I tried to report a bug, but it is on GitLab, and they propose that I install something on a mobile phone, which I would rather not do.
I don't understand the thing about "Arch Linux accounts", I already have passwords for
├── aur.archlinux.org
├── bbs.archlinux.org
├── bugs.archlinux.org
└── wiki.archlinux.org
do I have to create more?
Is there a normal way to get out of this situation with SSO if one doesn't use that? I think it's just a complete shame that one has to use another OS (Android/iOS) and another device to make a bug report for Arch. I found no justification of this decision, and I believe that bug reports are beneficial for software and people should not be restricted from making them.
Thank you.
Offline
Things are currently separate, but moving towards SSO.
You don't have to have something on your phone, you just need TOTP, there are plenty of options to do that, including on Arch. I use KeePassXC.
Offline
The minimal basically insecure option is storing your OTP key unencrypted and then calling oathtool in your terminal https://wiki.archlinux.org/title/Initia … mmand_line
Then as mentioned there is keepassxc, bitwarden, pass-otp, addons for your browser and even standalone applications like keysmith or (Gnome) Authenticator (the last one is not in the arch repositories)
I can not recommend any browser addon as I do not use them.
Last edited by progandy (2023-04-28 19:00:06)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Thank you, I shall try that. However, I see no reason why, to submit a bug report or to create a feature request, I have to install a separate program and use a separate technology.
As I understand, this is just GitLab policy. For GitHub, PyPI it works without that.
Was there some discussion in the Arch Community about that? Can I read it somewhere?
Offline
You can open a bug, but it will immediately be closed as "won't fix". Either accept it, or you will not have access to anything requiring a login in Arch in the future.
Offline
Well, when I watched some Arch Conference online, Levente Polyak said that community is his priority for Arch.
Does that mean that the fate of Arch is decided by a group of elite technocrats? Did I miss something in community discussions?
Offline
From the discussions I've been privy to, apparently the community that is important isn't the ones we have currently (on this bbs, irc, mailing lists, etc), but rather those who are apparently crying out to be forced to use MFA, SSO, and either the latest Chrome or Firefox exclusively; and until we migrate to that they can't possibly join in discussions.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
> You can open a bug, but it will immediately be closed as "won't fix". Either accept it, or you will not have access to anything requiring a login in Arch in the future.

The irony here is great. Allan, I think you may have misunderstood the point of the thread. The OP is not seeking to open a bug report about SSO or the SSO mechanisms - rather the OP has some other bug they'd like to submit information about, but they are unable to do so because of SSO and / or the SSO mechanisms.
So saying they can open a bug (but it will be closed) is a catch 22: no, they can't open a bug. And if they could submit their yet undescribed bug report, noting that it would be immediately closed without even knowing what it's about is a bit harsh ... although also a fairly likely prediction.
Together these really scream to regular users: "don't submit bugs, we don't want to see them".
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
The last request to allow some gitlab access for e.g. bug reports without 2FA was declined here: https://gitlab.archlinux.org/archlinux/ … issues/295
There seems to be no record of the original decision, though.
By the way, the absolutely worst way to use TOTP: https://totp.danhersam.com/ https://totp.app/
Last edited by progandy (2023-04-30 13:08:29)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Well, I actually managed to open some bugs in the old system (since it is not technically prohibited, maybe it exists for those less prepared users?),
https://bugs.archlinux.org/index.php?project=6
Thanks for the links!
> you will not have access to anything requiring a login in Arch in the future.
- yes, it would be a bit harsh for new users who can't install Arch and try to ask for help on the Forum, to install some super-professional software for that (I use `github`, and they don't require that). But yes, they sometimes require me to check my phone notifications, but at least I don't have to install a new app for that.
Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
https://en.wikipedia.org/wiki/Initiativ … entication
Offline
> to install some super-professional software for that

"Super professional"? For Christ's sake, by your own account you live in a country where every bank has to have a more complicated form of 2FA already…

> I use `github`, and they don't require that.

Github will require 2FA by the end of 2023. I think that's long overdue given Github's essential position in the supply chain, and I for my part am very happy that central parts of Archlinux' infrastructure have stricter security requirements already.

> Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
> https://en.wikipedia.org/wiki/Initiativ … entication

In the context of SSO, you presumably meant "OAuth". https://oauth.net has perfectly valid certificates.
Last edited by 3beb6e7c46a615a (2023-04-30 18:34:46)
Offline
> > Which also looks strange to me, is that the OATH sites have expired SSL certificates. It doesn't look very professional or supported, or secure.
> > https://en.wikipedia.org/wiki/Initiativ … entication
>
> In the context of SSO, you presumably meant "OAuth". https://oauth.net has perfectly valid certificates.

OATH ("Initiative for Open Authentication") is/was an "industry organization working towards the propagation of ubiquitous strong authentication". They were the ones to design TOTP, OCRA, and some other standards. Maybe the members feel that its role has been fulfilled and nobody is really left to shut it down properly.
Last edited by progandy (2023-04-30 19:44:24)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Oh, I didn't know… thanks. TOTP has been an RFC for ten years or more, so this initiative probably lost its relevance.
Offline
> > Allan wrote: You can open a bug, but it will immediately be closed as "won't fix". Either accept it, or you will not have access to anything requiring a login in Arch in the future.
>
> The irony here is great. Allan, I think you may have misunderstood the point of the thread. The OP is not seeking to open a bug report about SSO or the SSO mechanisms - rather the OP has some other bug they'd like to submit information about, but they are unable to do so because of SSO and / or the SSO mechanisms.

Oops! Combination of misreading and that I forget bugs can be reported on gitlab these days...

> Together these really scream to regular users: "don't submit bugs, we don't want to see them".

No comment
Offline
About OATH: there was a link above to ArchWiki, at its very beginning there is a link to Wikipedia, and at the end of that there are three links with expired certificates like https://openauthentication.org/, but now they've updated them (so good that we had written it here!).
Thank you for all feedback and links to GitHub. I shall read them thoroughly and understand that technology. It's nice to see that this 2FA is implemented there as well, so Arch Linux is not too radical compared to other software communities. On the other hand, they announced that in their blog in advance and described the process, but what has Arch Linux done on that side? I can't see any news on these Authentication methods on https://archlinux.org/news/ . Why can't detailed information be posted on the site?
As I said, for me there was enough information and input (I have to study that), so one can close this topic, but if one wants to continue the discussion, please do it. Write to me when/whether I shall close. Thanks again.
Offline
Well, actually I've found a very nice follow-up. When trying to submit a feature request to CMake, I was brought to its GitLab. And it didn't ask me to install any program, but allowed me to log in using my GitHub account! Maybe it could be allowed for Arch Linux bug reports as well? If GitHub is going to force a stricter policy this year, then we are probably not in danger because of that? And super professional Arch Developers, I'm sure, already use 2FA for GitHub (or other portals).
Offline
The Arch SSO already lets you use GitHub.
Offline
No, it requires something different when I choose GitHub authentication. Sorry, I don't understand how to upload an image here
Mobile Authenticator Setup
You need to set up a Mobile Authenticator to activate your account.
Warning: For security reasons, we may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials. For this reason, it is highly recommended that you backup your credentials.
Install one of the following applications on your mobile:
Android
Aegis
andOTP
FreeOTP+
iOS
Authy
LastPass Authenticator
OTP Auth
Open the application and scan the barcode:
Figure: Barcode
Unable to scan?
Enter the one-time code provided by the application and click Submit to finish the setup.
Provide a Device Name to help you manage your OTP devices.
Offline
> Enter the one-time code provided by the application and click Submit to finish the setup

That line holds the solution, set up TOTP on your PC. I had similar issues not long ago, see https://bbs.archlinux.org/viewtopic.php?id=285181 .
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
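An added illustration, not part of any post in this thread: the one-time code the setup page asks for is plain RFC 6238 TOTP, so it can be computed on the PC from the key shown under "Unable to scan?", which is what `oathtool` and KeePassXC do. The sketch assumes the common defaults (HMAC-SHA1, 6 digits, 30-second step); the function names and the key-file layout are hypothetical, and the sample key is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890",
# typed the way setup pages often display it (lower case, in groups).
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(text):
    """Normalise a manually entered base32 key and return the raw bytes."""
    cleaned = "".join(text.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed server defaults)."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def load_secret(path):
    """Read a key file, refusing one that group or others can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(mode):o}, expected 600")
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    print(totp(SAMPLE_KEY))  # code for the current 30-second window
```

The permission check only keeps other local accounts away from the file; the key is still plaintext on disk, which is why the thread calls the bare `oathtool` approach basically insecure and points to KeePassXC or pass-otp, which keep it encrypted.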
Many thanks. Reading your thread, it seems you could not log in using your GitHub account only (which we were discussing above). Yes, I'll have to set up one of those methods, thanks.
Offline
I'm experiencing an issue logging in to SSO to access the Arch GitLab. I can still log in to bbs and bugs, but when I try to log in with SSO it asks me for a 2FA code, which I don't remember ever creating, and the TOTP values are empty for the Arch records in my KeePass. What should I do?
H: Thinkpad P14s Gen4 AMD 7840U, S: Wayland, KDE, UEFI SB
Offline
Did you ever create an account? bbs and bugs don't use the SSO (yet).
Offline
I don't think so. I've tried to register instead, and the SSO form tells me "Username already exists" and "Email already exists". Maybe it somehow forced my account to 2FA? There is a chance that I registered the SSO account in February/January and lost the info about it due to a LUKS issue I had, and my KeePass backup doesn't know it. If someone can check the registration date of my SSO account, I can definitely tell if it was in the same time frame, since I already recovered my KDE GitLab account at the same time.
H: Thinkpad P14s Gen4 AMD 7840U, S: Wayland, KDE, UEFI SB
Offline
If you have issues with the SSO account, email accountsupport@archlinux.org
Offline
Glad that this discussion was useful, maybe I should close this topic as solved? People can start new ones if needed.
Offline