On Fri, Sep 16, 2022 at 10:29:17AM +0300, Alexander Bokovoy wrote:
>
> One thing I want to get properly implemented in SSSD in upcoming FIDO2
> support is to allow admins to filter out certain types of public SSH
> keys associated with the user account. E.g. get a way for administrator
> to say 'only FIDO2 keys and their OpenSSH equivalents (ecdsa-sk,
> ed25519-sk) allowed for these users' and let SSSD's
> sss_ssh_authorized_keys to filter all other types. Then your git server
> could be able to deny non-FIDO2 SSH keys on per-user base.

That would be cool. Even better IMHO would be support for ssh certs. ie,
auth with your FIDO2 key/otp and you get a ssh cert that has a time
limit / other restrictions for just pushing git commits, etc.

> FreeIPA Kerberos already gives you this feature for various
> authentication methods[1] but it is not integrated in OpenSSH's GSSAPI
> support.
>
> [1] https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
>
> > > these days than, say, FIDO2 tokens. A card reader cost is around 10EUR
> > > (Amazon.de gives me ~100 options of USB smartcard readers below 20EUR),
> > > a smartcard is typically your government-issued ID in many countries.
> > >
> > > Though with Token2 FIDO2 tokens that cost 14EUR themselves we get close
> > > enough to a lower boundary.
> >
> > Yeah, it will still be hard to require 100% of packagers, but it might
> > be doable.
>
> Solving this is a social problem. I'd like to remove technical
> roadblocks so that we can better focus on the solutions to social
> problems. Right now we aren't there on both sides.

Agreed.

...snip...

> Sure. I guess we can aim last week of October. I'll write up a call for
> participation next week.

Thanks.

> > > > > Do we have any statistics of how we stand now that Fedora Accounts is
> > > > > deployed for more than a year and people were enabled to use 2FA tokens
> > > > > through it?
> > > >
> > > > I could try and gather some. What stats would be helpful?
> > >
> > > A particular argument by smooge and others was around 'passwords or
> > > tokens being lost frequently'. I'd like to see how widespread is this
> > > problem. Can we collect stats on amount of requests to reset passwords,
> > > reset tokens, etc. for a period of a year or so?
> >
> > We currently have 1560 tokens enrolled.
> > (Of course some users have more than one, but most seem to have one)
> >
> > In the 1 year period from 2021-07-01 to 2022-07-01 we had 87 requests to
> > reset otp. Some of these were people who were confused and didn't actually
> > even have an otp enabled, but it's hard to count those without going
> > through each request.
> >
> > So, it's less than 5% a year it seems like, or a request every 4 days if
> > they were evenly spaced.
>
> Thank you. This is actually better than I expected to see. Improving
> technical measures and UX should help but there always will be something
> that is harder to deal with, anyway.

I'll also note that I think many more of them came toward the first part
of that time period. We made some changes to the interface that helped a
good deal. At first we had a mailto: link and got a bunch of blank
emails (bots just following the link? confused users?)

https://github.com/fedora-infra/noggin/issues/678

So, it might be interesting to see how things look after that change
landed.

kevin
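The per-user key-type policy Alexander describes above (let only FIDO2-backed OpenSSH keys through and drop everything else) can be sketched as a filter over the lines an AuthorizedKeysCommand prints. The following is an added illustration for this thread, not SSSD or OpenSSH code: it parses authorized_keys lines (including a leading options field), reads the key type from inside the base64 blob rather than trusting the label in front of it, and keeps only the `sk-` types. The sample listing and its key blobs are constructed for the example (type string plus dummy bytes, no real key material); the function names are this example's own.

```python
"""Filter OpenSSH authorized_keys output down to FIDO2-backed ("-sk") key types.

Illustrative example, not SSSD or OpenSSH code. It stands in for the kind of
per-user policy discussed in the thread: run it over the lines that an
AuthorizedKeysCommand such as sss_ssh_authorized_keys would print and keep
only keys whose type is one of OpenSSH's security-key types.
"""
import base64
import struct

# OpenSSH key type names for FIDO2/U2F-backed keys (plain keys only; the
# "-cert-v01@openssh.com" certificate variants are a separate policy choice).
SK_KEY_TYPES = frozenset({
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
})


def blob_key_type(blob_b64):
    """Return the key type string stored inside a base64 key blob, or None.

    Every OpenSSH public key blob starts with a length-prefixed string that
    repeats the key type, so the blob, not the label in front of it, is the
    authoritative source for the type.
    """
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        if n > len(raw) - 4:
            return None
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def strip_options(line):
    """Split off a leading options field, honouring quotes (command="a b")."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_key(line):
    """Parse one authorized_keys line into (options, keytype, blob, comment).

    Returns None for blank lines, comments, and lines whose declared type does
    not match the type embedded in the blob.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    fields = line.split(None, 2)
    # A line may or may not start with an options field; try without first.
    if len(fields) < 2 or blob_key_type(fields[1]) != fields[0]:
        options, rest = strip_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2 or blob_key_type(fields[1]) != fields[0]:
            return None
    keytype, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    return options, keytype, blob, comment


def filter_sk_keys(lines, allowed=SK_KEY_TYPES):
    """Keep only lines carrying a key of an allowed (FIDO2) type.

    Unparseable lines are dropped rather than passed through, so a malformed
    entry can never slip past the policy.
    """
    kept = []
    for line in lines:
        parsed = parse_authorized_key(line)
        if parsed is not None and parsed[1] in allowed:
            kept.append(line.strip())
    return kept


def fake_blob(keytype):
    """Constructed test blob: the type string plus dummy bytes, no real key."""
    body = keytype.encode("ascii")
    return base64.b64encode(struct.pack(">I", len(body)) + body + b"\x00" * 8).decode()


# Constructed sample listing, shaped like sss_ssh_authorized_keys output.
SAMPLE_KEYS = [
    "# comment line",
    "ssh-ed25519 " + fake_blob("ssh-ed25519") + " laptop",
    "sk-ssh-ed25519@openssh.com " + fake_blob("sk-ssh-ed25519@openssh.com") + " yubikey",
    'command="git-shell",no-pty sk-ecdsa-sha2-nistp256@openssh.com '
    + fake_blob("sk-ecdsa-sha2-nistp256@openssh.com") + " token2",
    # Label claims FIDO2 but the blob is an ordinary RSA key: must be dropped.
    "sk-ssh-ed25519@openssh.com " + fake_blob("ssh-rsa") + " spoofed",
]

if __name__ == "__main__":
    for line in filter_sk_keys(SAMPLE_KEYS):
        print(line)
```

Run against the sample, only the two `sk-` entries survive: the plain ed25519 key is rejected by type, and the relabelled RSA key is rejected because the type inside the blob disagrees with the label. Wrapping an existing AuthorizedKeysCommand this way is a stopgap; the SSSD-side filtering Alexander proposes would apply the same policy centrally per user.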