Managing your account

Since April 2021, you only need one account for both the CentOS Project and the Fedora project.

Both projects were migrated to a new consolidated authentication platform (based on (Free)IPA ), and existing accounts merged into the new one.

Creating your account

You can create your account on our community portal running on https://accounts.centos.org.

To register/create an account, just click on "Register" on the portal and follow the process. More information and user documentation is available on consolidated online documentation for the portal

Modifying your account

Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership.

Some settings you can modify directly:

More information and user documentation is available on consolidated online documentation for the portal

Enabling 2FA

It's adviced (but not mandatory) to implement 2 Factor Authentication on your account (for some critical accounts, that's though required).

You can add one (or more, adviced) OTP tokens on your profile. Known to work solutions so far :

More informations about 2FA is available on specific portal documentation

Authenticating to CentOS services with your accounts

Some infra services (but not all) are using the new authentication platform to give you access.

IdP for CentOS service

As IPA backend itself doesn't provide IdP features, we have the service https://id.centos.org that is registered in IPA, and so that can be used as IdP, to support OpenID, OpenIDC, SAML2 authentication for applications/services that can recognize and use such protocol/standards

Authenticating with your username and password

Once you'll try to login to a service that requires auth, you'll be automatically redirected to https://id.centos.org. You can then provide your username and password combination to proceed with authentication and be then redirected to the initial service you wanted to auth with.

If you have enabled 2FA (see above), your password field is a combination of both your real password and the OTP token

Enabling kerberos for IdP

If you want to instead use your kerberos ticket to auth against services (and so transparently) and not having to type your user/password (+OTP if enabled) combination each time, you can just configure your workstation to transparently use gssapi authentication against https://id.centos.org

For this you need to first install a mandatory package, that has the needed configuration for kerberos :

sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora
sudo dnf install -y fedora-packager

You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work !

After that, you can kinit as usual (see upstream doc and you should have your kerberos ticket ready to be used for authentication

You still need to configure your browser :

Firefox settings

While in Firefox, type about:config in the location/url bar and press enter. You can then edit the following key/value :

network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org

Close and then firefox will allow kerberos/GSSAPI transaction to proceed, meaning that next time one service will redirect you to https://id.centos.org, you'll be automatically logged on through kerberos (no need to specify again user/password)

Chrome/Chromium

Depending on Chrome or Chromium, the path of the json file to create is different : * Chrome : /etc/opt/chrome/policies/managed/fedora-centos.json * Chromium : /etc/chromium/policies/managed/fedora-centos.json

You should have there something like this :

{
  "AuthServerWhitelist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateWhitelist": "*.fedoraproject.org,*.centos.org"
}

TLS certificate

To be able to request a signed TLS certificate, you need first to install the cli tool that will use kerberos auth first to request a locally generated (automatic) CSR to be sent to IPA for signing operation and you'll then get your certificate back.

Supported Linux distributions: CentOS 8/8-s , Fedora 32,33,34

sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream not needed for Fedora
sudo dnf install -y centos-packager

Your user certificate bundle comes in the form of 1 file:

Filename

Purpose

~/.centos.cert

PEM file with your X509 Client Certificate and Key

To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:

 centos-cert 

You need to call the script like this : /usr/bin/centos-cert -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help

If you've signed up with the account name tuser, you can generate your new certificate like this:

    [tuser@myworkstation]$ centos-cert -u tuser 

Attention that centos-cert -u tuser will request a new certificate, so that will automatically revoke any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the files mentioned above on the other machine.

Important note WRT OTP: If you have enabled Two Factor auth, you absolutely need to get a valid kerberos ticket through other step *before* using centos-cert. See Fedora Accounts Documentation for this

Authentication (last edited 2021-05-13 17:30:01 by FabianArrotin)