On Sun, Feb 20, 2022 at 04:43:13PM -0800, Gary Buhrmaster wrote:
> On Sun, Feb 20, 2022, 16:09 Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx>
> wrote:
>
> > It used to support these, but the support was lost with the recent
> > rewrite. However, it supports Google Authenticator-style OTPs. Folks
> > with infra privileges on their accounts (like me) are already required
> > to use these. It works fine. I preferred being able to use a yubikey so
> > I don't always have to open an app on my phone and retype a six digit
> > code when I need to log in to something, but that's just a minor
> > annoyance.

The old account system (fas2) used to support yubikeys, but it did not support U2F. It only supported them in HOTP mode, not U2F.

The new account system is a frontend to IPA, and IPA does not currently support U2F. There's an RFE ( https://github.com/SSSD/sssd/issues/4322 ) but I don't know where it is on their roadmap. Not only does IPA need to add support, but then we would need to add support to noggin to enroll/etc.

> TOTP (what the authenticator app does),
> is, indeed, better than nothing, but U2F
> (FIDO), is considered to be stronger.

Yeah.

So, as to the topic of this thread...

I agree it's a possible attack vector, but it seems... like a lot more work than just coming in through the new maintainer workflow, but I do suppose there might be more scrutiny there.

When someone makes an account, basically we are saying "This person is the person who controls that email address". So, if we don't have the email address, we have to fall back on other data that was added to the account, like ssh pub key, gnupg key, etc. Or real world information, like "I know them and met them at the pub", they work for Red Hat and we can verify them, etc.

In fas2 we also had a 'challenge/response' thing that someone could fill in, but not many folks did (and the new system doesn't have that anyhow).

I think some kind of keep alive ping could be worthwhile, although we have always rejected them in the past for bothering maintainers too much.

kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure