Tuesday, 14 August 2018

Re: Requiring Launchpad 2FA from Ubuntu uploaders

On Tue, Aug 14, 2018 at 05:18:38PM +0200, Philipp Kern wrote:
> - u2f support.

I agree that would be useful
Maybe somebody with skills in this area could look into
lp:canonical-identity-provider and see what's involved in adding it?

> Getting out the HOTP token (I guess I enrolled too early for TOTP) is
> annoying.

If I'm understanding you right, you can easily just add a TOTP device to
your SSO account.

> But I guess a Launchpad session is pretty permanent, so you don't
> actually need to reauth on the same device, right? (Which might also
> be a bad thing.)

I didn't think they were quite permanent, but that bit of LP is very
stable code and I've never had to dig into it to find out. There are
certain operations that require a fresh SSO login (editing SSH keys, GPG
keys, or email addresses).

> - It only protects access to Launchpad, not access to the keys that sign the
> uploads and ultimately control what gets put into the archive. Shouldn't
> there be a way behind 2fa to contribute to Ubuntu as well? :)

How would this work, even conceptually? Some kind of extra challenge
when doing SFTP uploads or git/bzr pushes to ask for 2FA (and some
timeout arrangement so that it isn't hopelessly annoying)? What about
FTP uploads?

Colin Watson [cjwatson@ubuntu.com]

ubuntu-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel