Passkey_child executable missing(?)

elastic626 · April 6, 2025, 1:24pm

Hi,

I’m currently trying to setup FIDO2 login for NixOS machines in my FreeIPA homelab domain.

To do so, I need to use the ipa user-add-passkey --register command, which in turn uses sssd. Since I’m fairly new to NixOS, I didn’t want to raise an issue on GitHub before confirming if this is actually a missing dependency/incompatibility through a hardcoded path or if I made a rookie mistake.

The error message I’m getting whenever I execute the command is the following:

[root@nixos:~]# ipa user-add-passkey --register --require-user-verification false --cose-type eddsa --cred-type discoverable
Anmeldename: admin
ipa: ERROR: invalid 'register': Missing executable /usr/libexec/sssd/passkey_child, use the command with LOGIN PASSKEY instead of LOGIN --register

I’m also having a hard time figuring out what to make of the error message as the suggested alternatives are both not part of the original command.

I already tried locating the passkey_child executable using find but didn’t have any luck:

[root@nixos:~]# find / -name passkey_child
find: ‘/mnt/shared’: Permission denied
find: ‘/mnt/home’: Permission denied
find: ‘/run/user/1000/doc’: Permission denied

For good measure, I tried executing the same command on the ipa server and besides it failing due to the missing USB key (I was in through SSH), it seemd to work fine.

If anyone could help me figure out how I can get this to run on NixOS, you’d make my day.

Thanks in advance.

Best,
Elastic

arianvp · April 7, 2025, 11:01am

I expect this will require patching the ipa package so that it stops looking at /usr/libexec/sssd/passkey_child but instead in ${sssd}/lib/passkey_child

It might also be the case we need to change the sssd package to add the passkey support.

Might be worth opening an issue in GitHub - NixOS/nixpkgs: Nix Packages collection & NixOS as this seems like a packaging bug.

elastic626 · April 9, 2025, 5:34pm

I’ll mention the issue I created here so navigation is a little easier.

github.com/NixOS/nixpkgs

freeipa: passkey support missing

opened 11:58AM - 09 Apr 25 UTC

Gabgobie

0.kind: bug

### Nixpkgs version - Stable (24.11) ### Describe the bug With version 4.11, …the FreeIPA team has [added support for passkeys](https://www.freeipa.org/release-notes/4-11-0.html). I installed FreeIPA on my NixOS PC and enrolled it to the domain. It is possible to login using username and password, however, the necessary dependencies for logging in using a passkey seem to be missing. Before coming here I assured myself if this is actually an issue with the package or if I made a mistake on the discourse forum: https://discourse.nixos.org/t/passkey-child-executable-missing/62740 The package in question: [pkgs/os-specific/linux/freeipa/default.nix](https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/os-specific/linux/freeipa/default.nix) ### Steps to reproduce 1. Have a working FreeIPA domain 2. Install FreeIPA on your NixOS machine and enroll it to the domain 3. Try to create a new passkey (will fail due to missing dependency) - `ipa user-add-passkey --register` 4. Since step 3 failed, create the passkey from another machine 5. When trying to use the passkey during the login screen, NixOS will not make use of the passkey and entirely ignore its presence. You still need to login using your username and password. ### Expected behaviour The ipa command for adding a passkey should run successfully and it should be possible to use the passkey later on to login. ### Screenshots _No response_ ### Relevant log output ```console ``` ### Additional context From what I understand, the IPA command is a wrapper around SSSD, which is doing the heavy lifting around the passkey. The issue may be that SSSD is compiled or packaged without passkey support. FreeIPA troubleshooting section: https://freeipa.readthedocs.io/en/latest/designs/passkeys.html#troubleshooting-and-debugging ### System metadata - system: `"x86_64-linux"` - host os: `Linux 6.6.85, NixOS, 24.11 (Vicuna), 24.11.716687.bdb91860de2f` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.24.13` - channels(root): `"nixos-24.11"` - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos` ### Notify maintainers @s1341 @benley --- **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.) ### I assert that this issue is relevant for Nixpkgs - [x] I assert that this is a bug and not a support request. - [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+-label%3A%226.topic%3A+darwin%22+-label%3A%226.topic%3A+nixos%22). - [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it. ### Is this issue important to you? Add a :+1: [reaction] to [issues you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc