On Sun, 20 Nov 2016 10:10:17 +0000 Tom Hughes <t...@compton.nu> wrote:
> On 20/11/16 01:11, Dennis Gilmore wrote: > > > koji authentication will be switching to Kerberos. Koji supports > > multiple authentication mechanisms. Fedora infrastructure has set > > up a freeipa instance internally that has credential syncing to > > fas. We are working on ensuring that gssapi caching is supported so > > that you can have multiple TGT's and the ability to work in > > multiple reams at once. you can get started today by doing kinit > > <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert > > file out of the way authentication will still work. > > Bearing in mind that I've never used kerberos before, so I may be > misunderstanding something completely here, a little experimentation > suggests that currently the longest ticket lifetime we can request > with kinit is 24 hours? > > It looks like it can be renewed up to a week (well six days, plus the > one day lifetime of the final ticket) but you do have to remember to > keep renewing before the 24 hour expiry is reached. Correct. Thats the current setting. Note that I think gnome online accounts auto handles the renewing for you (but I could be misremembering that) if you are using that. > > All of which is something of a change from the current six month > cycle with the client certificates. True, but getting a new ticket once a week doesn't seem like that big a deal to me. We can of course adjust it if desired. kevin
pgpajpBt5cs5T.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
