On la, 24 huhti 2021, Kevin Fenzi wrote:
On Sat, Apr 24, 2021 at 12:12:19PM +0300, Alexander Bokovoy wrote:
On Пт, 23 апр 2021, Kevin Fenzi wrote:
> On Fri, Apr 23, 2021 at 07:40:14AM +0200, Miroslav Suchý wrote:
> > I have been using 2FA with the new Fedora Account system and the UX is ... can be improved. The question is how?
> ...snip...
>
> I am pretty sure the IPA folks are aware that this can be improved and
> are working on it. Hopefully one of them will chime in here. :)
Aside from completing work on the 2FA SPAKE pre-authentication mechanism
for Kerberos, right now we can do the following, all in hands of Fedora
Accounts development team:
- (easy) supply a script/wrapper like Miroslav is showing as a part of
the fedora-packager rpm package
Yeah, we talked about this a while back, I am not sure why it wasn't
implemented. ;( Would someone care to submit a PR to fedora-packager for
it? Otherwise hopefully we can get to it...
- add PKINIT certificate management to Fedora Accounts application so
that users can ask for and issue a personal PKINIT certificate from
IPA CA used by Fedora and CentOS, which they then can use with their
PIV smart cards
Sure, we could look at doing that. Note however that we don't support
smart cards at all currently, it's just TOTP.
FreeIPA does support it, even if you don't provide an interface to it in
Fedora Accounts. You are already using PKINIT to generate an anonymous
PKINIT ticket for use as a FAST channel wrapper, so Fedora IPA instance
is already configured for PKINIT.
When a smart card pre-authentication is used, there is no need for
two-step kinit use, PKINIT is a separate pre-authentication method and
can be done at once.
There are two ways of accepting certificates for PKINIT in FreeIPA:
- add a public key to the user entry and make sure both KDCs and the
client side trust the issuer chain
- add certificate mapping rules that identify a user (Kerberos
principal) from the certificate's properties. In this case only a
client needs to know the issuer chain.
In both cases it is possible to accept certificates that do not need to
be issued by IPA CA itself, which makes possible to use something like
your government-issued ID card, for example.
See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/index
for more details.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure