infra-docs-fpo/modules/sysadmin_guide/pages/2-factor.adoc

= Two factor authentication

The Fedora account system frontend (noggin) allows for users to enroll otp token(s).
See https://noggin-aaa.readthedocs.io/en/latest/userguide.html#two-factor-authentication
for end user documentation.

Otp tokens are then stored and managed in IPA backend. 

Users who enroll a otp are then required to append it to their password
or add it in a seperate field (if available) whenever they use their
Fedora account system login. 

Users who enroll a otp are also prohibited from removing the last otp
they have enabled on their account. This is to prevent someone from removing
the last otp to allow password only access to resources like sudo.
See https://github.com/fedora-infra/noggin/issues/579 for discussion.

For this reason it's advised to enroll multipule otp tokens, 
and/or to backup these tokens in case of device breakage/failure/loss.

== Administration

Sometimes users will loose or otherwise no longer have access to their
last otp and will need it to be cleared to allow them to login again
and set a new one. These requests are sent into admin@fedoraproject.org. 
(Be sure to 'reply all' when processing these so other sysadmin-main
members know they are processed)

Admins need to verify the users identity before processing these requests.

Including, but not limited to: 

* user sends gpg signed email with gpg key attached to their Fedora account

* user can ssh to fedorapeople.org with the ssh private key associated with
a ssh public key associated with their Fedora account

* rover verification (in case of Red Hat employee). 

* Video or in person meeting with admin who knows their identity on sight.

Additionally, users only in ipausers group can have their token cleared
as they don't have access to much of anything (yet).

To clear a token, admin should: 

* login to ipa01.rdu3.fedoraproject.org
* kinit admin@FEDORAPROJECT.ORG (enter the admin password)
* ipa otptoken-find --owner <username>
* ipa otptoken-del <token uuid from previous step>

Or alternately, admin can use the ipa web ui:
https://id.fedoraproject.org/ipa/ui/
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`= Two factor authentication`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`The Fedora account system frontend (noggin) allows for users to enroll otp token(s).`
			`See https://noggin-aaa.readthedocs.io/en/latest/userguide.html#two-factor-authentication`
			`for end user documentation.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Otp tokens are then stored and managed in IPA backend.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Users who enroll a otp are then required to append it to their password`
			`or add it in a seperate field (if available) whenever they use their`
			`Fedora account system login.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Users who enroll a otp are also prohibited from removing the last otp`
			`they have enabled on their account. This is to prevent someone from removing`
			`the last otp to allow password only access to resources like sudo.`
			`See https://github.com/fedora-infra/noggin/issues/579 for discussion.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`For this reason it's advised to enroll multipule otp tokens,`
			`and/or to backup these tokens in case of device breakage/failure/loss.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
Fix Antora error. 2022-04-04 20:42:57 +02:00			`== Administration`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Sometimes users will loose or otherwise no longer have access to their`
			`last otp and will need it to be cleared to allow them to login again`
			`and set a new one. These requests are sent into admin@fedoraproject.org.`
			`(Be sure to 'reply all' when processing these so other sysadmin-main`
			`members know they are processed)`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Admins need to verify the users identity before processing these requests.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Including, but not limited to:`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`* user sends gpg signed email with gpg key attached to their Fedora account`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`* user can ssh to fedorapeople.org with the ssh private key associated with`
			`a ssh public key associated with their Fedora account`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`* rover verification (in case of Red Hat employee).`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`* Video or in person meeting with admin who knows their identity on sight.`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Additionally, users only in ipausers group can have their token cleared`
			`as they don't have access to much of anything (yet).`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`To clear a token, admin should:`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
DC move: iad => rdu3, 10.3. => 10.16. And remove some obsolete things. Signed-off-by: Nils Philippsen <nils@redhat.com> 2025-07-04 11:55:02 +02:00			`* login to ipa01.rdu3.fedoraproject.org`
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`* kinit admin@FEDORAPROJECT.ORG (enter the admin password)`
			`* ipa otptoken-find --owner <username>`
			`* ipa otptoken-del <token uuid from previous step>`
Added the infra SOPs ported to asciidoc. 2021-07-26 10:39:47 +02:00
2-factor doc: rework completely for new 2fa setup Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-25 10:39:44 -07:00			`Or alternately, admin can use the ipa web ui:`
			`https://id.fedoraproject.org/ipa/ui/`