On Wed, 14 Dec 2016 13:21:50 +0200
Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:

> I cannot tell how Fedora Infrastructure would use features
> available in FreeIPA, but at least on FreeIPA level we have support
> for multi-factor authentication on Kerberos level.
>
> The use of it is a bit less convenient right now for secondary cases
> where you are not utilizing your Kerberos infrastructure for a system
> logon directly but we are working on improvements to Kerberos initial
> ticket exchange that will make it easier. Right now you have to have
> an initial ticket created with some other means to provide a secure
> channel between the client and the KDC to exchange second factor
> information. This *other* initial ticket is typically your machine's
> account in case of enrolled computers (like "normal" FreeIPA client)
> or an anonymous PKINIT-based authenticated principal. With SPAKE
> exchange this will be replaced by a more secure exchange that
> requires no additional communication/channels.
>
> It is far away yet, maybe Fedora 26/27 time frame, but this gives us
> also time to improve other tooling around the user experience -- GNOME
> Online accounts and the rest of tools not directly involved in a
> system level logon flow.

We definitely plan to enable/use 2fa with Kerberos down the road.

kevin
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx