Linux Foundation Protects Kernel Git Repositories With 2FA

The Linux Foundation announced on Monday that it has added a two-factor authentication (2FA) mechanism to the source code repositories housing the Linux kernel in an effort to improve access security for developers.


Up until now, kernel developers have been provided with their own SSH private keys which they utilize to push code changes. While this method provides a decent level of security, the Linux Foundation believes that it’s not enough because the SSH keys can fall into the wrong hands.


“Unfortunately, even though ssh keys are very long and are stored on the hard drive of your workstation instead of kept in your memory the way a password is, they can’t be considered true ‘2-factor authentication,’ even when the ssh key is protected by a passphrase — […] the ssh private key can be stolen or leaked,” Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained in a blog post.

2FA systems ensure that accounts can’t be breached even if the primary login credentials become compromised. They usually involve a software (an application installed on a smartphone) or hardware (a key fob) solution which provides a one-time password (OTP) that’s entered when logging in to the account. However, in the case of Linux kernel developers, there were some factors that needed to be taken into account before the system was developed.

“Kernel developers work from anywhere in the world, which makes device provisioning extra difficult. We needed a solution that would allow people to enroll their own devices remotely and do most token management on their own,” Ryabitsev said.

Since developers would not want to enter OTPs every time they performed a remote git operation, The Linux Foundation has decided to implement additional security checks only when a write operation is carried out.

“Since we already knew the username and the remote IP address of the developer attempting to perform a write operation, we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token,” noted Ryabitsev.


When developers attempt to perform a write operation such as “git push” from an IP address that hasn’t already been validated, they’re instructed to validate their current IP address by running the following command: ssh [email protected] 2fa val [token].

Once this is done, the IP address will be valid for 24 hours, but developers have the option to extend the period up to 30 days.

As for the tokens, Linux kernel developers can generate them using either software or hardware tokens. However, the organization wants to encourage them to use the more secure hardware tokens, so it has reached out to Yubico, the creators of Yubikeys. The company has agreed to donate Yubikeys to all Linux kernel developers who have accounts on kernel.org.

Yubikeys are small devices that generate a one-time token based on a pre-shared secret that’s stored on an incorporated chip. They’re plugged into the computer’s USB port and they’re recognized by the operating system as a keyboard. When the button on the Yubikey is pressed, the token is generated and sent to the computer as a sequence of keystrokes.

“In addition to Yubico’s own 2-factor implementation, yubikeys also support OATH’s HOTP standard, which is what we opted to use for our kernel.org needs. Doing so allows us to use both soft-tokens and hard tokens interchangeably (TOTP standard is an extension of the HOTP standard),” said Ryabitsev.
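The write-gating scheme and the HOTP tokens described above can be sketched as follows. This is an added example, not kernel.org's own code: it implements HOTP per RFC 4226 and ties a successful token check to a (user, IP) validation that expires after 24 hours, capped at 30 days. The `WriteGate` class, the look-ahead window of 5 and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

DEFAULT_TTL = 24 * 3600        # from the article: validation lasts 24 hours
MAX_TTL = 30 * 24 * 3600       # from the article: extendable up to 30 days
LOOK_AHEAD = 5                 # assumed resync window for unused button presses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class WriteGate:
    """Hypothetical server-side state: an HOTP secret and counter per user,
    plus (user, ip) -> expiry for addresses validated with a token."""

    def __init__(self):
        self.tokens = {}      # user -> [secret, next_counter]
        self.validated = {}   # (user, ip) -> expiry timestamp

    def enroll(self, user, secret):
        self.tokens[user] = [secret, 0]

    def validate_ip(self, user, ip, token, ttl=DEFAULT_TTL, now=None):
        now = time.time() if now is None else now
        if user not in self.tokens:
            return False
        secret, counter = self.tokens[user]
        for c in range(counter, counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(secret, c).encode(), token.encode()):
                self.tokens[user][1] = c + 1   # advance counter: no replay
                self.validated[(user, ip)] = now + min(ttl, MAX_TTL)
                return True
        return False

    def allow(self, user, ip, is_write, now=None):
        now = time.time() if now is None else now
        if not is_write:
            return True       # only write operations get the extra check
        return self.validated.get((user, ip), 0) > now
```

Advancing the stored counter past every accepted value is what makes each token single-use; a stolen SSH key alone leaves `allow()` returning `False` for writes from an address that was never validated.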

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
