Re: announcing HTTPS pushing to dist-git/src.fedoraproject.org for packagers and non-packagers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Simo,

On Mon, 22 Apr 2019 at 20:39, Simo Sorce <simo@xxxxxxxxxx> wrote:
>
> Any reason why oidc is required instead of a simple GSSAPI (via
> mod_auth_gssapi) ?
> GSSAPI authentication won't require a graphical session to work.

The main reasons for going with OIDS rather than GSSAPI are:

1. User support: we have had a *lot* of contributors that had issues
using GSSAPI for Fedora, often because they have older or
employer-specific krb configurations: a lot of them are for example
missing the "includedir /etc/krb5.conf.d" and the dns_kdc_lookup
options.
One other very common occurrence are the dns_canonicalize_hostname and
rdns options: the Fedora defaults for these options are required for
the Fedora Infra krb5 to work, but a lot of employers set (or even
require) these to be set to "true". Fedora Infra is unable to work
with these options set to true, because we have a lot of nodes for
which we do not control recursive DNS, in addition to the fact that we
have the exact same set of entry points for all services, which means
reverse DNS is useless.

2. With the upcoming account system change (to be backed by FreeIPA)
our plan is to start requiring 2 factor auth for some groups
(primarily the system administrators, it'll be opt-in for other
users), and then we want to be able to enforce using the same 2fa
tokens for any access.
The 2FA scheme that we are solely planning to support is U2F/FIDO2,
and to the best of my knowledge there has so far not been any work on
integrating this with any krb5 server.
The current plan is to integrate the 2FA flow into the identity
provider, and have it enforce and check the tokens. Using OpenID
Connect for this login would mean that we get the 2fa enforcement "for
free".

Also, please note that there are concrete plans to lift the
requirement for a graphical session for OpenID Connect tokens, but
that would be part of the same authentication work.

Patrick
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux