On Mon, Jun 24, 2024 at 01:33:52PM -0400, Stephen Gallagher wrote:
> On Mon, Jun 24, 2024 at 1:30 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
> >
> > On Mon, Jun 24, 2024 at 05:11:07PM +0000, Mattia Verga via devel wrote:
> > >
> > > -------- Original message --------
> > > 24/06/24 18:21, Kevin Fenzi <ke...@scrye.com> wrote:
> > >
> > > >
> > > >  I personally don't see why entering an OTP once a week is such a
> > > >  burden... but it does seem to be. ;(
> > > >
> > >
> > > Once a week? When I get a kerberos ticket with fkinit it expires
> > > after 24h. Is there a setting to change somewhere to make it last
> > > a week?
> >
> > Tickets expire after 24 hours, but before expiry, it is possible
> > to request renewal, e.g.
> >
> >   kinit <fas-user-name>@FEDORAPROJECT.ORG -R
> >
> > This renewal won't prompt for credentials. IIUC, it basically just
> > validates that your krb account hasn't been disabled by the server
> > admin.
> >
> > klist will tell you the upper limit on renewals before you must
> > fully re-authenticate, and in Fedora it appears to be 7 days.
> >
> > Note, you *MUST* renew it before it expires, as you can't renew an
> > expired ticket, even if it were still within the renewal lifetime.
> >
> > Incidentally there's not particularly any need to use fkinit, as
> > it is just a thin wrapper around kinit. It avoids the need to type
> > the "@FEDORAPROJECT.ORG" part of your krb account, and for some
> > reason forces use of the "FILE" credential cache, overriding the
> > system default. The latter feels dubious to me but perhaps there's
> > some good reason for it?
> >
> 
> It's required if you are using 2FA because it handles the fact that
> you need to do TWO kinit actions, one to set up the anonymous
> pre-authentication channel and another to actually send the
> credentials. I wrote fkinit to abstract those details for Fedora users
> since it's subtle and easy to get wrong. Also, it doesn't use the FILE
> credential cache for the final credentials, it uses whatever your
> system default is. It only uses FILE: to set up the preauthentication
> channel.

Ah that's interesting to know, thanks!  

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
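
The renewal rules described in this thread (24-hour ticket, `kinit -R` only while the ticket is still valid, a hard "renew until" limit shown by `klist`), as an added example that is not code from any participant or from fkinit. The sample `klist` output, the principal `alice`, the date format `FMT`, the 4-hour margin and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of MIT `klist` output. The timestamp format
# is locale dependent, so FMT is an assumption to adjust for your system.
FMT = "%m/%d/%Y %H:%M:%S"
SAMPLE = """\
Ticket cache: KCM:1000
Default principal: alice@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
06/24/2024 13:00:00  06/25/2024 13:00:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
\trenew until 07/01/2024 13:00:00
"""

STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TGT = re.compile(rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+(?:\s+renew until ({STAMP}))?", re.M)

def tgt_times(klist_output):
    """Return (expires, renew_until) for the TGT, or None if there is no TGT."""
    m = TGT.search(klist_output)
    if m is None:
        return None
    expires = datetime.strptime(m.group(2), FMT)
    renew_until = datetime.strptime(m.group(3), FMT) if m.group(3) else None
    return expires, renew_until

def renewal_action(klist_output, now, margin=timedelta(hours=4)):
    """Return 'ok', 'renew' (run kinit -R) or 'reauthenticate' (full login)."""
    times = tgt_times(klist_output)
    if times is None:
        return "reauthenticate"          # no TGT in the cache
    expires, renew_until = times
    if now >= expires:
        return "reauthenticate"          # an expired ticket cannot be renewed
    if expires - now > margin:
        return "ok"                      # plenty of lifetime left
    if renew_until is not None and renew_until > expires:
        return "renew"                   # renewal can still extend the ticket
    return "reauthenticate"              # renewal window exhausted or absent

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    action = renewal_action(out, datetime.now())
    print(action)
    if action == "renew":
        subprocess.run(["kinit", "-R"], check=True)
```

Run from a timer or cron job at an interval shorter than the margin, this keeps a ticket alive up to the renewal limit without ever letting it lapse.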