From Fedora Project Wiki

http://etherpad-whearn.rhcloud.com/p/FAS_Two_Factor


Primary FAD Deliverable:

  • Be able to require two-factor auth for sudo on fedora infrastructure boxes
    • on the box, sudo uses pam_url (or pam_otp or similar)
    • pam module takes in user input for both factors
    • pam module formats and sends to fas
    • fas processes information and sends back code for success/failure
    • pam module allows or denies sudo
  • FAS needs to do the following to auth:
    • URL that accepts username, password, token, "auth method" (or guess this from the token)
    • URL's controller compares username and password to db as normal login
    • URL's controller checks validity of username + token => need to look at how yubikey is integrated
    • If both of those are correct, URL's controller returns success
    • If either is incorrect, URL's controller returns failure
    • If there are errors (no 2nd factor, error contacting db, etc): return either an error or failure (what the protocol supports)
  • FAS needs to do the following for setup:
    • self enrollment page for the second factor (see how yubikey is implemented)
  • Meta FAS needs
  • Optional
    • Backup codes, change of factors:
      • Proposal: See Two Factor Authentication Policy
    • FAS requires 2 factor
    • Add totp/googleauth support
      • Need the following for auth
        • Setup totp-cgi on fas servers [[1]]
        • use the postgresql backend so that it can run on all of the fas* servers
        • have fas format the data and pass it to the totp-cgi backend to verify
      • Need the following for setup
        • self enrollment page (see how yubikey is implemented)
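
The FAS-side auth check outlined in the list above, as an added example (not FAS code): success only when both password and token verify, and any error is treated as failure. It uses TOTP (the optional googleauth item) as the second factor because it can be verified offline; the in-memory `USERS` store, the PBKDF2 password hashing and all function names are assumptions made for illustration.

```python
import hashlib, hmac, struct, time

def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts standing in for the FAS database (assumption).
USERS = {
    "alice": {"salt": b"constructed-salt",
              "pw": pw_hash("correct horse", b"constructed-salt"),
              "totp_secret": b"12345678901234567890"},
    "bob": {"salt": b"other-salt", "pw": pw_hash("hunter2", b"other-salt"),
            "totp_secret": None},  # no second factor enrolled
}

def check_token(user: dict, token: str, now: float) -> bool:
    secret = user["totp_secret"]
    if secret is None:
        raise LookupError("no second factor enrolled")
    ok = False
    # Accept the previous, current and next 30 s step to tolerate clock skew.
    for drift in (-30, 0, 30):
        ok |= hmac.compare_digest(totp(secret, now + drift), token)
    return ok

def two_factor_auth(username: str, password: str, token: str, now=None) -> bool:
    """Return True only if BOTH factors verify; any error is a failure."""
    now = time.time() if now is None else now
    try:
        user = USERS[username]
        pw_ok = hmac.compare_digest(pw_hash(password, user["salt"]), user["pw"])
        tok_ok = check_token(user, token, now)  # evaluated even if pw failed
        return pw_ok and tok_ok
    except Exception:
        return False  # fail closed: unknown user, no 2nd factor, backend error
```

The PAM module on the box would map a `True` result to allowing sudo and anything else to denying it.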

Two Factor Authentication Policy

We have several ways we can authenticate you:

  • Something you know
    • password
    • access to email (password for the email account)
    • Security questions/answers
      • Could be possibly guessable
      • Could be stored in a place someone could copy them off
  • Something you have with caveats
    • ssh key
      • Usually lives on a computer but can be copied
      • Some may be a hw token, thus truly something you have
      • Hopefully protected by a password
    • gpg key
      • Usually lives on a computer but can be copied
      • Some may be a hw token, thus truly something you have
      • Hopefully protected by a password
    • googleauth key
      • Usually lives on a handheld device (phone/tablet) but can be copied
      • rooted phones can be accessed over the network like any other computer (?)
      • Keys themselves are not encrypted
  • Something you have
    • yubikey
    • openpgp card as a separate factor (Note: we don't have plans to support this yet but it may be the same as supporting googleauth)
      • If it is the same as googleauth, that also means we don't have a server-side method of telling the difference

For the purposes of Fedora Infrastructure, we decided that stealing a device or gaining root access on a device for the purposes of compromising your Fedora account were beyond the scope of what we were trying to prevent. We were

Legend: [MUST] [OPTIONAL] [POLICY] [DECISION]

  • initial enroll:
    • self enrollment? [MUST]
    • give backup codes? [OPTIONAL]
  • day to day:
    • does fas require 2 factor when enabled? (I'd say yes if possible)
    • can a group require 2 factor?
  • lost token:
    • give codes? [DECISION]
    • require security question/manual intervention to reset? [DECISION][POLICY]
  • backends:
    • yubikey [MUST]
    • googleauth [OPTIONAL]
  • webapps:
    • can webapps do two factor? [OPTIONAL]
    • can hosted/trac do two factor? [OPTIONAL]
    • can nagios/direct pgsql stuff do two factor? [OPTIONAL]
  • requires on groups? [OPTIONAL][POLICY][DECISION]
    • can we have groups require 2 factor before you join?
    • what happens to people already in those if not 2 factored?
    • can users not in those groups enable 2 factor?
    • Note: currently removing a person from a group when that group is needed as a prerequisite for other things does no additional checking. This is arguably a bug
  • interface questions
    • can we scan in a qrcode for googleauth? [OPTIONAL]
    • do we need to change the yubikey burn script any?
    • do we want a separate pin vs password? [DECISION][POLICY]

Enabling 2 factor for ssh

  • Could allow use for packagers/hosted groups
  • Would potentially be painful day to day.
  • Would protect vs owned laptop issues.