Re: Kerberos and Fedora's 2FA UX

On Sat, 24 Apr 2021, Kevin Fenzi wrote:
On Sat, Apr 24, 2021 at 12:12:19PM +0300, Alexander Bokovoy wrote:
On Fri, 23 Apr 2021, Kevin Fenzi wrote:
> On Fri, Apr 23, 2021 at 07:40:14AM +0200, Miroslav Suchý wrote:
> > I have been using 2FA with the new Fedora Account system and the UX is ... can be improved. The question is how?
> ...snip...
>
> I am pretty sure the IPA folks are aware that this can be improved and
> are working on it. Hopefully one of them will chime in here. :)

Aside from completing work on the 2FA SPAKE pre-authentication mechanism
for Kerberos, right now we can do the following, all in the hands of the
Fedora Accounts development team:

 - (easy) supply a script/wrapper like Miroslav is showing as a part of
   the fedora-packager rpm package

Yeah, we talked about this a while back, I am not sure why it wasn't
implemented. ;( Would someone care to submit a PR to fedora-packager for
it? Otherwise hopefully we can get to it...

 - add PKINIT certificate management to Fedora Accounts application so
   that users can ask for and issue a personal PKINIT certificate from
   IPA CA used by Fedora and CentOS, which they then can use with their
   PIV smart cards

Sure, we could look at doing that. Note however that we don't support
smart cards at all currently, it's just TOTP.

FreeIPA does support it, even if you don't provide an interface to it in
Fedora Accounts. You are already using PKINIT to generate an anonymous
PKINIT ticket for use as a FAST channel wrapper, so the Fedora IPA
instance is already configured for PKINIT.

When smart card pre-authentication is used, there is no need for the
two-step kinit; PKINIT is a separate pre-authentication method and can
be done at once.

There are two ways of accepting certificates for PKINIT in FreeIPA:

 - add a public key to the user entry and make sure both KDCs and the
   client side trust the issuer chain

 - add certificate mapping rules that identify a user (Kerberos
   principal) from the certificate's properties. In this case only a
   client needs to know the issuer chain.

In both cases it is possible to accept certificates that do not need to
be issued by the IPA CA itself, which makes it possible to use something
like your government-issued ID card, for example.

See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/index
for more details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
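The two-step kinit the thread refers to (an anonymous PKINIT ticket obtained first and then used as the FAST armor for the real password+OTP login), written out as a small wrapper. This is an added illustration, not fedora-packager's script nor anything posted in the thread; the realm name and the armor cache path are assumptions, and the script needs a reachable KDC to actually obtain tickets.

```shell
#!/bin/sh
# Added example: a minimal two-step kinit wrapper (not fedora-packager's own fkinit).
# Step 1 gets an anonymous PKINIT ticket (no user credential is sent; the client
# only verifies the KDC's certificate). Step 2 runs the real AS exchange inside a
# FAST tunnel armored with that ticket, so the password+OTP never travels in a
# plain pre-authentication exchange.

REALM="${REALM:-FEDORAPROJECT.ORG}"                  # assumed realm, not from the thread
ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/krb5cc_armor_$$}"   # assumed cache location

# Normalise "user" or "user@REALM" into a full principal (defaults to $REALM).
principal_for() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$REALM" ;;
    esac
}

# Command for step 1: anonymous PKINIT ticket written to a dedicated cache.
armor_cmd() {
    printf 'kinit -n -c %s @%s\n' "$ARMOR_CCACHE" "$REALM"
}

# Command for step 2: FAST-armored kinit for the user (prompts for password+OTP).
kinit_cmd() {
    printf 'kinit -T %s %s\n' "$ARMOR_CCACHE" "$(principal_for "$1")"
}

# Run both steps, then discard the armor ticket, which has no further use.
fkinit() {
    user="${1:-$USER}"
    $(armor_cmd) || { echo "anonymous PKINIT failed; is PKINIT configured?" >&2; return 1; }
    $(kinit_cmd "$user")
    rc=$?
    kdestroy -c "$ARMOR_CCACHE" 2>/dev/null
    return $rc
}

# Only run when invoked as a script named fkinit; stays quiet when sourced.
case "$0" in
    *fkinit*) fkinit "$@" ;;
esac
```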



