CHICAGO – Almost three years ago, crackers broke into kernel.org, Linux's most important site. While no damage to the kernel source was found, the break-in was still worrisome. So, at the Linux Kernel Summit, the Linux Foundation announced that it is securing the kernel's Git source code repositories with two-factor authentication.
Immediately after the 2011 break-in, the Linux Foundation began "mandating a fairly strict authentication policy for those developers who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org." That's good, but it's not enough.
As Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained: "While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands -- for example if the developer's workstation is compromised or if someone manages to access some poorly secured backups. … Keeping that in mind, we wanted to further tighten our access requirements, but without causing undue difficulties for the kernel developers."
So the Foundation has moved on to two-factor authentication. Instead of relying on a user ID and password alone, two-factor authentication demands a second, independent proof of identity. With Google and Twitter, for example, you must enter both your password and a numeric code sent to your phone by text message. If either part fails, you can't get into your account.
When the one-time code is generated by software, such as an authenticator app on your phone, this is called "soft-token" authentication. If you have to use a dedicated physical device, such as an RSA SecurID key fob or a YubiKey, you're using "hard-token" authentication.
For the kernel's Git repositories (Git being a distributed revision control and source code management, or SCM, system), the Linux Foundation is giving its top developers a choice of soft or hard tokens. True, as Ryabitsev observed, hard tokens are inherently more secure, but even a "soft token is still dramatically more secure than no two-factor authentication at all."
To encourage the use of hard tokens, "Yubico went well above and beyond a simple discount and offered to donate a hundred yubikeys to all Linux kernel developers who currently hold accounts at kernel.org."
Either way, the Linux source repositories will be protected by the Initiative For Open Authentication (OATH)'s HMAC-based One-Time Password algorithm (HOTP) and Time-Based One-Time Password algorithm (TOTP). Both are published by the Internet Engineering Task Force (IETF), as RFC 4226 and RFC 6238 respectively. HOTP derives a short numeric code from a secret shared between the token and the server plus a counter; TOTP uses the current time, divided into 30-second steps by default, as that counter, so the same secret yields a fresh code every half minute.
Programmers probably don't want to type a fresh six-digit code every time they push. Therefore, Ryabitsev explained, they've configured gitolite, the access-control layer that manages kernel.org's Git repositories, so that once a developer has validated with the second factor, the system allows them to write to Git by whitelisting their user name and current remote Internet Protocol (IP) address.
So, "Once this is done, all future git operations from that IP address for that particular user would succeed until the validation expires after 24 hours. Developers may optionally validate their IP address for an extended period of time -- up to a max of 30 days -- which is handy if someone mostly works from the same location."
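The article above describes two mechanisms: the OATH HOTP/TOTP algorithms that produce the one-time codes, and the gitolite policy that whitelists a validated user name and IP address for 24 hours, or up to 30 days on request. The following Python is an added example that is not part of the original article and is not kernel.org's gitolite code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, checks them against the RFCs' published test secret "12345678901234567890", and models the whitelisting policy in a hypothetical IpValidationStore class whose names, replay guard, default and maximum lifetimes, sample timestamps and documentation-range IP addresses are this example's own assumptions.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238), plus a per-user, per-IP
validation cache modelled on the kernel.org policy described in the article.
Added example; not kernel.org's own gitolite tooling."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, then 'dynamic truncation':
    the low nibble of the last byte selects 4 bytes, the top bit is masked off,
    and the result is reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step); 30 s is the RFC default."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algo)


def match_totp(secret, code, at, step=30, digits=6, window=1):
    """Return the time step `code` matched (the current step or +/- `window`
    neighbours, to tolerate clock drift), or None. Every candidate is compared
    with hmac.compare_digest so timing does not leak which one matched."""
    current = int(at) // step
    matched = None
    for c in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    return matched


class IpValidationStore:
    """Hypothetical model of the article's policy: once a user passes TOTP,
    (user, ip) is whitelisted for 24 hours by default, or for a caller-chosen
    period capped at 30 days. Names and structure are this example's, not gitolite's."""
    DEFAULT_TTL = 24 * 3600
    MAX_TTL = 30 * 24 * 3600

    def __init__(self):
        self._valid = {}       # (user, ip) -> expiry as a unix timestamp
        self._last_step = {}   # user -> last TOTP step accepted (replay guard)

    def validate(self, user, ip, code, secret, ttl=DEFAULT_TTL, now=None):
        """Check the second factor and, on success, whitelist (user, ip)."""
        now = time.time() if now is None else now
        step = match_totp(secret, code, now)
        if step is None or step <= self._last_step.get(user, -1):
            # Wrong code, or a code from a step already used. RFC 6238 says a
            # verifier MUST NOT accept the same OTP a second time.
            return False
        self._last_step[user] = step
        self._valid[(user, ip)] = now + min(max(ttl, 0), self.MAX_TTL)
        return True

    def is_allowed(self, user, ip, now=None):
        """Called on every push: is this (user, ip) still validated?"""
        now = time.time() if now is None else now
        expiry = self._valid.get((user, ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self._valid[(user, ip)]
            return False
        return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))                     # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    store = IpValidationStore()
    t = 1_400_000_000  # constructed timestamp
    print("validate:", store.validate("alice", "198.51.100.7", totp(secret, t), secret, now=t))
    print("allowed 1h later:", store.is_allowed("alice", "198.51.100.7", now=t + 3600))
```

Two design points a practitioner would want to check in any server-side implementation: the verifier compares every candidate step rather than returning on the first match, so response time does not reveal which step matched, and it records the last accepted step per user so that a code captured in transit cannot be replayed within its 30-second validity from a second IP address.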
This system is now up and running for both the mainline and stable Linux kernel repositories. At this time, two-factor authentication is not mandatory. Eventually, it will be.
In making this security move, the Linux Foundation is following a growing trend as more and more popular Web sites, such as Facebook, Tumblr, and Evernote, have moved to using two-factor authentication to block unwelcome intruders.