Pbrobinson (talk | contribs) |
(update/instructions for new devices) |
||
| Line 19: | Line 19: | ||
= Enrolling = | = Enrolling = | ||
Yubikeys can be enrolled per | Yubikeys can be enrolled per [[Infrastructure/Yubikey#How_do_I_burn_my_yubikey.3F]] | ||
Google authenticator or FreeOTP via: | Google authenticator or FreeOTP via: | ||
| Line 31: | Line 31: | ||
* Run the android or ios app, select add token, scan the qr code. | * Run the android or ios app, select add token, scan the qr code. | ||
= What happens if I lost my token? = | = What happens if I lost my token or got a new device? = | ||
Mail admin@fedoraproject.org and explain what happened. Additionally, you will need to provide some or all of the below information to prove your identity: | Mail admin@fedoraproject.org and explain what happened. Additionally, you will need to provide some or all of the below information to prove your identity: | ||
| Line 43: | Line 43: | ||
= Software used = | = Software used = | ||
https:// | https://github.com/mricon/pam_url | ||
https://github.com/mricon/totp-cgi | |||
https:// | == Supporated Apps == | ||
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 | |||
https://code.google.com/p/google-authenticator/ | |||
https:// | https://play.google.com/store/apps/details?id=com.yubico.yubioath | ||
https:// | https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8 | ||
http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b | http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b | ||
Revision as of 18:09, 30 September 2017
Introduction
Fedora infrastructure has setup to use two factor authenication for all 'sudo' access on any machines. At some point in time it may be expanded for other access, but currently it's restricted to just 'sudo' calls on infrastructure machines.
Audience
You need to know about this if you are in a FAS group that provides you shell access to any infrastructure machines, and additionally you have permissions / need to sudo on those machines.
Supported tokens
Currently we support two backend tokens:
1. yubikey - You setup this as noted on the yubikey burn page.
2. google authenticator or FreeOTP - You can install either free application on your iphone / android / windows mobile device to use this option.
If you do not have a yubikey or a android or iphone device, please contact us for options.
Enrolling
Yubikeys can be enrolled per Infrastructure/Yubikey#How_do_I_burn_my_yubikey.3F
Google authenticator or FreeOTP via:
- Go to https://admin.stg.fedoraproject.org/totpcgiprovision/ (staging) or https://admin.fedoraproject.org/totpcgiprovision/ (production)
- Login with your FAS username and password.
- You should get a page with a QR code and some backup/scratch codes. Store them in a non electronic safe place. Do NOT save them on your computer.
- Run the android or ios app, select add token, scan the qr code.
What happens if I lost my token or got a new device?
Mail admin@fedoraproject.org and explain what happened. Additionally, you will need to provide some or all of the below information to prove your identity:
- A gpg signed email with the gpg key listed for your account in FAS.
- Correct answer to security questions stored in FAS.
- Any other means that are acceptable to admins (video chat where the person is known by look/voice, phone call where user answers questions only user would know, etc).
Software used
https://github.com/mricon/pam_url
https://github.com/mricon/totp-cgi
Supporated Apps
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
https://code.google.com/p/google-authenticator/
https://play.google.com/store/apps/details?id=com.yubico.yubioath
https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b