On Thu, Jun 11, 2026 at 08:46:45AM -0500, Michael Catanzaro via devel wrote:
I'm afraid Fedora is just not ready for 2FA. Kerberos is currently
the biggest problem. No way would I be willing to enable 2FA before
gnome-online-accounts is able to handle ticket renewals:
https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171

I wrote a simple script to access a keypassxc database on my private nextcloud 
instance.  It makes using 2FA with Fedora reasonably easy.  And yes in theory I 
shouldn't have passwords and totp in the same db, but I'm ok with that.

        Steve


#!/bin/bash

# I've taken the process below from the fkinit shell script.  I used to use
# that script directly, but as of 2024-12 it has changed to separately prompt
# for the password and totp.  There is no way to pass in the password and
# totp from the command line anymore so I had to take a different approach.

# The cache is known by two names.  The "man kinit" page says that "kinit -c"
# specifies the Kerberos 5 credentials (ticket) cache.  It also says that
# "kinit -T" specifies the "armor_ccache".  As far as I can tell, they are
# essentially the same.  In any case, we use the same temporary file for both.
# For brevity, I refer to a credentials cache as a ccache.

# TUNABLE PARAMETERS
#
# nextcloud password file:
DB="${HOME}/Nextcloud/Shared_Files/passwords.kdbx"
ACCOUNT="[email protected]"

# Our working credentials will be stored by the KCM daemon so it is ok to
# delete the temporary file.  Thus we destroy the armor ccache file on exit.
finalize()
{
        rm -f $armorcache
}
trap finalize EXIT

# Get a temporary file for the armor cache.
armorcache=$(mktemp)

# Ask for the key to the nextcloud keypass database.
IFS= read -s -p "Password: " PASSWORD
echo

# Extract the password and totp from keepass.
PW=$(echo "$PASSWORD" | keepassxc-cli show -q -a "password" "$DB" /Linux/Fedora)
TOTP=$(echo "$PASSWORD" | keepassxc-cli show -q -t "$DB" /Linux/Fedora)

# Blow away any prior tickets, because they are likely out of date, else we
# wouldn't be running this script in the first place.  This will operate on
# the ccache stored in the KCM daemon because we don't specify the ccache.
kdestroy

# Note that we are using 2-factor authentication, which requires that the
# kinit be done in two phases - once for an anonymous user to prime the
# temporary ccache, and once to get the ticket for the actual user.
#
# See this web page for more details:
# https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit

# Prime the ccache for an anonymous user.  This will later be used to encrypt
# the transaction for the actual user:
kinit -n @FEDORAPROJECT.ORG -c FILE:$armorcache

# Pass in the password and totp to get a ticket for the named user:
echo -n ${PW}${TOTP} | \
    kinit -T FILE:$armorcache "$ACCOUNT" > /dev/null

# Show what we got:
echo
klist

exit 0
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to