Hi,
Kenneth Goldman <kgoldman@xxxxxxxxxx> wrote:

> -----Original Message-----
> From: Clemens Lang <cllang@xxxxxxxxxx>
> Sent: Tuesday, February 14, 2023 12:59 PM
> To: Development discussions related to Fedora
>
> > You are right, but fkinit will tell you, so I don’t think we need to
> > clarify this in the documentation:
> >
> > :) cllang@frootmig:~$ fkinit -u clang
> > Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
> > Enter OTP Token Value:
> > :) cllang@frootmig:~$
>
> For a newbie (me), it's not clear what the OTP is. Is it something from
> here?
>
> https://accounts.fedoraproject.org/user/kgold/settings/otp/
Yes.
> If correct, might a link be useful, along with some guidance on how to
> use it?
If you have two-factor authentication enabled on this page (or always?), it
will display the following message:
    Additional configuration is required when using Kerberos tickets when OTP
    is enabled. Read the documentation for details on configuring your system
“documentation” is a link to
https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit.
As a user, you should thus never end up in a situation where you have
two-factor authentication enabled, but have not read this documentation.
(Additionally, we should probably update this documentation to also explain
that fkinit can be used.)
It is a bit unfortunate that fkinit always prints the "Enter your password
and OTP concatenated. (Ignore that the prompt is for only the token)” line
even for users that do not have OTP enabled, though. Compare:
$ fkinit -u clang
Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
Enter OTP Token Value:
with
$ fkinit -u jjelen # shamelessly calling you out for not having 2FA enabled!
Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
Password for jjelen@xxxxxxxxxxxxxxxxx:
kinit: Password read interrupted while getting initial credentials
Since there seems to be some API that can be used without authentication to
determine whether a user has two-factor authentication enabled, maybe fkinit
should query that API, and only show that hint when used with an account
that actually uses it to avoid confusion?
--
Clemens Lang
RHEL Crypto Team
Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue