Two factor auth
Fedora Infrastructure has implemented a form of two factor auth for people who have sudo access on Fedora machines. In the future we may expand this to include more than sudo but this was deemed to be a high value, low hanging fruit.
To enroll a Yubikey, use the fedora-burn-yubikey script like normal. To enroll using FreeOTP or Google Authenticator, go to https://admin.fedoraproject.org/totpcgiprovision/
Two factor auth is implemented by a modified copy of the https://github.com/mricon/totp-cgi project doing the authentication and pam_url submitting the authentication tokens.
totp-cgi runs on the fas servers (currently fas01.stg and fas01/fas02/fas03 in production), listening on port 8443 for pam_url requests.
FreeOTP, Google authenticator and yubikeys are supported as tokens to use with your password.
FreeOTP application is preferred, however Google authenticator works as well. (Note that Google authenticator is not open source)
This is handled via totpcgi. There’s a command line tool to manage users, totpprov. See 'man totpprov' for more info. Admins can use this tool to revoke lost tokens (google authenticator only) with 'totpprov delete-user username'
To enroll using FreeOTP or Google Authenticator for production machines, go to https://admin.fedoraproject.org/totpcgiprovision/
To enroll using FreeOTP or Google Authenticator for staging machines, go to https://admin.stg.fedoraproject.org/totpcgiprovision/
You’ll be prompted to login with your fas username and password.
Note that staging and production differ.
Yubikeys are enrolled and managed in FAS. Users can self-enroll using the fedora-burn-yubikey utility included in the fedora-packager package.
Send an email to firstname.lastname@example.org that is encrypted/signed with your gpg key from FAS, or otherwise identifies you are you.
First we MUST verify that the user is who they say they are, using any of the following:
Personal contact where the person can be verified by member of sysadmin-main.
Correct answers to security questions.
Email request to email@example.com that is gpg encrypted by the key listed for the user in fas.
For google authenticator,
ssh into batcave01 as root
ssh into os-master01.iad2.fedoraproject.org
$ oc project fas
$ oc get pods
$ oc rsh <pod> (Pick one of totpcgi pods from the above list)
$ totpprov delete-user <username>
For yubikey: login to one of the fas machines and run: /usr/local/bin/yubikey-remove.py username
The user can then go to https://admin.fedoraproject.org/totpcgiprovision/ and reprovision a new device.
If the user emails firstname.lastname@example.org with the signed request, make sure to reply to all indicating that a reset was performed. This is so that other admins don’t step in and reset it again after its been reset once.