|
|
80c633 |
# Authentication
|
|
|
80c633 |
|
|
|
991dca |
## Creating your account
|
|
|
991dca |
|
|
|
991dca |
You can create your account on our community portal running on [https://accounts.centos.org](https://accounts.centos.org).
|
|
|
991dca |
|
|
|
991dca |
To register/create an account, just click on "Register" on the portal and follow the process.
|
|
|
991dca |
More information and user documentation is available on consolidated [online documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/) for the portal
|
|
|
991dca |
|
|
|
991dca |
## Modifying your account
|
|
|
991dca |
|
|
|
991dca |
Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership.
|
|
|
991dca |
|
|
|
991dca |
Some settings you can modify directly:
|
|
|
991dca |
|
|
|
991dca |
* First/Last Name
|
|
|
991dca |
* Locale
|
|
|
991dca |
* Timezone
|
|
|
991dca |
* email address (attention that it needs to be a valid email address)
|
|
|
991dca |
* other personal details
|
|
|
991dca |
* your password
|
|
|
991dca |
* adding/removing OTP tokens (see below for 2FA)
|
|
|
991dca |
* ssh and gpg public keys
|
|
|
991dca |
|
|
|
991dca |
### Enabling 2FA on your account (optional)
|
|
|
991dca |
It's adviced (but not mandatory) to implement 2 Factor Authentication on your account (for some critical accounts, that's though required).
|
|
|
991dca |
|
|
|
991dca |
You can add one (or more, adviced) OTP tokens on your profile. Known to work solutions so far :
|
|
|
991dca |
|
|
|
991dca |
* Yubikey (4 and above, that supports OTP) : through rpm pkg yubioath-desktop
|
|
|
991dca |
* FreeOTP (available on Google Play Store)
|
|
|
991dca |
* OTPClient (available as rpm pkg and flatpak/flathub)
|
|
|
991dca |
* others (list is non exhaustive)
|
|
|
991dca |
|
|
|
991dca |
More informations about 2FA is available on specific [portal documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor)
|
|
|
991dca |
|
|
|
991dca |
|
|
|
80c633 |
## SIG group membership
|
|
|
991dca |
|
|
|
991dca |
There is no current form that you can use to be added in a SIG group but you have to reach out to a SIG chair (having delegated rights to add/remove people in the SIG group you want to join) and he can then add you, after having confirmed that you can be onboarded in the SIG
|
|
|
991dca |
|
|
|
991dca |
To know people who can "sponsors" you in a SIG/group, you can , once authenticated, search for a group on the portal and then see people listed under the "Sponsors" area (for example, consider the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/)
|
|
|
991dca |
|
|
|
991dca |
|
|
|
991dca |
## Retrieving your TLS certificate
|
|
|
991dca |
|
|
|
991dca |
To be able to request a signed TLS certificate, you need first to install the cli tool that will use kerberos auth first to request a locally generated (automatic) CSR to be sent to IPA for signing operation and you'll then get your certificate back.
|
|
|
991dca |
|
|
|
991dca |
Supported Linux distributions: CentOS 8/8-s , Fedora 32,33,34
|
|
|
991dca |
|
|
|
991dca |
```
|
|
|
991dca |
sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream not needed for Fedora
|
|
|
991dca |
sudo dnf install -y centos-packager
|
|
|
991dca |
```
|
|
|
991dca |
|
|
|
991dca |
Your user certificate bundle comes in the form of 1 file:
|
|
|
991dca |
|
|
|
991dca |
~/.centos.cert : PEM file with your X509 Client Certificate and Key
|
|
|
991dca |
|
|
|
991dca |
To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:
|
|
|
991dca |
|
|
|
991dca |
```
|
|
|
991dca |
centos-cert
|
|
|
991dca |
|
|
|
991dca |
You need to call the script like this : /usr/bin/centos-cert -arguments
|
|
|
991dca |
-u : username ([REQUIRED] : your existing ACO/FAS username)
|
|
|
991dca |
-v : just validates the existing TLS certificate ([OPTIONAL])
|
|
|
991dca |
-r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
|
|
|
991dca |
-f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
|
|
|
991dca |
-h : display this help
|
|
|
991dca |
```
|
|
|
991dca |
|
|
|
991dca |
If you've signed up with the account name `tuser`, you can generate your new certificate like this:
|
|
|
991dca |
|
|
|
991dca |
```
|
|
|
991dca |
[tuser@myworkstation]$ centos-cert -u tuser
|
|
|
991dca |
```
|
|
|
991dca |
|
|
|
991dca |
!!! note
|
|
|
991dca |
Attention that centos-cert -u tuser will request a new certificate, so that will automatically revoke any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the files mentioned above on the other machine.
|
|
|
991dca |
|
|
|
991dca |
!!! warning
|
|
|
991dca |
Important note WRT OTP: If you have enabled Two Factor auth, you absolutely need to get a valid kerberos ticket through other step *before* using centos-cert. See details on the [Fedora Accounts Documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) for this
|
|
|
991dca |
|
|
|
991dca |
|
|
|
991dca |
|