Linux kernel source code repositories get better security

Summary: The Linux Foundation is strengthening the walls around the Linux kernel's source code Git repositories.

CHICAGO – Almost three years ago, crackers broke into kernel.org, Linux's most important site. While no damage was done, it was still worrisome. So, at the Linux Kernel Summit, the Linux Foundation announced that it is securing Linux's Git source code repositories with two-factor authentication.

Some Linux kernel developers will be using YubiKeys to secure their log-ins to the Linux master source code repositories.

Immediately after the 2011 break-in, the Linux Foundation began "mandating a fairly strict authentication policy for those developers who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org." That's good, but it's not enough.

As Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained: "While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands -- for example if the developer's workstation is compromised or if someone manages to access some poorly secured backups. … Keeping that in mind, we wanted to further tighten our access requirements, but without causing undue difficulties for the kernel developers."

So, the Foundation has moved on to two-factor authentication. With two-factor authentication, instead of simply presenting a user ID and password, you must complete an additional step. With Google and Twitter, for example, it works by requiring both a password and a numeric code texted to your phone number. If either part fails, you can't get into your account.


Because this is all done by software (apart from your phone), it is called "soft-token" authentication. If you have to use an actual physical object, such as an RSA SecurID key fob or a YubiKey, you're using "hard-token" authentication.

For Linux's Git, a distributed revision control and source code management (SCM) system, the Linux Foundation is giving its top developers a choice of using soft or hard tokens. True, as Ryabitsev observed, hard tokens are inherently more secure, but even a "soft token is still dramatically more secure than no two-factor authentication at all."

To encourage the use of hard tokens, "Yubico went well above and beyond a simple discount and offered to donate a hundred yubikeys to all Linux kernel developers who currently hold accounts at kernel.org."

Either way, the Linux source files will be protected by the Initiative for Open Authentication (OATH)'s HMAC-based One-Time Password Algorithm (HOTP) and Time-Based One-Time Password Algorithm (TOTP). Both are Internet Engineering Task Force (IETF) security standards.

Programmers probably don't want to enter passwords and fresh random six-digit codes every time they log in. Therefore, Ryabitsev explained, they've configured their Git management tool, gitolite, so that once a developer has passed two-factor validation, the system allows them to write to Git by white-listing the combination of their user name and current remote Internet Protocol (IP) address.

So, "Once this is done, all future git operations from that IP address for that particular user would succeed until the validation expires after 24 hours. Developers may optionally validate their IP address for an extended period of time -- up to a max of 30 days -- which is handy if someone mostly works from the same location."

This system is now up and running for both the mainline and stable Linux kernel repositories. At this time, two-factor authentication is not mandatory. Eventually, it will be.

In making this security move, the Linux Foundation is following a growing trend as more and more popular Web sites, such as Facebook, Tumblr, and Evernote, have moved to two-factor authentication to block unwelcome intruders.


About

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system; 300bps was a fast Internet connection; WordStar was the state-of-the-art word processor; and we liked it. His work has been published in everything from highly technical publications...
