Next week a number of Fedora Infrastructure folks will be heading out to lovely Raleigh, NC for a FAD (Fedora Activity Day) based around security.
Why gather in person to work on this, instead of our usual distributed workflow? Well, we have had a rough outline of a plan to enable two-factor authentication for all sudo access since the last FUDCon (almost a year ago now), but we keep running into not having everyone available, not having time, or having too many distractions. So we decided to schedule a time, get a bunch of people together and just get it done(tm). 🙂
In a broad overview, we will be using pam_url on machines, talking to either a totp-cgi or a FAS backend that handles the second factor. We hope to support YubiKeys and Google Authenticator to start with as backend factors, and hope to have FAS handle enrollment and related details. If everything goes smoothly with sudo, we may look at selective ssh enablement down the road (so, for example, fedorahosted projects could choose to enable it, or we could optionally enable it for pkgs, etc).
So, the main goal of the FAD is of course the aforementioned two-factor authentication for all sudo access on all our machines, but if we have time after that, we have a bunch of other security-related tasks we hope to at least discuss and hash out so we can work on them in our normal distributed workflow.
Monday will be a travel day, so if you are looking for infrastructure folks, please be patient. Tuesday and Wednesday we will be working full-on on our primary task. Thursday morning will be for finishing things up and traveling home. We should all be gathering in #fedora-fad on IRC for folks that want to help us out remotely. We will be meeting in the lovely new Red Hat tower.
https://fedoraproject.org/wiki/FAD_Infrastructure_Security_2012 has further details and tasklists and so forth.
I’m confident we will finish our primary goal. 🙂