On Thu, Jun 11, 2026 at 11:02 AM Mattia Verga via devel <
[email protected]> wrote:

> Il 11/06/26 15:56, Dominik 'Rathann' Mierzejewski ha scritto:
> > On Thursday, 11 June 2026 at 15:46, Michael Catanzaro via devel wrote:
> >>     I use 2FA for basically everything except Fedora. Yet my Fedora
> account
> >>     is one of my highest-value accounts. Compromise a Fedora packager
> and
> >>     you can push malware more or less directly to users.
> >>
> >>     I'm afraid Fedora is just not ready for 2FA. Kerberos is currently
> the
> >>     biggest problem. No way would I be willing to enable 2FA before
> >>     gnome-online-accounts is able to handle ticket
> >>     renewals:
> https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171
> > [...]
> >
> > FWIW, I've been using YubiKey-based OTP (via ykman) and fkinit for 2FA
> with
> > Fedora account for quite some time now and it works quite well.
> >
> > Regards
> > Dominik
>
> I've recently purchased a yubikey, but I didn't set up it for
> authentication with Fedora kerberos. Is there any guide on how to do that?
>
> BTW my idea of using a yubikey with kerberos is to issue fkinit + enter
> yubikey pin and confirm user presence: is it possible? I must say I'm a
> newby with hardware tokens and I struggled a lot to understand how to
> configure the key for basic usage like storing ssh keys for several
> online accounts. I thought it was and should be easier for users to set
> up their devices.
>

What you're basically asking for there is to set up your Yubikey as a
smart-card with your Fedora account. In theory, the FreeIPA system backing
it would support this, but I don't know what it would take to accomplish
with the Fedora Accounts bits layered on top.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to