On Sun, 31 Mar 2024, Neal Gompa wrote:
On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols <art...@bols.dev> wrote:

On 31/03/2024 13:03, Kevin Kofler via devel wrote:

This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
contributors for a while, starting with "important" projects, then getting
stricter and stricter. It has done absolutely nothing to stop this attack.
How could it, when the backdoor was apparently introduced by the authorized
maintainer? (Or if not, the attacker must have had access to their 2FA
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
US! And especially DO NOT abuse this incident as an excuse to force 2FA down
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!


2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's 
point. What Adam is saying is that we're in danger of focusing too much on a 
specific issue while we should spend our time and energy on the general 
security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a 
lot. A compromised (proven) packager account can do a lot of harm and can take a 
while to be noticed. If this would happen to us, Fedora's reputation would tank 
immediately. Mint is still regarded as an insecure distro (in my circles) for 
things that happened before I even entered the Linux scene...

Like it or not, this is 2024 and passwords are not as secure as they used to 
be. Yelling about it isn't going to solve anything. Meanwhile, enabling 2FA 
helps A LOT even if used incorrectly (e.g. storing it in the same keepassxc 
database).


At this point, I'm used to MFA for stuff (and I use a password manager
that handles 2FA OTPs too), but the Fedora implementation of MFA is
uniquely bad because we have to do a lot in the terminal, and our MFA
implementation sucks for terminal usage.

If MFA is turned on:

1. The Fedora account integration in GNOME breaks
2. You need to concatenate password and OTP for getting a krb5 session ticket
3. The recovery mechanism involves GPG signed emails

The experience using 2FA for Fedora accounts is sufficiently
unpleasant that I really don't want to use it.

We need to fix these problems anyway. For the first two I am working on
a potential solution as a part of FreeIPA passwordless authentication
support. As you know, FreeIPA supports more than just the OTP method that
the Fedora Project is currently using. The way that support is
implemented through Kerberos makes it uniform for OTP, RADIUS, passkeys,
and external IdP pre-authentication methods. Since internal bits of SSSD
already implement support for all these methods in a proper way, we
might reuse those to improve Fedora user experience.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
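Item 2 in Neal's list (typing password and OTP as one string to get a krb5 ticket) and the OTP pre-authentication Alexander mentions both come down to the verifier splitting that single string and checking the trailing digits as a time-based OTP. The following is an added Python model of that check, written for this thread; it is not FreeIPA, SSSD or Fedora infrastructure code, and the secret, password and timestamps are constructed demo inputs (the secret and time values are RFC 6238's published test vectors).

```python
import hmac
import hashlib
import struct

# Constructed demo values only; the secret is the RFC 6238 test secret.
DEMO_SECRET = b"12345678901234567890"
OTP_DIGITS = 6
TIME_STEP = 30


def totp(secret: bytes, t: int, step: int = TIME_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_password_otp(typed: str, digits: int = OTP_DIGITS):
    """Split the concatenated 'password+OTP' string typed at the kinit prompt.

    Returns (password, otp) or None when the tail is not a plausible OTP.
    """
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


def verify(typed: str, expected_password: str, secret: bytes, now: int,
           window: int = 1) -> bool:
    """Model of the server-side check: password must match AND the OTP must
    be valid for the current step or one adjacent step (clock-drift window)."""
    parts = split_password_otp(typed)
    if parts is None:
        return False
    password, otp = parts
    # Constant-time comparison on the password part.
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    for k in range(-window, window + 1):
        candidate = totp(secret, now + k * TIME_STEP)
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            return True
    return False
```

Because the factors travel as one string, a wrong password and a stale OTP are indistinguishable to the user; that is part of why the terminal experience feels clumsy.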
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue