Hey ~clubbers. I know some people are not fans of public key authentication, so here is a poll. I’d like to see if we can improve things, since password-only auth will not be returning.
http://www.strawpoll.me/19445663
Look forward to the result :)
On 26/2/20 4:45 am, deepend wrote:
> Hey ~clubbers. I know some people are not fans of public key authentication, so here is a poll. I’d like to see if we can improve things, since password-only auth will not be returning.
> http://www.strawpoll.me/19445663
> Look forward to the result :)
I am of the opinion that extra authentication methods are certainly viable and a great idea, but only if they do not come to the cost of security. 2FA + password is fine, IMO.
(Also everyone please note that it is not restricted to Google Authenticator... everything Google Authenticator can do can be done by other apps like Authy or Yubico Authenticator if you have a YubiKey).
If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (e.g. by a previously set alt email). I've definitely been locked out of servers before because of OTP loss or even bugs in 2FA PAM, although that was quite a while ago.
February 26, 2020 8:09 AM, "fosslinux" fosslinux@aussies.space wrote:
> I am of the opinion that extra authentication methods are certainly viable and a great idea, but only if they do not come to the cost of security. 2FA + password is fine, IMO.
> (Also everyone please note that it is not restricted to Google Authenticator... everything Google Authenticator can do can be done by other apps like Authy or Yubico Authenticator if you have a YubiKey).
Can't the poll question be changed? s/google Authenticator/2-factor auth/
Mentioning Google skews perception ;)
On Wed, 2020-02-26 at 15:04 +0000, turbo@tilde.club wrote:
> If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (e.g. by a previously set alt email). I've definitely been locked out of servers before because of OTP loss or even bugs in 2FA PAM, although that was quite a while ago.
Recovery would be the same as recovering SSH keys: as long as you email root@tilde.club from the email address you signed up with, we would reset it.
And yes, it would be an option instead of requiring public key auth (which is harder for many new users).
Thanks
On Feb 26, 2020, at 8:06 AM, turbo@tilde.club wrote:
> If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (e.g. by a previously set alt email). I've definitely been locked out of servers before because of OTP loss or even bugs in 2FA PAM, although that was quite a while ago.
On Wed Feb 26, 2020 at 3:04 PM, wrote:
> If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (e.g. by a previously set alt email). I've definitely been locked out of servers before because of OTP loss or even bugs in 2FA PAM, although that was quite a while ago.
OpenSSH's latest version also has support for FIDO/U2F. I haven't gotten the chance to use it yet, but it could be a pretty nice alternative to OTP. Seconded on OTP bugs/lockout: I've been locked out of my email provider because OTP randomly stopped accepting my tokens.
It’s all based on time. If the server time is out of whack or your personal system time is out of whack, it won’t be a valid code.
I’ll look into that FIDO/U2F.
On Feb 26, 2020, at 8:49 AM, ngp ngp@tilde.club wrote:
> OpenSSH's latest version also has support for FIDO/U2F. I haven't gotten the chance to use it yet, but it could be a pretty nice alternative to OTP. Seconded on OTP bugs/lockout: I've been locked out of my email provider because OTP randomly stopped accepting my tokens.
On Wed Feb 26, 2020 at 8:53 AM, deepend wrote:
> It’s all based on time. If the server time is out of whack or your personal system time is out of whack, it won’t be a valid code.
Yeah, my email provider is based in Switzerland, while I am US based, so it could easily have been clock drift, though I would hope they were syncing using an atomic clock somewhere.
> I’ll look into that FIDO/U2F.
I don't remember what distro ~club is off the top of my head, but there's a good chance you'd be compiling OpenSSH or using unofficial packages to get the feature unfortunately. We're talking right-off-the-press features here. I would personally consider that a no-go, but maybe the admins here feel differently.
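Both deepend's point (a TOTP code is a function of the clock) and ngp's suspicion of clock drift come down to the same mechanism, so here is an added example of it, my own code rather than anything from this thread or from tilde.club: RFC 6238 TOTP, which is what Google Authenticator, Authy and Yubico Authenticator implement, derived from RFC 4226 HOTP, plus a verifier with a skew window of +/-N time steps. The shared secret is the RFC 6238 test-vector key and the server timestamp is a constructed value from 26 Feb 2020; the skews are the only thing varied.

```python
"""Added example (not from the tilde.club thread): RFC 6238 TOTP and a verifier
with a bounded clock-skew window, showing why a clock that is 'out of whack'
on either side turns a correct code into a rejected one."""
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP time step (the Google Authenticator default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a `digits`-digit, zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept `code` if it matches the server's current step or any step within
    +/-`window` of it. window=0 demands exact clock agreement; every extra step
    tolerates 30 s more skew but also makes one more 6-digit code valid."""
    current = server_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta).encode()
        if hmac.compare_digest(candidate, code.encode()):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the secret as base32, usually unpadded and
    sometimes with spaces for readability; normalise and pad before decoding."""
    text = text.replace(" ", "").strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


# Constructed demo secret: the RFC 6238 test-vector key "12345678901234567890".
SECRET = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def skew_demo(client_skew_seconds: int, window: int = 1,
              server_time: int = 1_582_720_000) -> bool:
    """The client computes a code from its own clock, which is off by
    `client_skew_seconds`; the server verifies it against its own clock.
    server_time is a constructed timestamp (26 Feb 2020) that sits 10 s
    into a 30 s step, so +25 s already crosses a step boundary."""
    client_code = totp(SECRET, server_time + client_skew_seconds)
    return verify_totp(SECRET, client_code, server_time, window=window)


if __name__ == "__main__":
    for skew in (0, 25, 45, 90, 300):
        verdict = "OK" if skew_demo(skew) else "REJECTED"
        print(f"client clock {skew:+4d} s, window=1: {verdict}")
```

With window=1 the run accepts skews of 0, 25 and 45 s and rejects 90 and 300 s; with window=3 the 90 s case passes again. This window is exactly the server-side knob that pam_google_authenticator exposes as window_size (and its nullok option is what makes the factor optional for users who have not enrolled, which is the "optional" requirement raised earlier in the thread). Keeping both ends on NTP removes most of the problem; widening the window is the fallback, at the cost of one extra acceptable code per step added.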
Found a file mentioning that FIDO/U2F auth is available in 8.1. But some websites say it came in 8.2. Not sure who to believe.
Tilde club currently runs Fedora 30.
On Feb 26, 2020, at 8:59 AM, ngp ngp@tilde.club wrote:
On Wed Feb 26, 2020 at 8:53 AM, deepend wrote:
It’s all based on time. If the server time is out of wack or your personal system time is out of wack it won’t be a valid code.
> Yeah, my email provider is based in Switzerland, while I am US based, so it could easily have been clock drift, though I would hope they were syncing using an atomic clock somewhere.
> I don't remember what distro ~club is off the top of my head, but there's a good chance you'd be compiling OpenSSH or using unofficial packages to get the feature unfortunately. We're talking right-off-the-press features here. I would personally consider that a no-go, but maybe the admins here feel differently.
On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
> Found a file mentioning that FIDO/U2F auth is available in 8.1. But some websites say it came in 8.2. Not sure who to believe.
> Tilde club currently runs Fedora 30.
Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not available :/
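On the 8.1-or-8.2 question: FIDO/U2F support is in the OpenSSH 8.2 release notes and nowhere earlier, and it shows up as the sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com key types. Here is an added example, my own code and not anything from the thread or from tilde.club, of a check to run on a host before planning around the feature: parse the banner that `ssh -V` prints and filter `ssh -Q key` for sk- types. The banners and key lists in the test are constructed; the subprocess calls are real but only run from main, and the sshd on the server has to pass the same check, since the client's version alone decides nothing.

```python
"""Added example (not from the tilde.club thread): decide whether a local
OpenSSH build can use FIDO/U2F authenticators, from the two things that
reveal it: the `ssh -V` banner and the key types listed by `ssh -Q key`."""
import re
import subprocess
from typing import List, Optional, Tuple

# FIDO/U2F ("sk-", security-key) key types first shipped in OpenSSH 8.2; both
# the client and sshd need at least this version for an sk- key to be usable.
FIDO_MIN_VERSION = (8, 2)
SK_KEY_PREFIX = "sk-"


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an `ssh -V` banner such as
    'OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS  28 May 2019'.
    Returns None when the text is not an OpenSSH banner at all."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_supports_fido(banner: str) -> bool:
    """True for 8.2 and anything newer; tuple comparison handles 9.x etc."""
    version = parse_openssh_version(banner)
    return version is not None and version >= FIDO_MIN_VERSION


def sk_key_types(ssh_q_key_output: str) -> List[str]:
    """Return the security-key algorithms from `ssh -Q key` output, which
    lists one key type per line; pre-8.2 builds list no sk- entries."""
    return [line.strip() for line in ssh_q_key_output.splitlines()
            if line.strip().startswith(SK_KEY_PREFIX)]


def fido_available(banner: str, ssh_q_key_output: str) -> bool:
    """Require both signals to agree: a stock 8.2+ build lists sk- key types.
    Listing them proves the protocol side is compiled in; actually enrolling
    a token (ssh-keygen -t ed25519-sk) still needs libfido2 or a
    SecurityKeyProvider library on the client."""
    return version_supports_fido(banner) and bool(sk_key_types(ssh_q_key_output))


def check_local_ssh():
    """Run the real commands on this host. `ssh -V` prints its banner on stderr."""
    banner = subprocess.run(["ssh", "-V"], capture_output=True,
                            text=True).stderr.strip()
    keys = subprocess.run(["ssh", "-Q", "key"], capture_output=True,
                          text=True).stdout
    return banner, fido_available(banner, keys), sk_key_types(keys)


if __name__ == "__main__":
    banner, usable, sk = check_local_ssh()
    print(banner)
    print("FIDO/U2F key types usable:", usable, sk or "(none listed)")
```

Run it on the server as well as the client: an 8.0p1 sshd cannot verify an sk- signature no matter what the user's laptop ships, which is the situation the Fedora 30 line above describes.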
tildeclub@lists.tildeverse.org