Requiring Launchpad 2FA from Ubuntu uploaders

Requiring Launchpad 2FA from Ubuntu uploaders

Robie Basak-4
Launchpad 2FA is currently opt-in for everyone. However, it has been
mandatory for Canonical employees for a number of years now. Details are
documented here:

    https://help.ubuntu.com/community/SSO/FAQs/2FA

TOTP and HOTP are supported, so this works with hardware authenticators
such as Yubikeys as well as smartphone apps like OTP Authenticator (from
F-Droid) and Google Authenticator (Play Store), etc.

We[1] think this is now easy enough and standard enough not to be a
burden, so we are inclined to implement this as a requirement for all
Ubuntu uploaders[2]. Any objections?

Robie

[1] "We" means the TB and the DMB

[2] By "Ubuntu uploaders" I mean anyone who can upload to the Ubuntu
archive, which I think means all members of ~ubuntu-uploaders whether
directly or indirectly.

--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Philipp Kern-6
On 2018-08-14 15:31, Robie Basak wrote:

> Launchpad 2FA is currently opt-in for everyone. However, it has been
> mandatory for Canonical employees for a number of years now. Details are
> documented here:
>
>     https://help.ubuntu.com/community/SSO/FAQs/2FA
>
> TOTP and HOTP are supported, so this works with hardware authenticators
> such as Yubikeys as well as smartphone apps like OTP Authenticator (from
> F-Droid) and Google Authenticator (Play Store), etc.
>
> We[1] think this is now easy enough and standard enough not to be a
> burden, so we are inclined to implement this as a requirement for all
> Ubuntu uploaders[2]. Any objections?
>
> Robie
>
> [1] "We" means the TB and the DMB
>
> [2] By "Ubuntu uploaders" I mean anyone who can upload to the Ubuntu
> archive, which I think means all members of ~ubuntu-uploaders whether
> directly or indirectly.

It's probably worth pointing out what this is trying to protect from:
drive-by logins with stolen passwords and hence at least access to
change the upload key set is curtailed. And that's already a good thing.

There are two improvements that would be nice to have, though:

- u2f support. Getting out the HOTP token (I guess I enrolled too early
for TOTP) is annoying. But I guess a Launchpad session is pretty
permanent, so you don't actually need to reauth on the same device,
right? (Which might also be a bad thing.)
- It only protects access to Launchpad, not access to the keys that sign
the uploads and ultimately control what gets put into the archive.
Shouldn't there be a way behind 2fa to contribute to Ubuntu as well? :)

Kind regards
Philipp Kern

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Colin Watson
In reply to this post by Robie Basak-4
On Tue, Aug 14, 2018 at 02:31:05PM +0100, Robie Basak wrote:

> Launchpad 2FA is currently opt-in for everyone. However, it has been
> mandatory for Canonical employees for a number of years now. Details are
> documented here:
>
>     https://help.ubuntu.com/community/SSO/FAQs/2FA
>
> TOTP and HOTP are supported, so this works with hardware authenticators
> such as Yubikeys as well as smartphone apps like OTP Authenticator (from
> F-Droid) and Google Authenticator (Play Store), etc.
>
> We[1] think this is now easy enough and standard enough not to be a
> burden, so we are inclined to implement this as a requirement for all
> Ubuntu uploaders[2]. Any objections?

This isn't a hard objection, but one thing to consider is that we don't
have a terribly good recovery mechanism at the moment; indeed, this is
why 2FA in SSO still has a slightly complicated and explicit opt-in
procedure for most people.

For Canonical employees, we avoid this being a fatal problem because we
have ways to do out-of-band verification when (not if) people lose their
2FA tokens, since if nothing else their manager should be in regular
contact with them.  Is that something we can expect to have for all
Ubuntu uploaders?  I suppose we could manually exchange GPG-signed email
with them or something ...

--
Colin Watson                                       [[hidden email]]

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Colin Watson
In reply to this post by Philipp Kern-6
On Tue, Aug 14, 2018 at 05:18:38PM +0200, Philipp Kern wrote:
> - u2f support.

I agree that would be useful
(https://bugs.launchpad.net/canonical-identity-provider/+bug/1755021).
Maybe somebody with skills in this area could look into
lp:canonical-identity-provider and see what's involved in adding it?

> Getting out the HOTP token (I guess I enrolled too early for TOTP) is
> annoying.

If I'm understanding you right, you can easily just add a TOTP device to
your SSO account.

> But I guess a Launchpad session is pretty permanent, so you don't
> actually need to reauth on the same device, right? (Which might also
> be a bad thing.)

I didn't think they were quite permanent, but that bit of LP is very
stable code and I've never had to dig into it to find out.  There are
certain operations that require a fresh SSO login (editing SSH keys, GPG
keys, or email addresses).

> - It only protects access to Launchpad, not access to the keys that sign the
> uploads and ultimately control what gets put into the archive. Shouldn't
> there be a way behind 2fa to contribute to Ubuntu as well? :)

How would this work, even conceptually?  Some kind of extra challenge
when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
timeout arrangement so that it isn't hopelessly annoying)?  What about
FTP uploads?

--
Colin Watson                                       [[hidden email]]

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Simon Quigley-2
Hello,

On 08/14/2018 11:34 AM, Colin Watson wrote:
> How would this work, even conceptually?  Some kind of extra challenge
> when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
> timeout arrangement so that it isn't hopelessly annoying)?  What about
> FTP uploads?

In my opinion, SFTP should be the default for uploads to Ubuntu*, and we
should phase out FTP. My local /etc/dput.cf has been patched to do this
for a while now, and it works fine.

If this is done, we should be able to use PAM with google-authenticator.

Thoughts on going this route?

*If I recall correctly, Debian has already done this for uploads to
security-master.

--
Simon Quigley
[hidden email]
tsimonq2 on freenode and OFTC
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4
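
The kind of dput.cf change the message above describes, as an added illustration that is not Simon Quigley's actual file or part of the original thread. The stanza values are assumed from dput's usual defaults, and `your-launchpad-id` is a placeholder.

```ini
# /etc/dput.cf -- constructed illustration, not a file from this thread.

# Stock stanza (assumed from dput's usual defaults): anonymous FTP.
# The transport is unauthenticated and unencrypted; the only check on
# the upload is the OpenPGP signature on the .changes file.
#
# [ubuntu]
# fqdn     = upload.ubuntu.com
# method   = ftp
# incoming = /ubuntu
# login    = anonymous

# SFTP variant: the session is authenticated with an SSH key registered
# on the uploader's Launchpad account, and the transfer is encrypted.
# The .changes signature is still what the archive verifies.
[ubuntu]
fqdn     = upload.ubuntu.com
method   = sftp
incoming = /ubuntu
# Placeholder: replace with your own Launchpad account name.
login    = your-launchpad-id
```

This changes only the transport; as the replies further down note, Launchpad's SSH endpoints are custom servers that do not use PAM, so it does not by itself put a second factor in front of uploads.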


Re: Requiring Launchpad 2FA from Ubuntu uploaders

Steve Langasek-6
On Tue, Aug 14, 2018 at 01:35:00PM -0500, Simon Quigley wrote:

> On 08/14/2018 11:34 AM, Colin Watson wrote:
> > How would this work, even conceptually?  Some kind of extra challenge
> > when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
> > timeout arrangement so that it isn't hopelessly annoying)?  What about
> > FTP uploads?

> In my opinion, SFTP should be the default for uploads to Ubuntu*, and we
> should phase out FTP. My local /etc/dput.cf has been patched to do this
> for a while now, and it works fine.

> If this is done, we should be able to use PAM with google-authenticator.

> Thoughts on going this route?

This would make mass uploads for library transitions a tremendous hassle.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
[hidden email]                                     [hidden email]

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Colin Watson
In reply to this post by Simon Quigley-2
On Tue, Aug 14, 2018 at 01:35:00PM -0500, Simon Quigley wrote:
> On 08/14/2018 11:34 AM, Colin Watson wrote:
> > How would this work, even conceptually?  Some kind of extra challenge
> > when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
> > timeout arrangement so that it isn't hopelessly annoying)?  What about
> > FTP uploads?
>
> In my opinion, SFTP should be the default for uploads to Ubuntu*, and we
> should phase out FTP. My local /etc/dput.cf has been patched to do this
> for a while now, and it works fine.

The reason we haven't done this is that there's no good way to make it
the default in everyone's dput configuration.

> If this is done, we should be able to use PAM with google-authenticator.

Not an option; Launchpad's SSH endpoints are custom servers, not
OpenSSH, and don't use PAM.

--
Colin Watson                                       [[hidden email]]
