If you've ever used Cockpit you might know of the different authentication methods it currently supports. It can be pretty much anything, such as username and password, Kerberos, public keys, Single Sign-On (SSO), or smart cards. But given the nature of Cockpit being a web-based interface we can only support public key authentication through our Flatpak package called Cockpit Client as browsers themselves are sandboxed and can't access your system keys.

If we don't want to setup SSO or smart cards for a system, we're pretty much left with username and password authentication in the browser using PAM modules. Password authentication is less than ideal, let's see if passkeys can save the day! We'll look over what it takes to support WebAuthn with PAM modules, what limitations there are, and what tools currently exist to help us with this - such as Yubico's pam-u2f, sssd, and FreeIPA.

Cockpit is a web-based graphical interface for server management of a variety of Linux distributions. Our modifications of the system are made using system APIs and commands with our authentication functioning in the same way with the help of PAM modules.

• https://cockpit-project.org/
• https://sssd.io/
• https://www.freeipa.org/page/Main_Page
• https://flathub.org/en/apps/org.cockpit_project.CockpitClient
• https://github.com/Yubico/pam-u2f/

(Slides will be added here as a link when available)