SecurityWeek

Linux Foundation Protects Kernel Git Repositories With 2FA

The Linux Foundation announced on Monday that it has added a two-factor authentication (2FA) mechanism to the source code repositories housing the Linux kernel in an effort to improve access security for developers.

Up until now, kernel developers have been provided with their own SSH private keys which they utilize to push code changes. While this method provides a decent level of security, the Linux Foundation believes that it’s not enough because the SSH keys can fall into the wrong hands.

“Unfortunately, even though ssh keys are very long and are stored on the hard drive of your workstation instead of kept in your memory the way a password is, they can’t be considered true ‘2-factor authentication,’ even when the ssh key is protected by a passphrase — […] the ssh private key can be stolen or leaked,” Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained in a blog post.

2FA systems ensure that accounts can’t be breached even if the primary login credentials become compromised. They usually involve a software (an application installed on a smartphone) or hardware (a key fob) solution which provides a one-time password (OTP) that’s entered when logging in to the account. However, in the case of Linux kernel developers, there were some factors that needed to be taken into account before the system was developed.

“Kernel developers work from anywhere in the world, which makes device provisioning extra difficult. We needed a solution that would allow people to enroll their own devices remotely and do most token management on their own,” Ryabitsev said.

Since developers would not want to enter OTPs every time they performed a remote git operation, The Linux Foundation has decided to implement additional security checks only when a write operation is carried out.

“Since we already knew the username and the remote IP address of the developer attempting to perform a write operation, we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token,” noted Ryabitsev.

When developers attempt to perform a write operation such as “git push” from an IP address that hasn’t already been validated, they’re instructed to validate their current IP address by running the following command: ssh [email protected] 2fa val [token].

Once this is done, the IP address will be valid for 24 hours, but developers have the option to extend the period up to 30 days.

As for the tokens, Linux kernel developers can generate them using either software or hardware tokens. However, the organization wants to encourage them to use the more secure hardware tokens, so it has reached out to Yubico, the creator of Yubikeys. The company has agreed to donate Yubikeys to all Linux kernel developers who have accounts on kernel.org.

Yubikeys are small devices that generate a one-time token based on a pre-shared secret that’s stored on an incorporated chip. They’re plugged into the computer’s USB port and they’re recognized by the operating system as a keyboard. When the button on the Yubikey is pressed, the token is generated and sent to the computer as a sequence of keystrokes.

“In addition to Yubico’s own 2-factor implementation, yubikeys also support OATH’s HOTP standard, which is what we opted to use for our kernel.org needs. Doing so allows us to use both soft-tokens and hard tokens interchangeably (TOTP standard is an extension of the HOTP standard),” said Ryabitsev.
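The scheme described above, as an added sketch (not kernel.org's tool and not code from the article or the blog post): RFC 4226 HOTP validation that temporarily allowlists a developer's IP address for write operations. The class and method names, the look-ahead window of 5 and the sample addresses in the comments are assumptions; the 24-hour default and 30-day cap come from the article.

```python
import hashlib
import hmac
import struct

DEFAULT_TTL = 24 * 3600      # article: a validated IP is good for 24 hours
MAX_TTL = 30 * 24 * 3600     # article: extendable up to 30 days
LOOKAHEAD = 5                # assumption: tolerate a few unused button presses

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class WriteGate:
    """Hypothetical model: per-user HOTP state plus a (user, IP) allowlist."""

    def __init__(self):
        self.tokens = {}     # user -> [shared secret, next expected counter]
        self.allowed = {}    # (user, ip) -> expiry time in epoch seconds

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self.tokens[user] = [secret, counter]

    def validate(self, user: str, ip: str, otp: str, now: float,
                 ttl: int = DEFAULT_TTL) -> bool:
        """Model of '2fa val [token]': check the OTP, then allowlist the IP."""
        if user not in self.tokens:
            return False
        secret, counter = self.tokens[user]
        for c in range(counter, counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(secret, c).encode(), otp.encode()):
                # Advance past the matched counter so the same OTP cannot
                # be replayed, then record the IP with a capped lifetime.
                self.tokens[user][1] = c + 1
                self.allowed[(user, ip)] = now + min(ttl, MAX_TTL)
                return True
        return False

    def authorize(self, user: str, ip: str, operation: str, now: float) -> bool:
        """Called after SSH key auth has succeeded (assumed done upstream)."""
        if operation == "read":
            return True      # article: extra checks apply to writes only
        return self.allowed.get((user, ip), 0) > now
```

Advancing the stored counter on every successful match is what makes each OTP single-use; a captured token is useless once it has been accepted, and the allowlist entry it created is bound to one user and one source address.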

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
