Managing your account
Since April 2021, you only need one account for both the CentOS Project and the Fedora project.
Both projects were migrated to a new consolidated authentication platform (based on (Free)IPA), and existing accounts were merged into the new one.
1. Creating your account
You can create your account on our community portal running on https://accounts.centos.org.
To register/create an account, just click on "Register" on the portal and follow the process. More information and user documentation is available in the consolidated online documentation for the portal.
2. Modifying your account
Once logged into the portal (still on https://accounts.centos.org), you can modify/edit your profile and see your group membership.
Some settings you can modify directly:
- First/Last Name
- Locale
- Timezone
- email address (note that it must be a valid email address)
- other personal details
- your password
- adding/removing OTP tokens (see below for 2FA)
- ssh and gpg public keys
More information and user documentation is available in the consolidated online documentation for the portal.
Enabling 2FA
It is advised (but not mandatory) to enable two-factor authentication on your account (for some critical accounts, though, it is required).
You can add one (or more, which is advised) OTP tokens to your profile. Solutions known to work so far:
- Yubikey (4 and above, with OTP support): through the yubioath-desktop rpm package
- FreeOTP (available on the Google Play Store)
- OTPClient (available as an rpm package and as a flatpak on flathub)
- others (the list is not exhaustive)
More information about 2FA is available in the specific portal documentation.
Authenticating to CentOS services with your accounts
Some infrastructure services (but not all) use the new authentication platform to give you access.
1. IdP for CentOS service
As the IPA backend itself does not provide IdP features, the service https://id.centos.org is registered in IPA and acts as the IdP. It supports OpenID, OpenID Connect (OIDC) and SAML2 authentication for applications/services that can use these protocols/standards.
2. Authenticating with your username and password
When you try to log in to a service that requires authentication, you will be automatically redirected to https://id.centos.org. You can then provide your username and password combination to authenticate, after which you are redirected back to the service you originally wanted to authenticate with.
If you have enabled 2FA (see above), the password field takes a combination of both your real password and the OTP token.
3. Enabling kerberos for IdP
If you would rather use your Kerberos ticket to authenticate against services (transparently, without typing your username/password (+OTP if enabled) combination each time), you can configure your workstation to use GSSAPI authentication against https://id.centos.org.
For this you first need to install a mandatory package that carries the needed Kerberos configuration:
sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora
sudo dnf install -y fedora-packager
You need fedora-packager >= 0.6.0.5-2 installed on your system for this to work!
After that, you can kinit as usual (see the upstream documentation) and you should have your Kerberos ticket ready to be used for authentication.
You still need to configure your browser:
3.1. Firefox settings
In Firefox, type about:config in the location/URL bar and press Enter. You can then edit the following key/value:
network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
Close the tab; Firefox will then allow the Kerberos/GSSAPI negotiation to proceed, meaning that the next time a service redirects you to https://id.centos.org, you will be logged in automatically through Kerberos (no need to enter your username/password again).
3.2. Chrome/Chromium
Depending on whether you use Chrome or Chromium, the path of the JSON file to create differs:
- Chrome: /etc/opt/chrome/policies/managed/fedora-centos.json
- Chromium: /etc/chromium/policies/managed/fedora-centos.json
Its content should look like this:
{
  "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"
}
Chrome/Chromium versions older than 100 used different policy names (AuthServerWhitelist and AuthNegotiateDelegateWhitelist), so check your browser version and adapt accordingly.
4. TLS certificate
To request a signed TLS certificate, you first need to install the CLI tool. It authenticates with Kerberos, generates a CSR locally (automatically), sends it to IPA for signing, and hands you back the signed certificate.
Supported Linux distributions: CentOS 8/8-stream, Fedora 32, 33, 34
sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream, not needed for Fedora
sudo dnf install -y centos-packager
Your user certificate bundle comes in the form of a single file:
Filename | Purpose
~/.centos.cert | PEM file with your X.509 client certificate and key
To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:
centos-cert
You need to call the script like this :
/usr/bin/centos-cert -arguments
-u : username ([REQUIRED] : your existing ACO/FAS username)
-v : just validates the existing TLS certificate ([OPTIONAL])
-r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
-f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
-h : display this help
If you've signed up with the account name tuser, you can generate your new certificate like this:
[tuser@myworkstation]$ centos-cert -u tuser
Note that centos-cert -u tuser requests a new certificate, which automatically revokes any certificate you obtained in the past. If you need to use cbs/koji on multiple machines, just copy the file mentioned above to the other machines.
Important note regarding OTP: if you have enabled two-factor authentication, you absolutely need to obtain a valid Kerberos ticket through the steps above *before* using centos-cert. See the Fedora Accounts documentation for this.
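The two things that are easy to get wrong here are the OTP note above (centos-cert needs an unexpired TGT first) and the single-file bundle from the table (it holds your private key). The following is an added example, not code from centos-packager or centos-cert: it checks klist output for an unexpired krbtgt in the realm centos-cert will use, and checks that a ~/.centos.cert style bundle carries both a certificate and a key and is not group/world readable. The klist timestamp layout and the sample klist output are assumptions/constructed.

```python
"""Checks around centos-cert (added example, not part of centos-packager)."""
import os
import re
import stat
from datetime import datetime

KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # assumed klist timestamp layout; adjust for your locale

# Constructed sample of `klist` output for a user holding a Fedora TGT (not a real capture)
SAMPLE_KLIST = """Ticket cache: KCM:1000
Default principal: tuser@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
05/10/2024 09:00:00  05/11/2024 09:00:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
"""

def parse_klist_time(text):
    """Parse an 'MM/DD/YYYY HH:MM:SS' timestamp as printed by klist (assumed layout)."""
    return datetime.strptime(text, KLIST_TIME)

def tgt_valid(klist_output, realm="FEDORAPROJECT.ORG", now=None):
    """True when klist output lists an unexpired krbtgt for realm (the -r value of centos-cert)."""
    now = now or datetime.now()
    tgt = re.compile(r"^(\d\S+ \S+)\s+(\d\S+ \S+)\s+krbtgt/%s@%s$"
                     % (re.escape(realm), re.escape(realm)))
    for line in klist_output.splitlines():
        m = tgt.match(line.strip())
        if m:  # group(2) is the 'Expires' column
            return parse_klist_time(m.group(2)) > now
    return False  # no TGT for that realm at all

def bundle_problems(pem_text, mode=None):
    """Problems with a ~/.centos.cert style bundle: it must carry a certificate and a
    private key, and the file should not be readable by group/others (it holds the key)."""
    problems = []
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        problems.append("no CERTIFICATE block")
    if not re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", pem_text):
        problems.append("no PRIVATE KEY block")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group/others: chmod 0600 recommended")
    return problems

def check_bundle_file(path=os.path.expanduser("~/.centos.cert")):
    """Run bundle_problems() on a real file, using its permission bits."""
    with open(path) as fh:
        text = fh.read()
    return bundle_problems(text, stat.S_IMODE(os.stat(path).st_mode))
```

Run `tgt_valid(subprocess.check_output(["klist"], text=True))` before `centos-cert -u <user>`, and `check_bundle_file()` afterwards.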