On Wed, 20 May 2020 00:21:37 -0700 Alec Warner wrote:

>On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomia...@gentoo.org>
>wrote:
>
>> Hi Alec,
>>
>> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
>>
>> >TL;DR: What if we launched id.gentoo.org, an identity provider that
>> >provides authentication for Gentoo properties? Basically, 1
>> >username / password for wiki, bugs, email, forums, and any other
>> >http service[0][1].
>> >
>> >Today Gentoo has numerous systems that mostly work in a segmented
>> >way.
>> >
>> > - To connect to hosts, we use ssh keys.
>> > - Git is authenticated via ssh keys.
>> > - Email uses LDAP passwords.
>> > - Bugzilla has its own identities, with their own passwords.
>> > - Wiki is separate, with its own passwords.
>> > - Forums are separate.
>> > - Infra has an additional 4 systems that use separate credentials.
>> >
>> >Some applications support 2FA (such as wiki.)
>> >Some applications do not support 2FA.
>> >Applications that require 2FA have a configuration for each app, so
>> >you have N configurations.
>> >
>> >If we configured id.gentoo.org you would have 1 identity across all
>> >gentoo properties.
>> >
>> >Is this a thing people are interested in?
>> >
>> >[0] It's unlikely operations for git via ssh would change in this
>> >rollout.
>> >[1] It's unclear if the scope is "gentoo developers" or "any
>> >community member." The former have LDAP accounts and @gentoo.org
>> >email addresses and so we can manage them easily; managing 1000s of
>> >other accounts in the IDP remains to be seen.
>>
>> In case 2FA won't be mandatory I find this a good idea.
>>
>
>2FA is definitely a reason to deploy software like keycloak, but in the
>first rollout I don't expect to enforce 2FA. Ideally we would deploy
>the U2F support in keycloak and then, similar to our earlier program,
>offer discounted or free u2f devices for Gentoo developers; this would
>likely be on a 1-2 year timeframe.
>
>Is there some reason you don't want to use 2FA?
>
>-A

Well, I haven't found any 2FA solution that isn't a PITA to use. Especially Nitrokey is not easily usable for 2FA. And having some OTP or U2F software on my mobile phone is a no-go. I know about the value of 2FA and I use it in some places, but I find it not to be the perfect solution for everything.

>>
>> Kind regards
>> --
>> Lars Wendler
>> Gentoo package maintainer
>> GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39
>>

Cheers
--
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39