On Пят, 19 чэр 2026, Mattia Verga via devel wrote:
Il 17/06/26 18:51, Adam Williamson ha scritto:
As someone with 2FA enabled, I have to use my second factor when
authenticating to kerberos in order to be able to submit builds. Yes, I
don't have to use the second factor every time I do a push to dist-git,
at least not currently (though 2FA was required to issue the token the
process uses, and that token can be stored pretty securely). But as
Daniel says, waiting for things to be perfect before having the
requirement doesn't seem sensible. It's still much safer with 2FA on
than without.

I also have 2FA enabled and use kerberos to avoid logging in separately
in each Fedora places. But as someone who do 99.99% of Fedora related
work on my home PC or in a VM inside it, I'd like to have the kerberos
ticket validity more than just a day... at least a week, or perhaps a
month. I doubt anyone stealing my PC or sneaking access to it just to
hack Fedora stuff...

As said by others, you don't need the ticket validity for longer time.
Instead, what you are looking at is renewable tickets. This is working
well with KCM storage -- sssd_kcm is refreshing tickets automatically.
Fedora's FreeIPA deployment is configured to allow two weeks of total
renewable time of 24hr tickets.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to