On Mon, 28 Nov 2016 11:51:36 -0500
Nathaniel McCallum wrote:
> On Mon, Nov 28, 2016 at 3:10 AM, Alexander Bokovoy
> wrote:
> > On Sun, 27 Nov 2016, Ken Dreyer wrote:
> >>
> >> On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy
> >> wrote:
> >>>
> >>> Heimdal does not support MS-KKDCP spec
On Mon, Nov 28, 2016 at 3:10 AM, Alexander Bokovoy wrote:
> On Sun, 27 Nov 2016, Ken Dreyer wrote:
>>
>> On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy
>> wrote:
>>>
>>> Heimdal does not support MS-KKDCP spec, so you are left with direct
>>> Kerberos communication over port 88/tcp or 88/udp
On Mon, Nov 21, 2016 at 10:03 AM, Alexander Bokovoy wrote:
> On Mon, 21 Nov 2016, Florian Weimer wrote:
>>
>> On 11/21/2016 01:31 PM, Stephen Gallagher wrote:
>>
>> Thanks for your explanation.
>>
>>> So yes, we have protection against that. FreeIPA (which is backing this
>>> solution) requires
On Sun, 27 Nov 2016, Ken Dreyer wrote:
On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy wrote:
Heimdal does not support MS-KKDCP spec, so you are left with direct
Kerberos communication over port 88/tcp or 88/udp, but these are enabled
in Fedora infrastructure, yes.
I thought direct Kerbe
On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy wrote:
> Heimdal does not support MS-KKDCP spec, so you are left with direct
> Kerberos communication over port 88/tcp or 88/udp, but these are enabled
> in Fedora infrastructure, yes.
I thought direct Kerberos service was going to be disabled, t
On Fri, 25 Nov 2016 03:19:49 +0100
Kevin Kofler wrote:
> Peter Robinson wrote:
> > Well the koji web interface itself doesn't use authentication
> > anymore, from a fedpkg PoV there's a lot of complexity with http(s)
> > because it could be proxied or NATed (worst is CG-NAT) so the same
> > conne
Peter Robinson wrote:
> Well the koji web interface itself doesn't use authentication anymore,
> from a fedpkg PoV there's a lot of complexity with http(s) because it
> could be proxied or NATed (worst is CG-NAT) so the same connection
> from the same laptop might not even come via the same IP. Bas
On Wed, 23 Nov 2016, Dave Love wrote:
Is this going to work for those of us who use RHEL, not Fedora (and are
only actually interested in EPEL)? Also, will it work with Heimdal
clients? (The Fedora packager stuff is rather hit and miss under EPEL
at the best of times.)
EPEL builds are coming
On Wed, 23 Nov 2016 11:44:14 +
Dave Love wrote:
> Is this going to work for those of us who use RHEL, not Fedora (and
> are only actually interested in EPEL)?
Yes, it should.
> Also, will it work with
> Heimdal clients? (The Fedora packager stuff is rather hit and miss
> under EPEL at t
> On 11/21/2016 03:51 PM, Patrick マルタインアンドレアス Uiterwijk wrote:
>
>
> Exactly like that, yes. It isn't present (yet?) on Fedora 25, though I see now
> it's been added to Rawhide.
Right, I dropped the ball there for a bit while testing.
However, I'm building for epel6,epel7,f23,f24,f25 today, so
Is this going to work for those of us who use RHEL, not Fedora (and are
only actually interested in EPEL)? Also, will it work with Heimdal
clients? (The Fedora packager stuff is rather hit and miss under EPEL
at the best of times.)
> On 11/21/2016 08:07 AM, Vít Ondruch wrote:
>
>
> So, it turns out that this doesn't work yet. It's complicated, but there's a
> patch pending for Koji that will make this work. It hasn't landed yet.
> Hopefully
> that will change before the flag day.
And I'm thrilled to say that my patch to g
On Tue, 22 Nov 2016 11:40:12 +0100
Igor Gnatenko wrote:
> On Nov 22, 2016 10:42 AM, "Vít Ondruch" wrote:
> >...snip...
> > Hm, I would need to downgrade more packages apparently I'll
> > wait and hopefully it'll get fixed soon
> Not really, you hit that bug in dnf about installing l
I am unable to use email correctly today. I apologize for the extra email.
On 22 November 2016 at 10:14, Stephen John Smoogen wrote:
> Off-list:
>
> On 22 November 2016 at 01:12, Kevin Kofler wrote:
>> Dennis Gilmore wrote:
>>> koji authentication will be switching to Kerberos. Koji supports mul
Off-list:
On 22 November 2016 at 01:12, Kevin Kofler wrote:
> Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>> instance internally that has credential syncing to fas. We a
On Nov 22, 2016 10:42 AM, "Vít Ondruch" wrote:
>
>
>
> On 21.11.2016 at 21:52, Patrick マルタインアンドレアス Uiterwijk wrote:
> >> On 21.11.2016 at 16:07, Alexander Bokovoy wrote:
> >>
> >>
> >> $ KRB5_TRACE=/dev/stderr kinit vondruch(a)FEDORAPROJECT.ORG
> >> [8655] 1479746886.252240: Resolving unique
On 21.11.2016 at 21:52, Patrick マルタインアンドレアス Uiterwijk wrote:
>> On 21.11.2016 at 16:07, Alexander Bokovoy wrote:
>>
>>
>> $ KRB5_TRACE=/dev/stderr kinit vondruch(a)FEDORAPROJECT.ORG
>> [8655] 1479746886.252240: Resolving unique ccache of type KEYRING
>> [8655] 1479746886.252281: Getting ini
On Tue, Nov 22, 2016 at 6:12 AM, Kevin Kofler wrote:
> Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>> instance internally that has credential syncing to fas. We are worki
On Mon, Nov 21, 2016 at 07:46:13AM -0500, Stephen Gallagher wrote:
> On 11/21/2016 04:32 AM, Vít Ondruch wrote:
> >
> >
> > On 20.11.2016 at 02:11, Dennis Gilmore wrote:
> >> koji authentication will be switching to Kerberos. Koji supports multiple
> >> authentication mechanisms. Fedora infra
Dennis Gilmore wrote:
> koji authentication will be switching to Kerberos. Koji supports multiple
> authentication mechanisms. Fedora infrastructure has set up a freeipa
> instance internally that has credential syncing to fas. We are working on
> ensuring that gssapi caching is supported so that y
On Mon, 21 Nov 2016, Florian Weimer wrote:
On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
automatically with the help of DNS URI. For older clients w
On 11/21/2016 03:51 PM, Patrick マルタインアンドレアス Uiterwijk wrote:
>> On 11/21/2016 10:32 AM, Florian Weimer wrote:
>>
>> Yes, as I mentioned elsewhere, we should probably have the fedora-packager
>> RPM
>> ship with a krb5.conf.d snippet that sets the appropriate values.
>
> You mean something like
On Mon, Nov 21, 2016 at 5:48 PM, Vít Ondruch wrote:
>
>
> On 21.11.2016 at 16:07, Alexander Bokovoy wrote:
>>
>>>
> }
> [domain_realm]
> .fedoraproject.org = FEDORAPROJECT.ORG
> fedoraproject.org = FEDORAPROJECT.ORG
> ```
>
But apparently, with this snippet, I ca
> On 21.11.2016 at 16:07, Alexander Bokovoy wrote:
>
>
> $ KRB5_TRACE=/dev/stderr kinit vondruch(a)FEDORAPROJECT.ORG
> [8655] 1479746886.252240: Resolving unique ccache of type KEYRING
> [8655] 1479746886.252281: Getting initial credentials for
> vondruch(a)FEDORAPROJECT.ORG
> [8655] 147974688
> On 11/21/2016 10:32 AM, Florian Weimer wrote:
>
> Yes, as I mentioned elsewhere, we should probably have the fedora-packager RPM
> ship with a krb5.conf.d snippet that sets the appropriate values.
You mean something like
http://pkgs.fedoraproject.org/cgit/rpms/fedora-packager.git/commit/?id=b3
On 21.11.2016 at 16:07, Alexander Bokovoy wrote:
>
>>
}
[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
```
>>> But apparently, with this snippet, I can't kinit anymore :/
>>>
>>> ```
>>> $ kinit vondr...@fedoraprojec
On 11/21/2016 10:32 AM, Florian Weimer wrote:
> On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
>
>> Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
>> tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
>> automatically with the help of DNS URI. For olde
On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
automatically with the help of DNS URI. For older clients which don't
support DNS-based discovery you can
On 2016-11-21, Vít Ondruch wrote:
> From: Vít Ondruch
>> You mean something like this?
>>
>> ```
>> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
>> fedora-packager-0.5.10.7-4.fc26.noarch
>>
>> # cat /etc/krb5.conf.d/fedoraproject_org
>> [realms]
>> FEDORAPROJECT.ORG = {
>>
On Mon, 21 Nov 2016, Florian Weimer wrote:
On 11/21/2016 01:31 PM, Stephen Gallagher wrote:
Thanks for your explanation.
So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.
“That” meaning offline attacks withou
On Mon, 21 Nov 2016, Vít Ondruch wrote:
On 21.11.2016 at 14:18, Vít Ondruch wrote:
On 21.11.2016 at 14:07, Vít Ondruch wrote:
On 21.11.2016 at 13:36, Stephen Gallagher wrote:
On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wro
On 11/21/2016 08:07 AM, Vít Ondruch wrote:
>
>
> On 21.11.2016 at 13:36, Stephen Gallagher wrote:
>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
koji authentication will be switching to Kerberos. Koji supports multiple
>
On 21.11.2016 at 14:18, Vít Ondruch wrote:
>
> On 21.11.2016 at 14:07, Vít Ondruch wrote:
>> On 21.11.2016 at 13:36, Stephen Gallagher wrote:
>>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
> koji authentication wil
On 11/21/2016 01:31 PM, Stephen Gallagher wrote:
Thanks for your explanation.
So yes, we have protection against that. FreeIPA (which is backing this
solution) requires preauthentication for all user accounts.
“That” meaning offline attacks without intercepted packets. With
intercepted pack
On 21.11.2016 at 14:07, Vít Ondruch wrote:
>
> On 21.11.2016 at 13:36, Stephen Gallagher wrote:
>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
koji authentication will be switching to Kerberos. Koji supports multiple
On 21.11.2016 at 13:36, Stephen Gallagher wrote:
> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>> koji authentication will be switching to Kerberos. Koji supports multiple
>>> authentication mechanisms. Fedora infrastructure
On 11/21/2016 04:32 AM, Vít Ondruch wrote:
>
>
> On 20.11.2016 at 02:11, Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>> instance
>> internally that has credential
On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>> instance
>> internally that has c
On 11/20/2016 08:50 AM, Florian Weimer wrote:
> On 11/20/2016 02:11 AM, Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>> instance
>> internally that has credential syncing
> On 2016-11-20, 01:11 GMT, Dennis Gilmore wrote:
>
> a) Is it possible to have multiple tickets, each from different
> realm? When I do kinit mcepl(a)FEDORAPROJECT.ORG, klist looks like my
> @REDHAT.COM ticket has been knocked out (i.e., there is only FPO
> ticket there). Ah, klist -A seems
On 11/21/2016 05:02 AM, Matěj Cepl wrote:
> On 2016-11-20, 01:11 GMT, Dennis Gilmore wrote:
>> you can get started today by doing kinit > username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert
>> file out of the way authentication will still work.
>
> a) Is it possible to have multiple ticke
On 2016-11-20, 01:11 GMT, Dennis Gilmore wrote:
> you can get started today by doing kinit username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert
> file out of the way authentication will still work.
a) Is it possible to have multiple tickets, each from different
realm? When I do kinit mc..
On 20.11.2016 at 02:11, Dennis Gilmore wrote:
> koji authentication will be switching to Kerberos. Koji supports multiple
> authentication mechanisms. Fedora infrastructure has set up a freeipa
> instance
> internally that has credential syncing to fas. We are working on ensuring
> that
>
On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
> koji authentication will be switching to Kerberos. Koji supports multiple
> authentication mechanisms. Fedora infrastructure has set up a freeipa
> instance
> internally that has credential syncing to fas. We are working on ensuri
Michael Catanzaro wrote:
> I have no idea how this fancy Kerberos works or integrates with GNOME,
> but the above is a truism that stands the test of time.
Kerberos integrates fine with KDE's Konqueror. If I go to a kerberised page
for which I have a TGT, KDE will do the ticket look up automati
On Ne, 2016-11-20 at 18:47 -0600, Michael Catanzaro wrote:
>
> Well I fixed all my typos except the two in that quote there. :)
> Maybe
> I am a shitty htypist byt yeah I have to use backspace al ot. Somehow
> I
> tnhink the popelo (oh gosh I am doing really badly here) who
> recommend
> passphare
On Sun, 2016-11-20 at 14:06 -0700, Kevin Fenzi wrote:
> Well, this same ticket will hopefully be used to sign you into
> various
> Fedora Infrastructure websites too at some point, so 6 months is way
> too long for that IMHO.
OK I have to bite: I never want to be signed out of websites. If you're
On Sun, 20 Nov 2016 14:36:54 -0600
Michael Catanzaro wrote:
> On Sun, 2016-11-20 at 12:29 -0700, Kevin Fenzi wrote:
> > One question: So, 6 months is long enough for you to use a longer
> > passphrase, but 1 week is not. Where is the line?
>
> I don't know. 6 months seemed good to me. What is
On Sun, 2016-11-20 at 12:29 -0700, Kevin Fenzi wrote:
> One question: So, 6 months is long enough for you to use a longer
> passphrase, but 1 week is not. Where is the line?
I don't know. 6 months seemed good to me. What is the security goal
here?
> and Two suggestions:
>
> 1. Use a password m
On Sun, 2016-11-20 at 11:14 -0700, Kevin Fenzi wrote:
> On Sun, 20 Nov 2016 11:43:55 +0100
> Mathieu Bridon wrote:
> > On Sat, 2016-11-19 at 19:11 -0600, Dennis Gilmore wrote:
> > > We are wanting to write to you all about an important date coming
> > > up. On the 12th of December 2016 we will be
On Sun, 20 Nov 2016 13:03:27 -0600
Michael Catanzaro wrote:
> On Sun, 2016-11-20 at 18:30 +, Tom Hughes wrote:
> > Opening that every six months to copy and paste the password is one
> > thing but I'm not going to be doing that every day/week, so
> > realistically that's going to mean switc
On Sun, 2016-11-20 at 18:30 +, Tom Hughes wrote:
> Opening that every six months to copy and paste the password is one
> thing but I'm not going to be doing that every day/week, so
> realistically that's going to mean switching to a much simpler
> password
> that I can remember.
Yup, if I h
On 20/11/16 18:13, Kevin Fenzi wrote:
On Sun, 20 Nov 2016 10:10:17 +
Tom Hughes wrote:
Bearing in mind that I've never used kerberos before, so I may be
misunderstanding something completely here, a little experimentation
suggests that currently the longest ticket lifetime we can request
w
On Sun, 20 Nov 2016 11:43:55 +0100
Mathieu Bridon wrote:
> Hi,
>
> On Sat, 2016-11-19 at 19:11 -0600, Dennis Gilmore wrote:
> > We are wanting to write to you all about an important date coming
> > up. On the 12th of December 2016 we will be making some important
> > changes that will require ch
On Sun, 20 Nov 2016 10:10:17 +
Tom Hughes wrote:
> On 20/11/16 01:11, Dennis Gilmore wrote:
>
> > koji authentication will be switching to Kerberos. Koji supports
> > multiple authentication mechanisms. Fedora infrastructure has set
> > up a freeipa instance internally that has credential sy
On 11/20/2016 02:11 AM, Dennis Gilmore wrote:
koji authentication will be switching to Kerberos. Koji supports multiple
authentication mechanisms. Fedora infrastructure has set up a freeipa instance
internally that has credential syncing to fas. We are working on ensuring that
gssapi caching is s
On Sun, Nov 20, 2016 at 11:21:03AM +0100, Tomasz Torcz wrote:
> What do you mean by above, exactly? Right now koji certs are signed by
> „Fedora CA”, will those be replaced by certificates signed by universally
> trusted CA?
Yes.
Regards
Till
Hi,
On Sat, 2016-11-19 at 19:11 -0600, Dennis Gilmore wrote:
> We are wanting to write to you all about an important date coming up.
> On the 12th of December 2016 we will be making some important changes
> that will require changes on every developer's machine. In this case
> developers means ever
On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>
> Using well known certs for koji.fedoraproject.org arm.koji.fedoraproject.org
> ppc.koji.fedoraproject.org s390.koji.fedoraproject.org pkgs.fedoraproject.org
> this is the last step needed to have fedoraproject.org switch to hsts
On 20/11/16 01:11, Dennis Gilmore wrote:
koji authentication will be switching to Kerberos. Koji supports multiple
authentication mechanisms. Fedora infrastructure has set up a freeipa instance
internally that has credential syncing to fas. We are working on ensuring that
gssapi caching is suppo
Hi All,
We are wanting to write to you all about an important date coming up. On the
12th of December 2016 we will be making some important changes that will
require changes on every developer's machine. In this case developers means
everyone that interacts with koji using authentication
looka
61 matches