login I will be asked for the NK PIN. After entering the PIN, I will be presented with "error: PKCS11 function C_Login failed: rv = CKR_DATA_INVALID (0x20)". I am currently unable to find what prompted me to use this command but I think it was suggested by some other utility’s output.
The FreeIPA documentation suggests using the following command for debugging: passkey_child --authenticate --username=passkeyuser --domain=ipa.test --public-key=... --key-handle=... --debug-level=9 --logger=stderr --debug-libfido2. Unfortunately I am unaware of the way to get the correct values to use for --public-key and --key-handle.
Looking at the NK3 documentation, it suggests that Linux login requires libpam-u2f. I am unsure if this applies for me since FreeIPA uses SSSD. I still made sure that it is installed and pamu2fcfg can access the key.
Hopefully somebody can tell me what I am doing wrong or if this application is just not supported by Nitrokey.
Best,
Pueblo
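Added example (not from the thread and not FreeIPA's or SSSD's own code) for locating the --public-key and --key-handle values the passkey_child debug command above needs: it parses the user's stored passkey mappings and builds one debug invocation per registered credential. It assumes SSSD's mapping format passkey:<key-handle>,<public-key> stored in the user's ipapasskey attribute as shown by ipa user-show <user> --all --raw; the sample output below is constructed.

```python
"""Build passkey_child --authenticate debug invocations from IPA passkey mappings.

Assumption (not confirmed by the thread): FreeIPA stores each registered passkey
in the user's ipapasskey attribute using SSSD's mapping format
    passkey:<key-handle>,<public-key>
and `ipa user-show <user> --all --raw` prints one line per attribute value.
"""
import shlex
from dataclasses import dataclass

# Constructed sample of `ipa user-show passkeyuser --all --raw` output (trimmed).
SAMPLE_USER_SHOW = """\
  dn: uid=passkeyuser,cn=users,cn=accounts,dc=ipa,dc=test
  uid: passkeyuser
  ipapasskey: passkey:AAAAQWtleUhhbmRsZQ==,eyJjb25zdHJ1Y3RlZCI6dHJ1ZX0=
  ipapasskey: passkey:c2Vjb25kS2V5SGFuZGxl,c2Vjb25kUHVibGljS2V5
  ipauserauthtype: passkey
"""


@dataclass(frozen=True)
class PasskeyMapping:
    key_handle: str
    public_key: str


def parse_passkey_mappings(user_show_output):
    """Extract (key-handle, public-key) pairs from ipapasskey attribute lines."""
    mappings = []
    for line in user_show_output.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or name.lower() != "ipapasskey":
            continue  # not a passkey mapping line (dn, uid, ...)
        value = value.strip()
        if not value.startswith("passkey:"):
            raise ValueError(f"unexpected mapping format: {value!r}")
        key_handle, sep2, public_key = value[len("passkey:"):].partition(",")
        if not sep2 or not key_handle or not public_key:
            raise ValueError(f"malformed passkey mapping: {value!r}")
        mappings.append(PasskeyMapping(key_handle, public_key))
    return mappings


def passkey_child_argv(username, domain, mapping):
    """argv for the passkey_child --authenticate command quoted in the thread."""
    return [
        "passkey_child", "--authenticate",
        f"--username={username}", f"--domain={domain}",
        f"--public-key={mapping.public_key}",
        f"--key-handle={mapping.key_handle}",
        "--debug-level=9", "--logger=stderr", "--debug-libfido2",
    ]


def debug_commands(username, domain, user_show_output):
    """One shell-quoted passkey_child command line per registered passkey."""
    return [shlex.join(passkey_child_argv(username, domain, m))
            for m in parse_passkey_mappings(user_show_output)]


if __name__ == "__main__":
    for cmd in debug_commands("passkeyuser", "ipa.test", SAMPLE_USER_SHOW):
        print(cmd)
```

Run each printed command with the token inserted; the libfido2 debug output shows whether the credential is found on the token and whether user verification (PIN) is requested.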
To compose part of a reply to myself:
I just tried again using a rockylinux machine. I had the same issue with it not acknowledging the key at all while using the Plasma desktop. After switching to gnome it started noticing the key during login but the login itself is still unsuccessful.
My best guess is that IPA strictly supports nothing but FIDO2 while going by the docs, Nitrokey only supports U2F on Linux, however I don’t have any proof either way and it does create credentials that I can list using nitropy fido2 list-credentials.
Looking at guides online, the process seems quite painless with competitor’s products. This leads me to believe that my earlier guess is not too far off. Is there any chance for the NK3 to get a firmware update to support FIDO2 for desktop login on linux and if so, is there any timeframe I can expect the update to ship in?
Best,
Pueblo
phew, honestly never seen openipa, looks promising, but as I (and nitrokey generally) have no experience with it I can only give you some hints what to look for.
- I’d assume that pam_u2f is unneeded here, freeipa seems to implement its own pam mechanism through ldap(?)
- if registering works this seems to be a good first step, although you’re right auth seems not trivial
- the auth-debug command also confuses me, public-key ? keyhandle? seem also not totally clear for me where to get them, the keyhandle is usually provided by the token to be saved on the server
- server side keys or discoverable should mostly behave identical so I’d assume you don’t have to care for it now
- using pkcs11-tool --test --login seems not correct to me. This is solely for the smartcard functionality of the nitrokey 3 and has no connection to the fido2 component on the nitrokey 3.
My impression overall is that freeipa registration seems to be ok, just the client side doesn’t seem to work (especially if you report different behaviors for different distros) so the challenging part is most likely to properly configure freeipa and possibly ldap on the client machines.
You refer to “guides online”, do they set up a yubikey with fido2 and you tried the same approach with the Nitrokey 3? It might make sense to rely on those initially… feel free to link them
Hi, thank you for looking into this.
1. I suppose you’re right. FreeIPA uses SSSD as the desktop authentication backend so we likely don’t need pam_u2f.
2. and 3. I guess I should take another look at the data as it is saved server-side and maybe that will help with the debug command.
4. great thanks
5. Good. I still don’t remember what prompted me to use that command but I’ll just not worry about it anymore.
The difference in behavior seems to be between the login screens of Gnome and KDE (Plasma) although that is probably something I should talk to the KDE devs about.
The specific guide I referred to was this one here but I was unsure if it was okay to directly link it.
Basically just a video showcasing that the process of setting this up is trivial. After registration it should be plug and play. In this video, they use Fedora 39, GDM, FreeIPA 4.11.1, SSSD 2.9.4 and a Yubikey.
I tried with both Rocky Linux and NixOS. I am considering setting up a F39 instance just to make sure but don’t think this will get us anywhere.
The current version of FreeIPA on Rocky is 4.12.2 and sssd is 2.9.5 => more recent than the version from the video. Both the client and the server are up to date.
Now the only thing that comes to mind is that the NK3 docs suggest that FIDO2 login is a Windows-Only feature while U2F is available for Linux desktops. Meanwhile SSSD, to my understanding, only supports FIDO2 via the libfido2 library.
Hence my question about a possible firmware update.
Best,
Pueblo
hey hey,
generally I’d say that most of the docs.nitrokey.com articles do not really apply, mainly because none of these take freeipa or sssd into account. But generally the Nitrokey 3 and its FIDO2 application is supported by the libfido2 library - as this is also the way you interact with the Nitrokey 3 if you use NitrokeyApp2 or pynitrokey/nitropy.
Don’t want to be too negative, but the video tutorial is sadly not really helpful, it does not explain any setup, required configuration or even packages to install. It’s a working environment where he’s adding just one additional user
but nevertheless freeipa seems to be very interesting and it would be really interesting to see if we can come up with a more complete guide on how to set this up.
My understanding so far w/o really setting all of this up: FreeIPA is serving as the backend here, I suppose there is not much to setup incorrectly here. My guess is that the clients are the tricky ones, especially the fact that this works on a “heavy” distribution like Fedora tells me that there is some non-trivial setup required so that all relevant components can interact properly. Namely those are likely: sssd, pam?, login manager… I’d bet that these configurations are more or less available directly after the fedora installation and will for sure not be available out-of-the-box in distros like nixos or rocky. So my suggestion based on the video and our previous interactions would be that this should just work with a Nitrokey 3 if done on a Fedora system and to make it work for something like nixos you’d likely need to first understand how client and server components interact, configure the client correctly, use a login manager that supports all that and you should also reach the goal.
Admittedly this is all very vague - I’ll see if I find someone or some time by myself to dig deeper into this…
Great.
I would expect Rocky to work out of the box since FreeIPA is the community version of RedHat’s IDM and Rocky is one of the community counterparts to RHEL. I’ll see if I can get it to work with Fedora and report back.
Maybe I can contribute to the guide in some way.
Edit: I 100% agree that the video is not particularly helpful as a guide though I mainly went through it as a way to confirm if I skipped any additional configuration steps. Generally everything that’s necessary should be packaged with the IPA metapackage. As for NixOS, I already filed a report on git about some missing dependencies so that’s on ice in any case.
Edit 2: There is a note in the FreeIPA docs about documentation efforts being mainly directed towards the RedHat IDM docs. This should be the relevant section about enabling passkey auth.
Edit 3: On Fedora (42) it’s partially working.
Within the permutations I tried, I had the following results:
- Fedora Client + Fedora Server => Login Works, Kerberos doesn’t
- Fedora Client + Rocky Server => Login Works, Kerberos works
- Rocky Client + Rocky Server => Login doesn’t work
One difference between the Rocky and Fedora Server is that the Fedora server was fresh, i.e. no configuration changes.
Initially, login didn’t work with the Fedora Client to the Rocky Server. This changed when I changed the global configuration to require user verification.
I’ll need to look further into this but my time for today is pretty much up.