New Package Request: google-authenticator-libpam #1037
Comments
To clarify here, this question is about layering the package via rpm-ostree install, either on first boot or post installation. There is a package in Fedora so this is a Yes. But as far as I understand this requires manual / coordinated setup for it to be usable thus you will not be able to configure it directly via Ignition. This makes it less interesting for inclusion in the base image as this requires manual attention anyway.
I think the best solution would be to include some kind of This will allow having two-factor authentication out of the box. This is important in deployment environments with limited access to the internet or any kind of external network, but where remote SSH access is still required for management and maintenance. And configure it with Butane/Ignition by simply changing the It will also be possible to extend the current Butane/Ignition specification with the

```yaml
passwd:
  users:
    - name: core
      otp: true # Enable two-factor authentication OTP (One-Time Password)
      ssh_authorized_keys:
        - <key>
```

This may be a nice security feature for the Fedora CoreOS project.
To set up OTP, you need a shared secret between the client and server. Thus this will at least need another field to store this secret.
Perhaps a bit of a subjective opinion, but overall I don't think we want to push *COS users towards more customized/heavyweight SSH usage.
@travier Yes, I'm aware of that. For now this can be handled with Butane @lucab Maybe to illustrate my request I will describe from my experience how most of my deployments look:
And I was thinking about how to secure this more when someone exposes/loses their SSH private key. Key rotation and revocation can be hard because they require constant access to the network, and some customers automatically revoke access over time. TOTP works offline.
We discussed this in the community meeting today.
That being said there were some other points of discussion during the meeting that are worth bringing up:
If I'm not mistaken, it requires some external centralized provider like FreeIPA, LDAP or Kerberos? I have looked into the sssd code and I saw only an OTP abstraction over these providers, but not any kind of OTP implementation. Other sssd services like files, simple, sudo don't provide any kind of OTP support. But I'm not an expert in sssd. Still, I don't have any possibility to set up a full realm domain. How about pre-installing
On the first question:
I talked to a few experts on this:
@tymonx - you are right.
On the second question:
@tymonx if I gave you a dev build with this package included could you show us exactly how you would use it? i.e. what Ignition config you would use to deploy everything with no manual interaction?
@dustymabe I do something like this:

Example:

```yaml
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - <key>
storage:
  files:
    - path: /etc/pam.d/sshd # Set auth *.so
    - path: /etc/ssh/sshd_config # Set ChallengeResponseAuthentication to yes, set UsePAM to yes, set AuthenticationMethods to publickey,password publickey,keyboard-interactive
    - path: /home/core/.google_authenticator # Include generated shared OTP secrets
```

This will work only for
I can create a public git sample project with Butane YAML to show how to set up SSH + OTP for Fedora CoreOS. I already have some little experience with custom-derived Fedora CoreOS and I can prepare a configuration that will include a preinstalled OTP PAM module ( I can also prepare an example for the Fedora CoreOS Documentation to show how to set up and use SSH with OTP. This should be a nice security add-on for everyone who likes to harden their deployments.
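A complete Butane configuration for the layout sketched in the comment above, written here as an added example; it is not code from this issue or from the Fedora CoreOS project. It layers the Fedora `google-authenticator` package on first boot with a systemd unit (the `rpm-ostree install` route named at the top of the thread) and ships the three files from the comment: the sshd PAM stack with `pam_google_authenticator.so` in place of the password substack, an sshd drop-in, and the per-user secret file. Assumptions: Butane `fcos` variant 1.4.0 syntax; that the image's `/etc/ssh/sshd_config` includes `sshd_config.d/` (check yours); that the account/session lines match Fedora's default `/etc/pam.d/sshd`; and that `totp-layer.service`, the SSH key and `PLACEHOLDERSECRETABCD` are placeholders to replace. Only the `publickey,keyboard-interactive` combination from the comment is kept, because with the password substack removed the `password` method would hand the password to the TOTP module.

```yaml
# Added example, not from the issue: SSH key + TOTP on Fedora CoreOS.
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER core@example  # placeholder key
systemd:
  units:
    # Layer the Fedora package on first boot; sshd is ordered after it.
    # Until the module exists, "auth required" on a missing .so fails
    # closed, so the gap is denied logins, not a bypass.
    - name: totp-layer.service   # assumed unit name
      enabled: true
      contents: |
        [Unit]
        Description=Layer google-authenticator-libpam via rpm-ostree
        Wants=network-online.target
        After=network-online.target
        Before=sshd.service
        ConditionPathExists=!/var/lib/%N.stamp

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive --assumeyes google-authenticator
        ExecStart=/bin/touch /var/lib/%N.stamp

        [Install]
        WantedBy=multi-user.target
storage:
  files:
    # 1. PAM stack for sshd: the TOTP module replaces the password substack
    #    in the auth phase; account/password/session lines are Fedora's
    #    defaults (assumed, verify against the image's own file).
    - path: /etc/pam.d/sshd
      overwrite: true
      mode: 0644
      contents:
        inline: |
          #%PAM-1.0
          auth       required     pam_google_authenticator.so
          auth       include      postlogin
          account    required     pam_sepermit.so
          account    required     pam_nologin.so
          account    include      password-auth
          password   include      password-auth
          session    required     pam_selinux.so close
          session    required     pam_loginuid.so
          session    required     pam_selinux.so open env_params
          session    required     pam_namespace.so
          session    optional     pam_keyinit.so force revoke
          session    optional     pam_motd.so
          session    include      password-auth
          session    include      postlogin
    # 2. sshd: route keyboard-interactive through PAM and require key AND code.
    - path: /etc/ssh/sshd_config.d/40-totp.conf   # assumed drop-in name
      mode: 0600
      contents:
        inline: |
          UsePAM yes
          ChallengeResponseAuthentication yes
          AuthenticationMethods publickey,keyboard-interactive
    # 3. Per-user shared secret in the module's own file format: first line
    #    is the base32 secret, '" KEY VALUE' lines are options. The module
    #    refuses a file that is not mode 0600 and owned by the user.
    - path: /home/core/.google_authenticator
      user:
        name: core
      group:
        name: core
      mode: 0600
      contents:
        inline: |
          PLACEHOLDERSECRETABCD
          " RATE_LIMIT 3 30
          " WINDOW_SIZE 3
          " DISALLOW_REUSE
          " TOTP_AUTH
```

Compile with `butane --pretty --strict totp.bu > totp.ign`. Generate the real secret with the `google-authenticator` CLI that ships in the same package and paste its first line over the placeholder; the secret is the only thing that has to travel between the enrolment machine and the node, which is what keeps the scheme usable offline. Because a wrong PAM stack locks SSH out completely, verify a login from a second session before closing the one you deployed from.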
Project: google-authenticator-libpam
Fedora Magazine article: Set up two-factor authentication for SSH on Fedora
Please try to answer the following questions about the package you are requesting:
No additional dependencies. It is pure C source code that normally compiles using any existing C compiler with PAM headers. It uses the same dependencies as any other existing PAM module. All required dynamic libraries are already present in Fedora CoreOS:

```
linux-vdso.so.1
libpam.so.0
libdl.so.2
libc.so.6
libaudit.so.1
libeconf.so.0
libm.so.6
/lib64/ld-linux-x86-64.so.2
libcap-ng.so.0
```
For the `x86_64` architecture without any fancy build options, around 129kB.

Two-factor authorization for remote SSH access. This will greatly improve security for the deployment OS.
No. It is strictly configured using PAM configuration files written by the system administrator (or using Butane/Ignition).
No.
No.
Yes. It is quite easy to compile and install under the `/usr/lib64/security` location.

Yes. It requires only the compiled `pam_*.so` library installed under the `/usr/lib64/security` location.

I don't believe so.
Yes, like CVE-2012-6140.