Tuesday 14 August 2018

Re: Requiring Launchpad 2FA from Ubuntu uploaders

Hello,

On 08/14/2018 11:34 AM, Colin Watson wrote:
> How would this work, even conceptually? Some kind of extra challenge
> when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
> timeout arrangement so that it isn't hopelessly annoying)? What about
> FTP uploads?

In my opinion, SFTP should be the default for uploads to Ubuntu*, and we
should phase out FTP. My local /etc/dput.cf has been patched to do this
for a while now, and it works fine.

If this is done, we should be able to use PAM with google-authenticator.

Thoughts on going this route?

*If I recall correctly, Debian has already done this for uploads to
security-master.

--
Simon Quigley
tsimonq2@ubuntu.com
tsimonq2 on freenode and OFTC
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4