= Managing your account =
{{{#!wiki note
Since April 2021, you only need one account for both the CentOS Project and the Fedora Project. Both projects were migrated to a new consolidated authentication platform (based on [[https://www.freeipa.org/|(Free)IPA]]), and existing accounts were merged into the new one.
}}}

== Creating your account ==
You can create your account on our community portal running on https://accounts.centos.org. To register/create an account, just click on "Register" on the portal and follow the process.

More information and user documentation is available in the [[https://docs.fedoraproject.org/en-US/fedora-accounts/|consolidated online documentation for the portal]].

== Modifying your account ==
Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership. Some settings you can modify directly:
 * First/Last Name
 * Locale
 * Timezone
 * email address (note that it '''needs''' to be a valid email address)
 * other personal details
 * your password
 * adding/removing OTP tokens (see below for 2FA)
 * ssh and gpg public keys

More information and user documentation is available in the [[https://docs.fedoraproject.org/en-US/fedora-accounts/|consolidated online documentation for the portal]].

= Enabling 2FA =
It's advised (but not mandatory) to enable two-factor authentication on your account (for some critical accounts it is required, though). You can add one (or more, advised) OTP tokens to your profile.
Known-to-work solutions so far:
 * Yubikey (4 and above, that supports OTP): through the rpm pkg yubioath-desktop
 * FreeOTP (available on Google Play Store)
 * OTPClient (available as rpm pkg and flatpak/flathub)
 * others (list is non-exhaustive)

More information about 2FA is available in the [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor|specific portal documentation]].

= Authenticating to CentOS services with your accounts =
Some infra services (but not all) use the new authentication platform to give you access.

== IdP for CentOS services ==
As the IPA backend itself doesn't provide IdP features, we have the service https://id.centos.org, which is registered in IPA and can therefore be used as an IdP, supporting OpenID, OpenID Connect (OpenIDC) and SAML2 authentication for applications/services that recognize and use such protocols/standards.

== Authenticating with your username and password ==
Once you try to log in to a service that requires auth, you'll be automatically redirected to https://id.centos.org. You can then provide your username and password combination to proceed with authentication, and you'll then be redirected to the initial service you wanted to authenticate with.
{{{#!wiki warning
If you have enabled 2FA (see above), your password field is a combination of '''both''' your real password and the OTP token.
}}}

== Enabling kerberos for IdP ==
If you instead want to use your kerberos ticket to authenticate against services (transparently), without having to type your user/password (+OTP if enabled) combination each time, you can configure your workstation to transparently use GSSAPI authentication against https://id.centos.org.

For this you first need to install a mandatory package that has the needed configuration for kerberos:
{{{
sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora
sudo dnf install -y fedora-packager
}}}
{{{#!wiki important
You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work!
}}}
After that, you can kinit as usual (see the [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]]) and you should have your kerberos ticket ready to be used for authentication.

You still need to configure your browser:

=== Firefox settings ===
While in Firefox, type '''about:config''' in the location/url bar and press enter. You can then edit the following key/value:
{{{
network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
}}}
Close and reopen Firefox; it will then allow the kerberos/GSSAPI negotiation to proceed, meaning that the next time a service redirects you to https://id.centos.org, you'll be automatically logged in through kerberos (no need to specify user/password again).

=== Chrome/Chromium ===
Depending on Chrome or Chromium, the path of the json file to create is different:
 * Chrome: /etc/opt/chrome/policies/managed/fedora-centos.json
 * Chromium: /etc/chromium/policies/managed/fedora-centos.json

You should have there something like this:
{{{
{
  "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"
}
}}}
{{{#!wiki warning
Chrome/Chromium browsers with version < 100 used different names, ''AuthServerWhitelist'' and ''AuthNegotiateDelegateWhitelist'', so check your version and adapt accordingly.
}}}

== TLS certificate ==
To be able to request a signed TLS certificate, you first need to install the cli tool. It uses kerberos auth to send a locally generated (automatic) CSR to IPA for the signing operation, and you'll then get your certificate back.
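For the Firefox and Chrome/Chromium settings above, here is an added shell helper (not part of the CentOS wiki or of the fedora-packager tooling) that emits the policy JSON with the key names matching a given Chrome major version, emits the equivalent Firefox user.js line, and checks an existing policy file; the detect_chrome_major function assumes a chrome/chromium binary on PATH.

```shell
# Added example (not from the CentOS wiki): generate the browser settings for
# Kerberos/GSSAPI negotiation with id.centos.org and check an existing policy.

# Hosts allowed to negotiate GSSAPI. Keep this list narrow: the delegate list
# also hands your Kerberos credentials to the matching hosts.
CHROME_HOSTS='*.fedoraproject.org,*.centos.org'
FIREFOX_HOSTS='.fedoraproject.org,.centos.org'

# Policy key suffix by Chrome/Chromium major version: releases before 100
# only understood the older *Whitelist names.
policy_suffix() {
    if [ "$1" -ge 100 ]; then echo Allowlist; else echo Whitelist; fi
}

# Print the managed-policy JSON for the given major version.
chrome_policy() {
    suffix=$(policy_suffix "$1")
    printf '{\n  "AuthServer%s": "%s",\n  "AuthNegotiateDelegate%s": "%s"\n}\n' \
        "$suffix" "$CHROME_HOSTS" "$suffix" "$CHROME_HOSTS"
}

# Print a Firefox user.js line that sets the same preference as about:config.
firefox_user_js() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$FIREFOX_HOSTS"
}

# Check an existing policy file against the browser version: returns 0 when
# the key names match the version and *.centos.org is in the server list.
check_chrome_policy() {   # args: <policy file> <major version>
    file=$1; suffix=$(policy_suffix "$2")
    grep -q "\"AuthServer$suffix\"" "$file" || return 1
    grep "\"AuthServer$suffix\"" "$file" | grep -q '\*\.centos\.org' || return 1
    return 0
}

# Best-effort version detection (assumption: a chrome/chromium binary on PATH).
detect_chrome_major() {
    for bin in google-chrome chromium-browser chromium; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" --version 2>/dev/null | sed -n 's/.* \([0-9][0-9]*\)\.[0-9.]*.*/\1/p'
            return 0
        fi
    done
    return 1
}
```

Typical use is `chrome_policy "$(detect_chrome_major)" | sudo tee /etc/opt/chrome/policies/managed/fedora-centos.json` (or the Chromium path listed above).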
Supported Linux distributions: CentOS 8/8-stream, Fedora 32, 33, 34
{{{
sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream, not needed for Fedora
sudo dnf install -y centos-packager
}}}
Your user certificate bundle comes in the form of 1 file:
|| Filename || Purpose ||
|| ~/.centos.cert || PEM file with your X509 Client Certificate and Key ||

To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:
{{{
centos-cert
You need to call the script like this :
/usr/bin/centos-cert -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help
}}}
If you've signed up with the account name '''tuser''', you can generate your new certificate like this:
{{{
[tuser@myworkstation]$ centos-cert -u tuser
}}}
{{{#!wiki important
Note that '''centos-cert -u tuser''' will request a new certificate, which automatically revokes any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the file mentioned above to the other machine.
}}}
{{{#!wiki note
Important note WRT OTP: if you have enabled two-factor auth, you absolutely need to get a valid kerberos ticket through another step *before* using centos-cert. See the [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor|Fedora Accounts Documentation]] for this.
}}}