Re: Kerberos and Fedora's 2FA UX

On Fri, 23 Apr 2021, Kevin Fenzi wrote:
On Fri, Apr 23, 2021 at 07:40:14AM +0200, Miroslav Suchý wrote:
I have been using 2FA with the new Fedora Account system and the UX is ... can be improved. The question is how?
...snip...

I am pretty sure the IPA folks are aware that this can be improved and
are working on it. Hopefully one of them will chime in here. :)

Aside from completing work on the 2FA SPAKE pre-authentication mechanism
for Kerberos, right now we can do the following, all in the hands of the
Fedora Accounts development team:

 - (easy) supply a script/wrapper like Miroslav is showing as a part of
   the fedora-packager rpm package
 - add PKINIT certificate management to Fedora Accounts application so
   that users can ask for and issue a personal PKINIT certificate from
   IPA CA used by Fedora and CentOS, which they then can use with their
   PIV smart cards

We know that U2F support would be the best approach here but right now
it is not possible to support it without some heavy work in MIT Kerberos
upstream and FreeIPA upstream and that hinges on an RFC that is not yet
written.

Kerberos tickets can be issued for a longer time and can be refreshed.
For example, I am typically issuing Fedora tickets for a week-long
period, so I only need to run the kinit sequence once a week and then
SSSD/GNOME Accounts tools are refreshing it every 8 hours automatically.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
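
The renew-instead-of-retype behaviour described in the message above, as an added example that is not part of the original post or of any Fedora package. The function name `ensure_ticket`, the principal and the realm `EXAMPLE.TEST` are placeholders, and the armor step assumes the KDC offers anonymous PKINIT and that OTP pre-authentication has to run inside a FAST channel.

```shell
#!/bin/sh
# Added example (not from the thread): prompt for password + OTP only when
# the renewable period has run out; otherwise renew silently.
# Assumptions: MIT Kerberos kinit/klist, a KDC that allows anonymous PKINIT
# for FAST armor, and a placeholder principal such as alice@EXAMPLE.TEST.

RENEWABLE_LIFE="${RENEWABLE_LIFE:-7d}"   # week-long period, as in the message

# ensure_ticket PRINCIPAL
# Prints which path was taken: "renewed", "valid" or "fresh".
ensure_ticket() {
    principal="$1"
    realm="${principal#*@}"

    if klist -s; then
        # The TGT is still valid, so renewal needs neither password nor OTP.
        # An expired TGT cannot be renewed; renewal must happen before expiry.
        if kinit -R 2>/dev/null; then
            echo renewed
        else
            echo valid      # not renewable (any more), usable until it expires
        fi
        return 0
    fi

    # No usable TGT: one interactive login covers the next renewable period.
    armor_dir=$(mktemp -d) || return 1
    armor="FILE:$armor_dir/armor.ccache"
    rc=0
    # Anonymous ticket used only as FAST armor for the real request.
    kinit -n -c "$armor" "@$realm" &&
        kinit -T "$armor" -r "$RENEWABLE_LIFE" "$principal" || rc=$?
    rm -rf "$armor_dir"     # the armor cache is not needed after login
    [ "$rc" -eq 0 ] || return "$rc"
    echo fresh
}

# Usage: ensure_ticket alice@EXAMPLE.TEST
```

The KDC caps both the ticket lifetime and the renewable lifetime, so a `-r 7d` request yields a shorter period when the realm policy is stricter.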