On Wed, 2020-12-23 at 18:04 +0100, Florian Weimer wrote:
* Gary Buhrmaster:
> It does support it, but AFAIK does not require it.
>
> Arguably those with elevated access (provenpackagers(*))
> should be required to use a hardware token such
> as FIDO2 authenticators with biometrics and/or
> PIN required (some phones with biometrics are
> equivalent to external tokens) where passwords
> themselves can go away. That may be a bridge too
> far at this point, but I would like to see that as a goal
> to work towards (2021 should be the year passwords
> die according to Microsoft).
Is there even meaningful two-factor authentication support for Git
pushes, anywhere? (Not just in the Fedora infrastructure.)
I mean, they *kinda* are 2FA already: we use certs and hopefully
packagers all have a passphrase, so you need the cert and the
passphrase.
The weakest point in the current system is really the FAS password. If
you have a packager's FAS password you can change the ssh key
associated with the account to another that you control, and the FAS
password is also all you need to run a build and submit it to Bodhi.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net