On Mon, 24 Jun 2024 at 10:39, Mattia Verga via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 17/06/24 22:20, Zbigniew Jędrzejewski-Szmek wrote:
> > Proven packagers,
> >
> > we changed [2,3] the FESCo policy document [1] for provenpackagers to say:
> >
> > "Provenpackagers SHOULD have two-factor-authentication (2FA) enabled for their FAS accounts."
> >
> > This is not enforced or checked, but please take steps to conform
> > to the policy if you haven't yet.
> >
> > [1] https://docs.fedoraproject.org/en-US/fesco/Provenpackager_policy/
> > [2] It's not visible on the web yet, because antora is doing its thing … slowly.
> > [3] https://pagure.io/fesco/issue/3186
> >
> > Zbyszek
>
> Perhaps it's a stupid idea, but we already have ssh public keys stored
> in fas, would it be possible for fkinit to use the private key as second
> factor? That way, on a system which is considered secure (it has the
> private key stored in it) we would only require the user to enter the
> FAS password, while on a smartphone or a temporary device the
> password+otp would still be required.
>

The corner case which makes this ineffective is

1. Various (proven) packagers like to copy their .ssh/ blindly to whatever systems they are running on. When I was in Systems Administration, I was regularly deleting private key files from various shared systems like people, bastion, etc.
2. Many of those private keys had no extra security on them (aka they were not locked) so they were pretty much open to anyone who could get them.
3. This happened enough over 12 years that I just realized many people don't see it as a problem.

While we could say 'oh that should be a reason to remove (proven) packager from someone' etc.. it puts sysadmin into being a hated nanny, and also only says 'oh you didn't do that to the Fedora systems, but the 800 other places you have placed them that we don't know about.'

This illustrates why "we can't have nice things". You start finding more and more 'common' cases which for X individual makes perfect sense to them and doesn't seem a problem, but overall makes everyone else's life hell when a problem occurs. The same goes with keyfiles and such. We 'assume' that people keep them on a single laptop that is encrypted with backups that are encrypted.. but a significant minority either keep it on multiple shared systems, don't encrypt their drives, or have open backups somewhere. Eventually one of those gets cracked and you can end up with a chain of problems ranging anywhere from 'ooh all our systems have been crypto-blackmailed' to 'someone else pushed a commit which we didn't find until after a release and now 1 million user laptops are crypto-blackmailed.'

> Mattia
>
> --
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
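
A check a shared-host administrator could run for the situation in points 1 and 2 of the reply above, added here as an example and not part of the original thread or of any Fedora tooling: it reports private key files stored without a passphrase by reading only the key container header. The function names and the `sample_key` helper (which builds a constructed header with no real key material) are assumptions of this example.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def sample_key(cipher: bytes) -> str:
    """Constructed sample: a valid container header, no real key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def classify_key(text: str) -> str:
    """Return 'unprotected', 'protected' or 'not-a-key' for one file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("PRIVATE KEY-----"):
        return "not-a-key"
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):  # bad base64 or truncated header
            return "not-a-key"
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if not blob.startswith(MAGIC) or len(cipher) != n:
            return "not-a-key"
        # The first header field names the cipher; "none" means no passphrase.
        return "unprotected" if cipher == b"none" else "protected"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, encrypted by definition
        return "protected"
    # Legacy PEM (RSA/EC/DSA) announces encryption in a Proc-Type header.
    legacy_encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])
    return "protected" if legacy_encrypted else "unprotected"

def audit(directory: str) -> list[str]:
    """Names of files in `directory` that hold a passphrase-less private key."""
    found = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.stat().st_size <= 64 * 1024:
            if classify_key(path.read_text(errors="replace")) == "unprotected":
                found.append(path.name)
    return found
```

Files are classified by content rather than by name, so a key copied under a different filename is still reported.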