Linux kernel devs made to finger their dongles before contributing code

Beginning on Monday, the security of the Linux kernel source code has become a little bit tighter with the addition of two-factor authentication for the kernel's Git code repositories. Contributing code changes to the Linux kernel sources at Kernel.org already required more than just a password, even before the change. …

  1. Eugene Crosser

    Good for them, and for Yubico

    Yubikey is much more convenient to use than traditional TOTP tokens (or Google Authenticator on the phone) where you have to type in the code from the token's display. Good publicity for Yubico, too.

    1. djack

      Re: Good for them, and for Yubico

      Yep,

      I really like Yubikey. Effective and nice and cheap. So cheap that it's feasible to use for your home system security. Each key costs about £25 and that's it. No licensing fees for authentication software, 'agents' or ongoing support fees.

      As they supply a preconfigured freeradius virtual appliance, you can (with a bit of work - no more than any other 2FA system) use it with almost anything.

      1. MyffyW Silver badge

        Re: Good for them, and for Yubico

        @djack Looks like a good solution - am I right in assuming these are perpetual (not like time-limited RSA fobs)?

        1. phuzz Silver badge

          Re: Good for them, and for Yubico

          Yup, it behaves as a USB keyboard. In our environment we use them to log into the more sensitive systems (that contain customer info etc.), and it's a case of typing your password, then press the button on the Yubikey whereupon it outputs a string of characters followed by a carriage return and you're logged straight in.

          Each user has a unique yubikey, and they're so small they easily fit on a keyring.

        2. djack

          Re: Good for them, and for Yubico

          @MyffyW

          There is no hard 'artificial' expiration feature. However, there is an internal counter that is incremented every time the device is plugged in. This counter serves as part of the authentication mechanism to prevent replay (and provide some protection from pre-play) attacks. That counter is a 16-bit word. Yubico say that this corresponds to about 25 tokens every day for 7 years or 5 tokens every day for 35 years.

          (http://static.yubico.com/var/uploads/pdfs/Security_Evaluation_2009-09-09.pdf)

          You can replace the secret key on a Yubikey but I'm not sure if this resets that counter or not.
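Added example, not part of the thread and not Yubico's code: how a validation server can use the counter described in the comment above to reject a replayed OTP and an OTP that was generated earlier but submitted late. It assumes the OTP has already been decrypted and its counters extracted; the per-press counter, the key ids and all names here are assumptions of this example.

```python
from dataclasses import dataclass, field

COUNTER_MAX = 0xFFFF  # 16-bit plug-in counter, as stated in the comment above
PRESS_MAX = 0xFF      # assumed 8-bit counter of button presses within one plug-in


@dataclass
class ReplayGuard:
    """Server-side state: highest (plug-in, press) counter pair seen per key."""
    last_seen: dict = field(default_factory=dict)

    def check(self, key_id: str, plug_ctr: int, press_ctr: int) -> str:
        if not (0 <= plug_ctr <= COUNTER_MAX and 0 <= press_ctr <= PRESS_MAX):
            return "malformed"
        current = (plug_ctr, press_ctr)
        previous = self.last_seen.get(key_id)
        # Tuples compare lexicographically: a token is fresh only if it is
        # strictly newer than every token already accepted for this key.
        if previous is not None and current <= previous:
            return "replay"
        self.last_seen[key_id] = current
        return "ok"

    def remaining_plug_ins(self, key_id: str) -> int:
        """Plug-in events left before the 16-bit counter is used up."""
        previous = self.last_seen.get(key_id)
        return COUNTER_MAX - (previous[0] if previous else 0)


def demo() -> list:
    guard = ReplayGuard()
    # Constructed sample events, in arrival order at the server.
    events = [
        ("key-A", 41, 0),  # normal login
        ("key-A", 41, 0),  # the same OTP submitted a second time
        ("key-A", 41, 1),  # second button press in the same plug-in session
        ("key-A", 43, 0),  # later session; the counter-42 OTP was never submitted
        ("key-A", 42, 0),  # the unsubmitted counter-42 OTP arrives late
        ("key-B", 7, 0),   # a different key has independent state
    ]
    return [guard.check(*event) for event in events]


if __name__ == "__main__":
    print(demo())
```

The late counter-42 token is rejected only because a newer one was accepted first, which is why the counter gives partial rather than complete protection against pre-play.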

          1. MyffyW Silver badge

            Re: Good for them, and for Yubico

            Thanks @phuzz and @djack

  2. Anonymous Coward

    Good Start

    Now if they can just find a way to stop Lennart Poettering from making any more malicious changes

    1. Gene Cash Silver badge

      Re: Good Start

      I wish I had more upvotes.... F^#*$ing systemd. They've now broken udevd in a similar manner, and I have to work around it by running scripts to upload from my camera with "at now"

  3. Down in the weeds

    Security Policy anyone?

    Is there a (formal, written) Security Policy for kernel devs?

    Are the Linux Foundation considering developing such a thing?

    How do we gain assurance that all kernel devs possess a *genuine* Yubikey?

    Seems to me these are USB 'automatic keyboard' devices, a la the 'USB is universally hacked / hackable' scenario

    A modicum of increased confidence in the integrity of kernel modules arises from this 2FA ...

    ... just a tad
