Hi,

Since Fedora rawhide compose 20250927.n.0, the MIT Kerberos build in Rawhide
supports automatic handling of multi-factor Kerberos authentication
provided by FreeIPA (OTP tokens, RADIUS authentication, external IdP,
passkey, etc.). And since Fedora rawhide compose 20250926.n.0, the
fedora-packager package enables this support for the FEDORAPROJECT.ORG
realm.

This means that if you are using OTP tokens for your Fedora account, you
can simply use

$ kinit [email protected]

and the Kerberos library will handle the rest automatically. What happens
behind the scenes is that the Kerberos library first acquires an anonymous
PKINIT ticket and then uses this ticket to wrap (armor) the request for
your credentials. This enables the FreeIPA KDC to advertise the multi-factor
authentication methods associated with your account.

Currently, to achieve multi-factor authentication you need to perform
the same operations manually as separate steps:

$ kinit -c temp.ccache -n @FEDORAPROJECT.ORG
$ kinit -T temp.ccache [email protected]

These are still possible, so the fkinit tool will continue to work.

The implementation is going to change as we prepare to merge this
feature upstream and make it work with more complex scenarios like the
upcoming IAKERB support, but the code we have now is something we'd like
to test in Rawhide.

So, if you are a Fedora packager who uses multi-factor authentication
for your Fedora account, please try it in Rawhide.

How to try:

1. Create a Fedora Rawhide toolbox:
$ toolbox create rawhide -i fedora-toolbox:44
$ toolbox enter rawhide
[rawhide] $ sudo dnf install fedora-packager-kerberos
[rawhide] $ kinit [email protected]
[rawhide] $ klist -C

For example, below is my attempt after I installed those packages and
asked to acquire a Kerberos ticket valid for 7 days. The FEDORAPROJECT.ORG
Kerberos KDC doesn't allow longer tickets, but I got a ticket I can
renew within one week:

["rawhide"]$ kinit -l 14d [email protected]
Enter OTP Token Value:
["rawhide"]$ klist -C
Ticket cache: KCM:1000:2874
Default principal: [email protected]

Valid starting       Expires              Service principal
config: pa_type(krbtgt/[email protected]) = 141
config: fast_avail(krbtgt/[email protected]) = yes
29.09.2025 11:52:20  30.09.2025 15:52:20  
krbtgt/[email protected]
        renew until 06.10.2025 11:52:20

The 'pa_type' configuration entry above says '141', which is the number
under which the OTP/RADIUS pre-authentication method is registered in
Kerberos:

     141   PA-OTP-CHALLENGE              [RFC6560]

If you don't use multi-factor methods, the Rawhide version of Kerberos will
use the SPAKE method:

     151   PA-SPAKE                      [RFC9588]

The other supported methods in FreeIPA are

     152   PA-REDHAT-IDP-OAUTH2
     153   PA-REDHAT-PASSKEY

They should also work just fine, though the Fedora deployment of FreeIPA
does not make it easy to enable them for Fedora packagers.
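To confirm that a ticket really came from a multi-factor method under FAST
armor rather than a plain password exchange, the 'pa_type' and 'fast_avail'
entries from 'klist -C' can be checked. The script below is an added example,
not part of this mail or of the fedora-packager tooling; the two klist
listings are constructed from the output shown above, and 'someuser' is a
placeholder principal.

```shell
#!/bin/sh
# Constructed sample `klist -C` output, modelled on the listing in this mail.
# "someuser" is a placeholder; real output shows your own principal.
SAMPLE_OTP='Ticket cache: KCM:1000:2874
Default principal: someuser@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
config: pa_type(krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG) = 141
config: fast_avail(krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG) = yes
29.09.2025 11:52:20  30.09.2025 15:52:20  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 06.10.2025 11:52:20'

# Constructed: what a password-only (SPAKE) login looks like instead.
SAMPLE_SPAKE='Ticket cache: KCM:1000:2875
Default principal: someuser@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
config: pa_type(krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG) = 151
config: fast_avail(krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG) = yes
29.09.2025 12:00:00  30.09.2025 12:00:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG'

# Name for a pre-authentication type number (the numbers listed in this mail).
pa_type_name() {
    case "$1" in
        141) echo "PA-OTP-CHALLENGE (RFC 6560)" ;;
        151) echo "PA-SPAKE (RFC 9588)" ;;
        152) echo "PA-REDHAT-IDP-OAUTH2" ;;
        153) echo "PA-REDHAT-PASSKEY" ;;
        *)   echo "unknown" ;;
    esac
}

# Pull the pa_type / fast_avail value out of the krbtgt config entries on stdin.
pa_type_of()    { sed -n 's/^config: pa_type(krbtgt[^)]*) = \([0-9]*\)$/\1/p' | head -n 1; }
fast_avail_of() { sed -n 's/^config: fast_avail(krbtgt[^)]*) = \([a-z]*\)$/\1/p' | head -n 1; }

# Read `klist -C` output on stdin, print a one-line summary and succeed (exit 0)
# only when the TGT came from a multi-factor method obtained under FAST armor.
check_mfa() {
    cm_out=$(cat)
    cm_pa=$(printf '%s\n' "$cm_out" | pa_type_of)
    cm_fast=$(printf '%s\n' "$cm_out" | fast_avail_of)
    printf 'pa_type=%s (%s) fast_avail=%s\n' "${cm_pa:-none}" \
        "$(pa_type_name "${cm_pa:-none}")" "${cm_fast:-unknown}"
    case "$cm_pa" in
        141|152|153) [ "$cm_fast" = yes ] ;;
        *) return 1 ;;
    esac
}

# On a live cache this is simply: klist -C | check_mfa
printf '%s\n' "$SAMPLE_OTP" | check_mfa
```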

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
devel mailing list -- [email protected]