Hi all,
Xavier pointed me to this article this morning [1] about the kernel.org infrastructure now requiring 2-Factor Auth on the git of the kernel.
We were wondering if this is something that would be worth considering for the private repos -main has access to. I am leaning towards yes it would be nice, but I do realize that it would prevent someone from changing passwords (pushing to the repo), not reading/using them (assuming they could clone the repo).
Thoughts?
Pierre
[1] http://www.linux.com/news/featured-blogs/203-konstantin-ryabitsev/784544-lin...
On Fri, 22 Aug 2014 12:17:52 +0200 Pierre-Yves Chibon pingou@pingoured.fr wrote:
> Hi all,
> Xavier pointed me to this article this morning [1] about the kernel.org infrastructure now requiring 2-Factor Auth on the git of the kernel.
Yeah.
> We were wondering if this is something that would be worth considering for the private repos -main has access to. I am leaning towards yes it would be nice, but I do realize that it would prevent someone from changing passwords (pushing to the repo), not reading/using them (assuming they could clone the repo).
> Thoughts?
Well, our private repos are all on lockbox01... so I'm not sure it makes much sense to do much there.
I think it would be nice to explore making our dist-git more secure. Not sure all our package maintainers would put up with the setup they are using at kernel.org, but perhaps. Note that that just allows you to whitelist the IP you are using. If someone can get an IP that's already whitelisted they could still use that to attack, and if they compromise the maintainers' machines they could use the existing whitelist to push whatever.
Another thought we have had in the past was to set things up so commits need to be signed. We could have a hook to check that the commit is signed by the key they list in FAS. Again this wouldn't help a compromised maintainer machine probably, but might be interesting.
I guess the highest level here would be just to require ssh key and 2factor auth to push dist-git commits. That might really annoy maintainers that push lots of commits though.
Anyhow, just some thoughts.
kevin
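The signed-commit hook idea from the message above, as an added example that is not part of the thread and not Fedora's code: a git `update` hook that rejects a push unless every new commit carries a good GPG signature from the key registered for the pushing account. The `PUSH_USER` variable, the `SIGNERS` file and its path are hypothetical stand-ins for however the account system exposes the pusher and their key.

```sh
#!/bin/sh
# Added example: server-side "update" hook (args: refname old-sha new-sha).
# Hypothetical assumptions: $PUSH_USER is the authenticated account and
# $SIGNERS is a file of "<account> <fingerprint>" lines exported from the
# account system; neither name comes from the thread.
SIGNERS=${SIGNERS:-/etc/dist-git/signers.txt}
ZERO=0000000000000000000000000000000000000000

# expected_fpr ACCOUNT: print the fingerprint registered for ACCOUNT, if any.
expected_fpr() {
    awk -v u="$1" '$1 == u { print toupper($2); exit }' "$SIGNERS"
}

# signer_ok EXPECTED STATUS: succeed only if gpg status output shows a good
# signature made by EXPECTED (signing key or its primary key). Unsigned
# commits, expired or revoked keys, and an empty EXPECTED all fail.
signer_ok() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { fpr = 1 }
        END { exit ((good && fpr && !bad) ? 0 : 1) }'
}

main() {
    ref=$1 old=$2 new=$3
    [ "$new" = "$ZERO" ] && return 0      # ref deletion: nothing to verify
    want=$(expected_fpr "${PUSH_USER:-}")
    if [ "$old" = "$ZERO" ]; then range="$new --not --all"; else range="$old..$new"; fi
    for c in $(git rev-list $range); do
        # --raw prints gpg's machine-readable status lines on stderr
        status=$(git verify-commit --raw "$c" 2>&1) || true
        if ! signer_ok "$want" "$status"; then
            echo "rejected $ref: $c lacks a good signature from ${PUSH_USER:-unknown}'s key" >&2
            return 1
        fi
    done
}

# Run only when installed as hooks/update, so the functions can be tested alone.
case "${0##*/}" in update) main "$@" ;; esac
```

Because every new commit is checked against the pusher's own key, a push that carries commits signed by someone else is rejected; whether that is the wanted policy is part of the assumption.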
On Fri, Aug 22, 2014 at 12:49:59PM -0600, Kevin Fenzi wrote:
> I think it would be nice to explore making our dist-git more secure.
Since access to dist-git (e.g. ssh keys) is managed via FAS, initially FAS should require 2FA if you require 2FA for other services. This might already be a problem for current sudo 2FA if someone can just change the 2FA token using only the FAS password. I am not familiar enough with the internals of Fedora's 2FA.
> I guess the highest level here would be just to require ssh key and 2factor auth to push dist-git commits. That might really annoy maintainers that push lots of commits though.
For this, SSH connection multiplexing might ease things, where you 2FA authenticate the initial connection and are allowed to push to repos as long as the initial connection is open. So it is not just an IP that is whitelisted (which might be accessible to multiple users, e.g. at conferences) but the connection.
Regards Till
Hello: This is nerdsville from IRC. I have worked a little with development on the Fedora Project (I worked on an addition for the elections group for pingou), and I have had a lot going on the past week or so and have not had time to do much work for the project. I am now at a state where I could go back to development, so I am just sending out this email to inform you that I will be attending the next meeting to introduce myself and see where you need me for fi-apprentice. I look forward to the IRC meeting!
Thanks, Joshua Santos Nerdsville LLC www.nerdsville.net freenode: nerdsville
infrastructure@lists.fedoraproject.org