Getting set up with Fedora Project services

In addition to providing an operating system, the Fedora Project provides numerous services for users and developers. Services such as Ask Fedora, the Fedora Project Wiki and the Fedora Project Mailing Lists provide users with valuable resources for learning how to best take advantage of Fedora. For developers of Fedora, there are many other services such as dist-git, Pagure, Bodhi, COPR and Bugzilla that are involved with the packaging and release process.

These services are available for use with a free account from the Fedora Accounts System (FAS). This account is the passport to all things Fedora! This article covers how to get set up with an account and configure Fedora Workstation for browser single sign-on.

Signing up for a Fedora account

To create a FAS account, browse to the account creation page. Here, you will fill out your basic identity data:

Account creation page

Once you enter your data, an email will be sent to the email address provided, with a temporary password. Pick a strong password and use it.

Password reset page

Next, the account details page appears. If you intend to become a contributor to the Fedora Project, you should complete the Contributor Agreement now. Otherwise, you are done and your account can now be used to log into the various Fedora services.

Account details page

Configuring Fedora Workstation for single sign-On

Now that you have your account, you can sign into any of the Fedora Project services. Most of these services support single sign-on (SSO), allowing you to sign in without re-entering your username and password.

Fedora Workstation provides an easy workflow to add SSO credentials. The GNOME Online Accounts tool helps you quickly set up your system to access many popular services. To access it, go to the Settings menu.

GNOME Online Accounts

Click on the ⋮ button and select Enterprise Login (Kerberos), which provides a single text prompt for a principal. Enter fasname@FEDORAPROJECT.ORG (being sure to capitalize FEDORAPROJECT.ORG) and click Connect.

Kerberos principal dialog

GNOME prompts you to enter your password for FAS and given the option to save it. If you choose to save it, it is stored in GNOME Keyring and unlocked automatically at login. If you choose not to save it, you will need to open GNOME Online Accounts and enter your password each time you want to enable single sign-on.

Single sign-on with a web browser

Today, Fedora Workstation supports three web browsers “out of the box” with support for single sign-on with the Fedora Project services. These are Mozilla Firefox, GNOME Web, and Google Chrome. Due to a bug in Chromium, single sign-on does not currently work properly in many cases. As a result, this has not been enabled for Chromium in Fedora.

To sign on to a service, browse to it and select the “login” option for that service. For most Fedora services, this is the only thing you need to do and the browser handles the rest. Some services such as the Fedora Mailing Lists and Bugzilla support multiple login types. For them, you need to select the “Fedora” or “Fedora Account System” login type.

That’s it! You can now log into any of the Fedora Project services without re-entering your password.

Special consideration for Google Chrome

In order to enable single sign-on out of the box for Google Chrome, Fedora needed to take advantage of certain features in Chrome that are intended for use in “managed” environments. A managed environment is traditionally a corporate or other organization that sets certain security and/or monitoring requirements on the browser.

Recently, Google Chrome changed its behavior and it now reports “Managed by your organization” under the ⋮ menu in Google Chrome. That link leads to a page that states “If your Chrome browser is managed, your administrator can set up or restrict certain features, install extensions, monitor activity, and control how you use Chrome.” Fedora will never monitor your browser activity or restrict your actions.

Enter chrome://policy in the address bar to see exactly what settings Fedora has enabled in the browser. The AuthNegotiateDelegateWhitelist and AuthServerWhitelist options will be set to *.fedoraproject.org. These are the only changes Fedora makes.

Fedora Project community

12 Comments

  1. Ph0zzy

    I wonder what is behind FAS, is it an IPA instance?

  2. Yazan Al Monshed

    Thanks for this Blog, but it’s the same step in another GUI?

    • Other desktop environments may provide support for Kerberos logins as well. You will need to consult the documentation for those environments on your own.

      For advanced users, it’s also possible to get Kerberos credentials manually at the command prompt by typing

      kinit fasname@FEDORAPROJECT.ORG

      , but unlike the procedure documented for Fedora Workstation, this will have to be done manually at each login.

      • Peter Braet

        Using Xfce4 environment this doesn’t work: “bash: kinit: command not found”.

        • varesa

          You need to install the kerberos command line utilities. Try

          dnf whatprovides kinit

          to find the package.

          Seems it’s krb5-workstation

  3. QtWebEngine (as used, e.g., in Falkon) also supposedly supports Kerberos, though I have not tried it. (I think it needs the same manual setup as Chromium.) The Fedora QtWebEngine package is not a “component build” (unlike the Fedora Chromium package), so it should not be affected by #1640158, hopefully. (The way the qt5-qtwebengine-freeworld package in the external repository works is that it replaces the whole

    libQt5WebEngine*.so.*

    libraries, not just the media component.)

  4. Wolfgang Maier

    Works fine with AskFedora, but on bugzilla, after selecting Fedora Account System, I just get redirected to the regular Login page.

  5. Wolfgang Maier

    Of course, this also works with the GNOME Web/Epiphany browser as a third option.

  6. Konstantin

    Fedora 30 here. I have created an account based on previous related article. I tried to use the Kerberos login as is shown in this article, and it tells me, that “Error connecting to the enterprise identity server:
    Client fasname@FEDORAPROJECT.ORG not found in Kerberos database.”

    • You need to use your actual FAS user account, not the literal word “fasname” there. So if your FAS username is “konstantin”, you’d use

      konstantin@FEDORAPROJECT.ORG

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: