Alexander Bokovoy

Passwordless authentication is making a lot noise. Use of FIDO2/WebAuthn tokens and other passwordless means to login to web services is all the rage but there isn't that much available to make the technology usable without troubles for 'traditional' Linux systems, locally and remotely.

For past several years FreeIPA and SSSD teams have been working on enabling end to end passwordless access in centralized and local environment, be it corporate or home deployment. This talk will go into details of our progress in passwordless access implementation for Linux systems.

In 2022 FreeIPA project introduced ability to authenticate users against OAuth2 identity providers (IdPs). This functionality allows to obtain Kerberos credentials after authentication and authorization has been done by the external IdP. As many OAuth2 IdPs allow passwordless authentication with WebAuthn tokens, a true passwordless transition across Linux systems is now available, from login to console, raising privileges within PAM services (e.g. sudo access), to accessing remote systems over SSH. We hope to expand this support with native FIDO2/WebAuthn integration as well.

The work is not complete yet and needs a lot of collaboration across multiple open source projects. Come to this talk to see a demo and discuss how we can improve our passwordless experience together.

Passwordless and multi-factor authentication (MFA) are becoming a trend and their usage will increase in the near future. However, most of the solutions target the web/online pattern, or the local users, thus leaving centralized identity management for console and POSIX system applications lacking those capabilities.

For the last year FreeIPA and SSSD have been working on enabling FIDO2/WebAuthn support for remotely managed users. One part of it is enabling a user stored in a LDAP server to locally authenticate in a system using a FIDO2 key. Another part is to use FIDO2 authentication to obtain a Kerberos ticket. This opens a new world to organizations to tighten their security, while maintaining strict control as to who access their systems.

This talk will focus on the progress in FIDO2/WebAuthn authentication in SSSD by providing the implementation state, the solution details and a demo. Additional information on the possible expansion of the solution will also be provided.

The talk is going to reflect on the effort Fedora development community has done to allow complex solutions like FreeIPA to be tested continuously and to ensure a working solution at any release time. FreeIPA is one of projects that would benefit from a tighter collaboration between distributions and we would also like to discuss how its cross-distribution support could be improved to provide a more consistent behavior to our users across multiple distributions.

FreeIPA is an identity management solution for POSIX environments. It is often characterized as an 'Active Directory for Linux systems' which, while not exactly right description, helps to visualize a level of complexity FreeIPA has to deal with. FreeIPA as a solution is built on a number of existing and proven technologies implemented as a free and open source software. As result, a FreeIPA deployment has to deal with coordination between a lot of packages. In Fedora, for example, a fully-functioning FreeIPA deployment requires to install several hundred binary packages, including but not limited to SSSD, MIT Kerberos, 389-ds LDAP server, Samba, Apache, OpenSSH, database libraries, Java components for Dogtag Certificate Authority server, and many Python libraries.

It is not a surprise that coordinating these components often leads to complications in an operating system distribution release management. Packages need to be at right versions at right time with knowledge about that not always shared across multiple groups of developers and maintainers. Regressions need to be tracked and fixed. Security updates and cross-platform protocol compatibility issues are adding their own flavor.

Enterprise environment means a lot of integration to work together. Single sign-on, VPNs, access controls, boring user experience, multiple third-party applications which may not be playing well with each other. FreeIPA is a project providing an integrated and secure setup of complete free software stack that makes up a typical enterprise environment.

As remote work spreads wider, 'an enterprise' becomes a home environment as well: more applications are moved to cloud hosting, both on premises and at third parties' clouds, and more people have to balance their home and work identities and data at the same time. This talk will explain our work together with GNOME community to produce a desktop environment friendly to enterprise and how it makes our home environments more secure without compromising on usability.