Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
2FA configuration?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback
View previous topic :: View next topic  
Author Message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sat Apr 15, 2023 6:54 pm    Post subject: 2FA configuration? Reply with quote

Hi,

I miss 2 factor authentication, or have I just not looked thoroughly enough? If not yet, is it planned? If not, why?

Thanks
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54577
Location: 56N 3W

PostPosted: Sat Apr 15, 2023 7:19 pm    Post subject: Reply with quote

G3nt00,

Hardware keys work. What did you have in mind for a second factor?

Anything any other distro can do, Gentoo can do too.
You only need to tell it how. Someone has to be first, if its you please contribute a Wiki page.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 3:36 am    Post subject: Reply with quote

NeddySeagoon wrote:
G3nt00,

Hardware keys work. What did you have in mind for a second factor?

Anything any other distro can do, Gentoo can do too.
You only need to tell it how.

Very true, I have the Yubikey's configured in Gentoo. But this category is dedicated to the forum, no? I was hoping I could add 2FA to my login here too. Most forums do these days, and even if false security, it is at least one more barrier to cross before gaining access...


NeddySeagoon wrote:

Someone has to be first, if its you please contribute a Wiki page.

For sure. When/if I do something I feel can benefit other I will pay it forward. I have gotten so much great help and want to contribute where/when I can :)
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54577
Location: 56N 3W

PostPosted: Sun Apr 16, 2023 10:57 am    Post subject: Reply with quote

G3nt00,

The forums do not support 2FA. The code base in use is phpBB-2.0.23 from 2002.
Maybe phpBB-3 will?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 11:15 am    Post subject: Reply with quote

NeddySeagoon wrote:
G3nt00,

The forums do not support 2FA. The code base in use is phpBB-2.0.23 from 2002.
Maybe phpBB-3 will?

I figured as much. Will the forum be upgraded anytime soon you think?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54577
Location: 56N 3W

PostPosted: Sun Apr 16, 2023 11:33 am    Post subject: Reply with quote

G3nt00,

I don't think it will happen until -infra are forced to update the php version that the forums depends on.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3424

PostPosted: Sun Apr 16, 2023 11:34 am    Post subject: Reply with quote

Not until its bits rot to the point it starts falling apart under its own weight :lol:
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5094
Location: Bavaria

PostPosted: Sun Apr 16, 2023 11:37 am    Post subject: Reply with quote

szatox wrote:
Not until its bits rot to the point it starts falling apart under its own weight :lol:

Never change a winning team ... ahhm ... a running system ! 8)
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 11:46 am    Post subject: Reply with quote

Ah. I hear you. However I don't feel security is the strong-point here... I am not suggesting keeping everything top-notch all the time, but this is a somewhat big thing. If I'm not mistaken I also think this grand system cut my wanted password in half more or less. But true; "If it ain't broke, don't fix it..." + "Unless, there is anything to gain from it." which there seem to be here. Keeping my hope up for it anyways. Who should I nag about it? ;) (kidding)
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22625

PostPosted: Sun Apr 16, 2023 4:17 pm    Post subject: Reply with quote

There was an attempt a few years ago to upgrade. I think it was never formally abandoned, but as you can see, neither has it been completed. I do not recall specifically why it is not done yet, but I suspect the issue is that the key volunteers are swamped with other higher priority tasks.
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 4:46 pm    Post subject: Reply with quote

Hu wrote:
... the key volunteers are swamped with other higher priority tasks.

I'd bet that is it.I reckon the upgrade in itself could be rather quick, but all preparations and testing prior and after is perhaps not that trivial, I get that.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3424

PostPosted: Sun Apr 16, 2023 6:12 pm    Post subject: Reply with quote

G3nt00 wrote:
Ah. I hear you. However I don't feel security is the strong-point here...
Yeah, so?
it's a public forum. What's the worst thing that could happen? Russian hackers stealing your posts instead of just taking them for free?
Or is China the big bad guy now? Funny that USA keeps flying under the radar.... Anyway, you get the point: _threat_model_
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 7:00 pm    Post subject: Reply with quote

szatox wrote:
G3nt00 wrote:
Ah. I hear you. However I don't feel security is the strong-point here...
Yeah, so?
it's a public forum. What's the worst thing that could happen? Russian hackers stealing your posts instead of just taking them for free?
Or is China the big bad guy now? Funny that USA keeps flying under the radar.... Anyway, you get the point: _threat_model_

Why even bother trying to debate? I rest my case now.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22625

PostPosted: Sun Apr 16, 2023 7:21 pm    Post subject: Reply with quote

Although szatox's tone was flippant, the point is sound. Before you can argue that security is too strong or too weak, you must define your threat model, so that we can discuss whether the proposed security is appropriate to counter the perceived threat (which includes discussing whether the perceived threat is realistic enough to justify the proposed security).

To elaborate on szatox's point, I see these things as being "of value" in stealing an account:
  • Ability to post as that user, leveraging that user's reputation to potentially mislead others
  • Ability to deface prior posts by that user
  • Ability to read that user's private messages
  • For privileged accounts, ability to use that privilege to deface posts by other users
These forums are readable anonymously and allow pseudonymous registration, so stealing an account has no value to someone who merely wants to read public posts here. Of those things of value, about which are you concerned? Who do you envision caring enough to bother stealing an account here? Your account is currently not privileged, so the last bullet point does not apply to an attack on your account.

I can recall only one account theft in the time I have been attentive to such things. It was never confirmed as a theft, but was suspected as such because a previously inactive account became active and started spamming, despite historically having been a legitimate contributor. The most likely explanation is that the legitimate owner lost control of the account, and the thief began abusing it to spam.
Back to top
View user's profile Send private message
G3nt00
Guru
Guru


Joined: 09 Apr 2023
Posts: 337

PostPosted: Sun Apr 16, 2023 8:20 pm    Post subject: Reply with quote

Hu wrote:
  • Ability to post as that user, leveraging that user's reputation to potentially mislead others
  • Ability to deface prior posts by that user
  • Ability to read that user's private messages
  • For privileged accounts, ability to use that privilege to deface posts by other users
These forums are readable anonymously and allow pseudonymous registration, so stealing an account has no value to someone who merely wants to read public posts here.

Of those things of value, about which are you concerned?

Well, as you say, my privilege level is not an issue, but all it takes is one slip with one account that has a higher one. I often hear "it has never happened before" in other discussions, and while that may be true, if something should happen, a firmer security model would surely help some at least. These days 2FA isn't exactly uncommon, but sure, it may be debatable what good it does if someone really is motivated, but then again, here? Probably not as you just explained. It just feels a little better to know that it at least should make it harder to gain access. I would feel very uncomfortable if someone posted stuff using my account for example. Or removed or changed old posts...

Anyways, it is what it is, I love the forum and all the great help and discussions it offers. 2FA was just a though that crossed my mind, now I know. :) Thanks
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum