#181 Regression: Passwords cannot be read from stdin anymore
Opened a month ago by pemensik. Modified a month ago

Filed Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2343766

It was broken by a commit of @sgallagh :
https://pagure.io/fedora-packager/c/7d07872b00b811dfb36d755d30bda9df221d6f11?branch=main

Which added non-optional use of systemd-ask-password. It seems this is not an ideal tool to use for the Kerberos password, as I have not found any decent way to potentially use keyring secrets via secret-tool. I have been using it in a somewhat simple way, but that is not possible anymore.

kinit accepts passwords any way I want. systemd-ask-password cannot read the password from stdin, it seems. I think at least the tty command should be used to check whether input is a terminal or not.


The patch was added to simplify the use of two-factor authentication for fkinit, since people were constantly confused by the misleading message coming from kinit.

The fkinit tool is intended to be a helpful utility to simplify logging in to Fedora services when you have 2FA enabled, but it's really not expected to be a solution for all possible ways one might want to interact with kinit.

Given how simple fkinit is under the hood (it just creates the armor cache, prompts for the password and token and then concatenates them into kinit), it would probably be best if you just reimplemented it into a script that can call secret-tool for you.

That said, if you feel VERY STRONGLY about it, we can probably add a flag that skips the systemd-ask-password prompt.

Is there any requirement for 2FA for fkinit? I do not have 2FA enabled on Fedora and never had. But I found it useful enough to help with relogins on longer running machines. I think it is useful enough for just password login, not necessarily in combination with OTP.

Then the thing is, we use concatenated PIN and OTP tokens in Red Hat, so it should not confuse any RH employees. Okay, it never had a decent prompt hinting where the OTP keys should go. I think maybe it should use the tty command to determine what type stdin is and not use the systemd password tool if stdin is not a normal terminal.

An option to actually skip the OTP prompt would be nice too. I think 2FA is not yet mandatory and I doubt the majority of Fedora developers have it configured. Maybe even a super simple config to store the username if it differs from the system one.

I could use my own kinit @FEDORAPROJECT.ORG, right. But I expect this is a useful helper and could be expanded a bit. I will try some proposal later when I have time.

Is there any requirement for 2FA for fkinit?

No strict requirement, no. But there's also not much reason to use it otherwise; if you don't have 2FA, then kinit fasname@FEDORAPROJECT.ORG is all you need. If you're not fond of typing the @FEDORAPROJECT.ORG, you can also add default_realm = FEDORAPROJECT.ORG into your kerberos config directory under [libdefaults] and that reduces down to kinit fasname.

I do not have 2FA enabled on Fedora and never had. But I found it useful enough to help with relogins on longer running machines. I think it is useful enough for just password login, not necessarily in combination with OTP.

It's certainly doable (and I wrote the prompts in such a way to make the UX easier on people who might be confused), but it's definitely not necessary.

Then the thing is, we use concatenated PIN and OTP tokens in Red Hat, so it should not confuse any RH employees. Okay, it never had a decent prompt hinting where the OTP keys should go. I think maybe it should use the tty command to determine what type stdin is and not use the systemd password tool if stdin is not a normal terminal.

I really feel like this is over-engineering a solution here, but if you want to send a patch that will auto-detect whether it's an interactive or non-interactive invocation and skip systemd-ask-password for the non-interactive case, I'll review it.

An option to actually skip the OTP prompt would be nice too. I think 2FA is not yet mandatory and I doubt the majority of Fedora developers have it configured. Maybe even a super simple config to store the username if it differs from the system one.

Again, the whole point of fkinit is to enable the 2FA logins. The non-2FA case is handled just to address confused users who launched the "wrong" tool in a graceful way.

As for 2FA not being mandatory: there are proposals on the table to change this. The lack of 2FA among package maintainers is a notable problem in our supply-chain story.

I could use my own kinit @FEDORAPROJECT.ORG, right. But I expect this is a useful helper and could be expanded a bit. I will try some proposal later when I have time.

Even if I use OTP, I can enter both into the same kinit. That does not change anything significantly.

I am not against 2FA, but I would like to avoid having an extra YubiKey for Fedora and for RH. As I noted already, my primary domain is not Fedora, so setting the default realm to it is not an option. I want to avoid fiddling with any OTP PIN typing by hand, and my YubiKey is already used for the RH VPN. If we find any way to use a FIDO token for 2FA, I am all in. Until then, I would say password and trusted machine should be enough. Ideally I would want a TPM chip to store the private key and just touch a key when logging in, with nothing inserted into my normal laptop used for Fedora work. But that is far in the future. OTP does not scale well when used for multiple accounts, but it is the only supported way now.

Even if I use OTP, I can enter both into the same kinit. That does not change anything significantly.

I am not against 2FA, but I would like to avoid having an extra YubiKey for Fedora and for RH. As I noted already, my primary domain is not Fedora, so setting the default realm to it is not an option. I want to avoid fiddling with any OTP PIN typing by hand, and my YubiKey is already used for the RH VPN.

The same YubiKey can be used for both (I do it!). There are two slots on the YubiKey; slot 0 is a short press and slot 1 is a long press. You can leave the VPN on one and Fedora on the other.

If we find any way to use a FIDO token for 2FA, I am all in.

That's a different feature request and worth its own ticket on the releng tracker. I know FreeIPA supports it, so in theory it could be set up for Fedora.

Until then, I would say password and trusted machine should be enough. Ideally I would want a TPM chip to store the private key and just touch a key when logging in, with nothing inserted into my normal laptop used for Fedora work. But that is far in the future. OTP does not scale well when used for multiple accounts, but it is the only supported way now.

Strictly speaking, there are ways to do this today, but they're painfully complicated to set up.

Yeah, I know there are short and long press slots; the problem is 2 might not be enough, as I have multiple OTP accounts. I have used the first for something else and I somehow do not want to have multiple YubiKeys serving different things. As I said, I use an SSH key for pushing commits anyway. I think some sort of asymmetric crypto is a better way to verify a trusted machine than OTP tokens.

I would say the biggest issue is the lack of any user guide for setting up 2FA on a Fedora account anyway. fkinit does not have any man page. I haven't found a guide at https://docs.fedoraproject.org/en-US/package-maintainers/Installing_Packager_Tools/ or via search. I found documentation on how to manage 2FA on the server side faster than on how to use it as a client, which is an unfortunate state. Maybe I tried the wrong keywords; I did just a quick search. Any improvements with 2FA should start with a well-linked starting guide.

When I was searching for how to use my laptop's TPM chip, I did not find decent documentation for it. For power users who understand the system well enough but are not experts on TPM usage, there is hardly any good guide on how to start. I expected to enable it just as a PKCS#11 token, but have not found a good guide on how to do that.

Anyway, I will try it sometime, but cannot focus on it now.

Even if I use OTP, I can enter both into the same kinit. That does not change anything significantly.

Well, if you have OTP enabled, you have two kinit calls (you must first fetch the armour cache, then you can authenticate).

I am not against 2FA, but I would like to avoid having an extra YubiKey for Fedora and for RH. As I noted already, my primary domain is not Fedora, so setting the default realm to it is not an option. I want to avoid fiddling with any OTP PIN typing by hand, and my YubiKey is already used for the RH VPN.

Additionally, if you get a Kerberos ticket and are using Workstation, gnome-online-accounts will renew it for up to 1 week.
(which just makes it less painful, doesn't solve the issue)

If we find any way to use a FIDO token for 2FA, I am all in. Until then, I would say password and trusted machine should be enough. Ideally I would want a TPM chip to store the private key and just touch a key when logging in, with nothing inserted into my normal laptop used for Fedora work. But that is far in the future. OTP does not scale well when used for multiple accounts, but it is the only supported way now.

https://github.com/fedora-infra/noggin/issues/1424
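An added illustration (not fedora-packager's own fkinit script) of the two-step flow described in this thread, anonymous PKINIT armor cache first and then the real kinit with the password and OTP token concatenated, together with the stdin check the ticket proposes: when stdin is not a terminal the secret is read from stdin instead of going through systemd-ask-password. The realm default, cache path, prompt wording and function names are assumptions.

```shell
#!/bin/sh
# Illustration only: mirrors the fkinit flow from this ticket (armor cache, then
# kinit with password+OTP) plus the proposed stdin check. Not the real fkinit.
REALM="${REALM:-FEDORAPROJECT.ORG}"                      # assumed default realm
ARMOR_CACHE="${ARMOR_CACHE:-/tmp/fkinit-armor-$(id -u)}" # assumed cache path

# stdin_is_terminal: succeed only when fd 0 is an interactive terminal.
stdin_is_terminal() { [ -t 0 ]; }

# prompt_secret LABEL: interactive -> systemd-ask-password (as fkinit does);
# non-interactive -> read one line from stdin, so "printf pw | script" works.
# The secret goes to stdout without a trailing newline and is never echoed.
prompt_secret() {
    if stdin_is_terminal; then
        systemd-ask-password "$1: "
    else
        IFS= read -r line || [ -n "$line" ] || return 1
        printf '%s' "$line"
    fi
}

# compose_password PASSWORD OTP: fkinit hands kinit the FAS password with the
# OTP token appended; an empty OTP degrades to a plain password login.
compose_password() { printf '%s%s' "$1" "$2"; }

# run_fkinit FASNAME: the two kinit calls noted in the thread -- first the
# anonymous PKINIT armor cache (-n), then the real authentication armored
# with it (-T). The composed secret only travels through the pipe to kinit.
run_fkinit() {
    user="$1"
    kinit -n -c "$ARMOR_CACHE" || return 1
    pw=$(prompt_secret "Password for ${user}@${REALM}") || return 1
    otp=""
    if stdin_is_terminal; then
        otp=$(prompt_secret "OTP token, Enter if none") || return 1
    fi
    compose_password "$pw" "$otp" | kinit -T "$ARMOR_CACHE" "${user}@${REALM}"
}

# Usage: sh fkinit-demo.sh fasname   (no argument: only define the functions)
[ $# -eq 0 ] || run_fkinit "$1"
```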
