2factor auth

Toshio Kuratomi a.badger at gmail.com
Tue Oct 18 02:02:35 UTC 2011


On Mon, Oct 17, 2011 at 08:26:37PM -0500, Jeffrey Ollie wrote:
> On Mon, Oct 17, 2011 at 5:54 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> >
> > On the other hand google-authenticator doesn't have any server ability
> > yet. ;(
> 
> I didn't think that google-authenticator needed a server to do the
> authentication - you just need the app on your phone and some
> configuration on the system that you want to access.
> 
Correct.  But this is actually a bit of a drawback here.  We have a large
number of people coming into infrastructure who have various amounts of
access on the boxes.  We're constantly trying to balance security with the
need to keep entry barriers low enough for new contributors to get started.
With that in mind, there are many users who have an unprivileged shell on
boxes that, although we feel we know them well enough to give them that,
we've never met in person or have anything other than email/IRC
conversations to track who they really are.

google-authenticator stores a shared secret in clear on every box that you
want to be able to auth on.  These secrets are protected by normal Unix
filesystem permissions but nothing else.  When evaluating this risk with how
much we don't know about our contributors, things begin to feel a little out
of balance wrt security.

So what Kevin's getting at is that if we ran google authenticator, we'd need
to write a server for it so that we could keep those shared secrets on just
a few boxes with higher security, similarly to how yubikey and fas depend on
the database server and the three account system-dedicated app servers being
more secure.

-Toshio
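The centralised layout the message argues for, as an added example that is not code from this thread or from google-authenticator: TOTP is computed exactly as the app does it, but the shared secret is readable only inside the verifier, and the box a user logs into forwards user and code without ever holding a secret. The store entry uses the RFC 4226/6238 test-vector secret as a constructed sample; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample store, the only place secrets are readable. The value is
# the RFC 4226/6238 test-vector secret ("12345678901234567890" in base32), not a
# real credential. On a per-host deployment this would sit in clear in every
# user's ~/.google_authenticator on every box instead.
CENTRAL_SECRET_STORE = {
    "alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP with the 30 s step google-authenticator uses."""
    return hotp(secret_b32, unix_time // step)


def central_verify(user: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Runs on the auth server only. Accepts the current step and +/- `window`
    steps to absorb clock skew; compares in constant time."""
    secret = CENTRAL_SECRET_STORE.get(user)
    if secret is None:
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


def host_login(user: str, code: str, verify=central_verify, unix_time=None) -> bool:
    """What an ordinary box does: forward user and code to the verifier and act on
    its yes/no. Nothing secret is stored locally, so a compromised shell there
    exposes no second factor. Transport to the verifier is out of scope here."""
    t = int(time.time()) if unix_time is None else unix_time
    return verify(user, code, t)
```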

