2factor auth

Kevin Fenzi kevin at scrye.com
Mon Oct 17 22:54:50 UTC 2011


So, there's a lot of data here and info to process. ;) 

Some things (in no particular order): 

I think we have the following groups to consider: 

1. Sysadmin-main folks who can sudo and log in to everything.
(small, ~10-20)
2. Sysadmin* folks who can log in to some things and sudo on some things
(a number of small groups, total ~120ish).
3. packagers (larger group, ~1100ish).
4. cla+1group, fedorapeople, etc (larger yet, ~2500).
5. web application users (testers, election voters, account sys,
mirrormanager). (larger group still)

I think the amount of hassle people will put up with increases as we go
down the list, but also the amount of sensitive access decreases. I'm
not sure we will have much luck pushing things down past the first few
groups unless we make it VERY easy to use and manage and make sure
there are no costs. 

I think some groups will see advantages in yubikey and others in a
smartphone app. If you already have a smartphone it's natural to want
to just keep using that. If you don't, you may be interested in the more
modest cost of the yubikey, etc. 

Does the yubikey OATH mode work with linotp/googleauth? 
From what I can see it should. So, perhaps we can support both?

I'm a bit leery of linotp having a 'community' and 'enterprise'
edition, and some of the features in the enterprise we would need to
re-implement. Also, it's not packaged at all yet that I can see. 
On the other hand google-authenticator doesn't have any server ability
yet. ;(  I did notice this stalled review: 
https://bugzilla.redhat.com/show_bug.cgi?id=538327
for otpd that might be worth looking at. 

Ideally, I'd love to see a solution like the duo-security one, but of
course open source and where we run all the parts of it (not a 3rd
party). 

I sure wonder if other open source groups would be interested in
getting something together, since I think a lot of them have similar
groups to handle. 

kevin