On Fri, Jun 19, 2026 at 07:37:35PM +0300, Alexander Bokovoy wrote:
> On Пят, 19 чэр 2026, Mattia Verga via devel wrote:
> > Il 17/06/26 18:51, Adam Williamson ha scritto:
> > > As someone with 2FA enabled, I have to use my second factor when
> > > authenticating to kerberos in order to be able to submit builds. Yes, I
> > > don't have to use the second factor every time I do a push to dist-git,
> > > at least not currently (though 2FA was required to issue the token the
> > > process uses, and that token can be stored pretty securely). But as
> > > Daniel says, waiting for things to be perfect before having the
> > > requirement doesn't seem sensible. It's still much safer with 2FA on
> > > than without.
> > 
> > I also have 2FA enabled and use kerberos to avoid logging in separately
> > in each Fedora places. But as someone who do 99.99% of Fedora related
> > work on my home PC or in a VM inside it, I'd like to have the kerberos
> > ticket validity more than just a day... at least a week, or perhaps a
> > month. I doubt anyone stealing my PC or sneaking access to it just to
> > hack Fedora stuff...
> 
> As said by others, you don't need the ticket validity for longer time.
> Instead, what you are looking at is renewable tickets. This is working
> well with KCM storage -- sssd_kcm is refreshing tickets automatically.
> Fedora's FreeIPA deployment is configured to allow two weeks of total
> renewable time of 24hr tickets.

Just to clarify, the current policy is: 

Max renew: 604800 ( 7 days)
Max life: 100800 ( 28 hours)

kevin
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to