- Hey folks, I'm Nate. I'm a Technical Marketing Manager at Red Hat. I work with Red Hat Enterprise Linux and I'm here to talk to you about... Hold on, lemme get logged in.

(cheerful music)

All right, that's better. Oh wait, you wanna know how I just did that? I guess we can talk about that. So what is that? What did I just do? I logged into a RHEL machine using an account that's managed by Red Hat Identity Manager, Red Hat IdM, using a passkey, a YubiKey in this case, although any FIDO2 compliant key should work. Notice I didn't use a password, all I used was a PIN to unlock the YubiKey with. So this means that my account is that much more secure because I now have a physical token that grants me access to my machine. Now this is a brand new feature so there's still some rough edges, but this is coming with RHEL 9.4.

So how does this make me more secure? It makes me more secure because a key is a lot harder to steal than a password. A password, we've seen time and time again, all it really takes is a convincing enough phish. It's happened to me, I've been tricked by websites. Some of you, I'm sure, or you know someone that has, it's really common.

So first I'm gonna walk you through how I added an IdM user that supports passkey, and that's gonna be a combination of both the IdM user interface and some command line. Though there are ways to do all of these things both from the command line or the UI. I do kind of a mixture of both 'cause I think they work well. So we're going to show you that route and then I'm going to show you the login and how you register a key and things like that.

(bright music)

All right, so here we are at the IdM screen, I've already logged in. This is if you go to your IdM deployment, go to the web admin console, you find a login... Or a page very similar to what you're seeing here on the screen. You see I've got a couple users here already. I'm gonna show you the Bob user that I did my login at the beginning of this video with. Obviously, my name is not Bob but whatever, it's a demo. So here we go, you can see Bob is here. Bob doesn't even have a password set, right? I did not create a password for Bob when I created this account, and I'm going to show you how to create a user in a minute, but you can see here that Passkey has this public key mapping for the YubiKey that I use to log in. Now, if you can get the public key mapping, the public key from your YubiKey, without using the command line tool that I'm going to show you in a minute, then you can just throw that in here. You can click on this Add button here and you can add a key based on its public key. Now you can get that outta the YubiKey, I'm just not going to show you that in this particular demo. So you could theoretically do the entire creation right through the web UI.

Now obviously, there's other ways to log in here. We're going to ignore those for now, but here, user authentication types. You can see we have a number of different ways you could log in with this user and I only have Passkey checked. Now you could set up more than one here, but for the sake of simplicity and the sake of this demo, we're going to use just passkey because I want my users to be as secure as possible. I don't want any chance they're gonna accidentally give away their password or something.

Okay, so that's the user that already exists. Now I'm gonna show you how to make one, right? So it's really easy honestly within this web UI. And again, you can do this on the command line using the ipa user-add command, and then there's another command to enable the passkey. But I'm going to show you those at the console once I've already created the user. So here we go, we're going to click the Add button up here. This is dirt simple, right? We're going to put in a login name. We're going to go with a real creative login of user02 'cause I've already got user01, and we're gonna make that user's first name "user" and their last name "02", 'cause we gotta be accurate, right? We're not going to touch private group, GUID class, all those things. We're not going to give it a password, I'm going to click the Add button.

Now at this point, if you wanted to, you could give this user access privileges through things like sudo by giving them access using, let's see, it's Policy up here at the top. You can see I've got sudo rules set up already, right? And I've also got some user groups set up. So what we are going to do, I think, a sudo users group. We're going to add user02 to the sudo users group just as an additional demo here. Let's see, User Groups, we're going to Add... Or we're going to say sudo-users. And this is a really simplistic sudo rule, it basically gives him all access via sudo. You can get more fine-grained than that. It works very similar to sudo rules as you'd expect. But again, not the point of this demo. Okay, so we've given him an account, we've given him a group, he should already have access to our systems because we have a policy in place that says that all systems are accessible to all users. Again, that's a thing that you can limit with IdM, not the point of this demo.

Okay, so now that we have that, I'm going to take you over to my laptop over here where I have an actual system that is registered to my identity domain. I have to log in as an admin and bind a key. All right, so we're going to attach a key to a user now. So I'm logged in to a RHEL workstation here. It's actually a VM on my laptop, but I've got my YubiKey already attached right here, all right? Can't pull that out 'cause it'll break things 'cause of the VM pass-through. So I'm already at a shell. Lemme make it a little bigger for you so you can see better. Now, so I'm already at a shell, ignore the environment, right? This is an IdM user that I've logged in with, with a password, and so this might be, you know, an admin user but really this... I logged in with a standard user but I need to kinit, that is, initiate a Kerberos session as an IdM admin, right? So for that I'm just gonna do kinit admin and it's going to assume what realm I'm authenticating to, and ask me for the password. Okay, now if I did a klist, it shows me I have a Kerberos session open.

All right, so what we're gonna do now is we're going to modify the user that we just created, user02. Okay, so we just issue some IPA user modification commands. First of all, we need to tell IdM that this user's going to use a passkey. So it's ipa user-mod (Nate typing) and then user02 was the name of the user that we added, and we need to add user-auth-type=passkey. Now if you remember, this is that series of check boxes that we saw in the user that I showed you earlier. So this will tell it... This is basically if we were to check the box that says use a passkey, this is what that's doing. Okay, and then it's going to do a thing, and there you go. It's going to show us what user it modified, its UID, GID, things like that.

Now we have to actually register the passkey to the user. So let's go ipa user-add-passkey and then we do user02 and then --register, okay? And what this will do is it basically tells IdM, we're going to add a passkey to the user, user02, and we're gonna register a new one, okay? Now, at this point the IPA user command is querying my laptop to say, do you have a YubiKey connected? Oh you do, what's the PIN for the YubiKey? I'm going to put in my PIN, then I'm going to hit Enter, and then it just asks me to touch the device. And if you can see that, it's blinking, that's how you know when to hit the thing. So here we go, bink, and there you go. It's going to map in this YubiKey for user02 with this identifier. All right, and that should be it.

If I log out here... Yep, log out and then we're going to log in with a new user that's not listed, and it's user02@idm0.lab, and see it's... So you can see in the password box here it says, insert your passkey device. Now, obviously there's more to that you can't read, but it's basically saying then press Enter. We press Enter and now it says enter your PIN, so we're gonna put in the PIN, Enter, and then it doesn't ask us anything, it just starts flashing. You hit the button and we should get a desktop session. Now you might remember... So brand new user, so it's asking me to take the tour, no thanks. You might remember we gave that user sudo rights. So if I do a sudo ls -l /, pretty simple test. Or how about let's just do sudo -l, which will tell it to list the sudo rights that we have. "Insert your passkey device and then press Enter." Huh, didn't even ask me for a password, that's kinda cool. Enter your PIN.
(Nate typing) And then it starts to flash, we hit the button, and there it goes. It tells us all the things that we can do, which is all. You can see, I can do whatever I want here. Now this should respect the same sudo mechanisms that you would expect. It all goes through SSSD, which, if you're not familiar with SSSD, that's a backend for the authentication mechanisms in PAM that tell it to talk to IdM, which is telling it to use the passkey. So anything that successfully uses SSSD should be able to use this passkey to do things, right? So let's do sudo, I don't know, vim /etc/password. There we go, notice it didn't ask me again. That's because sudo's internal mechanisms have already recognized that I have sudo rights and it's cached that, right? So it didn't need to ask me again. If I wait long enough for whatever the sudo timeout is on this machine, it'll ask me for the passkey again. So good to go.

Okay, one more thing we could try. What about SSH from one machine to another? Well guess what, that'll also use the passkey. So let's clear the screen first. I'm just gonna SSH to the directory server for this particular identity domain as the user I just created, user02@, what is it, dir0.idm0.lab, and it got me right in because I've already got a credential with Kerberos, so it passed the Kerberos token over to the SSH session. Now, I don't have a home directory there so it just put me in slash, that's sort of one of the downsides of remote users. You can fix that, again, not for this video.

(uplifting music)

So what do you think? Is that not the coolest thing since sliced bread?

(drum roll music)

Am I dating myself with that weird reference? I think I am. It's the bee's knees, what's up... Anyway...
(Nate laughs)

So you might be saying an identity domain sounds like a lot of work to set up and configure. Well, there's good news for that too. There is an Ansible role that's included with RHEL that makes setup for IdM really simple, and I'll include a link in the description of this video for links to the RHEL docs on how you use that Ansible role. I use it to set up this lab, it's... I can deploy an IdM lab, obviously a very simple configuration with a single IdM server and single client, within a matter of like half an hour. Because, you know, I've done it a few times and the Ansible role really makes it that simple. But you can get really complicated with this role too. You can set up replicas, you can register all your clients, you can even set up Active Directory trusts with the dang thing, that's pretty cool.

So if you want to know more about Identity Manager, if you wanna know more about RHEL and passkey, you're going to want to check out the RHEL documentation on the subject. I'll include links to those in the description of the video as well. Now you might also think, well, Identity Manager sounds like it's probably expensive. Well, guess what? I've got good news there too, it's included with your RHEL subscription. If you've got RHEL, you've got Identity Manager, and Identity Manager is great for more than just registering passkeys to users. It's great for centralized identity for Linux in general, right? So whether you're running RHEL or Fedora, or some other Linux distribution, you can register it through the Identity Manager system and centrally manage your users, which is great. You can apply policy, you can apply password policy, you can apply, as I showed you, you can apply sudo rules and host access, right? You can limit who has access to what hosts. It's a really nice tool, you should really look into it. If you've already got a RHEL sub, you've already got it. I ran this thing in production for the deployment at my old employer and it's actually really slick. It makes user management so much easier. Why set up accounts on a thousand servers when you can set them up centrally, and then when someone leaves or changes roles, you can just change it in the identity domain. It's just so much nicer.

All right, so thank you for watching the video. If you liked it, please make sure to like, subscribe to the channel. If you want to see more content like this, check out our live streams. You can find me on Into the Terminal every Friday. And you can find my counterpart Eric doing RHEL Presents every other week on Wednesdays, where he talks about new features coming to RHEL, interviews with engineers, and all kinds of great stuff. A little more hands-on stuff is Into the Terminal, so check that out as well. And again, thanks for watching, we'll catch you next time.

(inspiring music)