Skip to content

Passkey local fix and improvements #8185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Passkey local fix and improvements #8185

wants to merge 5 commits into from
+53 −631

Conversation

@justin-stephenson
Copy link
Contributor

@justin-stephenson justin-stephenson commented Nov 12, 2025
edited
Loading

This fixes local passkey auth (LDAP/AD) on the command-line when no PIN is set, it also addresses some improvements and small fixes that were found during recent passkey testing

gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 12, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces several fixes and improvements for passkey authentication. The most significant change is the removal of server-side configuration for passkey user verification, simplifying the logic to rely solely on client-side settings. This is a major refactoring that removes a considerable amount of code. Additionally, the pull request includes several important bug fixes, such as preventing a potential hang in the PAM responder, fixing a buffer over-read in authtok handling, and avoiding unnecessary PIN prompts. The changes are well-reasoned and improve the robustness of the passkey authentication feature. I have not found any high or critical severity issues in this pull request.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Nov 12, 2025

Please remove (cherry picked from commit f5c7b35) reference from the commit message of a first patch.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Nov 12, 2025

A set of 'backport-to' labels is questionable, imo.

@justin-stephenson justin-stephenson force-pushed the passkey_misc_improvements branch from c838a72 to 028f657 Compare November 12, 2025 19:58
@justin-stephenson
Copy link
Contributor Author

justin-stephenson commented Nov 12, 2025

Please remove (cherry picked from commit f5c7b35) reference from the commit message of a first patch.

Done.

@ikerexxe ikerexxe self-requested a review November 13, 2025 08:15
@ikerexxe ikerexxe self-assigned this Nov 13, 2025
ikerexxe
ikerexxe reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have one question/concern with commit passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION. In the passkey kerberos case, the user-verification is still used but instead of reading it from the IPA server we now read it from ipa-otpd. Is my understanding correct?

@justin-stephenson
Copy link
Contributor Author

justin-stephenson commented Nov 19, 2025

I have one question/concern with commit passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION. In the passkey kerberos case, the user-verification is still used but instead of reading it from the IPA server we now read it from ipa-otpd. Is my understanding correct?

That's correct. It is sent to the SSSD krb5 passkey plugin from ipa-otpd https://github.com/freeipa/freeipa/blob/master/daemons/ipa-otpd/passkey.c#L43

@alexey-tikhonov alexey-tikhonov mentioned this pull request Nov 19, 2025
Open
@ikerexxe ikerexxe requested a review from thalman November 20, 2025 13:41
thalman
thalman requested changes Nov 24, 2025
View reviewed changes
ikerexxe and others added 5 commits November 25, 2025 15:38
@ikerexxe @justin-stephenson
Responder: fix passkey auth when user-verification is off
8624b68 
When authenticating with a passkey, different PAM code paths within SSSD
can result in the `authtok` containing data even when the user did not
enter a PIN. Depending on the flow (e.g., triggered by `gdm` vs. `su`),
this data might be an empty string or non-printable characters like `^L`
(form feed).

The previous code had two issues:
1.  It only checked if the `authtok` was non-empty
    (`sss_authtok_get_type(...) != SSS_AUTHTOK_TYPE_EMPTY`). If user
    verification was disabled, this check would incorrectly pass for
    these 'junk' `authtok` values. This caused SSSD to prepare and send
    an erroneous PIN to the passkey helper.

2.  In the case where the `authtok` *was* correctly empty, the check
    would fail, `write_buf_len` would remain 0, and the `if
    (write_buf_len != 0)` block containing the `write_pipe_send` call
    would be skipped. This stalled the authentication flow, as the
    callback to continue the process was never set.

This patch fixes both issues:
1.  The `user_verification` setting is now stored in the state struct.
    The logic is updated to only prepare the PIN buffer if the `authtok`
    is non-empty *and* user verification is required
    (`state->user_verification != PAM_PASSKEY_VERIFICATION_OFF`).

2.  The `write_pipe_send` call is moved outside the conditional block so
    it always runs. This ensures that the asynchronous child
    communication (via `passkey_child_write_done`) is always triggered,
    even if the write buffer is empty (0-length).

This resolves both failure modes: junk PINs are no longer sent when
verification is off, and the auth flow no longer stalls when no PIN is
present.

Signed-off-by: Iker Pedrosa <[email protected]>
@justin-stephenson
pam: Remove PAM_PASSKEY_VERIFICATION_OMIT mode
8448658 
Remove support of ambiguous "unset" state of passkey user verification.
pam_sss prompting is binary, either on or off. The use of 'unset' passkey
user verification state allows for ambiguous behavior in SSSD. For
example, passkey_child may perform undefined behavior when '--user-verification'
argument is not set, now SSSD will always send '--user-verification=false/true'
to passkey_child.
@justin-stephenson
pam: Skip passkey_local() in Kerberos auth flow
1a36cf6 
Local auth functions should only be reached in AD/LDAP auth flows.
@justin-stephenson
passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION
c804df6 
Remove SYSDB_PASSKEY_USER_VERIFICATION and related functions. In
phase 1 of passkey implementation we read passkey user verification
from IPA LDAP tree, however now user verification is sent to the
SSSD krb5 plugin from ipa-otpd.
@justin-stephenson
authtok: Set Kerberos passkey PIN to NULL when UV is false
c06768a
@justin-stephenson justin-stephenson force-pushed the passkey_misc_improvements branch from 028f657 to c06768a Compare November 25, 2025 20:38
@ikerexxe
Copy link
Contributor

ikerexxe commented Nov 27, 2025
edited
Loading

LGTM, but I will refrain from approving until #8212 is merged. They both share one commit that I'd like to be merged in #8212 and not from this PR

thalman
thalman approved these changes Dec 4, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ikerexxe ikerexxe ikerexxe left review comments

@thalman thalman thalman approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@thalman thalman

@ikerexxe ikerexxe

Labels

backport-to-sssd-2-9 Changes requested Waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@justin-stephenson @alexey-tikhonov @ikerexxe @thalman