Re: Proposed F19 Feature: Enterprise / distributed two-factor authentication

On Tue, Jan 29, 2013 at 9:48 AM, Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:
> = Features/EnterpriseTwoFactorAuthentication =
> https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
>
> Feature owner(s): Daniel Pocock <daniel@xxxxxxxxxxxxx>
>
> Provide a flexible solution for two-factor authentication on a distributed
> basis, suitable for enterprise and SSO.
>
> == Detailed description ==
> Most OTP solutions for two-factor authentication require some kind of storage
> backend for counters or other volatile data. Early implementations work with
> flat files on a single host. dynalogin was created to bring stability and
> flexibility, storing counters in just about any type of database. Other
> solutions such as totp-cgi have similar goals (although it only mentions
> Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC).
> dynalogin has been successfully integrated with the SimpleID provider for
> OpenID authentication.

Well, the main reason totpcgi doesn't use MySQL is because it hasn't been a requested feature so far. Adding support for mysql would be a couple of hours of work. Notably, using a database for this is a net loss in security, since not only are we transferring pre-shared secrets over the network now (hope you connect via ssl), but we also lose extra SELinux enforcement that is added onto tokens stored on the filesystem. Database backends should only be used when you want to add multiple redundant 2fa servers.

(I'm also worried that unixODBC doesn't appear to support advisory locking that we use in postgresql backend to make sure that we only allow one member of the redundant cluster to work on a token -- thus preventing potential race conditions allowing token reuse.)

My main objection, though, is that this feature implies that there currently isn't a "flexible solution for two-factor authentication suitable for enterprise" in Fedora. While totpcgi doesn't currently provide a lot of SSO options (if you don't count Radius -- which you really shouldn't), that's mainly because there are so many SSO options to choose from besides just OpenID.

Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
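The race that Konstantin describes (two members of a redundant cluster validating the same code before either has recorded it) is easiest to see in a simulation. The block below is an added illustration written for this page; it is not code from totpcgi or dynalogin. It implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library, models the shared database as an in-memory class whose `try_advisory_lock`/`advisory_unlock` stand in for PostgreSQL's advisory locks, and interleaves two verifier nodes with a deterministic round-robin scheduler so the outcome does not depend on thread timing. The node names, the user "alice", the fixed timestamp and the secret (the RFC test-vector key) are all constructed inputs.

```python
"""Simulate two redundant OTP verifiers sharing one database, with and
without a per-user advisory lock held across the read/check/write of the
'last accepted time step'.  Hypothetical illustration, not project code."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def matching_step(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1):
    """Return the time step within +/-skew of now/step whose TOTP equals code, else None."""
    current = now // step
    for candidate in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


class FakeTokenDB:
    """Stand-in for the shared database: last accepted step per user plus a
    lock table modelled on pg_try_advisory_lock semantics (assumed, simplified)."""

    def __init__(self):
        self.last_step = {}
        self.lock_holder = {}

    def read_last_step(self, user):
        return self.last_step.get(user, -1)

    def write_last_step(self, user, step):
        self.last_step[user] = step

    def try_advisory_lock(self, user, node):
        if self.lock_holder.get(user, node) == node:   # free, or already ours
            self.lock_holder[user] = node
            return True
        return False

    def advisory_unlock(self, user, node):
        if self.lock_holder.get(user) == node:
            del self.lock_holder[user]


def verify(db, node, user, secret, code, now, use_lock):
    """One verification attempt as a generator; each yield is a point where
    another node in the cluster may run (a simulated context switch)."""
    if use_lock:
        while not db.try_advisory_lock(user, node):
            yield "waiting for lock"
    last = db.read_last_step(user)
    yield "read last step"          # the race window: read done, write not yet
    step = matching_step(secret, code, now)
    accepted = step is not None and step > last   # reject replays of an old step
    if accepted:
        db.write_last_step(user, step)
    if use_lock:
        db.advisory_unlock(user, node)
    return accepted


def run_cluster(tasks):
    """Round-robin scheduler: interleave the generators until all have finished."""
    results = {}
    pending = list(tasks.items())
    while pending:
        for name, gen in list(pending):
            try:
                next(gen)
            except StopIteration as done:
                results[name] = done.value
                pending.remove((name, gen))
    return results


SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key (constructed input)
USER = "alice"                     # constructed
NOW = 1_300_000_000                # fixed timestamp so the demo is deterministic


def demo(use_lock):
    """Replay one valid code against two nodes at once; returns {node: accepted}."""
    db = FakeTokenDB()
    code = hotp(SECRET, NOW // 30)
    tasks = {
        "node-a": verify(db, "node-a", USER, SECRET, code, NOW, use_lock),
        "node-b": verify(db, "node-b", USER, SECRET, code, NOW, use_lock),
    }
    return run_cluster(tasks)


if __name__ == "__main__":
    print("without lock:", demo(False))   # both nodes accept: the code is reused
    print("with lock:   ", demo(True))    # only the first node accepts
```

Without the lock, both nodes read the stale "last accepted step", both see the code as fresh, and both write, so a captured code works twice. With the lock held from before the read until after the write, the second node blocks (here: spins on `try_advisory_lock`) until the first has committed, then reads the updated step and rejects the replay. An ODBC layer that cannot express such a lock leaves the cluster with exactly the first behaviour, which is the concern raised above.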
