| Field | Value | Date |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2021-05-28 18:18:54 +0200 |
| committer | Lennart Poettering <lennart@poettering.net> | 2021-06-01 13:31:53 +0200 |
| commit | 17e7561a973495992014dd102135f15eb808ae01 (patch) | |
| tree | 2ee7ecb59582619e814b9662171f75374521d7ea /man/homectl.xml | |
| parent | 7dba77a67ed334d9336b89371b0601661609d277 (diff) | |
| download | systemd-17e7561a973495992014dd102135f15eb808ae01.tar.gz | |
homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store
the uv/up/clientPin configuration at enrollment in the user record JSON
data, and use it when authenticating with it.
This also adds explicit "uv" support: we'll only allow it to happen when
the client explicitly said it's OK. This is then used by clients to print
a nice message suggesting "uv" has to take place before retrying
allowing it this time. This is modelled after the existing handling for
"up".
Diffstat (limited to 'man/homectl.xml')
-rw-r--r-- | man/homectl.xml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/man/homectl.xml b/man/homectl.xml index f2858166f7..4b0b120ca8 100644 --- a/man/homectl.xml +++ b/man/homectl.xml @@ -379,6 +379,35 @@ </varlistentry> <varlistentry> + <term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to enter + a PIN when unlocking the account (the FIDO2 <literal>clientPin</literal> feature). Defaults to + <literal>yes</literal>. (Note: this setting is without effect if the security token does not support + the <literal>clientPin</literal> feature at all, or does not allow enabling or disabling + it.)</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--fido2-with-user-presence=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to + verify presence (tap the token, the FIDO2 <literal>up</literal> feature) when unlocking the account. + Defaults to <literal>yes</literal>. (Note: this setting is without effect if the security token does not support + the <literal>up</literal> feature at all, or does not allow enabling or disabling it.) + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--fido2-with-user-verification=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>When enrolling a FIDO2 security token, controls whether to require user verification + when unlocking the account (the FIDO2 <literal>uv</literal> feature). Defaults to + <literal>no</literal>. (Note: this setting is without effect if the security token does not support + the <literal>uv</literal> feature at all, or does not allow enabling or disabling it.)</para></listitem> + </varlistentry> + + <varlistentry> <term><option>--recovery-key=</option><replaceable>BOOL</replaceable></term> <listitem><para>Accepts a boolean argument. If enabled a recovery key is configured for the |
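Review bot: the three new `<varlistentry>` blocks describe the enrollment-time options but never say that the chosen up/uv/clientPin values are recorded in the user record and applied again at every unlock, which is the behaviour the commit message describes and the reason an administrator enrolling a token needs to think about the defaults; one sentence to that effect (in each entry, or once in the first) would make the consequences of `--fido2-with-user-verification=no` or `--fido2-with-client-pin=no` clear at enrollment time. Two smaller points: the `--fido2-with-user-presence=` entry is formatted unlike its two siblings, since its line "Defaults to <literal>yes</literal>. (Note: this setting is without effect if the security token does not support" runs well past the width used elsewhere and its closing `</para></listitem>` sits on a line of its own, so rewrapping it to match the clientPin and uv entries would keep the three consistent; and the neighbouring `--recovery-key=` entry opens with "Accepts a boolean argument.", whereas the new entries use `<replaceable>BOOL</replaceable>` in the term but never state it in the text, so adding the same opening sentence would follow the page's existing convention.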