On 24. 06. 24 19:38, Stephen Gallagher wrote:
On Mon, Jun 24, 2024 at 1:30 PM Miro Hrončok wrote:
On 24. 06. 24 19:13, Kevin Fenzi wrote:
tickets are valid for 24 hours and can be renewed for 1 week. (Either via
gnome online accounts or just 'kinit -R')
How do I do that?
$ fkinit
... all go
On Mon, 24 Jun 2024, Alexander Bokovoy wrote:
On Sun, 23 Jun 2024, Neal Gompa wrote:
On Sun, Jun 23, 2024 at 11:59 AM Miroslav Suchý wrote:
On 23. 06. 24 at 11:50 AM, Leigh Scott wrote:
it has made kerberos login much harder
Can you elaborate?
I use Kerberos login without a problem.
On Tue, Jun 25, 2024 at 10:47:34AM +0200, Vitaly Zaitsev via devel wrote:
> On 24/06/2024 23:38, Gary Buhrmaster wrote:
> > As I recall from a previous query, there are
> > (around) 90 active proven packagers (and
> > ~250 total who were in the PP group).
>
> I think most privacy/security focused
On Tue, Jun 25, 2024 at 2:22 PM Vitaly Zaitsev via devel
wrote:
> I would prefer this one since I can use open source applications to
> generate these codes. I can't find any FIDO2 implementations that are
> completely open source which doesn't require proprietary technologies
> like TPM or SGX.
On Tue, Jun 25, 2024 at 10:32 AM Vitaly Zaitsev via devel
wrote:
>
> On 25/06/2024 15:06, Stephen Gallagher wrote:
> > I am not a lawyer, but I would assume that if Fedora offered to
> > provide such a token, it would be reviewed by Legal and provide some
> > form of legally-binding assertion that
On Tue, 2024-06-25 at 16:21 +0200, Vitaly Zaitsev via devel wrote:
> On 25/06/2024 15:06, Stephen Gallagher wrote:
> > I am not a lawyer, but I would assume that if Fedora offered to
> > provide such a token, it would be reviewed by Legal and provide some
> > form of legally-binding assertion that
On Tue, 25 Jun 2024, Vitaly Zaitsev via devel wrote:
On 25/06/2024 15:06, Stephen Gallagher wrote:
I am not a lawyer, but I would assume that if Fedora offered to
provide such a token, it would be reviewed by Legal and provide some
form of legally-binding assertion that we weren't sending out
ma
On 25/06/2024 15:06, Stephen Gallagher wrote:
I am not a lawyer, but I would assume that if Fedora offered to
provide such a token, it would be reviewed by Legal and provide some
form of legally-binding assertion that we weren't sending out
malicious devices.
Who can guarantee that these device
On Tue, Jun 25, 2024 at 4:48 AM Vitaly Zaitsev via devel
wrote:
>
> On 24/06/2024 23:38, Gary Buhrmaster wrote:
> > As I recall from a previous query, there are
> > (around) 90 active proven packagers (and
> > ~250 total who were in the PP group).
>
> I think most privacy/security focused develope
On 24.06.24 at 22:29, Simo Sorce wrote:
On Mon, 2024-06-24 at 21:09 +0200, Leon Fauster via devel wrote:
On 24.06.24 at 20:14, Tom Hughes via devel wrote:
On 24/06/2024 18:26, Stephen Gallagher wrote:
Not really an issue if you have GSSAPI set up on your system. Such as
by installing fedora
On 24/06/2024 23:38, Gary Buhrmaster wrote:
As I recall from a previous query, there are
(around) 90 active proven packagers (and
~250 total who were in the PP group).
I think most privacy/security focused developers/maintainers won't plug
USB tokens they get from random people on the Internet
On Mon, Jun 24, 2024 at 5:48 PM Matthew Miller wrote:
>
> If we decide that this is a good idea, we might be able to get funding to
> distribute these to all proven packagers (and perhaps more).
>
FD: I am *strongly* in favor of FIDO2 support.
As I recall from a previous query, there are
(aroun
On Mon, Jun 24, 2024 at 6:02 PM Alexander Bokovoy wrote:
> BTW, the cheapest and verified to work with Fedora USB token I was able
> to find is T2F2-NFC-Slim from Token2.eu:
> https://www.token2.eu/shop/product/token2-t2f2-nfc-slim-fido2-u2f-and-totp-security-key
When I was looking for "cheap",
On Mon, 2024-06-24 at 21:09 +0200, Leon Fauster via devel wrote:
> On 24.06.24 at 20:14, Tom Hughes via devel wrote:
> > On 24/06/2024 18:26, Stephen Gallagher wrote:
> >
> > > Not really an issue if you have GSSAPI set up on your system. Such as
> > > by installing fedora-chromium-config-gssapi
On 24/06/2024 19:47, Matthew Miller wrote:
If we decide that this is a good idea, we might be able to get funding to
distribute these to all proven packagers (and perhaps more).
Even to those countries that the US does not like? :-)
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
On 24 June 2024 at 19:21:02 GMT+03:00, DJ Delorie wrote:
>Kilian Hanich writes:
>> So, if we really don't count the password manager file because it can be
>> copied easily, one also cannot count the ones from apps since they
>> can also be easily replicated.
>
>I agree. Hence "grudgin
On Mon, Jun 24, 2024 at 09:09:58PM GMT, Leon Fauster via devel wrote:
> On 24.06.24 at 20:14, Tom Hughes via devel wrote:
> > On 24/06/2024 18:26, Stephen Gallagher wrote:
> >
> > > Not really an issue if you have GSSAPI set up on your system. Such as
> > > by installing fedora-chromium-config-gs
On 24.06.24 at 20:14, Tom Hughes via devel wrote:
On 24/06/2024 18:26, Stephen Gallagher wrote:
Not really an issue if you have GSSAPI set up on your system. Such as
by installing fedora-chromium-config-gssapi (for Chrome/Chromium
users) or by using Firefox which is set up for GSSAPI out-of-th
On Mon, Jun 24, 2024 at 09:02:05PM GMT, Alexander Bokovoy wrote:
>
> BTW, the cheapest and verified to work with Fedora USB token I was able
> to find is T2F2-NFC-Slim from Token2.eu:
> https://www.token2.eu/shop/product/token2-t2f2-nfc-slim-fido2-u2f-and-totp-security-key
>
> The company actuall
On 24/06/2024 18:26, Stephen Gallagher wrote:
Not really an issue if you have GSSAPI set up on your system. Such as
by installing fedora-chromium-config-gssapi (for Chrome/Chromium
users) or by using Firefox which is set up for GSSAPI out-of-the-box.
I've never seen Firefox use my kerberos tic
On Mon, 24 Jun 2024, Matthew Miller wrote:
On Mon, Jun 24, 2024 at 03:41:19PM +0200, Kilian Hanich via devel wrote:
1. You need to buy one (and not lose them). Sure, they aren't overly
expensive, but it's also not free.
If we decide that this is a good idea, we might be able to get funding to
On Mon, Jun 24, 2024 at 03:41:19PM +0200, Kilian Hanich via devel wrote:
> 1. You need to buy one (and not lose them). Sure, they aren't overly
> expensive, but it's also not free.
If we decide that this is a good idea, we might be able to get funding to
distribute these to all proven packagers (
On Mon, Jun 24, 2024 at 1:30 PM Miro Hrončok wrote:
>
> On 24. 06. 24 19:13, Kevin Fenzi wrote:
> > tickets are valid for 24 hours and can be renewed for 1 week. (Either via
> > gnome online accounts or just 'kinit -R')
>
> How do I do that?
>
> $ fkinit
> ... all good ...
>
> later:
>
> $ klist
>
On Mon, Jun 24, 2024 at 01:33:52PM -0400, Stephen Gallagher wrote:
> On Mon, Jun 24, 2024 at 1:30 PM Daniel P. Berrangé
> wrote:
> >
> > On Mon, Jun 24, 2024 at 05:11:07PM +, Mattia Verga via devel wrote:
> > >
> > > Original message
> > > 24/06/24 18:21, Kevin Fenzi ha
On Mon, Jun 24, 2024 at 1:30 PM Daniel P. Berrangé wrote:
>
> On Mon, Jun 24, 2024 at 05:11:07PM +, Mattia Verga via devel wrote:
> >
> > Original message
> > 24/06/24 18:21, Kevin Fenzi wrote:
> >
> > >
> > > I personally don't see why entering a otp once a week is
On 24. 06. 24 19:13, Kevin Fenzi wrote:
tickets are valid for 24 hours and can be renewed for 1 week. (Either via
gnome online accounts or just 'kinit -R')
How do I do that?
$ fkinit
... all good ...
later:
$ klist
Ticket cache: KCM:1000:.
Default principal: churchy...@fedoraproject.org
On Mon, Jun 24, 2024 at 1:11 PM Mattia Verga via devel
wrote:
>
>
> Original message
> 24/06/24 18:21, Kevin Fenzi wrote:
>
> >
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
>
> Once a week? When I get
On Mon, Jun 24, 2024 at 05:11:07PM +, Mattia Verga via devel wrote:
>
> Original message
> 24/06/24 18:21, Kevin Fenzi wrote:
>
> >
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
>
> Once a wee
On Mon, Jun 24, 2024 at 12:54 PM Leigh Scott wrote:
>
>
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
> > kevin
>
> It isn't just once.
>
> 1. kerberos
> 2. Web login on infra, bugzilla, bodhi, devel list and accounts
Not really a
On Mon, 24 Jun 2024, Leigh Scott wrote:
I personally don't see why entering a otp once a week is such a
burden... but it does seem to be. ;(
kevin
It isn't just once.
1. kerberos
2. Web login on infra, bugzilla, bodhi, devel list and accounts
If you do nightly shutdown you would need to en
On Mon, 24 Jun 2024, Kevin Fenzi wrote:
On Mon, Jun 24, 2024 at 02:39:13PM GMT, Mattia Verga via devel wrote:
Perhaps it's a stupid idea, but we already have ssh public keys stored
in fas, would it be possible for fkinit to use the private key as second
factor? That way, on a system which is co
On Mon, Jun 24, 2024 at 04:53:22PM GMT, Leigh Scott wrote:
>
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
> > kevin
>
> It isn't just once.
>
> 1. kerberos
> 2. Web login on infra, bugzilla, bodhi, devel list and accounts
>
>
On Mon, 24 Jun 2024 17:11:07 +
Mattia Verga via devel wrote:
>
> Original message
> 24/06/24 18:21, Kevin Fenzi wrote:
>
> >
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
>
> Once a week? Wh
Original message
24/06/24 18:53, Leigh Scott wrote:
>
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
> > kevin
>
> It isn't just once.
>
> 1. kerberos
> 2. Web login on infra, bugzilla, bodhi
Original message
24/06/24 18:21, Kevin Fenzi wrote:
>
> I personally don't see why entering a otp once a week is such a
> burden... but it does seem to be. ;(
>
Once a week? When I get a kerberos ticket with fkinit it expires after 24h. Is
there a setting to cha
On Mon, 24 Jun 2024 16:53:22 -
"Leigh Scott" wrote:
>
> > I personally don't see why entering a otp once a week is such a
> > burden... but it does seem to be. ;(
> >
> > kevin
>
> It isn't just once.
>
> 1. kerberos
> 2. Web login on infra, bugzilla, bodhi, devel list and accounts
>
>
> I personally don't see why entering a otp once a week is such a
> burden... but it does seem to be. ;(
>
> kevin
It isn't just once.
1. kerberos
2. Web login on infra, bugzilla, bodhi, devel list and accounts
If you do nightly shutdown you would need to enter it many times per week.
On Mon, Jun 24, 2024 at 02:39:13PM GMT, Mattia Verga via devel wrote:
>
> Perhaps it's a stupid idea, but we already have ssh public keys stored
> in fas, would it be possible for fkinit to use the private key as second
> factor? That way, on a system which is considered secure (it has the
> pr
Kilian Hanich writes:
> So, if we really don't count the password manager file because it can be
> copied easily, one also cannot count the ones from apps since they
> can also be easily replicated.
I agree. Hence "grudgingly accepted".
On 24.06.24 at 17:51, DJ Delorie wrote:
Kilian Hanich via devel writes:
One could argue that the "password manager file" is the "something you
have" thing.
No, one cannot. The three factors in security are:
1. Something you know, which means other people do NOT know it. It
exists in y
On 6/24/24 10:27 AM, Michael J Gruber wrote:
Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37:
On 6/24/24 5:08 AM, Miroslav Suchý wrote:
On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
IMO, having the token stored in your password manager means going
from 2FA to 1FA effect
Kilian Hanich via devel writes:
> One could argue that the "password manager file" is the "something you
> have" thing.
No, one cannot. The three factors in security are:
1. Something you know, which means other people do NOT know it. It
exists in your brain and nowhere else.
2. Something
On 24/06/24 16:54, Stephen Smoogen wrote:
> The corner case which makes this ineffective is
> ...
Sure, system security is affected by user actions too, but considering that the
alternative is that the vast majority of users will continue ignoring 2FA
because it is not handy, using some
On Mon, 24 Jun 2024 at 10:39, Mattia Verga via devel
wrote:
>
> On 17/06/24 22:20, Zbigniew Jędrzejewski-Szmek wrote:
> > Proven packagers,
> >
> > we changed [2,3] the FESCo policy document [1] for provenpackagers to say:
> >
> > "Provenpackagers SHOULD have two-factor-authentication (2FA) e
Once upon a time, Stephen Gallagher said:
> Remember that security is a spectrum, not an end-state. Every person
> and environment makes a choice between how much security and how much
> convenience is appropriate. If you want perfect security, you can
> unplug your PC, fill it with concrete and d
On 24/06/2024 15:27, Michael J Gruber wrote:
Or else, all cloneable OTP apps would need to be disallowed as 2nd
factors, and only physical tokens should count.
FIDO2 is even worse than OTP since most (or even all) implementations
are proprietary (for example, Android requires proprietary GMS t
On 17/06/24 22:20, Zbigniew Jędrzejewski-Szmek wrote:
> Proven packagers,
>
> we changed [2,3] the FESCo policy document [1] for provenpackagers to say:
>
> "Provenpackagers SHOULD have two-factor-authentication (2FA) enabled for
> their FAS accounts."
>
> This is not enforced or checked, but
On 24.06.24 at 13:53, Guinevere Larsen wrote:
On 6/24/24 5:08 AM, Miroslav Suchý wrote:
On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
IMO, having the token stored in your password manager means going
from 2FA to 1FA effectively ;-) if someone gets access to your
password manager
On 24.06.24 at 09:48, Mattia Verga via devel wrote:
That said, even if the token is stored in the password manager, it is
not cushy to be used with kerberos. I have been using 2FA for over a
year now and I get used to, but it's clumsy to use it in Fedora
infrastructure. I'd really like if we can
On Mon, Jun 24, 2024 at 9:28 AM Michael J Gruber wrote:
>
> Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37:
> > On 6/24/24 5:08 AM, Miroslav Suchý wrote:
> > > On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
> > >> IMO, having the token stored in your password manager means
Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37:
> On 6/24/24 5:08 AM, Miroslav Suchý wrote:
> > On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
> >> IMO, having the token stored in your password manager means going
> >> from 2FA to 1FA effectively ;-) if someone gets access
On Mon, 24 Jun 2024, Vitaly Zaitsev via devel wrote:
On 24/06/2024 10:45, Alexander Bokovoy wrote:
Can you point me to a discussion where it says it is impossible to
implement that in GOA?
FAS (kinit) should request the OTP code in a separate prompt.
This is not how it works in Kerberos. FAS
On 24/06/2024 10:45, Alexander Bokovoy wrote:
Can you point me to a discussion where it says it is impossible to
implement that in GOA?
FAS (kinit) should request the OTP code in a separate prompt.
If kinit asks for a password and OTP codes in separate prompts, GOA will
be able to parse it, s
On 24/06/2024 03:42, Kevin Fenzi wrote:
You can enroll as many tokens as you like, so you can enroll one in a
backup device or system in case you lose your primary token.
Backup codes must be generated when the user enables 2FA. They can later
use these one-time codes to log in if they lose a
On 6/24/24 5:08 AM, Miroslav Suchý wrote:
On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
IMO, having the token stored in your password manager means going
from 2FA to 1FA effectively ;-) if someone gets access to your
password manager vault, all accounts will be compromised.
Onl
On Sun, 23 Jun 2024, Neal Gompa wrote:
On Sun, Jun 23, 2024 at 11:59 AM Miroslav Suchý wrote:
On 23. 06. 24 at 11:50 AM, Leigh Scott wrote:
it has made kerberos login much harder
Can you elaborate?
I use Kerberos login without a problem.
I'm considering ditching provenpackager rights
On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
IMO, having the token stored in your password manager means going from 2FA to 1FA effectively ;-) if someone gets
access to your password manager vault, all accounts will be compromised.
Only if you use the same password manager for b
On 24/06/24 03:42, Kevin Fenzi wrote:
> You can enroll as many tokens as you like, so you can enroll one in a
> backup device or system in case you lose your primary token. You only
> need any one otp to login. Things like keepassxc and bitwarden allow you
> to setup OTPs these days.
>
> kev
On Sun, Jun 23, 2024 at 07:01:02PM GMT, Leigh Scott wrote:
> > On 23. 06. 24 20:33, Leigh Scott wrote:
> >
> > Leaving the group won't disable 2FA.
> >
> > I recommend opening a fedora-infrastructure ticket and asking for help.
> I can't login as I don't have the otp needed to login
If you are u
On 6/23/24 14:01, Leigh Scott wrote:
>> On 23. 06. 24 20:33, Leigh Scott wrote:
>>
>> Leaving the group won't disable 2FA.
>>
>> I recommend opening a fedora-infrastructure ticket and asking for help.
> I can't login as I don't have the otp needed to login
So you say. Or you may be someone who's ta
> On 23. 06. 24 20:33, Leigh Scott wrote:
>
> Leaving the group won't disable 2FA.
>
> I recommend opening a fedora-infrastructure ticket and asking for help.
I can't login as I don't have the otp needed to login
On 23/06/24 20:54, Leigh Scott wrote:
>> I have deleted the google authentication app from my phone intentionally,
>> no backup.
>> Please remove the OTP from my fedora account!
> I refuse to use 2FA for my account!
Please stop. We've already understood that three emails ago.
If you want t
On 23. 06. 24 20:33, Leigh Scott wrote:
Once set you can't disable it.
If this persists I will ditch provenpackager group
Leaving the group won't disable 2FA.
I recommend opening a fedora-infrastructure ticket and asking for help.
--
Miro Hrončok
--
Phone: +420777974800
Fedora Matrix: mhronco
> I have deleted the google authentication app from my phone intentionally, no
> backup.
> Please remove the OTP from my fedora account!
I refuse to use 2FA for my account!
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send
> I'm so pissed off with this change I will probably leave the project if it's
> not
> reversed.
I have deleted the google authentication app from my phone intentionally, no
backup.
Please remove the OTP from my fedora account!
I'm so pissed off with this change I will probably leave the project if it's not
reversed.
Once set you can't disable it.
If this persists I will ditch provenpackager group
On 23.06.24 at 2:20 PM, Sérgio Basto wrote:
On Sun, 2024-06-23 at 09:50 +, Leigh Scott wrote:
How do I disable this?, it has made kerberos login much harder.
I'm considering ditching provenpackager rights if that is a
condition.
This (2FA) is not enforced or checked,
Hopefully this s
On Sun, 2024-06-23 at 09:50 +, Leigh Scott wrote:
> How do I disable this?, it has made kerberos login much harder.
> I'm considering ditching provenpackager rights if that is a
> condition.
This (2FA) is not enforced or checked,
--
Sérgio M. B.
On Sun, Jun 23, 2024 at 11:59 AM Miroslav Suchý wrote:
>
> On 23. 06. 24 at 11:50 AM, Leigh Scott wrote:
>
> it has made kerberos login much harder
>
> Can you elaborate?
>
> I use Kerberos login without a problem.
>
> I'm considering ditching provenpackager rights if that is a condition.
>
>
I normally use gnome-online-accounts to unlock Kerberos when I login, now I
need to use CLI.
On 23. 06. 24 at 11:50 AM, Leigh Scott wrote:
it has made kerberos login much harder
Can you elaborate?
I use Kerberos login without a problem.
I'm considering ditching provenpackager rights if that is a condition.
Or you can help us to improve the user experience.
--
Miroslav Suchy,
How do I disable this?, it has made kerberos login much harder.
I'm considering ditching provenpackager rights if that is a condition.
73 matches