On Fri, Sep 16, 2022 at 10:29:17AM +0300, Alexander Bokovoy wrote:
> 
> One thing I want to get properly implemented in SSSD in upcoming FIDO2
> support is to allow admins to filter out certain types of public SSH
> keys associated with the user account. E.g. get a way for administrator
> to say 'only FIDO2 keys and their OpenSSH equivalents (ecdsa-sk,
> ed25519-sk) allowed for these users' and let SSSD's
> sss_ssh_authorized_keys to filter all other types. Then your git server
> could be able to deny non-FIDO2 SSH keys on per-user base.

That would be cool. 

Even better IMHO would be support for ssh certs. 
i.e., auth with your FIDO2 key/otp and you get an ssh cert that has a time
limit / other restrictions for just pushing git commits, etc.

> FreeIPA Kerberos already gives you this feature for various
> authentication methods[1] but it is not integrated in OpenSSH's GSSAPI
> support.
> 
> [1] 
> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
> 
> > > these days than, say, FIDO2 tokens. A card reader cost is around 10EUR
> > > (Amazon.de gives me ~100 options of USB smartcard readers below 20EUR),
> > > a smartcard is typically your government-issued ID in many countries.
> > > 
> > > Though with Token2 FIDO2 tokens that cost 14EUR themselves we get close
> > > enough to a lower boundary.
> > 
> > Yeah, it will still be hard to require 100% of packagers, but it might
> > be doable.
> 
> Solving this is a social problem. I'd like to remove technical
> roadblocks so that we can better focus on the solutions to social
> problems. Right now we aren't there on both sides.

Agreed.

...snip...

> Sure. I guess we can aim last week of October. I'll write up a call for
> participation next week.

Thanks.
 
> > > > > Do we have any statistics of how we stand now that Fedora Accounts is
> > > > > deployed for more than a year and people were enabled to use 2FA 
> > > > > tokens
> > > > > through it?
> > > >
> > > > I could try and gather some. What stats would be helpful?
> > > 
> > > A particular argument by smooge and others was around 'passwords or
> > > tokens being lost frequently'. I'd like to see how widespread this
> > > problem is. Can we collect stats on the number of requests to reset passwords,
> > > reset tokens, etc. for a period of a year or so?
> > 
> > We currently have 1560 tokens enrolled.
> > (Of course some users have more than one, but most seem to have one)
> > 
> > In the 1 year period from 2021-07-01 to 2022-07-01 we had 87 requests to
> > reset otp. Some of these were people who were confused and didn't actually
> > even have an otp enabled, but it's hard to count those without going
> > through each request.
> > 
> > So, it's less than 5% a year it seems like, or a request every 4 days if
> > they were evenly spaced.
> 
> Thank you. This is actually better than I expected to see. Improving
> technical measures and UX should help but there always will be something
> that is harder to deal with, anyway.

I'll also note that I think many more of them came toward the first part
of that time period. We made some changes to the interface that helped a
good deal. At first we had a mailto: link and got a bunch of blank
emails (bots just following the link? confused users?)
https://github.com/fedora-infra/noggin/issues/678

So, it might be interesting to see how things look after that change
landed.

kevin
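Added example, not code from SSSD, FreeIPA or the Fedora infrastructure: the per-user filter Alexander describes above, as a stand-alone Python script that takes authorized_keys lines on stdin (e.g. the output of sss_ssh_authorized_keys) and passes through only the FIDO2-backed key types. Two details matter when writing such a filter. First, the names on a key line are the OpenSSH wire names, sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; "ecdsa-sk" and "ed25519-sk" are only ssh-keygen -t shorthands and never appear in authorized_keys. Second, an authorized_keys line may start with an options field (restrict, command="...", from="...") whose quoted values can contain spaces, so the key type is not always the first whitespace-separated token; the parser below follows sshd's approach of trying "type blob [comment]" first and falling back to skipping an options field. The declared type is also cross-checked against the type string inside the base64 blob, so the decision rests on the key bytes rather than a free-text token. All key material in the sample is constructed (not real keys), and the wrapper/script names in the usage note are assumptions.

```python
import base64
import struct

# OpenSSH wire names of the FIDO2-backed key types (what appears on a key
# line). The ssh-keygen -t shorthands "ecdsa-sk"/"ed25519-sk" are NOT these.
FIDO2_KEY_TYPES = frozenset({
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
})


def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def _skip_options(line):
    """Index just past an authorized_keys options field: it ends at the first
    whitespace outside double quotes; inside quotes, backslash escapes a char."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and i + 1 < len(line):
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
        i += 1
    raise ValueError("options without a key")


def _parse_typed(s, options):
    """Parse 'type base64blob [comment]' and verify the blob's own type string."""
    parts = s.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key blob")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64")
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != keytype:
        raise ValueError("declared type does not match blob")
    return {"options": options, "type": keytype, "blob": blob, "comment": comment}


def parse_key_line(line):
    """Parse one authorized_keys line like sshd: try 'type blob' from the start,
    otherwise treat the leading field as options. None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        return _parse_typed(line, options="")
    except ValueError as e:
        first_err = e
    try:
        end = _skip_options(line)
        return _parse_typed(line[end:].lstrip(), options=line[:end])
    except ValueError:
        raise first_err  # report the error from the primary parse attempt


def filter_fido2_keys(text, allowed=FIDO2_KEY_TYPES):
    """Return (kept_lines, rejected) where rejected is [(line_no, reason), ...]."""
    kept, rejected = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            key = parse_key_line(raw)
        except ValueError as e:
            rejected.append((no, str(e)))
            continue
        if key is None:
            continue
        if key["type"] in allowed:
            kept.append(raw)
        else:
            rejected.append((no, "key type %s not allowed" % key["type"]))
    return kept, rejected


# --- constructed sample input (dummy key bytes, not real keys) ---------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _make_key_line(keytype, *fields, options="", comment="constructed"):
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    prefix = options + " " if options else ""
    return "%s%s %s %s" % (prefix, keytype, base64.b64encode(blob).decode(), comment)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    _make_key_line("sk-ssh-ed25519@openssh.com", b"\x11" * 32, b"ssh:",
                   options=r'restrict,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\""'),
    _make_key_line("ssh-ed25519", b"\x22" * 32),
    _make_key_line("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + b"\x33" * 64, b"ssh:"),
    _make_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256),
    # declared as a FIDO2 key, but the blob says ssh-ed25519: must be rejected
    _make_key_line("ssh-ed25519", b"\x44" * 32).replace("ssh-ed25519", "sk-ssh-ed25519@openssh.com", 1),
    "not a key",
])

if __name__ == "__main__":
    import sys
    kept, rejected = filter_fido2_keys(sys.stdin.read())
    for no, why in rejected:
        print("dropping line %d: %s" % (no, why), file=sys.stderr)
    print("\n".join(kept))
```

To wire this in (assumed names), a one-line root-owned wrapper such as /usr/local/sbin/sk-only-keys running `sss_ssh_authorized_keys "$1" | python3 /usr/local/sbin/sk_filter.py` would be set as `AuthorizedKeysCommand /usr/local/sbin/sk-only-keys %u` with an `AuthorizedKeysCommandUser`; sshd refuses AuthorizedKeysCommand programs that are not owned by root or are writable by others, so the script file needs the same ownership and mode as the wrapper. Rejections go to stderr only, so a user whose ssh-ed25519 key was filtered out sees an ordinary authentication failure and the reason shows up in the sshd log.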


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org