On Чцв, 11 чэр 2026, Stephen Gallagher wrote:
On Thu, Jun 11, 2026 at 11:02 AM Mattia Verga via devel <[1][email protected]> wrote: > Il 11/06/26 15:56, Dominik 'Rathann' Mierzejewski ha scritto: > > On Thursday, 11 June 2026 at 15:46, Michael Catanzaro via devel wrote: > >> I use 2FA for basically everything except Fedora. Yet my Fedora > account > >> is one of my highest-value accounts. Compromise a Fedora packager > and > >> you can push malware more or less directly to users. > >> > >> I'm afraid Fedora is just not ready for 2FA. Kerberos is > currently the > >> biggest problem. No way would I be willing to enable 2FA before > >> gnome-online-accounts is able to handle ticket > >> renewals: > [2]https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171 > > [...] > > > > FWIW, I've been using YubiKey-based OTP (via ykman) and fkinit for 2FA > with > > Fedora account for quite some time now and it works quite well. > > > > Regards > > Dominik > I've recently purchased a yubikey, but I didn't set up it for > authentication with Fedora kerberos. Is there any guide on how to do > that? > BTW my idea of using a yubikey with kerberos is to issue fkinit + enter > yubikey pin and confirm user presence: is it possible? I must say I'm a > newby with hardware tokens and I struggled a lot to understand how to > configure the key for basic usage like storing ssh keys for several > online accounts. I thought it was and should be easier for users to set > up their devices. What you're basically asking for there is to set up your Yubikey as a smart-card with your Fedora account. In theory, the FreeIPA system backing it would support this, but I don't know what it would take to accomplish with the Fedora Accounts bits layered on top.
Both FIDO2 and smartcard-based setup are possible with FreeIPA. Indeed, there is some trouble with Fedora Accounts (Nogin) bits. I have some news to share at the Flock, but I had hard time finding *anyone* from the accounts team to respond to my queries over Matrix and IRC in the past few months. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
