On Sat, Apr 24, 2021 at 12:12:19PM +0300, Alexander Bokovoy wrote:
> On Fri, 23 Apr 2021, Kevin Fenzi wrote:
> > On Fri, Apr 23, 2021 at 07:40:14AM +0200, Miroslav Suchý wrote:
> > > I have been using 2FA with the new Fedora Account system and the UX is ... can be improved. The question is how?
> > ...snip...
> >
> > I am pretty sure the IPA folks are aware that this can be improved and
> > are working on it. Hopefully one of them will chime in here. :)
>
> Aside from completing work on the 2FA SPAKE pre-authentication mechanism
> for Kerberos, right now we can do the following, all in hands of Fedora
> Accounts development team:
>
> - (easy) supply a script/wrapper like Miroslav is showing as a part of
>   the fedora-packager rpm package

Yeah, we talked about this a while back, I am not sure why it wasn't
implemented. ;(

Would someone care to submit a PR to fedora-packager for it?
Otherwise hopefully we can get to it...

> - add PKINIT certificate management to Fedora Accounts application so
>   that users can ask for and issue a personal PKINIT certificate from
>   IPA CA used by Fedora and CentOS, which they then can use with their
>   PIV smart cards

Sure, we could look at doing that. Note however that we don't support
smart cards at all currently, it's just TOTP.

>
> We know that U2F support would be the best approach here but right now
> it is not possible to support it without some heavy work MIT Kerberos
> upstream and FreeIPA upstream and that hinges on an RFC that is not yet
> written.

Yep. U2F would be lovely indeed.

>
> Kerberos tickets can be issued for a longer time and can be refreshed.
> For example, I am typically issuing Fedora tickets for a week-long
> period, so I only need to run the kinit sequence once a week and then
> SSSD/GNOME Accounts tools are refreshing it every 8 hours automatically.

Yep. Same here.

Thanks Alexander!

kevin