Fedora: 2FA, or not 2FA, that is the question


By Joe Brockmeier
June 24, 2026

Compromised accounts are one of the most common ways that attackers can sneak malware into the open-source supply chain. One way to reduce account compromise is for projects to require two-factor authentication (2FA) or multi-factor authentication (MFA), but that is easier said than done. However, Fedora is currently discussing putting 2FA requirements in place soon, following an alleged account compromise that led to an AI agent causing a number of problems for the project. After some discussion, Fedora will begin by requiring packagers in the "provenpackager" group to enable 2FA within the next three months or so.

"Rather embarrassing"

Fedora took notice of the agent's activities in May, but it seems to have had access much earlier; how much earlier is unclear. Its contributions appear to have been benign, if unhelpful, but there is no reason to expect that Fedora's luck will hold if another account is compromised. On June 11, Daniel P. Berrangé replied on Fedora's development mailing list in the thread about the unsupervised AI agent. He pointed out that Fedora had considered mandating 2FA two years ago, after the XZ backdoor, but had yet to do so. If the episode was truly a case of password compromise leading to account takeover, "then this is rather an embarrassing situation for Fedora".

Of course, Fedora is not alone; none of the other major Linux distributions with community contributors have 2FA requirements, and it does not seem that there is widespread infrastructure support for it, either. Debian's Salsa collaboration platform does not support enabling 2FA as far as I can tell, nor does openSUSE's Open Build Service (OBS). Ubuntu's single-sign-on service, which is used for its Launchpad collaboration platform, does allow users to enable 2FA, but it is unclear whether there is any requirement for Ubuntu contributors to actually do so. However, Debian and Ubuntu require signing packages with an OpenPGP signature before upload. (Update: Salsa apparently does support 2FA. Apologies for the error.)

Michael Catanzaro said that he uses 2FA for "basically everything *except* Fedora", even though his Fedora account would be of high value to an attacker. "Compromise a Fedora packager and you can push malware more or less directly to users." However, he argued that Fedora is not ready for 2FA.

His complaint was that he did not want to use 2FA until GNOME's online accounts feature supported Kerberos ticket renewals; Fedora uses Kerberos authentication for some infrastructure, such as its koji build system. Catanzaro followed up to say that he was pretty sure he'd made the same objection before, perhaps several years ago, and no progress had been made since. "Unfortunately we're all busy with our usual work, and nobody has been prioritizing these problems. So: basically the usual explanation for how things happen in open source projects."

Support for Kerberos 2FA in GNOME's online accounts feature seems to have been implemented years ago, but has not yet been accepted. Alexander Bokovoy said that he had submitted a merge request to enable MFA Kerberos authentication, but it was stuck on the GNOME side. The feature was submitted in June 2024, and it has been reviewed extensively since, but not yet merged. Catanzaro pointed out that the request's status was still set as "Draft"; perhaps it will see the light of day soon once Bokovoy clicks the proper button.

Make it mandatory first

The problem with waiting until Fedora was fully ready for 2FA, Berrangé said, was that no one was motivated to prioritize 2FA improvements because its use was not mandatory; if it were mandatory, someone would make it a priority to fix the remaining problems. "Or we could continue ignoring the problem until another Fedora account's credentials are compromised and does greater damage that causes Fedora significant reputational harm."

Stephen Smoogen replied that he would love it if that would fix things, but the reality is more complicated:

Anything which slows down builds or makes an already complicated system worse, gets pushed down the queue over higher priority items. Pretty much every time it is said "This time will be different and you have this top priority to work on this over other items" gets a week later "I know we said that, but we...
