99 lines
3.2 KiB
Text
99 lines
3.2 KiB
Text
|
= Two factor auth
|
||
|
|
||
|
Fedora Infrastructure has implemented a form of two factor auth for
|
||
|
people who have sudo access on Fedora machines. In the future we may
|
||
|
expand this to include more than sudo but this was deemed to be a high
|
||
|
value, low hanging fruit.
|
||
|
|
||
|
== Using two factor
|
||
|
|
||
|
http://fedoraproject.org/wiki/Infrastructure_Two_Factor_Auth
|
||
|
|
||
|
To enroll a Yubikey, use the fedora-burn-yubikey script like normal. To
|
||
|
enroll using FreeOTP or Google Authenticator, go to
|
||
|
https://admin.fedoraproject.org/totpcgiprovision/
|
||
|
|
||
|
=== What's enough authentication?
|
||
|
|
||
|
FAS Password+FreeOTP or FAS Password+Yubikey Note: don't actually enter
|
||
|
a +, simple enter your FAS Password and press your yubikey or enter your
|
||
|
FreeOTP code.
|
||
|
|
||
|
== Administrating and troubleshooting two factor
|
||
|
|
||
|
Two factor auth is implemented by a modified copy of the
|
||
|
https://github.com/mricon/totp-cgi project doing the authentication and
|
||
|
pam_url submitting the authentication tokens.
|
||
|
|
||
|
totp-cgi runs on the fas servers (currently fas01.stg and
|
||
|
fas01/fas02/fas03 in production), listening on port 8443 for pam_url
|
||
|
requests.
|
||
|
|
||
|
FreeOTP, Google authenticator and yubikeys are supported as tokens to
|
||
|
use with your password.
|
||
|
|
||
|
=== FreeOTP, Google authenticator:
|
||
|
|
||
|
FreeOTP application is preferred, however Google authenticator works as
|
||
|
well. (Note that Google authenticator is not open source)
|
||
|
|
||
|
This is handled via totpcgi. There's a command line tool to manage
|
||
|
users, totpprov. See 'man totpprov' for more info. Admins can use this
|
||
|
tool to revoke lost tokens (google authenticator only) with 'totpprov
|
||
|
delete-user username'
|
||
|
|
||
|
To enroll using FreeOTP or Google Authenticator for production machines,
|
||
|
go to https://admin.fedoraproject.org/totpcgiprovision/
|
||
|
|
||
|
To enroll using FreeOTP or Google Authenticator for staging machines, go
|
||
|
to https://admin.stg.fedoraproject.org/totpcgiprovision/
|
||
|
|
||
|
You'll be prompted to login with your fas username and password.
|
||
|
|
||
|
Note that staging and production differ.
|
||
|
|
||
|
=== YubiKeys:
|
||
|
|
||
|
Yubikeys are enrolled and managed in FAS. Users can self-enroll using
|
||
|
the fedora-burn-yubikey utility included in the fedora-packager package.
|
||
|
|
||
|
=== What do I do if I lose my token?
|
||
|
|
||
|
Send an email to admin@fedoraproject.org that is encrypted/signed with
|
||
|
your gpg key from FAS, or otherwise identifies you are you.
|
||
|
|
||
|
=== How to remove a token (so the user can re-enroll)?
|
||
|
|
||
|
First we MUST verify that the user is who they say they are, using any
|
||
|
of the following:
|
||
|
|
||
|
* Personal contact where the person can be verified by member of
|
||
|
sysadmin-main.
|
||
|
* Correct answers to security questions.
|
||
|
* Email request to admin@fedoraproject.org that is gpg encrypted by the
|
||
|
key listed for the user in fas.
|
||
|
|
||
|
Then:
|
||
|
|
||
|
. For google authenticator,
|
||
|
+
|
||
|
____
|
||
|
.. ssh into batcave01 as root
|
||
|
.. ssh into os-master01.iad2.fedoraproject.org
|
||
|
.. $ oc project fas
|
||
|
.. $ oc get pods
|
||
|
.. $ oc rsh <pod> (Pick one of totpcgi pods from the above list)
|
||
|
.. $ totpprov delete-user <username>
|
||
|
____
|
||
|
. For yubikey: login to one of the fas machines and run:
|
||
|
/usr/local/bin/yubikey-remove.py username
|
||
|
|
||
|
The user can then go to
|
||
|
https://admin.fedoraproject.org/totpcgiprovision/ and reprovision a new
|
||
|
device.
|
||
|
|
||
|
If the user emails admin@fedoraproject.org with the signed request, make
|
||
|
sure to reply to all indicating that a reset was performed. This is so
|
||
|
that other admins don't step in and reset it again after its been reset
|
||
|
once.
|