From Fedora Project Wiki

(Update for the new fedora AAA system)
 
(6 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Fedora infrastructure has setup to use two factor authenication for all 'sudo' access on any machines. At some point in time it may be expanded for other access, but currently it's restricted to just 'sudo' calls on infrastructure machines.  
Fedora infrastructure has setup to use two factor authenication for all 'sudo' access on any machines. Setting up two factor authentication for this will also require it for all logins using the fedora account system.  


= Audience =
= Audience =
Line 9: Line 9:
= Supported tokens =
= Supported tokens =


Currently we support two backend tokens:  
Currently we support otp tokens:  


1. yubikey - You setup this as noted on the yubikey burn page.  
google authenticator or FreeOTP as well as others - You can install the free application on your iphone / android / windows mobile device to use this option.  


2. google authenticator - You can install a free application from google to your iphone or android device to use this option.
If you do not have an android or iphone device, please contact us for options.
 
If you do not have a yubikey or a android or iphone device, please contact us for options.  


= Enrolling =
= Enrolling =


Yubikeys can be enrolled per http://fedoraproject.org/wiki/Infrastructure/Yubikey#How_do_I_burn_my_yubikey.3F
Google authenticator or FreeOTP via:  


Google authenticator via:  
* Go to https://accounts.stg.fedoraproject.org/ (staging) or https://accounts.fedoraproject.org/ (production)


* Go to https://admin.stg.fedoraproject.org/totpcgiprovision/ (staging) or https://admin.fedoraproject.org/totpcgiprovision/ (production)
* Login with your FAS username and password.  


* Login with your FAS username and password.  
* Click on the edit profile button underneath your avatar and then select the otp tab.


* You should get a page with a QR code and some backup/scratch codes. Store them in a non electronic safe place. Do NOT save them on your computer.  
* Click the Add OTP token button and enter your username and password into the form. A QR code will appear.  


* Run the android or ios app, select add token, scan the qr code.  
* Run the android or ios app, select add token, scan the qr code. This qr code will not appear again so take care to ensure it scanned correctly before clicking off it.


= What happens if I lost my token? =
= What happens if I lost my token or got a new device? =


Mail admin@fedoraproject.org and explain what happened. Additionally, you will need to provide some or all of the below information to prove your identity:  
Please open a ticket at https://pagure.io/fedora-infrastructure/new_issue and explain what happened. Additionally, you may need to provide some or all of the below information to prove your identity:  


* A gpg signed email with the gpg key listed for your account in FAS.  
* A gpg signed email with the gpg key listed for your account in FAS.  


* Correct answer to security questions stored in FAS.  
* Any other means that are acceptable to admins (video chat where the person is known by look/voice, phone call where user answers questions only user would know, etc).


* Any other means that are acceptable to admins (video chat where the person is known by look/voice, phone call where user answers questions only user would know, etc).
= Software used =


= Software used =
https://github.com/freeipa/freeipa


https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
https://github.com/fedora-infra/noggin


http://code.google.com/p/google-authenticator/
== Supported Apps ==
https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp


https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2


https://fedorahosted.org/pam_url/
https://code.google.com/p/google-authenticator/


https://github.com/mricon/totp-cgi
https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8


http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b
http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b

Latest revision as of 09:55, 16 April 2021

Introduction

Fedora infrastructure has setup to use two factor authenication for all 'sudo' access on any machines. Setting up two factor authentication for this will also require it for all logins using the fedora account system.

Audience

You need to know about this if you are in a FAS group that provides you shell access to any infrastructure machines, and additionally you have permissions / need to sudo on those machines.

Supported tokens

Currently we support otp tokens:

google authenticator or FreeOTP as well as others - You can install the free application on your iphone / android / windows mobile device to use this option.

If you do not have an android or iphone device, please contact us for options.

Enrolling

Google authenticator or FreeOTP via:

  • Login with your FAS username and password.
  • Click on the edit profile button underneath your avatar and then select the otp tab.
  • Click the Add OTP token button and enter your username and password into the form. A QR code will appear.
  • Run the android or ios app, select add token, scan the qr code. This qr code will not appear again so take care to ensure it scanned correctly before clicking off it.

What happens if I lost my token or got a new device?

Please open a ticket at https://pagure.io/fedora-infrastructure/new_issue and explain what happened. Additionally, you may need to provide some or all of the below information to prove your identity:

  • A gpg signed email with the gpg key listed for your account in FAS.
  • Any other means that are acceptable to admins (video chat where the person is known by look/voice, phone call where user answers questions only user would know, etc).

Software used

https://github.com/freeipa/freeipa

https://github.com/fedora-infra/noggin

Supported Apps

https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

https://code.google.com/p/google-authenticator/

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b