On Wed, 14 Dec 2016, Petr Mensik wrote:
> That sounds like a way to use (sort of) certificates again. With the updated realmd package I can now save my Fedora account password into the GNOME keyring. But... I thought about it yesterday but did not dare to ask. Aren't passwords a less strong kind of authentication than keys? We have SSH keys; we had generated certificates until now. Now only passwords backed by Kerberos. Sure, Kerberos is not a simple password system sending plaintext over the network. Anyway, is there a planned way to obtain the main Kerberos ticket for fedoraproject.org by something stronger than a password?
I cannot tell how Fedora Infrastructure would use the features available in FreeIPA, but at least on the FreeIPA level we have support for multi-factor authentication at the Kerberos level. Using it is a bit less convenient right now for secondary cases where you are not using your Kerberos infrastructure for a system logon directly, but we are working on improvements to the Kerberos initial ticket exchange that will make it easier.

Right now you have to have an initial ticket obtained by some other means to provide a secure channel between the client and the KDC in which to exchange the second-factor information. This *other* initial ticket is typically your machine's account in the case of enrolled computers (like a "normal" FreeIPA client) or an anonymous PKINIT-authenticated principal. With the SPAKE exchange this will be replaced by a more secure exchange that requires no additional communication/channels. It is far away yet, maybe in the Fedora 26/27 time frame, but this also gives us time to improve the other tooling around the user experience: GNOME Online Accounts and the rest of the tools not directly involved in a system-level logon flow.

-- 
/ Alexander Bokovoy
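The two-step flow Alexander describes (obtain an "armor" ticket first, then use it to protect the password-plus-second-factor exchange, which MIT Kerberos calls FAST) can be scripted with the stock `kinit` tool. The script below is an added example, not code from the thread or from FreeIPA. It assumes MIT krb5 client tools are installed and that the host is either enrolled (a readable host keytab, default `/etc/krb5.keytab`) or that the KDC permits anonymous PKINIT with `pkinit_anchors` already configured in `krb5.conf`; `user@EXAMPLE.COM` is a placeholder principal.

```shell
#!/bin/sh
# Added example: obtain a FAST armor ticket, then an armored user ticket.
# Not part of the original mailing-list post; EXAMPLE.COM is a placeholder.
set -eu

# Credential cache that will hold the armor ticket (machine or anonymous).
ARMOR_CACHE="${ARMOR_CACHE:-FILE:/tmp/krb5_armor_$$}"

# Decide where the armor ticket comes from: the machine's keytab if this host
# is enrolled, otherwise anonymous PKINIT (both options named in the reply).
armor_source() {
    if [ -r "${KRB5_KTNAME:-/etc/krb5.keytab}" ]; then
        echo keytab
    else
        echo anonymous
    fi
}

# Step 1: get the armor ticket into its own cache so it never mixes with
# the user's credentials.
get_armor_ticket() {
    case "$(armor_source)" in
        keytab)    kinit -k -t "${KRB5_KTNAME:-/etc/krb5.keytab}" -c "$ARMOR_CACHE" ;;
        anonymous) kinit -n -c "$ARMOR_CACHE" ;;   # -n = anonymous PKINIT
    esac
}

# Step 2: armored kinit. With -T the password and OTP travel inside the FAST
# tunnel keyed by the armor ticket instead of in the plain pre-auth exchange.
get_user_ticket() {
    kinit -T "$ARMOR_CACHE" "$1"
}

main() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 2; }
    get_armor_ticket
    get_user_ticket "${1:-user@EXAMPLE.COM}"
    klist                         # show the user TGT we just obtained
    kdestroy -c "$ARMOR_CACHE"    # the armor ticket is no longer needed
}

# Run only when explicitly requested, e.g. FAST_KINIT_RUN=1 sh fast_kinit.sh user@EXAMPLE.COM
if [ "${FAST_KINIT_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

The point of keeping the armor ticket in a separate cache and destroying it afterwards is that the machine or anonymous credential only exists to key the tunnel; once the armored exchange has succeeded, the user's own TGT in the default cache is all that should remain.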