Re: 2FA policy for provenpackagers is now active

On Mon, Jun 24, 2024 at 1:30 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
>
> On Mon, Jun 24, 2024 at 05:11:07PM +0000, Mattia Verga via devel wrote:
> >
> > -------- Original message --------
> > 24/06/24 18:21, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >
> > >
> > >  I personally don't see why entering an OTP once a week is such a
> > >  burden... but it does seem to be. ;(
> > >
> >
> > Once a week? When I get a Kerberos ticket with fkinit it expires
> > after 24h. Is there a setting to change somewhere to make it last
> > a week?
>
> Tickets expire after 24 hours, but before expiry, it is possible
> to request renewal, e.g.
>
>   kinit <fas-user-name>@FEDORAPROJECT.ORG -R
>
> This renewal won't prompt for credentials. IIUC, it basically just
> validates that your krb account hasn't been disabled by the server
> admin.
>
> klist will tell you the upper limit on renewals before you must
> fully re-authenticate, and in Fedora it appears to be 7 days.
>
> Note, you *MUST* renew it before it expires, as you can't renew an
> expired ticket, even if it were still within the renewal lifetime.
>
> Incidentally there's not particularly any need to use fkinit, as
> it is just a thin wrapper around kinit. It avoids the need to type
> the "@FEDORAPROJECT.ORG" part of your krb account, and for some
> reason forces use of the "FILE" credential cache, overriding the
> system default. The latter feels dubious to me but perhaps there's
> some good reason for it?
>

It's required if you are using 2FA because it handles the fact that
you need to do TWO kinit actions, one to set up the anonymous
pre-authentication channel and another to actually send the
credentials. I wrote fkinit to abstract those details for Fedora users
since it's subtle and easy to get wrong. Also, it doesn't use the FILE
credential cache for the final credentials, it uses whatever your
system default is. It only uses FILE: to set up the preauthentication
channel.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
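
The renewal rule discussed in this thread (renew before the 24-hour expiry, within the 7-day renewal limit, otherwise log in again with the OTP), as an added example that is not part of the original messages. It assumes MIT `klist` output with `MM/DD/YYYY` dates; the account name `jdoe`, the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `klist` output whether a
# ticket can still be renewed without credentials or needs a full 2FA login.

# Constructed sample; assumes MIT klist with MM/DD/YYYY dates (en_US locale).
# "jdoe" is a made-up account name.
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: jdoe@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
06/24/2024 13:30:00  06/25/2024 13:30:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 07/01/2024 13:30:00'

# ticket_state NOW < klist-output
#   NOW uses the same "MM/DD/YYYY HH:MM:SS" form as klist.
#   Prints one of: renewable | expired | not-renewable | no-tgt
ticket_state() {
    awk -v now="$1" '
        # Turn date + time into YYYYMMDDHHMMSS so string comparison orders them.
        function stamp(d, t,    p) { split(d, p, "/"); gsub(":", "", t); return p[3] p[1] p[2] t }
        # First TGT line: fields are start date, start time, end date, end time, principal.
        $5 ~ /^krbtgt\// && expiry == "" { expiry = stamp($3, $4); after_tgt = 1; next }
        # Only the "renew until" line directly under the TGT belongs to it.
        after_tgt && $1 == "renew" && $2 == "until" { renew = stamp($3, $4) }
        { after_tgt = 0 }
        END {
            split(now, n, " "); cur = stamp(n[1], n[2])
            if (expiry == "")                        print "no-tgt"
            else if (cur >= expiry)                  print "expired"        # renew-until no longer helps
            else if (renew == "" || renew <= expiry) print "not-renewable"  # nothing left to extend
            else                                     print "renewable"
        }'
}

# next_step STATE -> command named in the thread for that state (printed, not run).
next_step() {
    case $1 in
        renewable) echo 'kinit -R' ;;   # no credential prompt
        *)         echo 'fkinit' ;;     # full login: password + OTP
    esac
}

# Demo on the constructed sample, 4.5 hours before the ticket expires.
state=$(printf '%s\n' "$SAMPLE_KLIST" | ticket_state "06/25/2024 09:00:00")
echo "$state -> $(next_step "$state")"
```

Against a live cache, pipe `klist` into `ticket_state "$(date '+%m/%d/%Y %H:%M:%S')"`; a timer that runs this more often than the ticket lifetime keeps the ticket inside the renewable window.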



