Linux kernel source code repositories get better security

Summary: The Linux Foundation is strengthening the walls around the Linux kernel's source code Git repositories.

TOPICS: Security, Linux

CHICAGO – Almost three years ago, crackers broke into kernel.org, Linux's most important site. While no damage was done, it was still worrisome. So, at the Linux Kernel Summit, the Linux Foundation announced that it was securing Linux's Git source code repositories with two-factor authentication.

Some Linux kernel developers will be using YubiKeys to secure their log-ins to the Linux master source code repositories.

Immediately after the 2011 break-in, the Linux Foundation began "mandating a fairly strict authentication policy for those developers who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org." That's good, but it's not enough.

As Konstantin Ryabitsev, a senior systems and network administrator at The Linux Foundation, explained: "While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands -- for example if the developer's workstation is compromised or if someone manages to access some poorly secured backups. … Keeping that in mind, we wanted to further tighten our access requirements, but without causing undue difficulties for the kernel developers."

So, the Foundation has moved on to two-factor authentication, which adds an extra step on top of a user ID and password. With Google and Twitter, for example, you must supply both a password and a numeric code texted to your phone number. If any one part doesn't work, you can't get into your account.

Because this is all done by software (except for your phone), this is called "soft-token" authentication. If you have to use an actual physical object, such as an RSA SecurID key fob or a YubiKey, you're using "hard-token" authentication.

For Linux's Git, a distributed revision control and source code management (SCM) system, the Linux Foundation is giving its top developers a choice of using soft or hard tokens. True, as Ryabitsev observed, hard tokens are inherently more secure, but even a "soft token is still dramatically more secure than no two-factor authentication at all."

To encourage the use of hard tokens, "Yubico went well above and beyond a simple discount and offered to donate a hundred yubikeys to all Linux kernel developers who currently hold accounts at kernel.org."

Either way, the Linux source files will be protected by the Initiative For Open Authentication (OATH)'s HMAC-based One-Time Password Algorithm (HOTP) and Time-Based One-Time Password Algorithm (TOTP). Both are Internet Engineering Task Force (IETF) security standards.

Programmers probably don't want to enter passwords and new random six-digit codes every time they log in. Therefore, Ryabitsev explained, they've set up their Git management tool, gitolite, so that once a developer has been validated, the system will allow them to write to git by white-listing their username and current remote Internet Protocol (IP) address.

So, "Once this is done, all future git operations from that IP address for that particular user would succeed until the validation expires after 24 hours. Developers may optionally validate their IP address for an extended period of time -- up to a max of 30 days -- which is handy if someone mostly works from the same location."
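The flow described above, sketched as an added example (not kernel.org's or gitolite's own code): a TOTP code per RFC 4226/6238 validates a user and IP pair for 24 hours, extendable to at most 30 days. The `IpValidator` class, its method names and the one-step drift tolerance are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DEFAULT_TTL = 24 * 3600      # article: a validation expires after 24 hours
MAX_TTL = 30 * 24 * 3600     # article: extendable up to a maximum of 30 days


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(secret, int(now) // step)


class IpValidator:
    """Hypothetical (user, ip) -> expiry table consulted before each push."""

    def __init__(self, secrets):
        self.secrets = secrets      # user -> shared TOTP secret (bytes)
        self.valid_until = {}       # (user, ip) -> Unix expiry time
        self.used = set()           # (user, counter) pairs already redeemed

    def validate(self, user, ip, code, now, ttl=DEFAULT_TTL, step=30):
        secret = self.secrets.get(user)
        current = int(now) // step
        for counter in (current, current - 1):   # tolerate one step of drift
            if secret is None or counter < 0 or (user, counter) in self.used:
                continue
            expected = hotp(secret, counter).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                self.used.add((user, counter))   # a code is accepted only once
                self.valid_until[(user, ip)] = now + min(ttl, MAX_TTL)
                return True
        return False

    def may_push(self, user, ip, now):
        # Pushes succeed only from a validated address, and only until expiry.
        return now < self.valid_until.get((user, ip), 0)
```

Recording redeemed counters means a code observed in transit cannot be replayed to validate a second address within the same 30-second window.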

This system is now up and running for both the mainline and stable Linux kernel repositories. At this time, two-factor authentication is not mandatory. Eventually, it will be.

In making this security move, the Linux Foundation is following a growing trend as more and more popular Web sites, such as Facebook, Tumblr, and Evernote, have moved to using two-factor authentication to block unwelcome intruders. 

Talkback

12 comments
  • Open Source

    Unlike Linux, there exist various options in using open source software platforms. People take it always in a different set of logic that open source is always less secure than a solely held product. I have also written a blog entry here: http://www.pereless.net/blog/2014/8/18/open-source-software-and-technology-by-john-pereless
    perelessjohn
    • remarkable really

      Hi :)
      Yes, despite constant and highly noticeable evidence to the contrary people still sometimes believe the opposite of reality.

      Proprietary systems have to try to lock-down and protect themselves, and provide a stream of constant security updates and yet still need additional software such as anti-virus, anti-spam and so on. When people find a flaw in a proprietary system it is often difficult to report it and once reported it's often to a profit-making company. There is often more profit in increasing security of a newer system that is due to be sold rather than updating one that has already been sold. So it's not about fixing systems but about making the most profit from fixing broken security.

      OpenSource approaches it from the other angle. There is no profit to be made from withholding a security update so they get pushed out faster and wider. More people get to see the code so even if there is not a security flaw it is still embarrassing to write bad code and it might be bad for career prospects. So people have more reason to write elegant code and less chance of getting away with kludgy spaghetti.


      The most recent example of an OpenSource issue was in the 12 year old, heavily under-resourced package used by millions of hefty profit-making organisations, none of which contributed a dime towards its running costs. The Linux Foundation have stepped in to make sure it and other such projects have at least sufficient resources.

      The most recent example of a proprietary issue is the daily finding of malware on Win7 and even probably Win8 systems (and MS Office programs on those platforms) despite those systems being heavily resourced by one of the top profit-making organisations in the world.

      Regards from
      Tom :)
      Tom6
  • Kernel.org adds 2-factor security and also a way to circumvent it?

    Just to make sure I'm reading this correctly:
    - Kernel.org now requires 2-factor authentication for every transaction
    - Users can consistently circumvent this secure system (for a limited time, up to 30 days!)

    For something as critical as the core Linux source code, I'd force 2-factor for every commit. Enabling any kind of workaround, even temporarily, undermines their security.

    My takeaway from this article: We're serious about security, but it's too much of a burden on our users to properly implement it.
    R_Connelie
    • Validation of IP

      I wondered about that too. But, if I read this correctly, the GIT connection is restricted to one IP once it is validated, which validation can be extended for up to 30 days. A hacker would not be able to take over that connection unless it is from the programmer's computer.

      It isn't quite an unsecured feature, would be difficult to hack, but yeah - why not enforce the highest security possible by default in regards to the kernel?
      Mr.B.
    • It's a bit more complicated than that

      The two-factor authentication authenticates the IP address. By default the authentication is good for 5 days, but that limit can be raised to 30 days. When you're done (i.e., when you leave a particular site) you can invalidate the authorization early.

      That's not the only security, though. Linus requires that developers who submit pull requests digitally sign the git commit with a signed tag. This signature is validated by Linus before he accepts the pull request, and the signed tag is saved in the merge commit. This means that other people can independently validate the provenance of code which has been sent to Linus back to the subsystem maintainer:

      % git show --show-signature f8409abdc59
      commit f8409abdc592e13cefbe4e4a24a84b3d5741e85f
      merged tag 'ext4_for_linus'
      gpg: Signature made Sat 07 Jun 2014 11:46:03 PM EDT using RSA key ID C11804F0
      gpg: Good signature from "Theodore Ts'o " [ultimate]
      gpg: aka "Theodore Ts'o " [ultimate]
      gpg: aka "Theodore Ts'o " [ultimate]
      Merge: b20dcab bd9db17
      Author: Linus Torvalds
      Date: Sun Jun 8 13:03:35 2014 -0700

      Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
      ....

      Now personally, I store my GPG key on an OpenPGP smart card, so even if my laptop is pwned, my GPG private key can't be stolen by an attacker, and when I leave my laptop, the smartcard is pulled out and kept in my wallet or my corporate badge holder. Not everyone is as paranoid as I am, but the fact remains that in order to get code into the mainline kernel tree, it's a lot more complicated than just compromising the 2FA.

      The 2FA is useful for protecting more casual git tree pushes, but uploads to ftp.kernel.org or pull requests for Linus's tree also require a GPG signature.

      Cheers,

      -- Ted
      tytso
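An added example (not part of the comment above, and not the kernel project's tooling) of checking a signed tag's provenance mechanically: it reads GnuPG status lines, as printed by `git verify-tag --raw`, and accepts the tag only when the one valid signature comes from a pinned fingerprint. The sample output, fingerprints and function names are constructed for illustration.

```python
# Constructed placeholders, not real kernel developer key fingerprints.
MAINTAINER_FPR = "A" * 40
STRANGER_FPR = "B" * 40

# Constructed GnuPG status output for a tag signed by MAINTAINER_FPR.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {MAINTAINER_FPR[-16:]} Example Maintainer\n"
    f"[GNUPG:] VALIDSIG {MAINTAINER_FPR} 2014-06-08 1402199163 0 4 0 1 2 00 "
    f"{MAINTAINER_FPR}\n"
    "[GNUPG:] TRUST_ULTIMATE\n"
)

# Status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_fingerprint(status: str):
    """Return the primary-key fingerprint of the single valid signature,
    or None if the signature is bad, missing or ambiguous."""
    good = False
    fprs = []
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # ignore human-readable gpg chatter
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The tenth field, when present, is the primary key fingerprint;
            # otherwise fall back to the signing (sub)key fingerprint.
            fprs.append(args[9] if len(args) >= 10 else args[0])
    if good and len(fprs) == 1:
        return fprs[0].upper()
    return None


def tag_is_from(status: str, allowed_fprs) -> bool:
    """A good signature only counts if its key is one we expect."""
    fpr = signer_fingerprint(status)
    return fpr is not None and fpr in {f.upper() for f in allowed_fprs}
```

Pinning the full fingerprint matters because gpg reports a good signature for any key in the local keyring, and a short key ID such as the one shown in the human-readable output is not a unique identifier.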
  • It's about time

    Linux got serious about security.
    harry_dyke
    • Read the article

      “repositories get better security”
      Linux code is secure.

      What are you hiding from.....
      daikon
    • serious?

      Hi :)
      Linux almost never gets compromised despite being run on the vast majority of mission-critical machines and in places where being compromised could cause the most damage.

      Windows is only used much on desktop machines and small company servers and even then needs hefty additional security from 3rd parties and STILL suffers from being heavily compromised on an almost daily basis.

      So is Linux really not serious about security?
      Regards from
      Tom :)
      Tom6
  • Good news....

    ....considering that the Linux kernel bears the distinction of having the most exploits of any single piece of software ever written. Every little bit helps.
    Ekwensu214
    • Source/Link?

      “..considering that the Linux kernel bears the distinction of having the most exploits of any single piece of software ever written”

      You don't have any, that's what I thought.
      daikon
    • anti-virus anyone?

      Hi :)
      How often have you heard of Linux, BSD, Solaris or any other non-Windows system being compromised? Now how often do you hear about the need for antivirus with Windows?
      Regards from
      Tom :)
      Tom6
  • Consider trolls of that sort, Tom6 and daikon...

    ...like the mastiff - out with his owner for a walk - who soils your lawn. He doesn't return to inspect his work or the results. Neither do they.
    Robynsveil