Jason L Tibbitts III wrote:
> >>>>> Mattia Verga via devel <[email protected]> writes:  
> > I've recently purchased a yubikey, but I didn't set up it for
> > authentication with Fedora kerberos. Is there any guide on how to do
> > that?  

You can use a Yubikey to generate the OATH-TOTP codes that FAS supports.
The GUI program for that became packaging-unfriendly and was dropped
from Fedora, but there's the command-line program "ykman" and a wrapper
script called "ykocli".

The secret from which TOTPs are generated is written to the Yubikey when
you set it up, and can't be read back out, which makes the Yubikey a
true second factor. You can configure it to require you to show your
presence by touching the Yubikey. If the touch requirement is disabled,
then someone with remote access can generate TOTPs while the Yubikey is
plugged in.

I use this for various websites, but not for Fedora. The workflow with
fedpkg and kinit or fkinit is designed around typing a password and
optionally a TOTP. My "password" is a strong random passcode stored in a
passcode manager. I'm not going to type that. I can pipe the passcode
from the passcode manager to kinit, but that leaves no place for a TOTP.
I need to write a program to integrate fedpkg, kinit, the passcode
manager and the Yubikey before I can use OATH-TOTP with FAS.

If your FAS password is so weak that you can remember it and type it,
then you can probably use OATH-TOTP with FAS – and then you're also
among those who need it most.

> You know, I'm in the same boat except that I've owned yubikeys for
> probably over a decade but never got to the point where I actually used them 
> for
> anything.  (And now they're probably too old to be useful, if I could
> even find them.)

I bought my Yubikey 4 in 2017. It works with OATH-TOTP, so it should
work with FAS if the workflow were acceptable. It also works with U2F
among other things. For FIDO2 you need a newer Yubikey 5.

Björn Persson

Attachment: pgpyi0cJTmuyj.pgp
Description: OpenPGP digital signatur

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to