You are not logged in.

#1 2023-04-28 16:32:12

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Arch Linux accounts and SSO

I tried to report a bug, but it is on GitLab, and they propose me to install something to a mobile phone, which I would rather not do.

I don't understand the thing about "Arch Linux accounts", I already have passwords for

    ├── aur.archlinux.org
    ├── bbs.archlinux.org
    ├── bugs.archlinux.org
    └── wiki.archlinux.org

do I have to create more?

Is there a normal way to get out of this situation with SSO if one doesn't use that? I think it's just complete shame that one has to use another OS (Android/IOS) and another device to make a bug report for Arch. I found no justification of this decision, and I believe that bug reports are beneficial for software and people should not be restricted from making them.

Thank you.

Offline

#2 2023-04-28 18:39:44

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,705

Re: Arch Linux accounts and SSO

Things are currently separate, but moving towards SSO.

You don't have to have something on your phone, you just need TOTP, there are plenty of options to do that, including on Arch. I use KeePassXC.

Offline

#3 2023-04-28 18:52:15

progandy
Member
Registered: 2012-05-17
Posts: 5,212

Re: Arch Linux accounts and SSO

The minimal basically insecure option is storing your OTP key unencrypted and then calling oathtool in your terminal https://wiki.archlinux.org/title/Initia … mmand_line
Then as mentioned there is keepassxc, bitwarden, pass-otp, addons for your browser and even standalone applications like keysmith or (Gnome) Authenticator (the last one is not in the arch repositories)

I can not recommend any browser addon as I do not use them.

Last edited by progandy (2023-04-28 19:00:06)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#4 2023-04-28 19:34:28

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Thank you, I shall try that. However, I see no reason why to submit a bug report or to create a feature request I have to install a separate program and use a separate technology.
As I understand, this is just GitLab policy. For GitHub, PyPI it works without that.
Was there some discussion in the Arch Community about that? Can I read it somewhere?

Offline

#5 2023-04-30 09:39:55

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,422
Website

Re: Arch Linux accounts and SSO

You can open a bug, but it will immediately be closed as "won't fix".  Either accept it, or you will not have access to anything requiring a login in Arch in the future.

Offline

#6 2023-04-30 10:57:37

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Well, when I watched some Arch Conference online, Levente Polyak said that community is his priority for Arch.
Does that mean that the fate of Arch is decided by a group of elite technocrats? Did I miss something in community discussions?

Offline

#7 2023-04-30 12:16:04

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 12,033
Website

Re: Arch Linux accounts and SSO

From the discussions I've been privy to, apparently the community that is important isn't the ones we have currently (on this bbs, irc, mailing lists, etc), but rather those who are apparently crying out to be forced to use MFA, SSO, and either the latest Chrome or Firefox exclusively; and until we migrate to that they can't possibly join in discussions.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#8 2023-04-30 12:48:14

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,733
Website

Re: Arch Linux accounts and SSO

Allan wrote:

You can open a bug, but it will immediately be closed as "won't fix".  Either accept it, or you will not have access to anything requiring a login in Arch in the future.

The irony here is great.  Allan, I think you may have misunderstood the point of the thread.  The OP is not seeking to open a bug report about SSO or the SSO mechanisms - rather the OP has some other bug they'd like to submit information about, but they are unable to do so because of SSO and / or the SSO mechansisms.

So saying they can open a bug (but it will be closed) is a catch 22: no, they can't open a bug.  And if they could submit their yet undescribed bug report, noting that it would be immediately closed without even knowing what it's about is a bit harsh ... although also a fairly likely prediction.

Together these really scream to regular users: "dont submit bugs, we don't want to see them".


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#9 2023-04-30 13:02:58

progandy
Member
Registered: 2012-05-17
Posts: 5,212

Re: Arch Linux accounts and SSO

The last request to allow some gitlab access for e.g. bug reports without 2FA was declined here: https://gitlab.archlinux.org/archlinux/ … issues/295
There seems to be no record of the original decision, though.

By the way, the absolutely worst way to use TOTP: https://totp.danhersam.com/ https://totp.app/

Last edited by progandy (2023-04-30 13:08:29)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#10 2023-04-30 15:08:18

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Well, I actually managed to open some bugs in the old system (since it is not technically prohibited, maybe it exists for those less prepared users?),
https://bugs.archlinux.org/index.php?project=6
Thanks for the links!

> you will not have access to anything requiring a login in Arch in the future.
- yes, it would be a bit harsh for new users who can't install Arch and try to ask for help on the Forum, to install some super-professional software for that (I use `github`, and they don't require that). But yes, they sometimes require to check my phone notifications, but at least I don't have to install a new app for that.

Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
https://en.wikipedia.org/wiki/Initiativ … entication

Offline

#11 2023-04-30 18:27:43

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Arch Linux accounts and SSO

ynikitenko wrote:

to install some super-professional software for that

"Super professional"?  For Christ's sake, by your own account you live in a country where every bank has to have a more complicated form of 2FA already…

I use `github`, and they don't require that.

Github will require 2FA by the end of 2023.   I think that's long overdue given Github's essential position in the supply chain, and I for my part am very happy that central parts of Archlinux' infrastructure have stricter security requirements already.

Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
https://en.wikipedia.org/wiki/Initiativ … entication

In the context of SSO, you persumably meant "OAuth". https://oauth.net has perfectly valid certificates.

Last edited by 3beb6e7c46a615a (2023-04-30 18:34:46)

Offline

#12 2023-04-30 19:43:48

progandy
Member
Registered: 2012-05-17
Posts: 5,212

Re: Arch Linux accounts and SSO

lunaryorn wrote:

Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
https://en.wikipedia.org/wiki/Initiativ … entication

In the context of SSO, you persumably meant "OAuth". https://oauth.net has perfectly valid certificates.

OATH ("Initiative for Open Authentication") is/was an "industry organization working towards the propogation of ubiquitous strong authentication". They were the ones to design TOTP, OCRA, and some other standards. Maybe the members feel that its role has been fulfilled and nobody is really left to shut it down properly.

Last edited by progandy (2023-04-30 19:44:24)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#13 2023-04-30 21:34:31

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Arch Linux accounts and SSO

Oh, I didn't know… thanks. TOTP is an RFC since ten years or more, so this initiative probably lost its relevance.

Offline

#14 2023-05-01 05:22:03

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,422
Website

Re: Arch Linux accounts and SSO

Trilby wrote:
Allan wrote:

You can open a bug, but it will immediately be closed as "won't fix".  Either accept it, or you will not have access to anything requiring a login in Arch in the future.

The irony here is great.  Allan, I think you may have misunderstood the point of the thread.  The OP is not seeking to open a bug report about SSO or the SSO mechanisms - rather the OP has some other bug they'd like to submit information about, but they are unable to do so because of SSO and / or the SSO mechansisms.

Oops! Combination of misreading and that I forget bugs can be reported on gitlab these days... 

Trilby wrote:

Together these really scream to regular users: "dont submit bugs, we don't want to see them".

No comment smile

Offline

#15 2023-05-02 13:55:36

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

About OATH: there was a link above to ArchWiki, in its very beginning there is a link to Wikipedia, and in the end of that there are three links with expired certificates like https://openauthentication.org/, but now they've updated them (so good that we had written it here!).

Thank you for all feedback and links to GitHub. I shall read them thoroughly and understand that technology. It's nice to see that this 2FA is implemented there as well, so Arch Linux is not too radical compared to other software communities. On the other hand, they announced that in their blog in advance and described the process, but what has Arch Linux done on that side? I can't see any news on these Authentication methods on https://archlinux.org/news/ . Why can't detailed information be posted on the site?

As I said, for me there was enough information and input (I have to study that), so one can close this topic, but if one wants to continue the discussion, please do it. Write to me when/whether I shall close. Thanks again.

Offline

#16 2023-05-03 12:20:26

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Well, actually I've found a very nice follow-up. When trying to submit a feature request to CMake, I was brought to its GitLab. And it didn't ask me to install any program, but allowed to login using my GitHub account! Maybe it could be allowed for Arch Linux bug reports as well? If GitHub is going to force a stricter policy this year, then we are probably not in danger because of that? And super professional Arch Developers, I'm sure, already use 2FA for GitHub (or other portals).

Offline

#17 2023-05-04 00:03:29

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,422
Website

Re: Arch Linux accounts and SSO

The Arch SSO already lets you use GitHub.

Offline

#18 2023-05-04 15:46:12

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

No, it requires something different when I choose GitHub authentication. Sorry, I don't understand how to upload an image here sad


Mobile Authenticator Setup

You need to set up a Mobile Authenticator to activate your account.

Warning: For security reasons, we may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials. For this reason, it is highly recommended that you backup your credentials.

    Install one of the following applications on your mobile:
        Android
            Aegis
            andOTP
            FreeOTP+
        iOS
            Authy
            LastPass Authenticator
            OTP Auth

    Open the application and scan the barcode:
    Figure: Barcode

    Unable to scan?

    Enter the one-time code provided by the application and click Submit to finish the setup.

    Provide a Device Name to help you manage your OTP devices.

Offline

#19 2023-05-05 10:29:41

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,167

Re: Arch Linux accounts and SSO

Enter the one-time code provided by the application and click Submit to finish the setup

That line holds the solution, setup TOTP on your pc . I had similar issues not long ago , see https://bbs.archlinux.org/viewtopic.php?id=285181 .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#20 2023-05-05 13:09:47

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Many thanks. Reading your thread, it seems you could not log in using your GitHub account only (which we were discussing above). Yes, I'll have to setup one of those methods, thanks.

Offline

#21 2023-05-21 15:49:40

shtirlic
Member
Registered: 2022-08-24
Posts: 12
Website

Re: Arch Linux accounts and SSO

I experience some issue logging to SSO for accessing arch gitlab, I can still login to bbs,bugs and when I try to login with SSO it asking me  2fa code, I don't remember I ever created and TOTP values are empty for arch records in my keepass, what should I do?


H: Thinkpad P14s Gen4 AMD 7840U, S: Wayland, KDE, UEFI SB

Offline

#22 2023-05-21 23:16:54

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,705

Re: Arch Linux accounts and SSO

Did you ever create an account? bbs and bugs don't use the SSO (yet).

Offline

#23 2023-05-22 02:53:50

shtirlic
Member
Registered: 2022-08-24
Posts: 12
Website

Re: Arch Linux accounts and SSO

I don't think so, I've tried to register instead and the SSO form tells me "Username already exists,Email" already exists. Maybe it's somehow forced my account to 2fa? There is a chance that I registered the SSO account in the February/January and lost info about it due to LUKS issue I had and my keepass backup don't know it. If someone can check the registration date of my  SSO account I diffidently can tell if it was in the same time frame, since I already recovered my KDE Gitlab account in the same time.


H: Thinkpad P14s Gen4 AMD 7840U, S: Wayland, KDE, UEFI SB

Offline

#24 2023-05-22 04:45:27

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 630

Re: Arch Linux accounts and SSO

If you have issues with the SSO account, email accountsupport@archlinux.org

Offline

#25 2023-05-22 09:52:07

ynikitenko
Member
From: Aachen, Germany
Registered: 2020-11-15
Posts: 44
Website

Re: Arch Linux accounts and SSO

Glad that this discussion was useful, maybe should I close this topic as solved? People can start new ones if needed.

Offline

Board footer

Powered by FluxBB