cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Ability to add webauthn/passkey authentication for the web interface #20389

Open ThatOneCalculator opened 6 months ago

ThatOneCalculator commented 6 months ago

Since right now all it takes to get in through the web interface is a username & password, being able to enforce the use of something like a Yubikey (like I do with my ssh keys) would be great.

jelly commented 6 months ago

We use PAM for authentication, so if you configure TOTP with a YubiKey you should be able to get 2FA in Cockpit. This is a duplicate of https://github.com/cockpit-project/cockpit/issues/15860

ThatOneCalculator commented 6 months ago

2FA/TOTP with a YubiKey isn't the same as using WebAuthn with a YubiKey.

jelly commented 6 months ago

Overlooked that, but regardless, implementing passkey/WebAuthn is a lot of work; afaik there are no off-the-shelf solutions for this.

ThatOneCalculator commented 6 months ago

Modern browsers provide a built-in API: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

ThatOneCalculator commented 6 months ago

As for the backend, WebAuthn data is commonly sent as a JSON Web Token (JWT), and most modern backend web frameworks have a single-line solution to verify JWTs. https://jwt.io/libraries
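
For reference on the backend side discussed in this thread, an added example (not written by any thread participant and not Cockpit code) of the checks a WebAuthn relying party runs on an assertion's `clientDataJSON` and `authenticatorData`. The RP ID, origin, challenge and sample assertion are constructed values, and signature verification against the stored credential public key is left out.

```python
import base64, hashlib, json, struct

# Constructed relying-party values (assumptions, not Cockpit configuration).
RP_ID = "cockpit.example.test"
ORIGIN = "https://cockpit.example.test:9090"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge,
                    stored_sign_count, require_uv=True):
    """Return the new signature counter, or raise ValueError.

    Omitted step: verify the signature over
    authenticator_data + SHA-256(client_data_json) with the stored public key.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (replayed or stale assertion)")
    if client.get("origin") != ORIGIN:
        raise ValueError("unexpected origin (assertion made on another site)")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (uint32, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not flags & 0x04:
        raise ValueError("user verification (UV) flag not set")
    # A counter of 0 on both sides means the authenticator keeps no counter.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase (possible cloned key)")
    return sign_count

def make_sample(challenge, origin=ORIGIN, flags=0x05, count=8):
    """Build a constructed assertion (no real authenticator involved)."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + struct.pack(">BI", flags, count)
    return client, auth

if __name__ == "__main__":
    chal = bytes(range(32))
    print(check_assertion(*make_sample(chal), chal, stored_sign_count=7))
```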

JanZerebecki commented 2 months ago

Duplicate of https://github.com/cockpit-project/cockpit/issues/18566