On Thu, Apr 7, 2022 at 10:59 AM Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote: > > On Thu, Apr 7 2022 at 02:41:42 PM +0000, Gary Buhrmaster > <gary.buhrmaster@xxxxxxxxx> wrote: > > I had thought there was an open (RFE) issue with > > gnome-online-accounts to request support for > > OTP use cases, although, as a hard problem, it > > is likely not going to see a resolution quickly. > > Well the whole point of gnome-online-accounts is to keep you > authenticated permanently. That just does not work if your kerberos > password is an OTP. I'm not sure what we could possibly change. Well, it *could* grow an interface to some of the password wallet services that support TOTP or HOTP codes (like Bitwarden, Lastpass, 1password, etc.) and configure it to query that service and append the code to the password. It doesn't help if you want/need a physical token, though. In the latter case, someone could investigate adding support for smartcards to GOA and FAS. A request for a TGT could use the pkinit protocol and query your Yubikey for the certificate. I know FAS *could* be made to support this, because it's using FreeIPA behind the scenes and that supports smartcard auth. I have no idea what it would take for GOA, though. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
