On Fri, Jun 19, 2026 at 07:37:35PM +0300, Alexander Bokovoy wrote: > On Пят, 19 чэр 2026, Mattia Verga via devel wrote: > > Il 17/06/26 18:51, Adam Williamson ha scritto: > > > As someone with 2FA enabled, I have to use my second factor when > > > authenticating to kerberos in order to be able to submit builds. Yes, I > > > don't have to use the second factor every time I do a push to dist-git, > > > at least not currently (though 2FA was required to issue the token the > > > process uses, and that token can be stored pretty securely). But as > > > Daniel says, waiting for things to be perfect before having the > > > requirement doesn't seem sensible. It's still much safer with 2FA on > > > than without. > > > > I also have 2FA enabled and use kerberos to avoid logging in separately > > in each Fedora places. But as someone who do 99.99% of Fedora related > > work on my home PC or in a VM inside it, I'd like to have the kerberos > > ticket validity more than just a day... at least a week, or perhaps a > > month. I doubt anyone stealing my PC or sneaking access to it just to > > hack Fedora stuff... > > As said by others, you don't need the ticket validity for longer time. > Instead, what you are looking at is renewable tickets. This is working > well with KCM storage -- sssd_kcm is refreshing tickets automatically. > Fedora's FreeIPA deployment is configured to allow two weeks of total > renewable time of 24hr tickets.
Just to clarify, the current policy is: Max renew: 604800 ( 7 days) Max life: 100800 ( 28 hours) kevin -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
