On 09/06/2017 05:25 AM, Nikos Mavrogiannopoulos wrote: > Hi, > What's the story between the recently introduced support of kerberos > in koji? My understanding was that eventually all services of fedora > would switch to kerberos authentication, though information on the > following bugs for bodhi seems to contradict that: > > https://bugzilla.redhat.com/show_bug.cgi?id=1483538 > https://github.com/fedora-infra/bodhi/issues/1179 I'm not sure where you got the understanding that everything was moving to kerberos. Did we say that somewhere? > In fact currently we have: > * To change code: ssh public key authentication > * To compile changed code: koji: kerberos ticket > * To submit a changed package: bodhi: raw passwords > * To subscribe to a mailing list: lists.fedoraproject.org: openid? > > and probably few more options that I missed. Is there an integration > story behind all these, or is it intentional that various different > services will require different credentials? For ssh keys, we are looking at various options. Possibly ssh certificates. Patrick has been investigating this. For all the web apps we have now (except wiki, but it should move soon), we should have openid or openid-connect. In that case if you have a valid kerberos ticket, your browser is configured right (default in all recent ones), you automatically can authenticate via ipsilon. ie, you click the login thing, it redirects to ipsilon, which sees you have a valid kerberos ticket and just authenticates you. Do you not see this happening there? So, they are all tied together via ipsilon (except ssh keys, and wiki login). Once we have a concrete plan for ssh we will be happy to share it. kevin
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
