Kernel.org news: two-factor authentication and more
There are, Konstantin said, now 286 developer accounts on kernel.org — 34 more than one year ago. The number of Git trees hosted has grown considerably; there are now 604 repositories on the site, most of which are clones of the mainline kernel repository. The Git "alternate" mechanism is used to store these repositories, though, so there is only one copy of each distinct object on the site. That means that, despite hosting over 600 repositories, kernel.org only dedicates about 20GB of disk space to that task.
There is a new front-end system being installed in Montreal; full off-site backups will be performed to that system. Once that is in place, Konstantin said, the west coast of the United States could disappear entirely. "We'll miss you," but kernel.org will be able to recover and continue serving repositories.
Two other front-end systems are in operation now, one in Palo Alto (hosted
by ISC) and one in Portland (hosted by the Tizen Association). Previous efforts to place
front-end systems outside of North America seem to have fallen by the
wayside for the time being; these systems are expensive to run and the
![[Konstantin
Ryabitsev]](https://static.lwn.net/images/conf/2014/ks/KonstantinRyabitsev-sm.jpg "Konstantin Ryabitsev")
sponsorship support just isn't there. The good news is that the problem
has been somewhat "sidestepped" with the creation of a set of mirrors on kernel.googlesource.com. These
servers are located all around the world and should only be a few minutes
behind the main kernel.org servers. Developers wanting to clone trees
can use this resource if kernel.org is too slow from their location.
Access in mainland China remains a bit problematic, though; the Google servers are not reachable from there. Konstantin said that the problem is being worked on, but he offered no thoughts on when a China-based server might become available.
Systems installed for kernel.org tend to be big, since they must support a planet full of developers. The recently installed "Si-Pi" system is an exception, though. It is a Raspberry-Pi-based system charged with the generation of SHA hashes for files stored on the site. This little machine is plugged directly into the main storage array and goes about its task without bothering the rest of the network.
Getting back to big systems, there is a new mirrors.kernel.org system going into service in the near future. The mirror network provides access to distributions and more; it needs a lot of space. The new box will feature 60TB of storage, a significant increase from the 16TB offered by the current system. There will be two mirror nodes, again hosted in Palo Alto and Portland. A European mirror is high on the list of things they would like to have, but the funding isn't there. These mirrors consume a lot of bandwidth, so it is hard to find a host willing to take one on.
Two-factor authentication
The biggest change at kernel.org this year, though, is arguably the addition of two-factor authentication for write access to repositories. The 2011 compromise almost certainly started with the acquisition of SSH keys from one or more developer laptops; it is important to be less exposed to that type of attack in the future. The removal of shell access has certainly helped in that regard, but an attacker with access to an SSH key could still corrupt a repository. Two-factor authentication aims to mitigate that risk.
The use of two-factor authentication is optional, at least for now, and can be enabled on a per-repository basis. It is not being forced on anybody, and there will be no flag day where it must be used. Only operations that change repositories are affected by two-factor authentication; repositories remain readable to all as always. Authentication via HOTP (as found in hardware tokens like the Yubikey devices) and TOTP (a time-based mechanism) is supported.
The kernel.org mechanism comes down to the whitelisting of IP addresses. Each repository can have a list of one or more user/address pairs that have been authenticated for write access. When a user attempts to push a repository update to kernel.org, the system will check to see if the originating address has been whitelisted already; if so, the update proceeds normally. Otherwise, the push will be rejected. The developer would then run a command like:
ssh git.kernel.org 2fa val token
Where token is a magic one-time token provided by the authentication device. Assuming the token validates, the originating IP address will be whitelisted for the next 24 hours. Optionally, developers can ask for a longer whitelisting period up to 30 days.
Authentication is per-user; in cases where multiple users have access to the same repository, each must validate separately. There are two modes for the enabling of two-factor authentication on a repository; the "opt-in" mode only enforces two-factor authentication for users who are enrolled, while the "required" mode requires all users to be enrolled.
For developers who want to use TOTP, there are a few options available. The proprietary Google Authenticator system is supported, as is Authy. The best option, though, according to Konstantin, is FreeOTP, which was forked from Google Authenticator before it went proprietary. In the end, though, most developers may opt for hardware-based authentication instead. To help in that regard, Konstantin was passing out Yubikey devices from a bag donated by Yubico.
Linus Torvalds and Greg Kroah-Hartman, it seems, have been using two-factor
authentication for
about a month without any serious ill effects. With a couple of the
toughest customers already satisfied, chances are that the new two-factor
authentication mechanism will catch on without much in the way of major
hitches. And that, in turn, should help to improve the security of
kernel.org and boost confidence in the security of the kernel code base
going forward.
| Index entries for this article | |
|---|---|
| Kernel | Development tools/Infrastructure |
| Kernel | Kernel.org |
| Conference | Kernel Summit/2014 |
Posted Aug 25, 2014 18:54 UTC (Mon)
by jnareb (subscriber, #46500)
[Link] (4 responses)
Posted Aug 25, 2014 18:55 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Posted Aug 25, 2014 18:56 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link]
Posted Aug 25, 2014 19:15 UTC (Mon)
by mricon (subscriber, #59252)
[Link] (1 responses)
Posted Aug 26, 2014 0:44 UTC (Tue)
by mathstuf (subscriber, #69389)
[Link]
Posted Aug 25, 2014 20:43 UTC (Mon)
by NightMonkey (subscriber, #23051)
[Link] (1 responses)
Awesome. More is coming. A new hardware revolution is in progress. Fun! :)
Posted Aug 27, 2014 2:07 UTC (Wed)
by zblaxell (subscriber, #26385)
[Link]
Posted Aug 29, 2014 14:58 UTC (Fri)
by Cato (guest, #7643)
[Link]
The admin and recovery features of 2FA are often neglected - while HOTP and particularly TOTP are nice, the acid test is how easy is it for an admin, or a user, to recover from a phone that gets lost with all the TOTP secret keys (i.e. seeds) for 10-20 services. Enrolling a 2nd token (maybe a hardware token) is one way, but that requires interaction with every service.
I don't think there's a great solution to any of this, and I'm not aware of any open source tools, but I'd urge anyone looking at TOTP or HOTP to think about the recovery scenarios. Phones do get lost or stolen, along with the seeds for many services, so quick recovery is important for security and continued access for the user.
From a security POV you also need to watch out for what happens to the TOTP secrets/seeds in your phone app, or the hardware token. Stolen/lost phones mean the seeds are in the hands of a possible attacker, requiring quick reset - but at least mobile phone apps can permit that with the right TOTP server setup. Stolen/lost tokens are less of an issue as the seeds are usually held in RAM (but cold boot attacks may apply) - and there's the issue of the token factory, which normally has the keys from when they were manufactured.
Yubikey is an interesting option (can also work with Duo or directly with suitable services) - it's a HOTP-supporting hardware token so no timer, but you can configure it with fresh keys when you issue the token. So the keys are as secure as you can make them and you can re-key quite easily.
The only downside of Yubikey is the lack of timer required for TOTP, so that requires a helper app on your computer or Android phone (with NFC). I'd strongly recommend Yubikey NEO for TOTP, as that lets you store a whole set of TOTP seeds on the Yubikey, whereas the older Yubikey standard only lets you store one TOTP seed per slot (max 2 per token). See http://www.yubico.com/products/yubikey-hardware/yubikey-neo/ - not cheap though.
Posted Aug 29, 2014 16:04 UTC (Fri)
by mstone_ (subscriber, #66309)
[Link]
Posted Sep 4, 2014 5:29 UTC (Thu)
by madhatter (subscriber, #4665)
[Link]
I have a Yubikey Neo doing TOTP via the free (libre, gratis) Yubico Authenticator program for Android, which I use in production.
Disclaimer: I have no connection with Yubico, I just like their product and use it in real life.
How the two-factor authentication is done?
How the two-factor authentication is done?
How the two-factor authentication is done?
How the two-factor authentication is done?
https://github.com/mricon/totp-cgi/tree/master/contrib/gi...
How the two-factor authentication is done?
Kernel.org news: two-factor authentication and more
Kernel.org news: two-factor authentication and more
Kernel.org news: two-factor authentication and more
Kernel.org news: two-factor authentication and more
Kernel.org news: two-factor authentication and more