Multi-factor authentication

Mike McGrath mmcgrath at redhat.com
Fri May 1 23:08:15 UTC 2009


I had intended to send this earlier but am only getting around to it.

As per our discussion online (this is unrelated to the other thread about
ldap and wanting a C coder).

Dennis and I have started looking at yubikey for authentication.  After
some discussion in the last meeting these are some of the talking points.
As of right now nothing is set in stone but yubikeys are a strong front
runner.

 * Will likely be required for sysadmin-main and probably a few other
highly sensitive groups (package signing)
 * Will probably be required for those groups on specific high target
servers.
 * Will likely be an additional layer of authentication instead of a
replacement.
 * Possibly required for sudo access
 * Possibly required for shell access
 * Concerns about SPOF (yubikeys in particular require a central server)
 * Might be optional for other contributors wanting to use additional
   security.
 * Obviously will require only Free Software.
 * Kerberos was discussed, some for, some against.  The primary hangup
   being people who use Kerberos as their $DAYJOB will have conflicts when
   working in Fedora.
 * Concerns over what to do when a key is stolen[1], though phone numbers
   were mentioned as an additional verification level.
 * Still unclear how to make the keys
 * Implementation details still unclear though it was generally
   considered that "yubikey + ssh key" were both "something you have".
   Meaning it'd be "yubikey + fas password" "Something you have +
   something you know" as is common with most multifactor authentication
   mechanisms.

My initial looks at yubikey are pretty promising, from knowing nothing to
being able to ssh using the yubikey took only about 15 minutes.  It'll
take less now that dgilmore has the software packaged like pam_yubico.

Questions, comments?

	-Mike

[1] This is an issue even with non keys, it's nearly impossible for us to
verify someone is who they say they are if they no longer have access to
their email address, even that's not really 'proof'.




More information about the Fedora-infrastructure-list mailing list