On Fri, Sep 16, 2022 at 10:29:17AM +0300, Alexander Bokovoy wrote:
> One thing I want to get properly implemented in SSSD in upcoming FIDO2
> support is to allow admins to filter out certain types of public SSH
> keys associated with the user account. E.g. get a way for administrator
> to say 'only FIDO2 keys and their OpenSSH equivalents (ecdsa-sk,
> ed25519-sk) allowed for these users' and let SSSD's
> sss_ssh_authorized_keys to filter all other types. Then your git server
> could be able to deny non-FIDO2 SSH keys on a per-user basis.
> > That would be cool.
> > Even better IMHO would be support for ssh certs.
> > i.e., auth with your FIDO2 key/otp and you get a ssh cert that has a time
> > limit / other restrictions for just pushing git commits, etc.
> FreeIPA Kerberos already gives you this feature for various
> authentication methods[1] but it is not integrated in OpenSSH's GSSAPI
> support.
> [1]
> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
> > > these days than, say, FIDO2 tokens. A card reader cost is around 10EUR
> > > (Amazon.de gives me ~100 options of USB smartcard readers below 20EUR),
> > > a smartcard is typically your government-issued ID in many countries.
> > >
> > > Though with Token2 FIDO2 tokens that cost 14EUR themselves we get close
> > > enough to a lower boundary.
> >
> > Yeah, it will still be hard to require 100% of packagers, but it might
> > be doable.
> Solving this is a social problem. I'd like to remove technical
> roadblocks so that we can better focus on the solutions to social
> problems. Right now we aren't there on both sides.
Agreed.
...snip...
> Sure. I guess we can aim last week of October. I'll write up a call for
> participation next week.
Thanks.
> > > > > Do we have any statistics of how we stand now that Fedora Accounts is
> > > > > deployed for more than a year and people were enabled to use 2FA tokens
> > > > > through it?
> > > >
> > > > I could try and gather some. What stats would be helpful?
> > >
> > > A particular argument by smooge and others was around 'passwords or
> > > tokens being lost frequently'. I'd like to see how widespread this
> > > problem is. Can we collect stats on amount of requests to reset passwords,
> > > reset tokens, etc. for a period of a year or so?
> >
> > We currently have 1560 tokens enrolled.
> > (Of course some users have more than one, but most seem to have one)
> >
> > In the 1 year period from 2021-07-01 to 2022-07-01 we had 87 requests to
> > reset otp. Some of these were people who were confused and didn't actually
> > even have an otp enabled, but it's hard to count those without going
> > through each request.
> >
> > So, it's less than 5% a year it seems like, or a request every 4 days if
> > they were evenly spaced.
> Thank you. This is actually better than I expected to see. Improving
> technical measures and UX should help but there always will be something
> that is harder to deal with, anyway.
I'll also note that I think many more of them came toward the first part
of that time period. We made some changes to the interface that helped a
good deal. At first we had a mailto: link and got a bunch of blank
emails (bots just following the link? confused users?)
https://github.com/fedora-infra/noggin/issues/678
So, it might be interesting to see how things look after that change
landed.
kevin
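The key-type filter Alexander asks for at the top of this message, as an added example that is not part of the thread and not SSSD code (sss_ssh_authorized_keys has no such filter in the version discussed): a hypothetical stage, assumed to be installed as /usr/local/bin/sk_only_keys.py, that an admin's AuthorizedKeysCommand wrapper could pipe sss_ssh_authorized_keys output through so that only the OpenSSH FIDO2 key types (sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com, i.e. the ed25519-sk and ecdsa-sk keys named above) reach sshd. It parses the authorized_keys line format properly, so options like restrict,command="..." survive on kept lines, and it reports every dropped key on stderr so a rejected non-FIDO2 key is visible rather than silently ignored.

```python
"""sk_only_keys.py: keep only FIDO2-backed OpenSSH key types in an
authorized_keys stream. Added illustration for this thread, not SSSD code;
the script name and install path are assumptions."""
import sys

# Key-type strings OpenSSH uses for FIDO2 ("security key") keys: the
# ed25519-sk and ecdsa-sk keys the thread wants to allow exclusively.
FIDO2_KEY_TYPES = frozenset({
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
})

# A line whose first token starts with one of these carries no options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_options(line):
    """Split the leading options field off an authorized_keys line.
    The field ends at the first whitespace outside double quotes; backslash
    escapes inside quotes are honoured. Returns (options, rest)."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_key_line(line):
    """Parse one line into (options, keytype, key, comment); None for blank,
    comment, or malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = "", stripped
    else:
        options, rest = split_options(stripped)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    comment = parts[2] if len(parts) > 2 else ""
    return options, parts[0], parts[1], comment


def filter_authorized_keys(text, allowed=FIDO2_KEY_TYPES):
    """Return (kept, dropped) key lines by whether the key type is allowed.
    Blank and comment lines are discarded; sshd ignores them anyway."""
    kept, dropped = [], []
    for line in text.splitlines():
        parsed = parse_authorized_key_line(line)
        if parsed is None:
            continue
        (kept if parsed[1] in allowed else dropped).append(line)
    return kept, dropped


# Constructed sample of what sss_ssh_authorized_keys might print for one user;
# the key blobs are placeholders, not real keys.
SAMPLE = """\
# keys for alice (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLE0000000000 alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE alice@yubikey
restrict,command="/usr/bin/git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"" sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb21EXAMPLE alice@token2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE000000000000000000000000 alice@desktop
"""


def main():
    """Filter stdin (or SAMPLE when run interactively) and report drops.
    Intended wiring, hypothetical:
        sss_ssh_authorized_keys "$1" | python3 /usr/local/bin/sk_only_keys.py"""
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    kept, dropped = filter_authorized_keys(text)
    for line in dropped:
        _, keytype, _, comment = parse_authorized_key_line(line)
        print(f"sk_only_keys: dropped {keytype} key {comment!r}", file=sys.stderr)
    sys.stdout.write("".join(f"{line}\n" for line in kept))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Note that OpenSSH already has a server-side knob for accepted key types, PubkeyAcceptedAlgorithms in sshd_config (usable globally or inside a Match block); the filter above is the directory-driven, per-user variant the thread asks for, where the decision is made on the data SSSD hands back rather than in sshd's static config.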