#150 Drop fedora-cert
Closed 7 years ago Opened 7 years ago by vondruch.

Since we are using Kerberos for authentication, there fedora-cert become useless and should be dropped


nak, there are other tools using fedora-cert and it is still useful as a mechanism to get a fedora user name that can not be done with kerberos

@ausil changed the status to Closed

7 years ago

@ausil, can you please be more specific which other tools do use the
certificate-based authentication?

Recently I installed Rawhide on a new laptop, followed the procedure at
https://fedoraproject.org/wiki/Join_the_package_collection_maintainers#Install_the_developer_client_tools
which suggested running fedora-packager-setup, and to my surprise:

  • user certificate was generated while allegedly it should no longer be
    needed as we switched to using Kerberos

  • it looks to me that the original certificate on the other machine got
    consequently abandonded at Fedora server/FAS side (I cannot test that
    as everything seems to be using Kerberos auth now, hence the original
    question), which I would consider pretty counter-intuitive behavior:
    it should notify me that I have another certificate already enrolled
    and that I may prefer to copy it from the other location should it be
    expected to work everywhere, and perhaps it should allow me to continue
    in creating a new one if it's indeed my intention

the fedora-cert cli can go, but the python module needs to stay.

@jpokorny what version of fedora-packager did you have installed. the cert functionality has not yet been removed from fas. with the right version of fedora-packager it should write out a ~/.fedora.upn file with your fas username in it that fedora-cert python module can use to determine your fas name.

@ausil, it was an updated rawhide system as of yesterday:

fedora-{packager,cert}-0.6.0.1-1.fc26.x86_64
python-fedora-0.8.0-3.fc26.x86_64

AFAICT, it did not generate /.fedora.upn, but it's still possible I've moved it out the way when I was trying to check access with old fedora*.certfiles from the old machine, which I was expecting to no longer be accepted (can you confirm this hypothesis if you know all the background?).

Login to comment on this ticket.

Metadata