On Wed, Apr 03, 2024 at 07:27:12AM -0400, Stephen Gallagher wrote:
On Tue, Apr 2, 2024 at 7:41 PM Kevin Fenzi kevin@scrye.com wrote:
On Tue, Apr 02, 2024 at 04:38:25PM -0400, Stephen Gallagher wrote:
On Tue, Apr 2, 2024 at 3:55 PM Steve Cossette farchord@gmail.com wrote:
I personally would very much agree with enforcing the use of 2fa on the Fedora Account System. Maybe take that opportunity to make it a bit more user friendly? (Such as the fkinit prompt requiring the 2fa code being added at the end of your password -- to be clear I think the 2fa code should be separate)
I agree that fixing the mismatch in prompts might be nice, but why does having 2fa seperate make things any better? I mean, it's one more return you get to hit. ;)
And... I am not sure about moving the handling of passwords to a bash script from a kinit prompt.
The kinit is already being run inside a bash script, so if bash is compromised with a keylogger, you've already lost the game... I'm not sure how this is worse.
Well, I meant more that now $PASSWORD has your password where before kinit was the only thing you input your password into. :) So, if someone does say a 'sh -x fkinit' to look at something, their password will show up, but it's probibly fine.
Yeah, it's an extra keystroke, but I think there's value in helping the user provide the input in the proper format. Right now it's confusing (particularly since the kinit prompt gives bad information that we have to warn about).
Sure.
kevin