On Wed, May 20, 2020 at 12:26 AM Michał Górny <mgo...@gentoo.org> wrote:
> On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote: > > On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomia...@gentoo.org> > > wrote: > > > > > Hi Alec, > > > > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: > > > > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that > > > > provides authentication for Gentoo properties? Basically, 1 username > / > > > > password for wiki, bugs, email, forums, and any other http > > > > service[0][1]. > > > > > > > > Today Gentoo has numerous systems that mostly work in a segmented > way. > > > > > > > > - To connect to hosts, we use ssh keys. > > > > - Git is authenticated via ssh keys. > > > > - Email uses LDAP passwords. > > > > - Bugzilla has its own identities, with their own passwords. > > > > - Wiki is separate, with its own passwords. > > > > - Forums are separate. > > > > - Infra has an additional 4 systems that use separate credentials. > > > > > > > > Some applications support 2FA (such as wiki.) > > > > Some applications do not support 2FA. > > > > Applications that require 2FA have a configuration for each app, so > you > > > > have N configurations. > > > > > > > > If we configured id.gentoo.org you would have 1 identity across all > > > > gentoo properties. > > > > > > > > Is this a thing people are interested in? > > > > > > > > [0] It's unlikely operations for git via ssh would change in this > > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any > > > > community member." The former have LDAP accounts and @gentoo.org > email > > > > addresses and so we can manage them easily; managing 1000s of other > > > > accounts in the IDP remains to be seem. > > > > > > In case 2FA won't be mandatory I find this a good idea. > > > > > > > 2FA is definitely a reason to deploy software like keycloak, but in the > > first rollout I don't expect to enforce 2FA. Ideally we would deploy the > > U2F support in keycloak and then, similar to our earlier program, offer > > discounted or free u2f devices for Gentoo developers; this would likely > be > > on a 1-2 year timeframe. > > > > Is there some reason you don't want to use 2FA? > > > > I myself would find 2FA bothersome for low importance services. Whether > it's U2F or OTP, I would generally find it silly to have to carry > the hardware/software on me all the time or even use it when it's laying > right next to me, say, just to approve a comment on a blog. > > But I guess if we go for SSO, it becomes a necessity to better protect > our passwords. > I think each application, when it ends up integrating with keycloak, gets to decide what security level the application wants; I think this leads to flexibility for low-importance stuff. E.g. we may not need OTP for blogs, or wiki. Obvious cases are apps like our AWS credentials (where theft means financial harm for Gentoo) or the sso.gentoo.org itself (because you probably want to require OTP to change your password, for example.) The other common thing I've seen is some kind of longer-lived renewable token that requires an OTP to get, but does not require an OTP to renew. These are commonly things like "API keys" or other such credentials that are scopeable (unlike a password) and revocable (e.g. you can go to sso.gentoo.org and revoke your token.) This seems more common on mobile where there is a 'setup' flow and maybe you do it once (at setup), or once a month, or whatnot. This would mean you don't have to OTP all the time. -A > -- > Best regards, > Michał Górny > >
