Re: Inactive packagers to be removed after the F37 release

On Wed, 14 Sep 2022, Stephen Smoogen wrote:
> On Wed, 14 Sept 2022 at 05:28, Alexander Bokovoy <abokovoy@xxxxxxxxxx>
> wrote:
>
> > Sadly, it cannot be just 'any' certificate, it has to be issued by a
> > certificate authority that is trusted by the KDC as well. For example,
> > by FreeIPA CA which is already run by the Fedora project infrastructure
> > team. An alternative is to set up certificate mapping and validating
> > rules.
> >
> > If someone from Fedora Accounts team wants to experiment with this, I
> > can guide you what to do.
>
> There is no continual running Fedora Accounts 'team'. There are 2-3 system
> administrators split between releng, operations and continual
> firefighting. There is also a team of developers who are split between
> CentOS Stream initiatives and other work. Changes like this need to have
> more than just an 'oh I have finally an afternoon free where all the other
> crap in the build infra is actually working for once.. let's dive into IPA'

I understand all of that myself. I think what is important here is to
plan to work together so that eventually we can implement this.

This whole thread is about agreeing or disagreeing whether Fedora as a
project would want to have better security methods to identify and
authenticate its contributors when performing tasks that have large
impact.

If Fedora contributors would have had access to Fedora's FreeIPA web UI
or IPA API directly, we wouldn't even need to have a conversation about
PKINIT and certificates. We could have added instructions how to request
and associate a certificate with your account. But since Fedora Accounts
system is the frontend to Fedora Project's FreeIPA deployment, we cannot
simply do that. However, FreeIPA-wise, smartcards are supported now for
Kerberos authentication, so we as Fedora contributors could benefit from
that.

I hope we can plan to work together on this improvement again, similar
to how we did with the initial rewrite of Fedora Accounts on top of
FreeIPA. Again, if this is deemed to be valuable to Fedora contributors,
perhaps CPA team could consider scheduling this effort as part of the
initiatives.

Let me round up methods that we have supported now or plan to add in
Fedora 38-39 timeframe, from FreeIPA and SSSD side. All these lead to
issuance of a Kerberos ticket that can be used for communicating with
the rest of Fedora services:
 - basic password-based authentication
 - use of 2FA HOTP/TOTP tokens implemented by FreeIPA itself
 - use of an external RADIUS server for validation of a string passed as
   a 'password' or 'token' value
 - use of a certificate stored on a supported PKCS11 token (smartcard,
   softtoken (SoftHSMv2, NSS) or just in plain keypair files)
 - use of OAuth2 device authorization grant against some OAuth2 IdP (new
   in FreeIPA 4.9.10+)
 - (future) use of a FIDO2/WebAuthn token

Fedora accounts system implements the management of the first two
methods right now.

> As much as I enjoy better security, everyone should remember that the ones
> affected are either packagers who are volunteering to make spec files for
> software they need for something else.. or developers who only look at spec
> files as the last hassle they need to do before they can mark on their list
> 'shipped and done'. Most of them do not package/build things very often,
> and it takes years for them to get retrained when some change in the
> workflow occurs.

A particular benefit of using Kerberos authentication to Fedora services
is that it does not need to change the workflow for all those things.
Once you've got your ticket, it works against all the services you are
allowed to access. Sure, actual process of obtaining that ticket might
change -- like with 2FA token one needs to get a wrap ticket first --
but the rest is the same.

> They are also the only ones around to do the work. Making workflow changes
> like adding certificates, tokens, etc may be needed but they are going to
> need a lot of documentation, continual training, and coaching to actually
> make function. If there is no staff or people available to do this, then
> the change will fail hard.

Do we have any statistics of how we stand now that Fedora Accounts is
deployed for more than a year and people were enabled to use 2FA tokens
through it?



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



