The Linux Foundation announced on Monday that it has added a two-factor authentication (2FA) mechanism to the source code repositories housing the Linux kernel in an effort to improve access security for developers.
Up until now, kernel developers have been provided with their own SSH private keys which they utilize to push code changes. While this method provides a decent level of security, the Linux Foundation believes that it’s not enough because the SSH keys can fall into the wrong hands.
“Unfortunately, even though ssh keys are very long and are stored on the hard drive of your workstation instead of kept in your memory the way a password is, they can’t be considered true ‘2-factor authentication,’ even when the ssh key is protected by a passphrase — […] the ssh private key can be stolen or leaked,” Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained in a blog post.
2FA systems ensure that accounts can’t be breached even if the primary login credentials become compromised. They usually involve a software (an application installed on a smartphone) or hardware (a key fob) solution which provides a one-time password (OTP) that’s entered when logging in to the account. However, in the case of Linux kernel developers, there were some factors that needed to be taken into account before the system was developed.
“Kernel developers work from anywhere in the world, which makes device provisioning extra difficult. We needed a solution that would allow people to enroll their own devices remotely and do most token management on their own,” Ryabitsev said.
Since developers would not want to enter OTPs every time they performed a remote git operation, The Linux Foundation has decided to implement additional security checks only when a write operation is carried out.
“Since we already knew the username and the remote IP address of the developer attempting to perform a write operation, we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token,” noted Ryabitsev.
When developers attempt to perform a write operation such as “git push” from an IP address that hasn’t already been validated, they’re instructed to validate their current IP address by running the following command: ssh git@gitolite.kernel.org 2fa val [token].
Once this is done, the IP address will be valid for 24 hours, but developers have the option to extend the period up to 30 days.
As for the tokens, Linux kernel developers can generate them by using both software and hardware tokens. However, the organization wants to encourage them to use the more secure hardware tokens so it has reached out to Yubico, the creators of Yubikeys. The company has agreed to donate Yubikeys to all Linux kernel developers who have accounts on kernel.org.
Yubikeys are small devices that generate a one-time token based on a pre-shared secret that’s stored on an incorporated chip. They’re plugged into the computer’s USB port and they’re recognized by the operating system as a keyboard. When the button on the Yubikey is pressed, the token is generated and sent to the computer as a sequence of keystrokes.
“In addition to Yubico’s own 2-factor implementation, yubikeys also support OATH’s HOTP standard, which is what we opted to use for our kernel.org needs. Doing so allows us to use both soft-tokens and hard tokens interchangeably (TOTP standard is an extension of the HOTP standard),” said Ryabitsev.