Re: Kerberos and Fedora's 2FA UX

On Sat, Apr 24, 2021 at 12:12:19PM +0300, Alexander Bokovoy wrote:
> On Fri, 23 Apr 2021, Kevin Fenzi wrote:
> > On Fri, Apr 23, 2021 at 07:40:14AM +0200, Miroslav Suchý wrote:
> > > I have been using 2FA with the new Fedora Account system and the UX is ... can be improved. The question is how?
> > ...snip...
> > 
> > I am pretty sure the IPA folks are aware that this can be improved and
> > are working on it. Hopefully one of them will chime in here. :)
> 
> Aside from completing work on the 2FA SPAKE pre-authentication mechanism
> for Kerberos, right now we can do the following, all in the hands of the
> Fedora Accounts development team:
> 
>  - (easy) supply a script/wrapper like Miroslav is showing as a part of
>    the fedora-packager rpm package

Yeah, we talked about this a while back, I am not sure why it wasn't
implemented. ;( Would someone care to submit a PR to fedora-packager for
it? Otherwise hopefully we can get to it...

>  - add PKINIT certificate management to Fedora Accounts application so
>    that users can ask for and issue a personal PKINIT certificate from
>    IPA CA used by Fedora and CentOS, which they then can use with their
>    PIV smart cards

Sure, we could look at doing that. Note however that we don't support
smart cards at all currently, it's just TOTP.

> 
> We know that U2F support would be the best approach here but right now
> it is not possible to support it without some heavy work in MIT Kerberos
> upstream and FreeIPA upstream, and that hinges on an RFC that is not yet
> written.

Yep. U2F would be lovely indeed.

> 
> Kerberos tickets can be issued for a longer time and can be refreshed.
> For example, I am typically issuing Fedora tickets for a week-long
> period, so I only need to run the kinit sequence once a week and then
> SSSD/GNOME Accounts tools are refreshing it every 8 hours automatically.

Yep. Same here.

Thanks Alexander!

kevin
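The once-a-week kinit plus automatic renewal that Alexander describes, written out as an added wrapper script; it is not Miroslav's script from the thread nor part of fedora-packager, and it assumes MIT Kerberos kinit/klist, the FEDORAPROJECT.ORG realm, FreeIPA's OTP preauth (password+TOTP at the single prompt) and an 8h ticket / 7d renewable lifetime pair, all of which are placeholders to adjust:

```shell
#!/bin/sh
# Added example, not Miroslav's wrapper from the thread. Assumed: MIT
# Kerberos kinit/klist, the FEDORAPROJECT.ORG realm, FreeIPA OTP preauth
# (password+TOTP at the prompt), and an 8h ticket / 7d renewable pair.
REALM="${FEDORA_REALM:-FEDORAPROJECT.ORG}"
TICKET_LIFE="${TICKET_LIFE:-8h}"   # how long one ticket stays usable
RENEW_LIFE="${RENEW_LIFE:-7d}"     # how long it can be renewed without OTP

# Convert a kinit-style duration (30s, 10m, 8h, 7d) to seconds.
to_seconds() {
    n=${1%?}; u=${1#"$n"}
    case "$n" in ''|*[!0-9]*) echo "bad duration: $1" >&2; return 1 ;; esac
    case "$u" in
        s) echo "$n" ;;
        m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;;
        d) echo $((n * 86400)) ;;
        *) echo "bad duration: $1" >&2; return 1 ;;
    esac
}

# A renewable life shorter than the ticket life makes -r pointless: the
# ticket would expire before it could ever be renewed.
check_lifetimes() {
    t=$(to_seconds "$1") || return 1
    r=$(to_seconds "$2") || return 1
    [ "$r" -ge "$t" ]
}

# Renew when a valid cache exists and the KDC still permits renewal
# (kinit -R); otherwise do a full kinit, the only step that prompts for
# password+OTP. The KDC clamps both lifetimes to its own policy maxima.
fedora_kinit() {
    principal="$1@$REALM"
    check_lifetimes "$TICKET_LIFE" "$RENEW_LIFE" || return 1
    if klist -s 2>/dev/null && kinit -R "$principal" 2>/dev/null; then
        echo "renewed ticket for $principal"
        return 0
    fi
    kinit -l "$TICKET_LIFE" -r "$RENEW_LIFE" "$principal"
}

# Run only when a user is given: FEDORA_USER=alice sh fedora-kinit.sh
if [ -n "${FEDORA_USER:-}" ]; then
    fedora_kinit "$FEDORA_USER"
fi
```

Run it from cron or a timer well inside the ticket lifetime; once the renewable life is exhausted the renewal fails and the next run falls back to the full OTP prompt.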

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx