On ke, 14 syys 2022, Demi Marie Obenour wrote:
On 9/14/22 03:55, Vitaly Zaitsev via devel wrote:
On 14/09/2022 08:46, Demi Marie Obenour wrote:
The only other
non-phishable authentication method is TLS client certificates and
I would be fine with those.
Fedora used to have TLS client certificate authorization (in Koji), but
this has been replaced by Kerberos.
Could Fedora turn on PKINIT or make TLS client certificate authentication
an option again?
I think PKINIT support is active, otherwise you would not be able to use
Anonymous PKINIT for FAST channel wrapping with OTP preauthentication.
All we need is a way to associate a trusted certificate with the user
and have the trust between KDC cert and the client machine where you'd
run kinit:
[1660786] 1663147221.189471: PKINIT client verified DH reply
[1660786] 1663147221.189472: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@xxxxxxxxxxxxxxxxx
[1660786] 1663147221.189473: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@xxxxxxxxxxxxxxxxx against id-pkinit-san; no EKU check required
[1660786] 1663147221.189474: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/1D6D
[1660786] 1663147221.189475: Preauth module pkinit (17) (real) returned: 0/Success
The latter works fine, so we just need to have a certificate in the user
account to use PKINIT, not Anonymous PKINIT. And since we have no direct
access to FreeIPA server behind Fedora Accounts system, Fedora Accounts
should be extended to allow adding a public certificate to the user's
account.
Sadly, it cannot be just 'any' certificate, it has to be issued by a
certificate authority that is trusted by the KDC as well. For example,
by the FreeIPA CA which is already run by the Fedora project infrastructure
team. An alternative is to set up certificate mapping and validation
rules.
If someone from the Fedora Accounts team wants to experiment with this, I
can guide you on what to do.
since almost every laptop has a TPM.
In some countries (Russia, China and some other countries from the US
export banlist) hardware TPMs are prohibited.
Still, even a pure software FIDO2 implementation is much better than
TOTP etc.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
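The trace lines quoted above distinguish the two PKINIT modes in question: anonymous PKINIT (what `kinit -n` does for FAST armor) only authenticates the KDC to the client, whereas PKINIT with a user certificate (`kinit -X X509_user_identity=FILE:cert.pem,key.pem user@REALM`) also proves the user's identity. The following added example is not code from the thread or from the MIT krb5 project; it parses a `KRB5_TRACE` log of such a run, decodes the KDF OID that krb5 prints as hex, and reports whether the exchange was anonymous, whether the KDC certificate was matched through id-pkinit-san, and which reply-key KDF was negotiated. The sample trace, realm (EXAMPLE.ORG), principal `alice` and PID are constructed; the message formats matched are those quoted in the thread plus MIT's standard "Getting initial credentials for" line.

```python
"""Summarise a PKINIT preauth exchange from MIT krb5 KRB5_TRACE output.

Added example, not code from the thread or from MIT krb5. The realm, PID,
timestamps and user principal in the sample trace are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the trace lines quoted in the thread.
SAMPLE_TRACE = """\
[4242] 1663147221.189001: Getting initial credentials for alice@EXAMPLE.ORG
[4242] 1663147221.189471: PKINIT client verified DH reply
[4242] 1663147221.189472: PKINIT client found id-pkinit-san in KDC cert: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
[4242] 1663147221.189473: PKINIT client matched KDC principal krbtgt/EXAMPLE.ORG@EXAMPLE.ORG against id-pkinit-san; no EKU check required
[4242] 1663147221.189474: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/1D6D
[4242] 1663147221.189475: Preauth module pkinit (17) (real) returned: 0/Success
"""

# Same exchange as anonymous PKINIT (the FAST-armor case mentioned in the thread).
ANON_TRACE = SAMPLE_TRACE.replace("alice@EXAMPLE.ORG", "WELLKNOWN/ANONYMOUS@EXAMPLE.ORG")

# RFC 8636 PKINIT KDF identifiers, keyed by dotted OID.
PKINIT_KDF = {
    "1.3.6.1.5.2.3.6.1": "id-pkinit-kdf-ah-sha1",
    "1.3.6.1.5.2.3.6.2": "id-pkinit-kdf-ah-sha256",
    "1.3.6.1.5.2.3.6.3": "id-pkinit-kdf-ah-sha512",
}

_PREFIX = re.compile(r"^\[\d+\] \d+\.\d+: ")  # "[pid] timestamp: "


def decode_oid(hex_oid: str) -> str:
    """Decode the DER OID content bytes that krb5 prints as hex into dotted form."""
    data = bytes.fromhex(hex_oid)
    if not data:
        raise ValueError("empty OID")
    arcs = [data[0] // 40, data[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in data[1:]:  # remaining arcs are base-128 with the MSB as a continuation bit
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


@dataclass
class PkinitSummary:
    client: Optional[str] = None
    anonymous: bool = False
    dh_verified: bool = False
    kdc_principal: Optional[str] = None
    kdc_matched_by: Optional[str] = None
    kdf_oid: Optional[str] = None
    reply_enctype: Optional[str] = None
    succeeded: bool = False

    @property
    def kdf_name(self) -> str:
        return PKINIT_KDF.get(self.kdf_oid or "", "unknown")

    def findings(self) -> List[str]:
        """Points a reviewer would flag; empty list means an identity-proving PKINIT run."""
        out = []
        if self.anonymous:
            out.append("anonymous PKINIT: KDC authenticated, client identity not proven")
        if not self.dh_verified:
            out.append("DH reply not verified")
        if self.kdc_matched_by != "id-pkinit-san":
            out.append("KDC principal not matched via id-pkinit-san")
        if self.kdf_name == "id-pkinit-kdf-ah-sha1":
            out.append("SHA-1 KDF negotiated")
        if not self.succeeded:
            out.append("pkinit preauth (PA-PK-AS-REP) did not succeed")
        return out


def summarise(trace: str) -> PkinitSummary:
    """Walk a KRB5_TRACE log and extract the PKINIT-relevant facts."""
    s = PkinitSummary()
    for line in trace.splitlines():
        msg = _PREFIX.sub("", line)
        if m := re.match(r"Getting initial credentials for (\S+)", msg):
            s.client = m.group(1)
            # MIT's anonymous principal is WELLKNOWN/ANONYMOUS in either realm form.
            s.anonymous = s.client.startswith("WELLKNOWN/ANONYMOUS@")
        elif msg == "PKINIT client verified DH reply":
            s.dh_verified = True
        elif m := re.match(r"PKINIT client matched KDC principal (\S+) against id-pkinit-san", msg):
            s.kdc_principal, s.kdc_matched_by = m.group(1), "id-pkinit-san"
        elif m := re.match(r"PKINIT client used KDF ([0-9A-Fa-f]+) to compute reply key ([^/\s]+)", msg):
            s.kdf_oid, s.reply_enctype = decode_oid(m.group(1)), m.group(2)
        elif m := re.match(r"Preauth module pkinit \(17\) \(real\) returned: (\d+)/", msg):
            s.succeeded = m.group(1) == "0"  # 17 is PA-PK-AS-REP, the KDC's reply
    return s


if __name__ == "__main__":
    for name, trace in (("user cert", SAMPLE_TRACE), ("anonymous", ANON_TRACE)):
        summary = summarise(trace)
        print(name, summary.client, summary.kdf_name, summary.findings() or "OK")
```

Run it against a real log with `KRB5_TRACE=/tmp/kinit.trace kinit -X X509_user_identity=FILE:cert.pem,key.pem user@REALM` and feed the file to `summarise()`; an empty `findings()` list is the outcome the thread is asking Fedora Accounts to make possible, while the anonymous sample shows why `kinit -n` alone, which already works against the Fedora KDC, is not a login.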