On Mon, 2019-04-22 at 22:06 +0200, Patrick Uiterwijk wrote:
> Hi Simo,
> 
> On Mon, 22 Apr 2019 at 20:39, Simo Sorce <s...@redhat.com> wrote:
> > 
> > Any reason why oidc is required instead of a simple GSSAPI (via
> > mod_auth_gssapi) ?
> > GSSAPI authentication won't require a graphical session to work.
> 
> The main reasons for going with OIDC rather than GSSAPI are:
> 
> 1. User support: we have had a *lot* of contributors that had issues
> using GSSAPI for Fedora, often because they have older or
> employer-specific krb configurations: a lot of them are for example
> missing the "includedir /etc/krb5.conf.d" and the dns_kdc_lookup
> options.
> One other very common occurrence is the dns_canonicalize_hostname and
> rdns options: the Fedora defaults for these options are required for
> the Fedora Infra krb5 to work, but a lot of employers set (or even
> require) these to be set to "true". Fedora Infra is unable to work
> with these options set to true, because we have a lot of nodes for
> which we do not control recursive DNS, in addition to the fact that we
> have the exact same set of entry points for all services, which means
> reverse DNS is useless.
> 
> 2. With the upcoming account system change (to be backed by FreeIPA)
> our plan is to start requiring 2 factor auth for some groups
> (primarily the system administrators, it'll be opt-in for other
> users), and then we want to be able to enforce using the same 2fa
> tokens for any access.
> The 2FA scheme that we are solely planning to support is U2F/FIDO2,
> and to the best of my knowledge there has so far not been any work on
> integrating this with any krb5 server.
> The current plan is to integrate the 2FA flow into the identity
> provider, and have it enforce and check the tokens. Using OpenID
> Connect for this login would mean that we get the 2fa enforcement "for
> free".
> 
> Also, please note that there are concrete plans to lift the
> requirement for a graphical session for OpenID Connect tokens, but
> that would be part of the same authentication work.

I guess I should have asked why you don't allow *both*.

Apache definitely supports stacking multiple auth methods, and then users
could use either (not admins once 2FA is required, at least until they
are able to get krb creds via 2FA, but that's ok).

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
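An added example, not part of this thread and not Fedora Infra's actual configuration, of what the two-method setup discussed above could look like in httpd: Kerberos (mod_auth_gssapi) and OpenID Connect (mod_auth_openidc) each protect their own login path, and the application takes REMOTE_USER from whichever one the user completes. Hostnames, realm, keytab path, client credentials and the /login/* paths are assumptions.

```apache
# Added example (not from the thread). All names below are placeholders.
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# mod_auth_openidc provider settings (vhost scope).
# Client id/secret and crypto passphrase are placeholders; keep real ones
# out of version control.
OIDCProviderMetadataURL https://id.example.org/.well-known/openid-configuration
OIDCClientID            example-app
OIDCClientSecret        CHANGE-ME
OIDCCryptoPassphrase    CHANGE-ME
# The redirect URI must live under a path protected by mod_auth_openidc.
OIDCRedirectURI         https://app.example.org/login/oidc/redirect_uri
# Use the same username claim the Kerberos path yields, so REMOTE_USER is
# identical regardless of which login path was used.
OIDCRemoteUserClaim     preferred_username

# Path 1: Kerberos/GSSAPI. Works from a plain terminal with a TGT; no
# browser or graphical session is needed.
<Location /login/krb>
    AuthType GSSAPI
    AuthName "Kerberos login"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Only negotiate over TLS, and strip @REALM from the principal so
    # REMOTE_USER matches the OIDC username.
    GssapiSSLonly On
    GssapiLocalName On
    # Never fall back to password prompts on this path.
    GssapiBasicAuth Off
    Require valid-user
</Location>

# Path 2: OpenID Connect. Any 2FA policy is enforced by the identity
# provider, so it applies here without further httpd configuration.
<Location /login/oidc>
    AuthType openid-connect
    Require valid-user
</Location>
```

Restricting a group (for example administrators) to the OIDC path once 2FA is mandatory is then a matter of either tightening the `Require` on `/login/krb` or having the application reject Kerberos-authenticated sessions for that group.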

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org