On Thu, Jun 11, 2026 at 08:46:45AM -0500, Michael Catanzaro via devel wrote:
I'm afraid Fedora is just not ready for 2FA. Kerberos is currently
the biggest problem. No way would I be willing to enable 2FA before
gnome-online-accounts is able to handle ticket renewals:
https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171
I wrote a simple script to access a keypassxc database on my private nextcloud
instance. It makes using 2FA with Fedora reasonably easy. And yes in theory I
shouldn't have passwords and totp in the same db, but I'm ok with that.
Steve
#!/bin/bash
# I've taken the process below from the fkinit shell script. I used to use
# that script directly, but as of 2024-12 it has changed to separately prompt
# for the password and totp. There is no way to pass in the password and
# totp from the command line anymore so I had to take a different approach.
# The cache is known by two names. The "man kinit" page says that "kinit -c"
# specifies the Kerberos 5 credentials (ticket) cache. It also says that
# "kinit -T" specifies the "armor_ccache". As far as I can tell, they are
# essentially the same. In any case, we use the same temporary file for both.
# For brevity, I refer to a credentials cache as a ccache.
# TUNABLE PARAMETERS
#
# nextcloud password file:
DB="${HOME}/Nextcloud/Shared_Files/passwords.kdbx"
ACCOUNT="[email protected]"
# Our working credentials will be stored by the KCM daemon so it is ok to
# delete the temporary file. Thus we destroy the armor ccache file on exit.
finalize()
{
rm -f $armorcache
}
trap finalize EXIT
# Get a temporary file for the armor cache.
armorcache=$(mktemp)
# Ask for the key to the nextcloud keypass database.
IFS= read -s -p "Password: " PASSWORD
echo
# Extract the password and totp from keepass.
PW=$(echo "$PASSWORD" | keepassxc-cli show -q -a "password" "$DB" /Linux/Fedora)
TOTP=$(echo "$PASSWORD" | keepassxc-cli show -q -t "$DB" /Linux/Fedora)
# Blow away any prior tickets, because they are likely out of date, else we
# wouldn't be running this script in the first place. This will operate on
# the ccache stored in the KCM daemon because we don't specify the ccache.
kdestroy
# Note that we are using 2-factor authentication, which requires that the
# kinit be done in two phases - once for an anonymous user to prime the
# temporary ccache, and once to get the ticket for the actual user.
#
# See this web page for more details:
# https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit
# Prime the ccache for an anonymous user. This will later be used to encrypt
# the transaction for the actual user:
kinit -n @FEDORAPROJECT.ORG -c FILE:$armorcache
# Pass in the password and totp to get a ticket for the named user:
echo -n ${PW}${TOTP} | \
kinit -T FILE:$armorcache "$ACCOUNT" > /dev/null
# Show what we got:
echo
klist
exit 0
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new