The previous reports on the Fedora Infrastructure Security FAD have been very very light on details as I have been wanting to summarize them separately from the events themselves.
Two Factor Authentication tries to hamper problems with passwords being stolen by requiring a person using a service to have a second "factor" which should increase the probability that the item trying to authenticate is actually that item.
Over the last 4+ years, Fedora Infrastructure has been wanting to implement two factor authorization to increase security. I believe Mike McGrath and some others began looking at Yubikey in 2009 or 2010. Parts were implemented into the Fedora Account System by that years FUDcon, but other fires began to take over and it was put off til the next year to fully implement. Other parts were worked on and a couple of different ways to implement were looked and or tested at one point another. However, every time these were ready to be fully implemented, other items took precedence and eventually the two factor would be put on a back-burner til "next year". This year, Kevin Fenzi made sure this would not happen again by getting the people needed to accomplish the goal into one location for a dedicated couple of days. It was decided that it needed to be a FAD versus FUDcon as we had found at previous FUDcons that sysadmins time gets pulled into various other meetings needing to know if X or Y or Z can be done with what hardware Fedora has available.
By getting everyone in Raleigh, the group has been able to get the infrastructure together, fix various bugs in pam_url, and have a solution we can roll out into production for 2 factor sudo access in the next couple of days.
2012-11-28
Fedora Activity Day: Day 2
Got up reasonably early, but found everyone had already been up for a while. Got some tea at the hotel Starbucks and got into our location on the 13th floor. Seth, Kevin, Toshio and Icon got to hacking pam_url and getting a working set in our staging infrastructure. Ricky Elrod, Nick Bebout, Clint Savage, and Sam Kottler worked on testing and helping where various issues came up. Around 10 am Ruth Suehle arrived and made sure that the whip was being cracked on blog posts... which well I was being lax on. After a suitable beating.. people were able to get back to work. [Ruth is a true professional, none of our fingers were broken so we could keep working.. and most of the bruising from the rubber hose won't show up for a couple of days.]
At around 12 am, Ruth also made sure we stopped what we were doing and got some food at another restaurant on the bottom floor of the Red Hat Tower, Dickies BBQ. The BBQ was quite good and we were able to get back quite fuller than we had been before. It was around this point a critical issue came up... we were having lots of success in the 64 bit environment, but two factor was not working in 32 bit systems. After the usual maligned suspects (wrong binary on wrong architecture, selinux, systemd and pulseadio **) had been discounted the afternoon was taken up with debugging and finding out what kind of coding issue.
By around 5:30pm, another break was taken as we went to local Italian restaurant, Gravy's for a fine dinner. On the way we were serenaded by MC Vidal and his remix of a Beastie Boys classic.
I found out that beer at Oktoberfest is served in liter sized drinks and after 2 or three you can be quite toasted. I also learned what Salmon Ladders are, and how to get a killer interview with John Barrowman. There were other cool stories, but they paled and I forgot them. Eventually we had to go back, which was good because by this time several West Coast hackers were freed up on their day jobs to help on the debugging of the pam_url issue. [Thankyou rzhou, awilcox and all the others.]
It is 11:30pm and hacking is still ongoing so I am going to finish this post with photos of people today:
** Yes it is a joke. No systemd or pulseaudio rpms were harmed in the pursuit of this debugging.
At around 12 am, Ruth also made sure we stopped what we were doing and got some food at another restaurant on the bottom floor of the Red Hat Tower, Dickies BBQ. The BBQ was quite good and we were able to get back quite fuller than we had been before. It was around this point a critical issue came up... we were having lots of success in the 64 bit environment, but two factor was not working in 32 bit systems. After the usual maligned suspects (wrong binary on wrong architecture, selinux, systemd and pulseadio **) had been discounted the afternoon was taken up with debugging and finding out what kind of coding issue.
By around 5:30pm, another break was taken as we went to local Italian restaurant, Gravy's for a fine dinner. On the way we were serenaded by MC Vidal and his remix of a Beastie Boys classic.
I found out that beer at Oktoberfest is served in liter sized drinks and after 2 or three you can be quite toasted. I also learned what Salmon Ladders are, and how to get a killer interview with John Barrowman. There were other cool stories, but they paled and I forgot them. Eventually we had to go back, which was good because by this time several West Coast hackers were freed up on their day jobs to help on the debugging of the pam_url issue. [Thankyou rzhou, awilcox and all the others.]
It is 11:30pm and hacking is still ongoing so I am going to finish this post with photos of people today:
** Yes it is a joke. No systemd or pulseaudio rpms were harmed in the pursuit of this debugging.
Fedora Activity Day: 1
On Tuesday the main part of the hack fest began. People got up and going to the Tower by 9am which was quite good since most people are from several time zones later and also had been working to 1am on various parts. Bill Nottingham had gotten a nice enclave for us off the 16th floor lunchroom where we spent the rest of the day in and out of.
The main goals for the morning hackfest was to make sure that the plan for two factor authorization made sense: Who would be affected (those people with access to critical hardware) and those who would not (everyone else), What would be covered (sudo and some FAS functions) and what would not (wiki, ssh logins, and many other applications), and How it would be done (pam_url, yubikey, google authenticator) and how it would not (pam_otp, linotp, home made app, etc). This took up a good portion of the morning because while we had worked out many similar ideas the night before we ended up finding slight differences. It also helped to make sure we had covered what corner cases would trip us up and which ones we didn't care about because the people affected were the ones making the changes.
At a late lunch time, we decided not to walk to the places that had been closed the night before, but stay on the block finding a nice sandwich place called Sosa's. It was actually about closing time for them, but the owner was very excellent to us keeping it open for an extra hour. The sandwiches were great and we got back to hacking around 3pm. We ended up working til around 7pm getting an initial set of packages together. By this time, the skys had been raining for a couple of hours (which for someone used to the deserts of New Mexico was quite amazing...) but we decided to walk to the restaurant we had wanted to go the night before. Sadly, it was packed as were the next 3 places we tried. In the end, we ended up at the Raleigh News which is a lovely food and pub place where food and hacking was done til about 9pm. A long walk back to the hotel and more hacking followed. I crashed but others kept up til around 2 am I was told. [Sorry for a lack of hacking details today.. most of my day was working out Fedora hardware purchases and other arcane issues.. ]
The main goals for the morning hackfest was to make sure that the plan for two factor authorization made sense: Who would be affected (those people with access to critical hardware) and those who would not (everyone else), What would be covered (sudo and some FAS functions) and what would not (wiki, ssh logins, and many other applications), and How it would be done (pam_url, yubikey, google authenticator) and how it would not (pam_otp, linotp, home made app, etc). This took up a good portion of the morning because while we had worked out many similar ideas the night before we ended up finding slight differences. It also helped to make sure we had covered what corner cases would trip us up and which ones we didn't care about because the people affected were the ones making the changes.
At a late lunch time, we decided not to walk to the places that had been closed the night before, but stay on the block finding a nice sandwich place called Sosa's. It was actually about closing time for them, but the owner was very excellent to us keeping it open for an extra hour. The sandwiches were great and we got back to hacking around 3pm. We ended up working til around 7pm getting an initial set of packages together. By this time, the skys had been raining for a couple of hours (which for someone used to the deserts of New Mexico was quite amazing...) but we decided to walk to the restaurant we had wanted to go the night before. Sadly, it was packed as were the next 3 places we tried. In the end, we ended up at the Raleigh News which is a lovely food and pub place where food and hacking was done til about 9pm. A long walk back to the hotel and more hacking followed. I crashed but others kept up til around 2 am I was told. [Sorry for a lack of hacking details today.. most of my day was working out Fedora hardware purchases and other arcane issues.. ]
Fedora Activity Day 0
Monday was a day of travelling for most people with airflights from various places in the country. I drove up from South Carolina and got to Raleigh around 1pm. The new Red Hat offices are very nice but still under construction with some people already in the floors and others still over at the old location on North Carolina State. I got to meet with various old friends (Bill Nottingham, Rob Landry, James Laska and Doug Ledford). Other people I hoped to run in would have to take trips across town later.
Later in the afternoon, Seth rolled in like MCA, and we began doing tag team pickups from the airport. By around 6pm we had enough for a dinner run, and found that many downtown places are closed on Monday night. In the end we ended up at Bu Ku and had a nice mix of "Street Foods". Icon (Konstantin) and MC Vidal ordered the Red Tree mix which was all the vegetarian mixes... others filled out their meats and a good time was had by all. The best part is outside of the restaurant is the open source cow.. while not spherical it does have nice red horns.
After dinner, we retired back to the hotel while I went back to pick up Nick Bebout from a late flight. People back at the hotel caught up with email from the day and scoped out what items would be needed to get two factor authorization working.
Later in the afternoon, Seth rolled in like MCA, and we began doing tag team pickups from the airport. By around 6pm we had enough for a dinner run, and found that many downtown places are closed on Monday night. In the end we ended up at Bu Ku and had a nice mix of "Street Foods". Icon (Konstantin) and MC Vidal ordered the Red Tree mix which was all the vegetarian mixes... others filled out their meats and a good time was had by all. The best part is outside of the restaurant is the open source cow.. while not spherical it does have nice red horns.
After dinner, we retired back to the hotel while I went back to pick up Nick Bebout from a late flight. People back at the hotel caught up with email from the day and scoped out what items would be needed to get two factor authorization working.
2012-11-25
Fedora Infrastructure Security FAD: Day -1
Today was mainly spent writing a paper... well attempting to write a paper on Password Security in Fedora. The process of writing seems to be the following:
- Open up a text document in a simple editor. Over the years I found that writing first drafts in fancy office programs to make things worse as I spend hours trying to figure out which font to use, how large to make the margins, etc. etc. would derail the paper. For a simple editor I use Emacs .. well its not simple or small but it is a good OS while I look for a simple editor :).
- Get all the distractions of the day out of the way. That means read through my Facebook queue to find out if I have cat pictures to like, friends political posts to ignore, and family birthdays to say "Happy .." to. Go through the large Fedora email queue and find out which emails I need to answer and what tickets needs to get done.
- Stare at the empty editor page for an hour. Try various first sentences and delete them. Realize you don't know where you will be meeting people tomorrow.
- Figure out where I need to go tomorrow in Raleigh. Red Hat moved offices during the summer and I need to get to the new ones in downtown. Go look at various maps to figure the best way to get to the offices.
- Look intently at the empty page... put a bunch of ideas down for what should be noted in the paper and what should not. Go research some papers by Alec Muffet (the writer of Crack and other tools).
- Get some tea.
- Take the ideas from the page and put them in a different file. See an empty page and type lalalalala for a while.
- Run out of the house yelling "You will never take me alive!!!!" For extra points remember half-way that clothes would be a good idea.
- Go back and start typing in the page. Get about 4 paragraphs done.
- Get a page about systems and go do steps 1-9 again.
- Remember that you needed to post a before the FAD post and go do that.
- Go back to typing because you have nothing left to distract yourself for a good 10 minutes.
2012-11-24
Fedora Infrastructure Security FAD: Day -2
From Monday evening til Thursday morning, various system administrators will be meeting in Raleigh, North Carolina for a Fedora Activity Day (FAD). We will be discussing and working on improving the security of Fedora's Infrastructure to bring in various 2 factor security methods via Yubikeys and Google Authentication. Many of the parts have been worked on in the past, but getting all the people in the same place to focus on them took a lot longer than expected :). Most people will be travelling to North Carolina by plane on Monday, but I decided to come in early and spend the weekend with my parents in South Carolina. Then on Monday I will drive up and pick up people from the airport and get them to the hotel and such.
My original goal was to use my parent's truck and put people in the back, but the laws have changed and system administrators are no longer classified as cattle. So I have had to borrow a different car and people will just have to get in the trunk :). After I get them to the hotel, we will all check in and do an evening get together of what our goals for Tuesday are and anything that is thought hackable starting off.
While I won't be working on the Fedora Account System (FAS) integration of 2 factor, I will be working on mapping our security controls with the top 20 Critical Controls and the Top 35 Mitigation Strategies. These aren't much different from other security documents but I decided to pick something and SANS looked like a good place (and going through the 400+ pages of NIST documents usually makes people insane.) This will basically be a goal of just pointing out our good practices, figuring out what we might want to check, and where we could improve in a way that outsiders can compare with their own tools (if they use those security documents and not one of the myriad other ones). [This isn't about locking down a system but more about how to protect as much as usable and deal with the eventual breakins and problems that occur.]
I also plan to finish off a talk on what changes in Password Security over the last 3 years have "bought" us as an organization. I want to have this as a finished talk at FUDcon as this all started from FUDcon Phoenix.
Anyway, happy hacking.
My original goal was to use my parent's truck and put people in the back, but the laws have changed and system administrators are no longer classified as cattle. So I have had to borrow a different car and people will just have to get in the trunk :). After I get them to the hotel, we will all check in and do an evening get together of what our goals for Tuesday are and anything that is thought hackable starting off.
While I won't be working on the Fedora Account System (FAS) integration of 2 factor, I will be working on mapping our security controls with the top 20 Critical Controls and the Top 35 Mitigation Strategies. These aren't much different from other security documents but I decided to pick something and SANS looked like a good place (and going through the 400+ pages of NIST documents usually makes people insane.) This will basically be a goal of just pointing out our good practices, figuring out what we might want to check, and where we could improve in a way that outsiders can compare with their own tools (if they use those security documents and not one of the myriad other ones). [This isn't about locking down a system but more about how to protect as much as usable and deal with the eventual breakins and problems that occur.]
I also plan to finish off a talk on what changes in Password Security over the last 3 years have "bought" us as an organization. I want to have this as a finished talk at FUDcon as this all started from FUDcon Phoenix.
Anyway, happy hacking.
2012-11-06
Voted Today
Wow, I have not posted in a long long time. Well I will start doing so with today's topic starting with a non-Fedora one... US Elections. I voted. It was easy, it was fast, and I think our local county clerk did a great job in making it so that every voting place could be 'your' voting place by moving the printing of ballots to each place. There were multiple receipts and coverage so that verification of the correct ballot and correct voter could be done after the election. Which is nice after watching the videos of people who are trying to vote for X candidate but getting Y chosen for them due to either capacitive touch problems (or possibly other issues.)
In the backyard right now I am watching the mountain birds begin to arrive at the bird feeders. They haven't found the "suet" feeder as attractive as the Nyger seed or the regular seed. The local pigeons have grown fat over the summer... the dog actually was able to grab one yesterday.. which after eating her share, decided to give the rest to me. Good doggie... but I am not sure I want rat-bird to eat. But it has meant that the back yard has fewer pigeons in it today so I am happy.
In Fedora news. I am working on some papers for the FUDcon.. have to finish them up in the next week or so. For relaxation, I built a box out of various spare parts from friends.. it is about 2 year old hardware and probably the fastest system in my house :). The story of Frankenbox will be my next post.
In the backyard right now I am watching the mountain birds begin to arrive at the bird feeders. They haven't found the "suet" feeder as attractive as the Nyger seed or the regular seed. The local pigeons have grown fat over the summer... the dog actually was able to grab one yesterday.. which after eating her share, decided to give the rest to me. Good doggie... but I am not sure I want rat-bird to eat. But it has meant that the back yard has fewer pigeons in it today so I am happy.
In Fedora news. I am working on some papers for the FUDcon.. have to finish them up in the next week or so. For relaxation, I built a box out of various spare parts from friends.. it is about 2 year old hardware and probably the fastest system in my house :). The story of Frankenbox will be my next post.
Subscribe to:
Posts (Atom)