On Mon, 24 Jun 2024, Alexander Bokovoy wrote:
On Sun, 23 Jun 2024, Neal Gompa wrote:
On Sun, Jun 23, 2024 at 11:59 AM Miroslav Suchý <msu...@redhat.com> wrote:

On 23. 06. 24 at 11:50 AM, Leigh Scott wrote:

it has made kerberos login much harder

Can you elaborate?

I use Kerberos login without a problem.

I'm considering ditching provenpackager rights if that is a condition.

Or you can help us to improve the user experience.


What reasonable path do any of us have to improve that user
experience? Most of the problems are tied up in FreeIPA. This is not
exactly a system that any Fedora contributor is necessarily skilled
in, and the complexity of the stack makes it difficult for a newcomer
to grasp. It's not like the old FAS which was all in Python, even if
it was custom.

I've asked before about making GOA and KAccounts support Kerberos-FAS
fully even with MFA, and I've been told that it's basically not
possible as things currently stand.

Can you point me to a discussion where it says it is impossible to
implement that in GOA?

The missing part here is time and effort, not a technical limitation.

GOA already has all the needed bits and pieces to support Fedora's use of
the multi-factor Kerberos methods FreeIPA provides; there is a need to add
a way to configure and acquire an anonymous PKINIT ticket, which is a
couple dozen lines of code.

I've been against the move to MFA for the sole reason that there has
been no effort around supporting it in GOA in a decade. What makes me
think it would change now?

I have a work-in-progress branch
https://gitlab.gnome.org/abbra/gnome-online-accounts/-/tree/add-fast-channel-wrap?ref_type=heads
that attempts to implement use of Anonymous PKINIT for the FAST channel
in GOA. I am talking to Ray Strode to get this further upstream.

Small update. We've got to the point where I am able to handle all
FreeIPA supported pre-authentication methods in GNOME Online Accounts. I
am working with Ray on fixing up some UX stuff that comes in the way of
first probing for a supported method and then asking for the credentials
(as opposed to first asking for a password and then authenticating now).

Progress can be tracked in the following merge request:
https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/merge_requests/250

We aim to finish this for GNOME 47, give or take.

I am on vacation for this week and next and might have some time to
advance this work...


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org