Re: [gentoo-dev] Initial version of gander/goose statistics up for testing
On Tue, 19 May 2020 13:27:40 +0200 Michał Górny wrote: > gander --submit The server replied (500): Server Error (500) Server Error (500) Submission failed. pgpLOndd9Coih.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Wed, 2020-05-20 at 00:59 -0700, Alec Warner wrote: > On Wed, May 20, 2020 at 12:26 AM Michał Górny wrote: > > > On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote: > > > On Tue, May 19, 2020 at 1:23 AM Lars Wendler > > > wrote: > > > > > > > Hi Alec, > > > > > > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: > > > > > > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that > > > > > provides authentication for Gentoo properties? Basically, 1 username > > / > > > > > password for wiki, bugs, email, forums, and any other http > > > > > service[0][1]. > > > > > > > > > > Today Gentoo has numerous systems that mostly work in a segmented > > way. > > > > > - To connect to hosts, we use ssh keys. > > > > > - Git is authenticated via ssh keys. > > > > > - Email uses LDAP passwords. > > > > > - Bugzilla has its own identities, with their own passwords. > > > > > - Wiki is separate, with its own passwords. > > > > > - Forums are separate. > > > > > - Infra has an additional 4 systems that use separate credentials. > > > > > > > > > > Some applications support 2FA (such as wiki.) > > > > > Some applications do not support 2FA. > > > > > Applications that require 2FA have a configuration for each app, so > > you > > > > > have N configurations. > > > > > > > > > > If we configured id.gentoo.org you would have 1 identity across all > > > > > gentoo properties. > > > > > > > > > > Is this a thing people are interested in? > > > > > > > > > > [0] It's unlikely operations for git via ssh would change in this > > > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any > > > > > community member." The former have LDAP accounts and @gentoo.org > > email > > > > > addresses and so we can manage them easily; managing 1000s of other > > > > > accounts in the IDP remains to be seem. > > > > > > > > In case 2FA won't be mandatory I find this a good idea. > > > > > > > > > > 2FA is definitely a reason to deploy software like keycloak, but in the > > > first rollout I don't expect to enforce 2FA. Ideally we would deploy the > > > U2F support in keycloak and then, similar to our earlier program, offer > > > discounted or free u2f devices for Gentoo developers; this would likely > > be > > > on a 1-2 year timeframe. > > > > > > Is there some reason you don't want to use 2FA? > > > > > > > I myself would find 2FA bothersome for low importance services. Whether > > it's U2F or OTP, I would generally find it silly to have to carry > > the hardware/software on me all the time or even use it when it's laying > > right next to me, say, just to approve a comment on a blog. > > > > But I guess if we go for SSO, it becomes a necessity to better protect > > our passwords. > > > > I think each application, when it ends up integrating with keycloak, gets > to decide what security level the application wants; I think this leads to > flexibility for low-importance stuff. E.g. we may not need OTP for blogs, > or wiki. Obvious cases are apps like our AWS credentials (where theft means > financial harm for Gentoo) or the sso.gentoo.org itself (because you > probably want to require OTP to change your password, for example.) > This is going only to work if you can have multiple passwords per security level. Otherwise, a low-level login could be used to guess your password, then a separate attack against the second factor could be devised. Of course, I'm assuming that 2FA is implemented properly here, without giving tips about each factor separately. -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Wed, May 20, 2020 at 12:26 AM Michał Górny wrote: > On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote: > > On Tue, May 19, 2020 at 1:23 AM Lars Wendler > > wrote: > > > > > Hi Alec, > > > > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: > > > > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that > > > > provides authentication for Gentoo properties? Basically, 1 username > / > > > > password for wiki, bugs, email, forums, and any other http > > > > service[0][1]. > > > > > > > > Today Gentoo has numerous systems that mostly work in a segmented > way. > > > > > > > > - To connect to hosts, we use ssh keys. > > > > - Git is authenticated via ssh keys. > > > > - Email uses LDAP passwords. > > > > - Bugzilla has its own identities, with their own passwords. > > > > - Wiki is separate, with its own passwords. > > > > - Forums are separate. > > > > - Infra has an additional 4 systems that use separate credentials. > > > > > > > > Some applications support 2FA (such as wiki.) > > > > Some applications do not support 2FA. > > > > Applications that require 2FA have a configuration for each app, so > you > > > > have N configurations. > > > > > > > > If we configured id.gentoo.org you would have 1 identity across all > > > > gentoo properties. > > > > > > > > Is this a thing people are interested in? > > > > > > > > [0] It's unlikely operations for git via ssh would change in this > > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any > > > > community member." The former have LDAP accounts and @gentoo.org > email > > > > addresses and so we can manage them easily; managing 1000s of other > > > > accounts in the IDP remains to be seem. > > > > > > In case 2FA won't be mandatory I find this a good idea. > > > > > > > 2FA is definitely a reason to deploy software like keycloak, but in the > > first rollout I don't expect to enforce 2FA. Ideally we would deploy the > > U2F support in keycloak and then, similar to our earlier program, offer > > discounted or free u2f devices for Gentoo developers; this would likely > be > > on a 1-2 year timeframe. > > > > Is there some reason you don't want to use 2FA? > > > > I myself would find 2FA bothersome for low importance services. Whether > it's U2F or OTP, I would generally find it silly to have to carry > the hardware/software on me all the time or even use it when it's laying > right next to me, say, just to approve a comment on a blog. > > But I guess if we go for SSO, it becomes a necessity to better protect > our passwords. > I think each application, when it ends up integrating with keycloak, gets to decide what security level the application wants; I think this leads to flexibility for low-importance stuff. E.g. we may not need OTP for blogs, or wiki. Obvious cases are apps like our AWS credentials (where theft means financial harm for Gentoo) or the sso.gentoo.org itself (because you probably want to require OTP to change your password, for example.) The other common thing I've seen is some kind of longer-lived renewable token that requires an OTP to get, but does not require an OTP to renew. These are commonly things like "API keys" or other such credentials that are scopeable (unlike a password) and revocable (e.g. you can go to sso.gentoo.org and revoke your token.) This seems more common on mobile where there is a 'setup' flow and maybe you do it once (at setup), or once a month, or whatnot. This would mean you don't have to OTP all the time. -A > -- > Best regards, > Michał Górny > >
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Wed, 20 May 2020 00:21:37 -0700 Alec Warner wrote: >On Tue, May 19, 2020 at 1:23 AM Lars Wendler >wrote: > >> Hi Alec, >> >> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: >> >> >TL;DR: What if we launched id.gentoo.org, an identity provider that >> >provides authentication for Gentoo properties? Basically, 1 >> >username / password for wiki, bugs, email, forums, and any other >> >http service[0][1]. >> > >> >Today Gentoo has numerous systems that mostly work in a segmented >> >way. >> > >> > - To connect to hosts, we use ssh keys. >> > - Git is authenticated via ssh keys. >> > - Email uses LDAP passwords. >> > - Bugzilla has its own identities, with their own passwords. >> > - Wiki is separate, with its own passwords. >> > - Forums are separate. >> > - Infra has an additional 4 systems that use separate credentials. >> > >> >Some applications support 2FA (such as wiki.) >> >Some applications do not support 2FA. >> >Applications that require 2FA have a configuration for each app, so >> >you have N configurations. >> > >> >If we configured id.gentoo.org you would have 1 identity across all >> >gentoo properties. >> > >> >Is this a thing people are interested in? >> > >> >[0] It's unlikely operations for git via ssh would change in this >> >rollout. [1] Its unclear if the scope is "gentoo developers" or "any >> >community member." The former have LDAP accounts and @gentoo.org >> >email addresses and so we can manage them easily; managing 1000s of >> >other accounts in the IDP remains to be seem. >> >> In case 2FA won't be mandatory I find this a good idea. >> > >2FA is definitely a reason to deploy software like keycloak, but in the >first rollout I don't expect to enforce 2FA. Ideally we would deploy >the U2F support in keycloak and then, similar to our earlier program, >offer discounted or free u2f devices for Gentoo developers; this would >likely be on a 1-2 year timeframe. > >Is there some reason you don't want to use 2FA? > >-A Well, I haven't found any 2FA solution that isn't a PITA to use. Especially Nitrokey is not easily useable for 2FA. And having some OTP or U2F software on my mobile phone is a no-go. I know about the value of 2FA and I use it in some places but I find it not being the perfect solution for everything. >> >> Kind regards >> -- >> Lars Wendler >> Gentoo package maintainer >> GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39 >> Cheers -- Lars Wendler Gentoo package maintainer GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39 pgpuB4K6yaZYS.pgp Description: Digitale Signatur von OpenPGP
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote: > On Tue, May 19, 2020 at 1:23 AM Lars Wendler > wrote: > > > Hi Alec, > > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: > > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that > > > provides authentication for Gentoo properties? Basically, 1 username / > > > password for wiki, bugs, email, forums, and any other http > > > service[0][1]. > > > > > > Today Gentoo has numerous systems that mostly work in a segmented way. > > > > > > - To connect to hosts, we use ssh keys. > > > - Git is authenticated via ssh keys. > > > - Email uses LDAP passwords. > > > - Bugzilla has its own identities, with their own passwords. > > > - Wiki is separate, with its own passwords. > > > - Forums are separate. > > > - Infra has an additional 4 systems that use separate credentials. > > > > > > Some applications support 2FA (such as wiki.) > > > Some applications do not support 2FA. > > > Applications that require 2FA have a configuration for each app, so you > > > have N configurations. > > > > > > If we configured id.gentoo.org you would have 1 identity across all > > > gentoo properties. > > > > > > Is this a thing people are interested in? > > > > > > [0] It's unlikely operations for git via ssh would change in this > > > rollout. [1] Its unclear if the scope is "gentoo developers" or "any > > > community member." The former have LDAP accounts and @gentoo.org email > > > addresses and so we can manage them easily; managing 1000s of other > > > accounts in the IDP remains to be seem. > > > > In case 2FA won't be mandatory I find this a good idea. > > > > 2FA is definitely a reason to deploy software like keycloak, but in the > first rollout I don't expect to enforce 2FA. Ideally we would deploy the > U2F support in keycloak and then, similar to our earlier program, offer > discounted or free u2f devices for Gentoo developers; this would likely be > on a 1-2 year timeframe. > > Is there some reason you don't want to use 2FA? > I myself would find 2FA bothersome for low importance services. Whether it's U2F or OTP, I would generally find it silly to have to carry the hardware/software on me all the time or even use it when it's laying right next to me, say, just to approve a comment on a blog. But I guess if we go for SSO, it becomes a necessity to better protect our passwords. -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Tue, May 19, 2020 at 1:23 AM Lars Wendler wrote: > Hi Alec, > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote: > > >TL;DR: What if we launched id.gentoo.org, an identity provider that > >provides authentication for Gentoo properties? Basically, 1 username / > >password for wiki, bugs, email, forums, and any other http > >service[0][1]. > > > >Today Gentoo has numerous systems that mostly work in a segmented way. > > > > - To connect to hosts, we use ssh keys. > > - Git is authenticated via ssh keys. > > - Email uses LDAP passwords. > > - Bugzilla has its own identities, with their own passwords. > > - Wiki is separate, with its own passwords. > > - Forums are separate. > > - Infra has an additional 4 systems that use separate credentials. > > > >Some applications support 2FA (such as wiki.) > >Some applications do not support 2FA. > >Applications that require 2FA have a configuration for each app, so you > >have N configurations. > > > >If we configured id.gentoo.org you would have 1 identity across all > >gentoo properties. > > > >Is this a thing people are interested in? > > > >[0] It's unlikely operations for git via ssh would change in this > >rollout. [1] Its unclear if the scope is "gentoo developers" or "any > >community member." The former have LDAP accounts and @gentoo.org email > >addresses and so we can manage them easily; managing 1000s of other > >accounts in the IDP remains to be seem. > > In case 2FA won't be mandatory I find this a good idea. > 2FA is definitely a reason to deploy software like keycloak, but in the first rollout I don't expect to enforce 2FA. Ideally we would deploy the U2F support in keycloak and then, similar to our earlier program, offer discounted or free u2f devices for Gentoo developers; this would likely be on a 1-2 year timeframe. Is there some reason you don't want to use 2FA? -A > > Kind regards > -- > Lars Wendler > Gentoo package maintainer > GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39 >
Re: [gentoo-dev] RFC: Gentoo Identity Provider
On Mon, May 18, 2020 at 11:47 PM Michał Górny wrote: > On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote: > > TL;DR: What if we launched id.gentoo.org, an identity provider that > > provides authentication for Gentoo properties? Basically, 1 username / > > password for wiki, bugs, email, forums, and any other http service[0][1]. > > > > Today Gentoo has numerous systems that mostly work in a segmented way. > > > > - To connect to hosts, we use ssh keys. > > - Git is authenticated via ssh keys. > > - Email uses LDAP passwords. > > - Bugzilla has its own identities, with their own passwords. > > - Wiki is separate, with its own passwords. > > - Forums are separate. > > - Infra has an additional 4 systems that use separate credentials. > > > > Some applications support 2FA (such as wiki.) > > Some applications do not support 2FA. > > Applications that require 2FA have a configuration for each app, so you > > have N configurations. > > > > If we configured id.gentoo.org you would have 1 identity across all > gentoo > > properties. > > > > Is this a thing people are interested in? > > > > What a coincidence I've just archived our old identity.gentoo.org [1] > project. And yes, we almost had this back in 2013 but Infra failed to > deploy, and it was claimed obsolete by the time I joined Infra. > > Do you have any specific solution in mind? > Currently we have a standalone keycloak install with LDAP user federation. We are looking to do a domain installation for redundancy purposes. Our existing LDAP infrastructure for example (which few services use for Auth) has at least 3 replicas. -A > > [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/ > > > -- > Best regards, > Michał Górny > >
