
Commit 5147c95

ikerexxejustin-stephenson
authored andcommitted
man: add sssd-passkey.5
Include a new man page for passkey to explain the behaviour of `user_verification` option in the different scenarios. It is a complex option, so it has been decided to add a table to simplify its understanding. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
1 parent e98a777 commit 5147c95


5 files changed

+145
-7
lines changed


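--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -703,6 +703,9 @@ do
 sss-certmap*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
 ;;
+sssd-passkey*)
+echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_passkey.lang
+;;
 *)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
 ;;
@@ -1034,6 +1037,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_udevrulesdir}/90-sssd-token-access.rules
 %endif
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%{_mandir}/man5/sssd-passkey.5*
 %endif
 
 %if %{use_sssd_user}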
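Review bot: The new `sssd-passkey*)` branch appends translated man page entries to `sssd_passkey.lang`, but nothing visible in this section consumes that list. The second hunk only adds `%{_mandir}/man5/sssd-passkey.5*` to what is presumably the passkey subpackage's file list, whose `%files` header lies outside the hunk. If that header does not already carry `-f sssd_passkey.lang`, the translated pages would be installed but left unpackaged. It is also worth confirming that `sssd_passkey` is among the `.lang` files created before this loop, so that `-f` does not fail when no translation exists. Both the loop and the `%files` block start and end outside the hunks.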

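--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -120,6 +120,10 @@ if BUILD_ID_PROVIDER_IDP
 man_MANS += sssd-idp.5
 endif
 
+if BUILD_PASSKEY
+man_MANS += sssd-passkey.5
+endif
+
 $(builddir)/src/man/sssd_user_name.include:
 @mkdir -p $(builddir)/src/man
 @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include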

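--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -29,6 +29,7 @@
 [type:docbook] sssd-systemtap.5.xml $lang:$(builddir)/$lang/sssd-systemtap.5.xml
 [type:docbook] sssd-ldap-attributes.5.xml $lang:$(builddir)/$lang/sssd-ldap-attributes.5.xml
 [type:docbook] sssd_krb5_localauth_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_localauth_plugin.8.xml
+[type:docbook] sssd-passkey.5.xml $lang:$(builddir)/$lang/sssd-passkey.5.xml
 [type:docbook] include/autofs_attributes.xml $lang:$(builddir)/$lang/include/autofs_attributes.xml opt:"-k 0"
 [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
 [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"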

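--- a/src/man/sssd-passkey.5.xml
+++ b/src/man/sssd-passkey.5.xml
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+<refmeta>
+<refentrytitle>sssd-passkey</refentrytitle>
+<manvolnum>5</manvolnum>
+<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+</refmeta>
+
+<refnamediv id='name'>
+<refname>sssd-passkey</refname>
+<refpurpose>SSSD passkey options</refpurpose>
+</refnamediv>
+
+<refsect1 id='description'>
+<title>DESCRIPTION</title>
+<para>
+This manual page describes the specifics for configuration of
+passkey for
+<citerefentry>
+<refentrytitle>sssd</refentrytitle>
+<manvolnum>8</manvolnum>
+</citerefentry>.
+Refer to the <quote>FILE FORMAT</quote> section of the
+<citerefentry>
+<refentrytitle>sssd.conf</refentrytitle>
+<manvolnum>5</manvolnum>
+</citerefentry> manual page for detailed syntax information.</para>
+</refsect1>
+
+<refsect1 id='configuration-options'>
+<title>CONFIGURATION OPTIONS</title>
+<para>
+<variablelist>
+<varlistentry>
+<term>user_verification (boolean)</term>
+<listitem>
+<para>
+Enable or disable the requirement for user
+verification (i.e. PIN, fingerprint) on the passkey
+device during authentication.
+</para>
+<para>
+Three different actors come into play when deciding
+whether to request user verification: LDAP server,
+<citerefentry><refentrytitle>sssd.conf
+</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+option and the passkey device itself.
+</para>
+<para>
+If the IPA provider is used and online, Kerberos
+based passkey authentication is available, the
+server-side settings are applied for all passkey
+usages. For other cases the settings in
+<filename>sssd.conf</filename> are used. This
+includes passkey authentication with any other
+provider; and the IPA provider in case online
+authentication is not available and local passkey
+is allowed by the option
+<emphasis>local_auth_policy = enable:passkey</emphasis>.
+</para>
+<para>
+The interaction of the
+<emphasis>user_verification</emphasis> option and
+the passkey device option is explained in the
+following table:
+</para>
+<informaltable frame='all'>
+<tgroup cols='3'>
+<colspec colname='c1' align='center'/>
+<colspec colname='c2' align='center'/>
+<colspec colname='c3' align='center'/>
+
+<thead>
+<row><entry>user_verification</entry><entry>Device</entry>
+<entry>Result</entry></row>
+</thead>
+<tbody>
+<row>
+<entry>True</entry>
+<entry>User verification is configured</entry>
+<entry>User verification is requested</entry>
+</row>
+<row>
+<entry>True</entry>
+<entry>User verification is not configured</entry>
+<entry><para>
+User verification is requested; however, the
+authentication is expected to fail if the device is
+not replaced with a device where user verification
+is configured during the authentication process.
+</para></entry>
+</row>
+<row>
+<entry>False</entry>
+<entry>User verification is configured</entry>
+<entry><para>
+sssd automatically detects it during device query
+and user verification is requested
+</para></entry>
+</row>
+<row>
+<entry>False</entry>
+<entry>User verification is not configured</entry>
+<entry>User verification is not requested</entry>
+</row>
+</tbody></tgroup></informaltable>
+<para>
+If 'enter' is pressed at the PIN prompt for user
+verification without typing any characters, then
+SSSD falls back from passkey to password
+authentication.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>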

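--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -682,15 +682,16 @@
 <listitem>
 <para> Enable or disable the user
 verification (i.e. PIN, fingerprint)
-during authentication. If enabled, the
-PIN will always be requested.
+during authentication.
 </para>
 <para>
-The default is that the key settings
-decide what to do. In the IPA or
-kerberos pre-authentication case,
-this value will be overwritten by the
-server.
+See
+<citerefentry>
+<refentrytitle>sssd-passkey</refentrytitle>
+<manvolnum>5</manvolnum>
+</citerefentry> to
+understand the behaviour of this option
+in the different scenarios.
 </para>
 </listitem>
 </varlistentry>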
