Re: Preventing account takeovers through expired domains

2022-02-23 Thread Kevin Fenzi
On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote: > On 22/02/2022 12:33, Daniel P. Berrangé wrote: > > Given that the accounts system already supports these OTPs, what > > is the reason for not mandating this OTP based 2FA for *all* > > contributors today, as opposed to

Re: Preventing account takeovers through expired domains

2022-02-23 Thread Daniel P. Berrangé
On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote: > On 22/02/2022 12:33, Daniel P. Berrangé wrote: > > Given that the accounts system already supports these OTPs, what > > is the reason for not mandating this OTP based 2FA for *all* > > contributors today, as opposed to

Re: Preventing account takeovers through expired domains

2022-02-23 Thread Vitaly Zaitsev via devel
On 22/02/2022 12:33, Daniel P. Berrangé wrote: Given that the accounts system already supports these OTPs, what is the reason for not mandating this OTP based 2FA for *all* contributors today, as opposed to merely infra people? I like it, but many Fedora contributors won't be happy. Google

Re: Preventing account takeovers through expired domains

2022-02-23 Thread Vitaly Zaitsev via devel
On 23/02/2022 00:03, Gary Buhrmaster wrote: a TPM(2?) chip as a possible secure processor. In some countries, TPM can't be pre-installed on all new PCs/Laptops due to regulation issues. -- Sincerely, Vitaly Zaitsev (vit...@easycoding.org)

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Gary Buhrmaster
On Mon, Feb 21, 2022 at 7:17 PM Vitaly Zaitsev via devel wrote: > OTP is absolutely free. FIDO2 requires the purchase of a special > hardware token. Not necessarily. Not only can some mobile devices present the needed credentials (as if they were an external hardware token), but as I recall

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Gary Buhrmaster
On Tue, Feb 22, 2022 at 9:54 PM Kevin Fenzi wrote: > I don't think there's any way in IPA to require otp as a requirement for > group membership currently. (Please let me know if there is). > Which would leave us checking after the fact and removing people without > one set, which is a big pile

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Kevin Fenzi
On Tue, Feb 22, 2022 at 11:33:55AM +, Daniel P. Berrangé wrote: > On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote: > > On Sun, 2022-02-20 at 16:42 +, Gary Buhrmaster wrote: > > > Unfortunately, last I checked, the FAS account > > > system did not support adding something >

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Demi Marie Obenour
On 2/22/22 06:33, Daniel P. Berrangé wrote: > On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote: >> On Sun, 2022-02-20 at 16:42 +, Gary Buhrmaster wrote: >>> Unfortunately, last I checked, the FAS account >>> system did not support adding something >>> like a FIDO2 security key

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Daniel P. Berrangé
On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote: > On Sun, 2022-02-20 at 16:42 +, Gary Buhrmaster wrote: > > Unfortunately, last I checked, the FAS account > > system did not support adding something > > like a FIDO2 security key to an account(**). > > Even if it did, I suspect

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Vitaly Zaitsev via devel
On 22/02/2022 04:17, Ian McInerney via devel wrote: The only viable option I see for requiring the use of hardware keys would be if RedHat (or another sponsor) provided them to packagers when needed. There is another problem - the US export/sanctions policies. You can't ship such

Re: Preventing account takeovers through expired domains

2022-02-22 Thread Vitaly Zaitsev via devel
On 22/02/2022 03:14, Demi Marie Obenour wrote: Developing a roadmap to encourage, and eventually require, the use of hardware authenticators to submit packages is a reasonable precaution in this threat environment. A hardware authenticator could be a FIDO2 token, smart card, etc. Who will pay

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Demi Marie Obenour
On 2/21/22 22:17, Ian McInerney via devel wrote: > On Tue, Feb 22, 2022 at 2:15 AM Demi Marie Obenour > wrote: > >> On 2/21/22 14:16, Vitaly Zaitsev via devel wrote: >>> On 21/02/2022 19:25, Demi Marie Obenour wrote: FIDO keys are significantly more secure than OTPs, and FAS should get

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Ian McInerney via devel
On Tue, Feb 22, 2022 at 2:15 AM Demi Marie Obenour wrote: > On 2/21/22 14:16, Vitaly Zaitsev via devel wrote: > > On 21/02/2022 19:25, Demi Marie Obenour wrote: > >> FIDO keys are significantly more secure than OTPs, and FAS should get > >> support for them. OTPs are still phishable, whereas

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Demi Marie Obenour
On 2/21/22 14:16, Vitaly Zaitsev via devel wrote: > On 21/02/2022 19:25, Demi Marie Obenour wrote: >> FIDO keys are significantly more secure than OTPs, and FAS should get >> support for them. OTPs are still phishable, whereas FIDO2 generally >> isn’t. > > OTP is absolutely free. FIDO2 requires

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Vitaly Zaitsev via devel
On 21/02/2022 19:25, Demi Marie Obenour wrote: FIDO keys are significantly more secure than OTPs, and FAS should get support for them. OTPs are still phishable, whereas FIDO2 generally isn’t. OTP is absolutely free. FIDO2 requires the purchase of a special hardware token. -- Sincerely,

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Demi Marie Obenour
On 2/20/22 19:08, Adam Williamson wrote: > On Sun, 2022-02-20 at 16:42 +, Gary Buhrmaster wrote: >> Unfortunately, last I checked, the FAS account >> system did not support adding something >> like a FIDO2 security key to an account(**). >> Even if it did, I suspect not all the other parts >>

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Gary Buhrmaster
On Mon, Feb 21, 2022 at 8:35 AM Alexander Bokovoy wrote: > This is not ready for general consumption but we plan to have something > to submit to Rawhide in a month or so. Enrolling IPA users into this > would be similar to already existing RADIUS proxy authentication path in > FreeIPA.

Re: 2FA (was: Preventing account takeovers through expired domains)

2022-02-21 Thread Fabio Alessandro Locati
Also it's possible to use gopass which is able to store the OTP seed secured by GPG and keep the GPG keys on a Yubikey to ensure their safety. Best, Fale On Mon, Feb 21, 2022, at 11:03, Björn Persson wrote: > Adam Williamson wrote: > > However, it supports Google Authenticator-style OTPs. Folks

2FA (was: Preventing account takeovers through expired domains)

2022-02-21 Thread Björn Persson
Adam Williamson wrote: > However, it supports Google Authenticator-style OTPs. Folks > with infra privileges on their accounts (like me) are already required > to use these. It works fine. I preferred being able to use a yubikey so > I don't always have to open an app on my phone and retype a six

Re: Preventing account takeovers through expired domains

2022-02-21 Thread Alexander Bokovoy
On Sun, 20 Feb 2022, Kevin Fenzi wrote: On Sun, Feb 20, 2022 at 04:43:13PM -0800, Gary Buhrmaster wrote: On Sun, Feb 20, 2022, 16:09 Adam Williamson wrote: > It used to support these, but the support was lost with the recent > rewrite. However, it supports Google Authenticator-style OTPs.

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Kevin Fenzi
On Sun, Feb 20, 2022 at 04:43:13PM -0800, Gary Buhrmaster wrote: > On Sun, Feb 20, 2022, 16:09 Adam Williamson > wrote: > > > It used to support these, but the support was lost with the recent > > rewrite. However, it supports Google Authenticator-style OTPs. Folks > > with infra privileges on

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Gary Buhrmaster
On Sun, Feb 20, 2022, 16:09 Adam Williamson wrote: > It used to support these, but the support was lost with the recent > rewrite. However, it supports Google Authenticator-style OTPs. Folks > with infra privileges on their accounts (like me) are already required > to use these. It works fine. I

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Adam Williamson
On Sun, 2022-02-20 at 16:42 +, Gary Buhrmaster wrote: > Unfortunately, last I checked, the FAS account > system did not support adding something > like a FIDO2 security key to an account(**). > Even if it did, I suspect not all the other parts > of the system would support FIDO keys. It used

2FA (was: Preventing account takeovers through expired domains)

2022-02-20 Thread Björn Persson
Demi Marie Obenour wrote: > Security keys are the only form of 2fa that is immune to > phishing attacks. U2F and FIDO2 are said to be immune to phishing. HOTP, TOTP and various proprietary challenge-response protocols are not immune. Björn Persson

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Björn Persson
Mattia Verga via devel wrote: > On 19/02/22 19:38, Björn Persson wrote: > > Zbigniew Jędrzejewski-Szmek wrote: > >> I think it'd be better to check the status weekly and only require > >> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ > >> times in a row (where

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Gary Buhrmaster
On Sun, Feb 20, 2022 at 4:01 PM Demi Marie Obenour wrote: > I think we should also require security key-based 2fa for all > packagers. In a previous discussion on this topic that was suggested (and at least partially rejected(*)). Many (larger) orgs have decided that issuing hardware security

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Demi Marie Obenour
On 2/20/22 05:00, Mattia Verga via devel wrote: > On 19/02/22 19:38, Björn Persson wrote: >> Zbigniew Jędrzejewski-Szmek wrote: >>> I think it'd be better to check the status weekly and only require >>> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ >>> times in a row

Re: Preventing account takeovers through expired domains

2022-02-20 Thread Mattia Verga via devel
On 19/02/22 19:38, Björn Persson wrote: > Zbigniew Jędrzejewski-Szmek wrote: >> I think it'd be better to check the status weekly and only require >> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ >> times in a row (where N=quarantine length in days). > It will be

Re: Preventing account takeovers through expired domains

2022-02-19 Thread Björn Persson
Zbigniew Jędrzejewski-Szmek wrote: > I think it'd be better to check the status weekly and only require > account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ > times in a row (where N=quarantine length in days). It will be fine as long as it's done before the domain is

Re: Preventing account takeovers through expired domains (was: Do we have any policy for disabling inactive users)

2022-02-19 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Feb 19, 2022 at 02:18:38PM +0100, Björn Persson wrote: > Possible step 3: A program on a Fedora Project server notes that > example.net has been deactivated. The program removes the address > j@example.net from J. Doe's account, or disables sending to the > nonexistent address. ... >

Preventing account takeovers through expired domains (was: Do we have any policy for disabling inactive users)

2022-02-19 Thread Björn Persson
Vitaly Zaitsev via devel wrote: > We're talking about potentially hacked accounts, right? In this subthread I'm talking about *preventing* account takeovers so that they don't happen in the first place. One specific method of takeover that the Fedora Project would be able to prevent. I thought