On Wed, 14 Dec 2016, Petr Mensik wrote:
> That sounds like a way to use (sort of) certificates again. With the updated
> realmd package I can now save my Fedora account password into the Gnome
> keyring. But...
>
> I thought about it yesterday, but did not dare to ask. Are passwords not a
> less strong kind of authentication than keys? We have SSH keys, we had
> generated certificates until now. Now only passwords backed by
> Kerberos. Sure, Kerberos is not a simple password system sending
> plaintext over the network. Anyway, is there a planned way to obtain the main
> Kerberos ticket for fedoraproject.org by something stronger than a
> password?
I cannot tell how Fedora Infrastructure would use features available
in FreeIPA, but at least on the FreeIPA level we have support for
multi-factor authentication on the Kerberos level.

The use of it is a bit less convenient right now for secondary cases
where you are not utilizing your Kerberos infrastructure for a system
logon directly, but we are working on improvements to the Kerberos initial
ticket exchange that will make it easier. Right now you have to have an
initial ticket created by some other means to provide a secure channel
between the client and the KDC to exchange second-factor information.
This *other* initial ticket is typically your machine's account in the case
of enrolled computers (like a "normal" FreeIPA client) or an anonymous
PKINIT-based authenticated principal. With the SPAKE exchange this will be
replaced by a more secure exchange that requires no additional
communication/channels.

It is far away yet, maybe in the Fedora 26/27 time frame, but this also gives
us time to improve other tooling around the user experience -- GNOME
Online Accounts and the rest of the tools not directly involved in a
system-level logon flow.

--
/ Alexander Bokovoy
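An added example, not code from this thread or from FreeIPA, showing the two-step exchange Alexander describes: an anonymous PKINIT ticket obtained with `kinit -n` into a separate cache, a check that this cache really holds an anonymous TGT for the realm, and then `kinit -T` to run the OTP-protected initial exchange inside that FAST armor. The realm EXAMPLE.TEST, the cache paths and the klist transcripts are constructed placeholders; the kinit steps themselves need a real KDC with PKINIT configured.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): obtain FAST armor via
# anonymous PKINIT, verify it, then run the user's OTP-protected AS exchange
# inside it. Assumes krb5-workstation and pkinit_anchors in krb5.conf;
# REALM and cache paths are placeholders.
set -eu

REALM="${REALM:-EXAMPLE.TEST}"                 # placeholder realm
ARMOR_CCACHE="${ARMOR_CCACHE:-/tmp/armor_$$}"  # separate cache for the armor TGT
ANON="WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS" # principal anonymous PKINIT yields

# Constructed klist transcripts used to exercise the check without a KDC.
SAMPLE_ANON_KLIST="Ticket cache: FILE:/tmp/armor_1234
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
12/14/2016 10:00:00  12/14/2016 20:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE_USER_KLIST="Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
12/14/2016 10:00:00  12/14/2016 20:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"

# Reads klist output on stdin; succeeds only if the cache holds an anonymous
# TGT for the given realm, i.e. something fit to pass to "kinit -T". A leftover
# user cache would also "work" as armor but is not what this flow intends.
armor_is_anonymous_tgt() {
  realm="$1"
  text="$(cat)"
  printf '%s\n' "$text" | grep -Fq "Default principal: ${ANON}" || return 1
  printf '%s\n' "$text" | grep -Fq "krbtgt/${realm}@${realm}"
}

# Step 1: anonymous PKINIT (KDC authenticated by certificate, no user secret).
get_armor_ticket() {
  kinit -n -c "$ARMOR_CCACHE"
  klist -c "$ARMOR_CCACHE" | armor_is_anonymous_tgt "$REALM"
}

# Step 2: the real AS exchange runs inside the FAST tunnel, so the OTP the
# KDC prompts for never crosses the network unprotected.
get_user_ticket_with_otp() {
  user="$1"
  kinit -T "$ARMOR_CCACHE" "${user}@${REALM}"
  kdestroy -c "$ARMOR_CCACHE"   # armor cache is no longer needed
}

# Set RUN_KINIT=1 and pass a user name to perform the real exchange.
if [ -n "${RUN_KINIT:-}" ]; then
  get_armor_ticket && get_user_ticket_with_otp "${1:?usage: $0 USER}"
fi
```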
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org