On Mon, 24 Jun 2024 at 10:39, Mattia Verga via devel
<devel@lists.fedoraproject.org> wrote:
>
> Il 17/06/24 22:20, Zbigniew Jędrzejewski-Szmek ha scritto:
> > Proven packagers,
> >
> > we changed [2,3] the FESCo policy document [1] for provenpackagers to say:
> >
> > "Provenpackagers SHOULD have two-factor-authentication (2FA) enabled for 
> > their FAS accounts."
> >
> > This is not enforced or checked, but please take steps to conform
> > to the policy if you haven't yet.
> >
> > [1] https://docs.fedoraproject.org/en-US/fesco/Provenpackager_policy/
> > [2] It's not visible on the web yet, because antora is doing its thing … 
> > slowly.
> > [3] https://pagure.io/fesco/issue/3186
> >
> > Zbyszek
>
> Perhaps it's a stupid idea, but we already have ssh public keys stored
> in fas, would it be possible for fkinit to use the private key as second
> factor? That way, on a system which is considered secure (it has the
> private key stored in it) we would only require the user to enter the
> FAS password, while on a smartphone or a temporary device the
> password+otp would still be required.
>

The corner cases which make this ineffective are
1. Various (proven) packagers like to copy their .ssh/ blindly to
whatever systems they are running on. When I was in Systems
Administration, I was regularly deleting private key files from
various shared systems like people, bastion, etc.
2. Many of those private keys had no extra security on them (aka they
were not locked) so they were pretty much open to anyone who could get
them.
3. This happened enough over 12 years that I just realized many people
don't see it as a problem.

While we could say 'oh that should be a reason to remove (proven)
packager from someone' etc.. it puts the sysadmin into being a hated
nanny, and also only says 'oh you didn't do that to the Fedora
systems, but the 800 other places you have placed them that we don't
know about.'

This illustrates why "we can't have nice things". You start finding
more and more 'common' cases which for X individual makes perfect
sense to them and doesn't seem a problem, but overall makes everyone
else's life hell when a problem occurs.

The same goes with keyfiles and such. We 'assume' that people keep
them on a single laptop that is encrypted with backups that are
encrypted.. but a significant minority either keep it on multiple
shared systems, don't encrypt their drives, or have open backups
somewhere. Eventually one of those gets cracked and you can end up
with a chain of problems ranging anywhere from 'ooh all our systems
have been crypto-blackmailed' to 'someone else pushed a commit which
we didn't find until after a release and now 1 million user laptops
are crypto-blackmailed.'

> Mattia
>
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard
battle. -- Ian MacClaren
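The "not locked" private keys Smoogen describes are detectable from the key file alone, without loading the key: the openssh-key-v1 format stores the cipher name right after its magic string (with "none" meaning the private section is in the clear), legacy PEM keys mark passphrase protection with a `Proc-Type: 4,ENCRYPTED` header, and PKCS#8 uses a distinct `BEGIN ENCRYPTED PRIVATE KEY` line. The audit below is an added example, not code from this thread or from Fedora infrastructure; the directory layout, file names and key material are constructed placeholders (the blobs have the right envelope but contain no real key), and it also flags keys whose mode lets other users on a shared system read them.

```python
"""Audit a ~/.ssh-style directory for private keys with no passphrase and for
keys readable by other users.  Added example, not Fedora infrastructure code;
the sample directory and key blobs are constructed for illustration."""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at `off`; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for a key file's text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        return "not-a-private-key"
    header = lines[0]
    if header == OPENSSH_HEADER:
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        # ciphername "none" means the private section is stored in clear text.
        try:
            blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        except ValueError:
            return "not-a-private-key"
        if not blob.startswith(OPENSSH_MAGIC):
            return "not-a-private-key"
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        return "unencrypted" if cipher == b"none" or kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with a passphrase
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC) signals a passphrase with a Proc-Type header;
        # plain "BEGIN PRIVATE KEY" (PKCS#8) without ENCRYPTED is always clear.
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
        return "encrypted" if encrypted else "unencrypted"
    return "not-a-private-key"


def audit_ssh_dir(directory) -> list:
    """Return [(file name, verdict, [problems])] for every private key found."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        verdict = classify_private_key(path.read_text(errors="replace"))
        if verdict == "not-a-private-key":
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        problems = []
        if verdict == "unencrypted":
            problems.append("no passphrase")
        if mode & 0o077:  # group or world bits set on a private key
            problems.append(f"mode {mode:04o} readable by others")
        findings.append((path.name, verdict, problems))
    return findings


def make_openssh_key_text(cipher: str, kdf: str) -> str:
    """Build a syntactically valid openssh-key-v1 envelope around placeholder bytes.
    Constructed sample for exercising the parser; this is not real key material."""
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode())
            + _ssh_string(b"")               # kdfoptions (empty when unencrypted)
            + struct.pack(">I", 1)           # number of keys
            + _ssh_string(b"pub-placeholder")
            + _ssh_string(b"priv-placeholder"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo_audit() -> list:
    """Populate a temporary, constructed .ssh directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        (p / "id_ed25519").write_text(make_openssh_key_text("none", "none"))
        os.chmod(p / "id_ed25519", 0o644)                       # unlocked and group/world readable
        (p / "id_locked").write_text(make_openssh_key_text("aes256-ctr", "bcrypt"))
        os.chmod(p / "id_locked", 0o600)                        # passphrase-protected, owner only
        (p / "config").write_text("Host *\n  ForwardAgent no\n")  # not a key, skipped
        return audit_ssh_dir(p)


if __name__ == "__main__":
    for name, verdict, problems in demo_audit():
        print(f"{name}: {verdict}; {'; '.join(problems) or 'ok'}")
```

On a live host the same question can be put to `ssh-keygen -y -P "" -f <key>`, which succeeds only for a key with no passphrase; parsing the envelope instead works on copies pulled from a backup or a shared-home snapshot without ever loading the key, which is what a sysadmin sweeping bastion and people hosts actually has in hand.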
