Re: 2FA policy for provenpackagers is now active

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Пан, 24 чэр 2024, Kevin Fenzi wrote:

On Mon, Jun 24, 2024 at 02:39:13PM GMT, Mattia Verga via devel wrote:


Perhaps it's a stupid idea, but we already have ssh public keys stored
in fas, would it be possible for fkinit to use the private key as second
factor? That way, on a system which is considered secure (it has the
private key stored in it) we would only require the user to enter the
FAS password, while on a smartphone or a temporary device the
password+otp would still be required.


No, it's not currently possible.

Rememver that we are using IPA as a backend, so it would need support in
IPA.

How would it know you wanted to use a ssh key instead of otp?
I suppose it would have to try all your keys and see if any worked?
It likely would cause a lot of confusion also for those that didn't
expect it.


In order to have any specific authentication logic added to Kerberos,
one needs:

 - design a new pre-authentication method

 - review the proposal and its security properties through IETF and
   register in Kerberos parameters's IANA registry for
   'Pre-authentication and Typed Data' [1]

 - implement new pre-authentication method. We did this recently
   (2020-2023) for PA-REDHAT-IDP-OAUTH2 [3] and PA-REDHAT-PASSKEY [2] in SSSD
   project

 - implement support for new pre-authentication method in FreeIPA ([3]
   and [4] for idp and passkey methods).

The whole process can easily take couple years.

[1] https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#pre-authentication
[3] https://sssd.io/design-pages/passkey_kerberos.html
[4] https://freeipa.readthedocs.io/en/latest/designs/external-idp/external-idp.html
[5] https://freeipa.readthedocs.io/en/latest/designs/passkeys.html



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux