doc: Fetch latest manual

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
James Valleroy 2026-04-06 20:41:21 -04:00
parent 2694cbc367
commit 640463e17e
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
6 changed files with 172 additions and 9 deletions

View File

@ -0,0 +1,117 @@
#language en
##TAG:TRANSLATION-HEADER-START
~- [[FreedomBox/Guide/Passkeys|English]] - [[DebianWiki/EditorGuide#translation|(+)]] -~
##TAG:TRANSLATION-HEADER-END
<<TableOfContents>>
## BEGIN_INCLUDE
== Use Passkeys to Improve Login Security ==
{{{#!wiki tip
Passkeys are strongly recommended over passwords.
}}}
'''Available since''': !FreedomBox 26.6
!FreedomBox allows users to login to their account with passkeys. Passkeys are way to verify user's identity using digital signatures. They are a more secure alternative to passwords. Secret information is kept with the user on their phone, laptop, or a hardware token and unlocked using a PIN, fingerprint, or face ID. No secrets are stored on the server. The server knows only the public information that can be used to verify user's signatures.
=== How do passkeys work? ===
After the user logs into their account, one or more passkeys can be added to the account from the 'Manage Passkeys' page. At the time of adding passkeys, the passkey hardware (or authenticator), will generate a public and private key pair that is tied to the domain and user account. The private key is kept in the hardware and public key is provided to the server. The server stores the public key along with user account. Later when a user is trying to log in to their account, the server sends a long randomly generated string to the authenticator called the challenge. The hardware digitally signs the challenge using the private key and sends it to the server. The server is able to verify that the signature is made by the holder of private key by just using the public key that it has (this is a feature of public/private key pairs). Once verified, the server logs into the user account associated with that public key.
During this process, the browser acts as a trusted intermediary between the passkey hardware and the server. It ensures that the user is verified by providing PIN, fingerprint, face ID, etc. It also ensures that a passkey is only used with the domain it is meant for.
=== Better security ===
Passkeys provide better security than passwords:
* '''Multi-factor authentication''': During registration of a passkey and during login, !FreedomBox requests that the browser verify the user. This means the user will need to unlock the authenticator device by providing a PIN, fingerprint, face ID, etc. This acts as one of the authentication factors: "something you know" or "something your are". Another authentication factor is "something that you have": the hardware that stores your passkey (such as Solokey, Nitrokey, or Yubikey) or a phone. Together, this is similar to using a password along with a second factor authentication. So, passkeys can replace two-factor authentication while being much more convenient and easier to use.
* '''No reuse''': Passkeys are never reused. For each domain a separate passkey is generated and used. Browsers ensure that passkey for a domain is never used with another domain. Unlike reused passwords, when a website or a service is compromised, adversaries can't use that to gain access to your account in different website or service. This also prevents phishing attacks were adversarial websites pretend to be legitimate ones.
* '''No secrets on the server''': The website allowing use of passkeys for login does not store any secret information. It only stores the public key part of the passkey. If this information is obtained by an adversary, they will not be able to login to the website. Only the private key stored on the authenticator device can be used to login to the website (since only a private key can create signatures needed for login process).
* '''No guessing''': The secret part of a passkey is much more impractical to guess compared to a password. There is no risk that someone will be able to guess your password and access your account. There is no risk that you might accidentally set a predictable password.
* '''Convenience''': Users don't need to remember username, email, or a secret to login to a website. They don't need to receive OTP via text or email, use TOTP app, or confirm login using a mobile app. After clicking on the 'Login with passkey' button, they unlock their authenticator using a PIN, fingerprint, or face ID. Then they physically tap on the authenticator (if necessary). The user is then logged in. There are fewer things to remember. Even the PIN for a hardware authenticator is typically easier to remember than a password. This convenience encourages users to use this mechanism, ultimately leading to better security.
=== Hardware Needed for Passkeys ===
{{{#!wiki tip
'''[[https://solokeys.com/|Solokeys]]''' are recommend for passkey storage by the !FreedomBox project.
* The [[https://github.com/solokeys/solo2|firmware]] (the OS for the hardware) is free software.
* The [[https://github.com/solokeys/solo2-hw|hardware]] designs are free too.
* The Solokeys team and the !FreedomBox team collaborate.
}}}
There are many ways to get started with passkeys:
* '''Separate passkey hardware''': The recommended way to store passkeys is on a specific hardware key. In this setup, the private key part of the passkey never leaves the hardware device. They are also typically built such that it is hard for an adversary with physical access the device to extract passkey from it. Another advantage of these devices is that the hardware can be used with all your existing devices such as phones, laptops, and desktops. These devices interact with phones and desktops using USB, Bluetooth, or NFC tap. In case of NFC, the device works with proximity from the phone without additional power. When using a separate hardware, however, you must have a backup way of logging into your account in the event that you loose the hardware device. This could be an additional passkey hardware or a password. See the section on backup below.
* '''Builtin passkey hardware''': When a separate hardware device is not available, specialized hardware, such as a TPM, built into the computer is preferable. This setup will still ensure that passkeys do not leave the hardware. One disadvantage of this approach is that the passkey only works with that device and you will need register each device you use separately.
* '''Password managers''': As a last resort, one could use password managers that support passkeys and work with your browser or OS. Android, iOS, and Windows offer such password managers. Passkeys stored in password managers are typically synchronized to the cloud and a breach of that service/account could result in compromise of all your accounts. However, they work across multiple devices and you typically don't have to worry about loosing a single hardware device.
=== Naming Your Passkey ===
In !FreedomBox, when a passkey is added to your account, it by default named as 'Key 1'. The next one will be named 'Key 2' and so on. However, it is good practice to name them such that you know which device they are stored on. For example, you can name them 'Key on Primary Solokey', 'Key on Android Phone', etc. If a device is lost, you can login to your account and remove that key from the list of passkeys associated with your account.
=== Multiple Domains ===
Each passkey is strictly tied to a domain and never used for another domain. This necessary to ensure that a malicious domain does not impersonate a legitimate domain. Hence, if your !FreedomBox is configured with multiple domains, then the browser and hardware authenticator device will treat them as separate accounts for the purpose of authentication with passkeys. This means you need to register separate passkeys for each of your domains.
For example, assume your !FreedomBox has two domains configured mydomain1.fbx.one and mydomain2.example. Visit mydomain1.fbx.one, log in to your account, and add a passkey. This passkey will be tied to this domain. When you are trying to log in, the passkey will work if you are accessing mydomain1.fbx.one but it won't work when accessing mydomain2.example. To make the second domain work, you need to add a second passkey while accessing your !FreedomBox with the domain name mydomain2.example. Two passkeys are then stored in your hardware token. First one will be tied to mydomain1.fbx.one and will only be used when accessing that domain. Second one will be tied to mydomain2.example and will only be used when accessing that domain.
=== Multiple User Accounts ===
When you use a passkey hardware for multiple user accounts on the same !FreedomBox, separate passkeys will be created for each of the accounts. Each passkey will be assigned the username of the account it is tied to. This information is stored in the passkey as well as the server. During login, the browser will prompt to select the user account you want to log into. If only a single passkey exists for a given domain name, then the selection dialog is not shown and user will login to the account corresponding to the passkey.
=== Backup for Passkey ===
In case the device storing your passkey is lost, you need alternate ways to login to you account:
1. You can register and maintain two passkeys on two separate devices. For example, your primary passkey could be on a Solokey hardware token and the second passkey could be on an Android phone or another Solokey hardware token. If one is lost, you can login with the other. This is the recommended approach.
1. !FreedomBox continues to support passwords even after passkeys are registered. So, if a passkey device is lost, you can login with a password.
1. If you forget your password and if your user account is not the only administrator account on the !FreedomBox, you can ask an administrator to reset your password. After that you can register a new passkey stored on a new device.
=== Supported Platforms ===
Passkeys are based on WebAuthn, a standard published by World Wide Web Consortium. So, !FreedomBox's implementation is expected to work wherever passkeys work. It has been tested as follows:
|| '''OS/Device''' || '''Browser''' || '''Authenticator''' || '''Result''' ||
|| GNU/Linux || Firefox || Solokeys || Pass ||
|| GNU/Linux || Firefox || Yubikey || Pass ||
|| GNU/Linux || Chromium || Solokeys || Pass ||
|| GNU/Linux || GNOME Web || - || Fail (Browser does not support Webauthn) ||
|| Windows || Firefox || Windows Hello || Pass ||
|| Windows || Firefox || Solokeys || Pass ||
|| Windows || Firefox || Android Phone || Pass ||
|| Windows || Chrome || Windows Hello || Pass ||
|| Windows || Chrome || Solokeys || Pass ||
|| Windows || Chrome || Android Phone || Pass ||
|| Windows || Edge || Windows Hello || Pass ||
|| Windows || Edge || Solokeys || Pass ||
|| Windows || Edge || Android Phone || Pass ||
|| Android || Firefox || Google Password Manager || Pass ||
|| Android || Firefox || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
|| Android || Firefox || Solokeys NFC || Fail (Need to understand NFC setup) ||
|| Android || Firefox || Another device || Untested ||
|| Android || Chrome || Google Password Manager || Pass ||
|| Android || Chrome || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
|| Android || Chrome || Solokeys NFC || Fail (Need to understand NFC setup) ||
|| Android || Chrome || Another device || Untested ||
## END_INCLUDE
Back to [[FreedomBox/Features|Features introduction]] or [[FreedomBox/Manual|manual]] pages.
<<Include(FreedomBox/Portal)>>
----
CategoryFreedomBox
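Review bot: the "Better security" section needs a caveat that follows from item 2 of "Backup for Passkey": since !FreedomBox continues to accept the account password after a passkey is registered, the password login path is still exposed to guessing and phishing, so "There is no risk that someone will be able to guess your password" and "This also prevents phishing attacks" hold only for the passkey path. Suggest one sentence under "No guessing" such as "As long as a password remains set on the account, it can still be used to log in, so keep it strong or rely on a second passkey as your backup." Also, "Webauthn" in the GNOME Web row should match the "WebAuthn" spelling used in the "Supported Platforms" paragraph, and there are several typos to fix: "Passkeys are way" should read "Passkeys are a way"; "something your are" should read "something you are"; "phishing attacks were" should read "where"; "are recommend for" should read "are recommended for"; "physical access the device" should read "physical access to the device"; "loose" should read "lose" (twice); "need register" should read "need to register"; "it by default named" should read "it is by default named"; "This necessary" should read "This is necessary"; "login to you account" should read "log in to your account".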

View File

@ -8,6 +8,28 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
The following are the release notes for each !FreedomBox version.
== FreedomBox 26.6 (2026-04-06) ==
=== Highlights ===
* users: Add support for logging in with passkeys
=== Other Changes ===
* d/control: Add fido2 library as dependency
* locale: Update translations for French, German, Hindi, Italian
* service: Capture stdout/stderr when running as systemd unit
* users: Add link to guide on passkeys
* users: Add support for registering, editing, and deleting passkeys
* views: Add a decorator to handle exceptions in JSON views
== FreedomBox 26.5.1 (2026-03-26) ==
* debian/control: Fix building with nocheck profile
* debian/copyright: Drop a removed file, correct path for another
* locale: Update translations for Albanian, Turkish
* web_server: Fix locating SVG icons on production setup
== FreedomBox 26.5 (2026-03-23) ==
=== Highlights ===
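Review bot: the entry "d/control: Add fido2 library as dependency" is inconsistent with the 26.5.1 entries just below, which spell the path out as "debian/control"; suggest using the same prefix and naming the actual Debian package rather than "fido2 library", so readers can tell which package the passkey support pulls in.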

View File

@ -8,25 +8,25 @@
== Users and Groups ==
You can grant access to your !FreedomBox for other users. Provide the Username with a password and assign a group to it. Currently the groups
This app can be used to create, edit, and remove user accounts on !FreedomBox. Many apps with web interface in !FreedomBox support single sign-on using OpenID Connect. This means that if you are logged into !FreedomBox web interface, there is no need to login to the app separately. Other apps support using the !FreedomBox user accounts via LDAP. Finally, there are some apps that manage their own user accounts separate from the accounts you have in !FreedomBox.
Access to an app is allowed if the user accessing the app is part of the app's group. You can grant access to apps in !FreedomBox for specific users by adding them to the following groups:
* admin
* bit-torrent
* calibre
* ed2k
* feed-reader
* freedombox-share
* freedombox-ssh
* git-access
* minidlna
* syncthing
* kiwix
* syncthing-access
* vpn
* web-search
* wiki
are supported.
The user will be able to log in to services that support single sign-on through LDAP, if they are in the appropriate group.
Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo). A user's groups can also be changed later.
Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo).
A user's groups can also be changed later.
!FreedomBox supports logging in with passkeys. Passkeys are a secure alternative to passwords and are the recommended way of authenticating to !FreedomBox. Read more in the [[FreedomBox/Guide/Passkeys|FreedomBox's guide to passkeys]].
It is also possible to set an SSH public key which will allow this user to securely log in to the system without using a password. You may enter multiple keys, one on each line. Blank lines and lines starting with # will be ignored.
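Review bot: with the +/- markers not rendered, the hunk shows both the one-line "Users in the admin group ... A user's groups can also be changed later." and the same text split over two lines; whichever version is retained, the fragment "Provide the Username with a password and assign a group to it. Currently the groups", continued after the list by "are supported.", should be reworked into a complete sentence or dropped, since the new paragraph "Access to an app is allowed if the user accessing the app is part of the app's group" already explains group-based access. Also, "log in to services that support single sign-on through LDAP" contradicts the paragraph above, which says single sign-on is via OpenID Connect and treats LDAP as a separate mechanism; and "kiwix" is out of alphabetical order between "syncthing" and "syncthing-access".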

View File

@ -83,6 +83,7 @@
<<Include(FreedomBox/Manual/Users, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
= Guides =
<<Include(FreedomBox/Guide/Passkeys, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
<<Include(FreedomBox/Guide/ExposeLocalService, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
= Hardware =

View File

@ -83,6 +83,7 @@
<<Include(FreedomBox/Manual/Users, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
= Guides =
<<Include(FreedomBox/Guide/Passkeys, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
<<Include(FreedomBox/Guide/ExposeLocalService, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
= Hardware =
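Review bot: this hunk is identical to the earlier "@ -83,6 +83,7 @@" hunk, so the manual index with its list of includes is maintained in two files; if one is meant to be a copy of the other, consider generating it at build time so the two cannot drift apart.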

View File

@ -8,6 +8,28 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
The following are the release notes for each !FreedomBox version.
== FreedomBox 26.6 (2026-04-06) ==
=== Highlights ===
* users: Add support for logging in with passkeys
=== Other Changes ===
* d/control: Add fido2 library as dependency
* locale: Update translations for French, German, Hindi, Italian
* service: Capture stdout/stderr when running as systemd unit
* users: Add link to guide on passkeys
* users: Add support for registering, editing, and deleting passkeys
* views: Add a decorator to handle exceptions in JSON views
== FreedomBox 26.5.1 (2026-03-26) ==
* debian/control: Fix building with nocheck profile
* debian/copyright: Drop a removed file, correct path for another
* locale: Update translations for Albanian, Turkish
* web_server: Fix locating SVG icons on production setup
== FreedomBox 26.5 (2026-03-23) ==
=== Highlights ===
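Review bot: this hunk duplicates the earlier "@ -8,6 +8,28 @@" release-notes hunk line for line, so the same "d/control" versus "debian/control" inconsistency applies here, and any correction must be made in both files; as with the duplicated manual index, keeping one copy and generating the other would avoid the two drifting apart.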