Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On 4/8/22 13:28, Björn Persson wrote:
> Michael Catanzaro wrote:
>> On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher
>> wrote:
>>> Well, it *could* grow an interface to some of the password wallet
>>> services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
>>> 1password, etc.) and configure it to query that service and append the
>>> code to the password. It doesn't help if you want/need a physical
>>> token, though.
>>
>> Good idea. Of course we'd probably want to use GNOME Keyring for this
>> (which does not currently support third-party services, but could in
>> the future). I suppose gnome-online-accounts would only need to store
>> the TOTP/HOTP seed and some config data.
>
> This sounds like you would store the password and the TOTP seed
> together in the same keyring. That's rather pointless. If you store two
> secrets together, then they are effectively a single secret, and the
> TOTP just adds an unnecessary step to the authentication protocol. It's
> better to generate a long random key for your "password", store that in
> your keyring, and not bother with TOTP.
>
> Two-factor authentication is when you have two secrets stored in two
> different storage media, for example one in Gnome Keyring and the
> other in a Yubikey.
>
> If the keyring is encrypted with a master passphrase, then that's also
> two-factor authentication. The encrypted key stored in the keyring is
> one factor, and the master passphrase stored in the user's brain is the
> other factor. In that case a TOTP seed stored in a Yubikey becomes a
> third factor.

That is basically what I do. I use full disk encryption, which means that the entire drive (not just the keyring) is encrypted. That is one factor, and the keyring is the other.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Fri, Apr 8, 2022 at 1:29 PM Björn Persson wrote:
>
> Michael Catanzaro wrote:
> > On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher
> > wrote:
> > > Well, it *could* grow an interface to some of the password wallet
> > > services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
> > > 1password, etc.) and configure it to query that service and append the
> > > code to the password. It doesn't help if you want/need a physical
> > > token, though.
> >
> > Good idea. Of course we'd probably want to use GNOME Keyring for this
> > (which does not currently support third-party services, but could in
> > the future). I suppose gnome-online-accounts would only need to store
> > the TOTP/HOTP seed and some config data.
>
> This sounds like you would store the password and the TOTP seed
> together in the same keyring. That's rather pointless. If you store two
> secrets together, then they are effectively a single secret, and the
> TOTP just adds an unnecessary step to the authentication protocol. It's
> better to generate a long random key for your "password", store that in
> your keyring, and not bother with TOTP.

It would be pointless if you did this everywhere, but not if you only did it for certain excepted services that you trust. Then, you're using 2FA everywhere except that trusted service. Many services with 2FA support application-specific passwords that are intended to be used once in a trusted service and forgotten, leaving that service the only application that uses that specific credential (usually used for applications that are not interactive or otherwise don't support OTP codes). This also allows that service's password to be revoked independently. So, the authentication requirements would look like:

(password + OTP) OR (app-specific password 1) OR (app-specific password 2) OR etc.

Fedora could provide application-specific passwords in our OTP implementation for that purpose.

Or, GNOME could be made to prompt for a new OTP when needed, use it to get a new Kerberos ticket, and then discard it until that ticket can no longer be renewed without re-authenticating. Even then, the OTP should only be requested when the credential is actually being used by the user. The first option is simpler and a reasonable compromise, but the second is clearly more secure.
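The policy written out in the message above, (password + OTP) OR (app-specific password N), as an added Python example; it is not code from Fedora, FreeIPA or GNOME. The `Account` class, its method names, the PBKDF2 parameters and the sample secrets are assumptions made for illustration; the `totp` routine follows RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(seed: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _kdf(secret: str, salt: bytes) -> bytes:
    # Illustrative parameters (assumption); tune the work factor in practice.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Hypothetical server-side record implementing the OR policy."""

    def __init__(self, password: str, totp_seed: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)
        self.totp_seed = totp_seed
        self.app_passwords: Dict[str, bytes] = {}  # label -> hash
        self.last_step = -1  # highest TOTP step already accepted

    def issue_app_password(self, label: str) -> str:
        """Create a random credential meant for exactly one application."""
        token = secrets.token_urlsafe(24)
        self.app_passwords[label] = _kdf(token, self.salt)
        return token  # shown once; only the hash is kept

    def revoke_app_password(self, label: str) -> None:
        """Revoke one application's credential without touching the others."""
        self.app_passwords.pop(label, None)

    def authenticate(self, secret: str, otp: Optional[str] = None,
                     now: Optional[float] = None) -> Optional[str]:
        """Return which branch of the policy matched, or None."""
        now = time.time() if now is None else now
        candidate = _kdf(secret, self.salt)
        if otp is not None:
            # Branch 1: password AND a fresh OTP, taken as separate inputs.
            if not hmac.compare_digest(candidate, self.pw_hash):
                return None
            current = int(now) // STEP
            for step in (current, current - 1, current + 1):  # clock skew
                expected = totp(self.totp_seed, step * STEP).encode()
                if step > self.last_step and hmac.compare_digest(
                        expected, otp.encode()):
                    self.last_step = step  # a code is accepted only once
                    return "password+otp"
            return None
        # Remaining branches: an app-specific password, no OTP involved.
        # The account password is never checked here, so it cannot log in alone.
        for label, stored in self.app_passwords.items():
            if hmac.compare_digest(candidate, stored):
                return "app:" + label
        return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    acct = Account("constructed-password", b"12345678901234567890")
    goa = acct.issue_app_password("gnome-online-accounts")
    print(acct.authenticate(goa))                     # app-specific branch
    print(acct.authenticate("constructed-password"))  # None: OTP missing
```

Because each application holds its own random credential, revoking the one stored in a keyring leaves the interactive password + OTP login and every other application's credential untouched.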
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
Vitaly Zaitsev via devel wrote:
> If Fedora's kinit will start asking for an OTP code in a separate field,
> it would technically be possible to store the password in Gnome Keyring
> and just ask for an OTP code once a week.

It should ask for an OTP when the user does something that requires authentication, if the previous ticket has expired. Don't ask for authentication just for the sake of renewing a ticket when the user is doing something else. That would teach users dangerous habits.

Björn Persson
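The prompting rule argued for in the message above, as an added Python example that is not part of the thread or of GNOME Online Accounts. It assumes a 24-hour ticket lifetime and a one-hour renewal margin; the 7-day renewable window is the figure quoted elsewhere in the thread, and every name in the code is hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple

HOUR = 3600
DAY = 24 * HOUR


class Action(Enum):
    USE = "ticket still valid"
    RENEW = "renew silently, no credentials needed"
    PROMPT = "ask the user for a fresh OTP"
    IDLE = "no ticket, and nobody needs one right now"


@dataclass
class Ticket:
    endtime: int     # ticket is unusable from this time on
    renew_till: int  # renewals cannot push endtime past this


def decide(ticket: Optional[Ticket], now: int, user_requesting: bool,
           prompt_only_on_use: bool = True, margin: int = HOUR) -> Action:
    """Pick the agent's next step for the current ticket state."""
    if ticket is not None and now < ticket.endtime:
        near_expiry = ticket.endtime - now <= margin
        can_extend = ticket.endtime < ticket.renew_till
        return Action.RENEW if near_expiry and can_extend else Action.USE
    # An expired ticket cannot be renewed; a new login with an OTP is needed.
    if user_requesting or not prompt_only_on_use:
        return Action.PROMPT
    return Action.IDLE


def simulate(request_hours: Set[int], total_hours: int,
             prompt_only_on_use: bool = True, lifetime: int = DAY,
             renewable: int = 7 * DAY) -> Tuple[List[int], int]:
    """Hourly agent loop; returns (hours with a prompt, silent renewals)."""
    ticket: Optional[Ticket] = None
    prompts: List[int] = []
    renewals = 0
    for hour in range(total_hours):
        now = hour * HOUR
        action = decide(ticket, now, hour in request_hours,
                        prompt_only_on_use)
        if action is Action.RENEW:
            ticket = Ticket(min(now + lifetime, ticket.renew_till),
                            ticket.renew_till)
            renewals += 1
        elif action is Action.PROMPT:
            # The OTP is used once to obtain the ticket and is not stored.
            ticket = Ticket(now + lifetime, now + renewable)
            prompts.append(hour)
    return prompts, renewals


if __name__ == "__main__":
    # Constructed timeline: the user needs a ticket at hours 0, 30 and 216.
    needs = {0, 30, 216}
    print("prompt on use:", simulate(needs, 230))
    print("prompt eagerly:", simulate(needs, 230, prompt_only_on_use=False))
```

With the constructed timeline, the on-use policy prompts at hours 0 and 216, both moments when the user asked for a ticket; the eager variant prompts at hour 168, when the user is doing something else.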
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
Michael Catanzaro wrote:
> On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher
> wrote:
> > Well, it *could* grow an interface to some of the password wallet
> > services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
> > 1password, etc.) and configure it to query that service and append the
> > code to the password. It doesn't help if you want/need a physical
> > token, though.
>
> Good idea. Of course we'd probably want to use GNOME Keyring for this
> (which does not currently support third-party services, but could in
> the future). I suppose gnome-online-accounts would only need to store
> the TOTP/HOTP seed and some config data.

This sounds like you would store the password and the TOTP seed together in the same keyring. That's rather pointless. If you store two secrets together, then they are effectively a single secret, and the TOTP just adds an unnecessary step to the authentication protocol. It's better to generate a long random key for your "password", store that in your keyring, and not bother with TOTP.

Two-factor authentication is when you have two secrets stored in two different storage media, for example one in Gnome Keyring and the other in a Yubikey.

If the keyring is encrypted with a master passphrase, then that's also two-factor authentication. The encrypted key stored in the keyring is one factor, and the master passphrase stored in the user's brain is the other factor. In that case a TOTP seed stored in a Yubikey becomes a third factor.

Björn Persson
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On 07/04/2022 18:30, Stephen Gallagher wrote:
> Well, it *could* grow an interface to some of the password wallet
> services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
> 1password, etc.) and configure it to query that service and append the
> code to the password.

Password+OTP is the worst choice I've ever seen. OTP code must be entered in a separate field.

--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On 07/04/2022 16:58, Michael Catanzaro wrote:
> Well the whole point of gnome-online-accounts is to keep you
> authenticated permanently. That just does not work if your kerberos
> password is an OTP. I'm not sure what we could possibly change.

Kerberos ticket renewal doesn't require you to enter credentials during the grace period (7 days on Fedora).

If Fedora's kinit will start asking for an OTP code in a separate field, it would technically be possible to store the password in Gnome Keyring and just ask for an OTP code once a week.

--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 2:59 PM Michael Catanzaro wrote:
>
> On Thu, Apr 7 2022 at 02:41:42 PM +, Gary Buhrmaster
> wrote:
> > I had thought there was an open (RFE) issue with
> > gnome-online-accounts to request support for
> > OTP use cases, although, as a hard problem, it
> > is likely not going to see a resolution quickly.
>
> Well the whole point of gnome-online-accounts is to keep you
> authenticated permanently. That just does not work if your kerberos
> password is an OTP. I'm not sure what we could possibly change.

Thinking inside the box, I could imagine that if your authenticator token was generated from the key material inside your TPM chip, or secure enclave, or plugged in FIDO2 key, or proximity to some external device (say, your mobile device), that the experience could be (semi-) automated to renew authentication.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 3:50 PM Michael Catanzaro wrote:
>
> On Thu, Apr 7 2022 at 03:46:14 PM -0400, Stephen Gallagher
> wrote:
> > The original message didn't come to fedora-devel. Could you restate
> > what the original issue was so we can take a look?
>
> It did, here:
>
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3R6STPWZ63YP5SR5QRUDGNJXNDUTRCPM/

Odd, it never reached my inbox...

So, "preauthentication failed" means (as has been said earlier in the thread) that you have OTP set up and don't have an armored credential cache set up to use the OTP to secure the communication with the Kerberos server. This is an issue with GOA (so you should file a ticket upstream there).
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7 2022 at 03:46:14 PM -0400, Stephen Gallagher wrote:
> The original message didn't come to fedora-devel. Could you restate
> what the original issue was so we can take a look?

It did, here:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3R6STPWZ63YP5SR5QRUDGNJXNDUTRCPM/
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 3:44 PM Christopher wrote:
>
> On Thu, Apr 7, 2022 at 2:21 PM Michael Catanzaro wrote:
> >
> > On Thu, Apr 7 2022 at 02:10:06 PM -0400, Christopher
> > wrote:
> > > At the very least, it could give a more useful error message. One of
> > > my questions in the original post was whether this is even related to
> > > OTP or not... it's not obvious that it is related at all. So far,
> > > there's discussion in response regarding OTP... I have no reason to
> > > believe that's even the problem yet. It would help if somebody could
> > > confirm that OTP is the cause of this error, and that it still works
> > > otherwise.
> >
> > Have you reported a bug (upstream, not downstream)? A bug report would
> > be the place to start.
>
> No. I don't know who upstream is for this. As far as I can tell, this
> is a login service specifically for Fedora developers in GOA. I don't
> even know if this is a message coming remotely, from Fedora's KDC,
> something specific to my FAS account, from a Kerberos library, from
> GOA, or the specific extension or whatever that adds the Fedora
> account as an option to GOA. I usually try to do information gathering
> before filing bugs. Maybe it's a known issue? Maybe it's
> Fedora-specific? Right now, though, I'm just hoping to understand if
> it's just me, or if others, with or without OTP, have also seen it, so
> I know where to look next. If I were to file a bug right now, it would
> almost certainly be against the wrong component, and merely say "saw
> error message X", because I have no information yet.

The original message didn't come to fedora-devel. Could you restate what the original issue was so we can take a look?
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 2:21 PM Michael Catanzaro wrote:
>
> On Thu, Apr 7 2022 at 02:10:06 PM -0400, Christopher
> wrote:
> > At the very least, it could give a more useful error message. One of
> > my questions in the original post was whether this is even related to
> > OTP or not... it's not obvious that it is related at all. So far,
> > there's discussion in response regarding OTP... I have no reason to
> > believe that's even the problem yet. It would help if somebody could
> > confirm that OTP is the cause of this error, and that it still works
> > otherwise.
>
> Have you reported a bug (upstream, not downstream)? A bug report would
> be the place to start.

No. I don't know who upstream is for this. As far as I can tell, this is a login service specifically for Fedora developers in GOA. I don't even know if this is a message coming remotely, from Fedora's KDC, something specific to my FAS account, from a Kerberos library, from GOA, or the specific extension or whatever that adds the Fedora account as an option to GOA. I usually try to do information gathering before filing bugs. Maybe it's a known issue? Maybe it's Fedora-specific? Right now, though, I'm just hoping to understand if it's just me, or if others, with or without OTP, have also seen it, so I know where to look next. If I were to file a bug right now, it would almost certainly be against the wrong component, and merely say "saw error message X", because I have no information yet.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7 2022 at 02:10:06 PM -0400, Christopher wrote:
> At the very least, it could give a more useful error message. One of
> my questions in the original post was whether this is even related to
> OTP or not... it's not obvious that it is related at all. So far,
> there's discussion in response regarding OTP... I have no reason to
> believe that's even the problem yet. It would help if somebody could
> confirm that OTP is the cause of this error, and that it still works
> otherwise.

Have you reported a bug (upstream, not downstream)? A bug report would be the place to start.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher wrote:
> Well, it *could* grow an interface to some of the password wallet
> services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
> 1password, etc.) and configure it to query that service and append the
> code to the password. It doesn't help if you want/need a physical
> token, though.

Good idea. Of course we'd probably want to use GNOME Keyring for this (which does not currently support third-party services, but could in the future). I suppose gnome-online-accounts would only need to store the TOTP/HOTP seed and some config data.

> In the latter case, someone could investigate adding support for
> smartcards to GOA and FAS. A request for a TGT could use the pkinit
> protocol and query your Yubikey for the certificate. I know FAS *could*
> be made to support this, because it's using FreeIPA behind the scenes
> and that supports smartcard auth. I have no idea what it would take for
> GOA, though.

Another good idea. I suppose I was insufficiently creative

Michael
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 10:59 AM Michael Catanzaro wrote:
>
> On Thu, Apr 7 2022 at 02:41:42 PM +, Gary Buhrmaster
> wrote:
> > I had thought there was an open (RFE) issue with
> > gnome-online-accounts to request support for
> > OTP use cases, although, as a hard problem, it
> > is likely not going to see a resolution quickly.
>
> Well the whole point of gnome-online-accounts is to keep you
> authenticated permanently. That just does not work if your kerberos
> password is an OTP. I'm not sure what we could possibly change.
>

Well, if it could try to renew the previous ticket/lease. If that fails, it could have a separate box for the (optional) OTP, and if there was one entered before, it could prompt for a new OTP, so it could at least remember the password.

At the very least, it could give a more useful error message. One of my questions in the original post was whether this is even related to OTP or not... it's not obvious that it is related at all. So far, there's discussion in response regarding OTP... I have no reason to believe that's even the problem yet. It would help if somebody could confirm that OTP is the cause of this error, and that it still works otherwise.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7, 2022 at 10:59 AM Michael Catanzaro wrote:
>
> On Thu, Apr 7 2022 at 02:41:42 PM +, Gary Buhrmaster
> wrote:
> > I had thought there was an open (RFE) issue with
> > gnome-online-accounts to request support for
> > OTP use cases, although, as a hard problem, it
> > is likely not going to see a resolution quickly.
>
> Well the whole point of gnome-online-accounts is to keep you
> authenticated permanently. That just does not work if your kerberos
> password is an OTP. I'm not sure what we could possibly change.

Well, it *could* grow an interface to some of the password wallet services that support TOTP or HOTP codes (like Bitwarden, Lastpass, 1password, etc.) and configure it to query that service and append the code to the password. It doesn't help if you want/need a physical token, though.

In the latter case, someone could investigate adding support for smartcards to GOA and FAS. A request for a TGT could use the pkinit protocol and query your Yubikey for the certificate. I know FAS *could* be made to support this, because it's using FreeIPA behind the scenes and that supports smartcard auth. I have no idea what it would take for GOA, though.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Thu, Apr 7 2022 at 02:41:42 PM +, Gary Buhrmaster wrote:
> I had thought there was an open (RFE) issue with
> gnome-online-accounts to request support for
> OTP use cases, although, as a hard problem, it
> is likely not going to see a resolution quickly.

Well the whole point of gnome-online-accounts is to keep you authenticated permanently. That just does not work if your kerberos password is an OTP. I'm not sure what we could possibly change.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Wed, Apr 6, 2022 at 4:41 PM Michael Catanzaro wrote:

> Myself, I will not enable OTP until there is a way to disable it again.
> Currently, once enabled, you are stuck with it and cannot go back if
> things break, which is too much risk for me.

In some ideal implementation turning on OTP would allow a "revert" functionality (if issued, say, within 24 hours) so that one could test one's use cases before it became (more or less) permanent [0][1]. While OTP is generally considered a good thing to enhance authentication, not easily allowing the community to dip one's toe into waters before jumping in almost certainly slows uptake.

> I'd be very sad if I couldn't use gnome-online-accounts
> to manage kerberos anymore. :/

I had thought there was an open (RFE) issue with gnome-online-accounts to request support for OTP use cases, although, as a hard problem, it is likely not going to see a resolution quickly.

Gary

[0] Some network vendors sort of reverse that, and allow one to commit a change with an automatic revert if it is not confirmed within a specified time. While the automated revert should not be needed often (if ever) if one properly vets the changes in advance, it can save your butt (from having to dispatch remote hands to the physical location to recover the device) when things go sideways.

[1] As I recall, getting OTP turned off by admins for an account (due to issues, or new devices or lost tokens) also requires one to have prepared for such a reversion by creating alternative out of band authentication steps in advance.
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On 06/04/2022 18:40, Michael Catanzaro wrote:
> Currently, once enabled, you are stuck with it and cannot go back if
> things break, which is too much risk for me.

Admins can manually disable OTP from your account.

--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Re: GNOME Online Accounts "Fedora" - Pre-authentication failed
On Wed, Apr 6 2022 at 09:42:42 AM -0400, Christopher wrote:
> Is this a problem with GNOME Online Accounts, or is this a problem with
> the KDC, or is this related to the use of 2FA/OTP? For the password in
> the GNOME Online Accounts dialogue box, I entered my Fedora password
> followed by my OTP.

Er, that's not going to work, because your OTP is going to change, but the password you enter here gets saved locally and therefore has to be static. I don't know what the solution is.

Myself, I will not enable OTP until there is a way to disable it again. Currently, once enabled, you are stuck with it and cannot go back if things break, which is too much risk for me.

I'd be very sad if I couldn't use gnome-online-accounts to manage kerberos anymore. :/

Michael
GNOME Online Accounts "Fedora" - Pre-authentication failed
In the past, I have used GNOME Online Accounts "Fedora Account" before to maintain my Kerberos identity in my Fedora desktop so I can easily access packager tooling without having to authenticate on the command-line manually. However, this no longer seems to work. Now, I get "Pre-authentication failed: Invalid argument".

Is this a problem with GNOME Online Accounts, or is this a problem with the KDC, or is this related to the use of 2FA/OTP? For the password in the GNOME Online Accounts dialogue box, I entered my Fedora password followed by my OTP.

Do I need to do something else to use this method to authenticate for Fedora packager tools? Or is this permanently broken?

Thanks,
Christopher