public inbox for gentoo-dev@lists.gentoo.org

* [gentoo-dev] RFC: Gentoo Identity Provider
From: Alec Warner @ 2020-05-19  1:42 UTC
  To: Gentoo Dev


TL;DR: What if we launched id.gentoo.org, an identity provider that
provides authentication for Gentoo properties? Basically, 1 username /
password for wiki, bugs, email, forums, and any other http service[0][1].

Today Gentoo has numerous systems that mostly work in a segmented way.

 - To connect to hosts, we use ssh keys.
 - Git is authenticated via ssh keys.
 - Email uses LDAP passwords.
 - Bugzilla has its own identities, with their own passwords.
 - Wiki is separate, with its own passwords.
 - Forums are separate.
 - Infra has an additional 4 systems that use separate credentials.

Some applications support 2FA (such as wiki.)
Some applications do not support 2FA.
Applications that require 2FA have a configuration for each app, so you
have N configurations.

If we configured id.gentoo.org you would have 1 identity across all gentoo
properties.

Is this a thing people are interested in?

[0] It's unlikely operations for git via ssh would change in this rollout.
[1] It's unclear if the scope is "gentoo developers" or "any community
member." The former have LDAP accounts and @gentoo.org email addresses and
so we can manage them easily; managing 1000s of other accounts in the IDP
remains to be seen.


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Fabian Groffen @ 2020-05-19  6:09 UTC
  To: Gentoo Dev


On 18-05-2020 18:42:24 -0700, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org[1], an identity provider that provides
> authentication for Gentoo properties? Basically, 1 username / password for wiki,
> bugs, email, forums, and any other http service[0][1].

I'd be in favour of SSO for all http-, imap- and smtp-based Gentoo services.

Thanks,
Fabian

> 
> Today Gentoo has numerous systems that mostly work in a segmented way.
> 
>  - To connect to hosts, we use ssh keys.
>  - Git is authenticated via ssh keys.
>  - Email uses LDAP passwords.
>  - Bugzilla has its own identities, with their own passwords.
>  - Wiki is separate, with its own passwords.
>  - Forums are separate.
>  - Infra has an additional 4 systems that use separate credentials.
> 
> Some applications support 2FA (such as wiki.)
> Some applications do not support 2FA.
> Applications that require 2FA have a configuration for each app, so you have N
> configurations.
> 
> If we configured id.gentoo.org[2] you would have 1 identity across all gentoo
> properties.
> 
> Is this a thing people are interested in?
>  
> [0] It's unlikely operations for git via ssh would change in this rollout.
> [1] It's unclear if the scope is "gentoo developers" or "any community member."
> The former have LDAP accounts and @gentoo.org[3] email addresses and so we can
> manage them easily; managing 1000s of other accounts in the IDP remains to be
> seen.
> 
> 
> References
>    1. http://id.gentoo.org
>    2. http://id.gentoo.org
>    3. http://gentoo.org

-- 
Fabian Groffen
Gentoo on a different level


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Michał Górny @ 2020-05-19  6:47 UTC
  To: gentoo-dev


On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org, an identity provider that
> provides authentication for Gentoo properties? Basically, 1 username /
> password for wiki, bugs, email, forums, and any other http service[0][1].
> 
> Today Gentoo has numerous systems that mostly work in a segmented way.
> 
>  - To connect to hosts, we use ssh keys.
>  - Git is authenticated via ssh keys.
>  - Email uses LDAP passwords.
>  - Bugzilla has its own identities, with their own passwords.
>  - Wiki is separate, with its own passwords.
>  - Forums are separate.
>  - Infra has an additional 4 systems that use separate credentials.
> 
> Some applications support 2FA (such as wiki.)
> Some applications do not support 2FA.
> Applications that require 2FA have a configuration for each app, so you
> have N configurations.
> 
> If we configured id.gentoo.org you would have 1 identity across all gentoo
> properties.
> 
> Is this a thing people are interested in?
> 

What a coincidence I've just archived our old identity.gentoo.org [1]
project.  And yes, we almost had this back in 2013 but Infra failed to
deploy, and it was claimed obsolete by the time I joined Infra.

Do you have any specific solution in mind?

[1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/


-- 
Best regards,
Michał Górny



* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Azamat Hackimov @ 2020-05-19  7:35 UTC
  To: gentoo-dev

Tue, 19 May 2020 at 09:47, Michał Górny <mgorny@gentoo.org>:
>
> On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > provides authentication for Gentoo properties? Basically, 1 username /
> > password for wiki, bugs, email, forums, and any other http service[0][1].
> >
> > Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> >  - To connect to hosts, we use ssh keys.
> >  - Git is authenticated via ssh keys.
> >  - Email uses LDAP passwords.
> >  - Bugzilla has its own identities, with their own passwords.
> >  - Wiki is separate, with its own passwords.
> >  - Forums are separate.
> >  - Infra has an additional 4 systems that use separate credentials.
> >
> > Some applications support 2FA (such as wiki.)
> > Some applications do not support 2FA.
> > Applications that require 2FA have a configuration for each app, so you
> > have N configurations.
> >
> > If we configured id.gentoo.org you would have 1 identity across all gentoo
> > properties.
> >
> > Is this a thing people are interested in?
> >
>
> What a coincidence I've just archived our old identity.gentoo.org [1]
> project.  And yes, we almost had this back in 2013 but Infra failed to
> deploy, and it was claimed obsolete by the time I joined Infra.
>
> Do you have any specific solution in mind?
>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
>
> --
> Best regards,
> Michał Górny
>

Hi there.

Maybe better to try something already stable, like KeyCloak [1]? It seems
all that you need (OpenID, LDAP, SAML2, external Identity Providers
via OpenID) is already implemented.

[1] https://www.keycloak.org/

-- 
From Siberia with Love!



* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Joonas Niilola @ 2020-05-19  8:00 UTC
  To: gentoo-dev




On 5/19/20 4:42 AM, Alec Warner wrote:
> TL;DR: What if we launched id.gentoo.org <http://id.gentoo.org>, an
> identity provider that provides authentication for Gentoo properties?
> Basically, 1 username / password for wiki, bugs, email, forums, and
> any other http service[0][1].
>
>
> Is this a thing people are interested in?
>  
>
Sounds good to me.

-- juippis



* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Lars Wendler @ 2020-05-19  8:23 UTC
  To: Alec Warner; +Cc: gentoo-dev


Hi Alec,

On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:

>TL;DR: What if we launched id.gentoo.org, an identity provider that
>provides authentication for Gentoo properties? Basically, 1 username /
>password for wiki, bugs, email, forums, and any other http
>service[0][1].
>
>Today Gentoo has numerous systems that mostly work in a segmented way.
>
> - To connect to hosts, we use ssh keys.
> - Git is authenticated via ssh keys.
> - Email uses LDAP passwords.
> - Bugzilla has its own identities, with their own passwords.
> - Wiki is separate, with its own passwords.
> - Forums are separate.
> - Infra has an additional 4 systems that use separate credentials.
>
>Some applications support 2FA (such as wiki.)
>Some applications do not support 2FA.
>Applications that require 2FA have a configuration for each app, so you
>have N configurations.
>
>If we configured id.gentoo.org you would have 1 identity across all
>gentoo properties.
>
>Is this a thing people are interested in?
>
>[0] It's unlikely operations for git via ssh would change in this
>rollout. [1] It's unclear if the scope is "gentoo developers" or "any
>community member." The former have LDAP accounts and @gentoo.org email
>addresses and so we can manage them easily; managing 1000s of other
>accounts in the IDP remains to be seen.

In case 2FA won't be mandatory I find this a good idea.

Kind regards
-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Samuel Bernardo @ 2020-05-19 12:46 UTC
  To: gentoo-dev



On 5/19/20 7:47 AM, Michał Górny wrote:
> Do you have any specific solution in mind?
>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/

I would suggest for SSO an implementation like the following with LDAP
provider:

https://github.com/Luzifer/nginx-sso/wiki/Auth-Provider-Configuration




* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Alec Warner @ 2020-05-20  7:14 UTC
  To: Gentoo Dev


On Mon, May 18, 2020 at 11:47 PM Michał Górny <mgorny@gentoo.org> wrote:

> On Mon, 2020-05-18 at 18:42 -0700, Alec Warner wrote:
> > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > provides authentication for Gentoo properties? Basically, 1 username /
> > password for wiki, bugs, email, forums, and any other http service[0][1].
> >
> > Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> >  - To connect to hosts, we use ssh keys.
> >  - Git is authenticated via ssh keys.
> >  - Email uses LDAP passwords.
> >  - Bugzilla has its own identities, with their own passwords.
> >  - Wiki is separate, with its own passwords.
> >  - Forums are separate.
> >  - Infra has an additional 4 systems that use separate credentials.
> >
> > Some applications support 2FA (such as wiki.)
> > Some applications do not support 2FA.
> > Applications that require 2FA have a configuration for each app, so you
> > have N configurations.
> >
> > If we configured id.gentoo.org you would have 1 identity across all
> gentoo
> > properties.
> >
> > Is this a thing people are interested in?
> >
>
> What a coincidence I've just archived our old identity.gentoo.org [1]
> project.  And yes, we almost had this back in 2013 but Infra failed to
> deploy, and it was claimed obsolete by the time I joined Infra.
>
> Do you have any specific solution in mind?
>

Currently we have a standalone keycloak install with LDAP user federation.
We are looking to do a domain installation for redundancy purposes.
Our existing LDAP infrastructure for example (which few services use for
Auth) has at least 3 replicas.

-A


>
> [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
>
> --
> Best regards,
> Michał Górny
>
>


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Alec Warner @ 2020-05-20  7:21 UTC
  To: Lars Wendler; +Cc: Gentoo Dev


On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomial-c@gentoo.org>
wrote:

> Hi Alec,
>
> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
>
> >TL;DR: What if we launched id.gentoo.org, an identity provider that
> >provides authentication for Gentoo properties? Basically, 1 username /
> >password for wiki, bugs, email, forums, and any other http
> >service[0][1].
> >
> >Today Gentoo has numerous systems that mostly work in a segmented way.
> >
> > - To connect to hosts, we use ssh keys.
> > - Git is authenticated via ssh keys.
> > - Email uses LDAP passwords.
> > - Bugzilla has its own identities, with their own passwords.
> > - Wiki is separate, with its own passwords.
> > - Forums are separate.
> > - Infra has an additional 4 systems that use separate credentials.
> >
> >Some applications support 2FA (such as wiki.)
> >Some applications do not support 2FA.
> >Applications that require 2FA have a configuration for each app, so you
> >have N configurations.
> >
> >If we configured id.gentoo.org you would have 1 identity across all
> >gentoo properties.
> >
> >Is this a thing people are interested in?
> >
> >[0] It's unlikely operations for git via ssh would change in this
> >rollout. [1] It's unclear if the scope is "gentoo developers" or "any
> >community member." The former have LDAP accounts and @gentoo.org email
> >addresses and so we can manage them easily; managing 1000s of other
> >accounts in the IDP remains to be seen.
>
> In case 2FA won't be mandatory I find this a good idea.
>

2FA is definitely a reason to deploy software like keycloak, but in the
first rollout I don't expect to enforce 2FA. Ideally we would deploy the
U2F support in keycloak and then, similar to our earlier program, offer
discounted or free u2f devices for Gentoo developers; this would likely be
on a 1-2 year timeframe.

Is there some reason you don't want to use 2FA?

-A


>
> Kind regards
> --
> Lars Wendler
> Gentoo package maintainer
> GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39
>


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Michał Górny @ 2020-05-20  7:25 UTC
  To: gentoo-dev, Lars Wendler


On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomial-c@gentoo.org>
> wrote:
> 
> > Hi Alec,
> > 
> > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > 
> > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > provides authentication for Gentoo properties? Basically, 1 username /
> > > password for wiki, bugs, email, forums, and any other http
> > > service[0][1].
> > > 
> > > Today Gentoo has numerous systems that mostly work in a segmented way.
> > > 
> > > - To connect to hosts, we use ssh keys.
> > > - Git is authenticated via ssh keys.
> > > - Email uses LDAP passwords.
> > > - Bugzilla has its own identities, with their own passwords.
> > > - Wiki is separate, with its own passwords.
> > > - Forums are separate.
> > > - Infra has an additional 4 systems that use separate credentials.
> > > 
> > > Some applications support 2FA (such as wiki.)
> > > Some applications do not support 2FA.
> > > Applications that require 2FA have a configuration for each app, so you
> > > have N configurations.
> > > 
> > > If we configured id.gentoo.org you would have 1 identity across all
> > > gentoo properties.
> > > 
> > > Is this a thing people are interested in?
> > > 
> > > [0] It's unlikely operations for git via ssh would change in this
> > > rollout. [1] It's unclear if the scope is "gentoo developers" or "any
> > > community member." The former have LDAP accounts and @gentoo.org email
> > > addresses and so we can manage them easily; managing 1000s of other
> > > accounts in the IDP remains to be seen.
> > 
> > In case 2FA won't be mandatory I find this a good idea.
> > 
> 
> 2FA is definitely a reason to deploy software like keycloak, but in the
> first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> U2F support in keycloak and then, similar to our earlier program, offer
> discounted or free u2f devices for Gentoo developers; this would likely be
> on a 1-2 year timeframe.
> 
> Is there some reason you don't want to use 2FA?
> 

I myself would find 2FA bothersome for low importance services.  Whether
it's U2F or OTP, I would generally find it silly to have to carry
the hardware/software on me all the time or even use it when it's laying
right next to me, say, just to approve a comment on a blog.

But I guess if we go for SSO, it becomes a necessity to better protect
our passwords.

-- 
Best regards,
Michał Górny



* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Lars Wendler @ 2020-05-20  7:40 UTC
  To: Alec Warner; +Cc: Gentoo Dev


On Wed, 20 May 2020 00:21:37 -0700 Alec Warner wrote:

>On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomial-c@gentoo.org>
>wrote:
>
>> Hi Alec,
>>
>> On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
>>
>> >TL;DR: What if we launched id.gentoo.org, an identity provider that
>> >provides authentication for Gentoo properties? Basically, 1
>> >username / password for wiki, bugs, email, forums, and any other
>> >http service[0][1].
>> >
>> >Today Gentoo has numerous systems that mostly work in a segmented
>> >way.
>> >
>> > - To connect to hosts, we use ssh keys.
>> > - Git is authenticated via ssh keys.
>> > - Email uses LDAP passwords.
>> > - Bugzilla has its own identities, with their own passwords.
>> > - Wiki is separate, with its own passwords.
>> > - Forums are separate.
>> > - Infra has an additional 4 systems that use separate credentials.
>> >
>> >Some applications support 2FA (such as wiki.)
>> >Some applications do not support 2FA.
>> >Applications that require 2FA have a configuration for each app, so
>> >you have N configurations.
>> >
>> >If we configured id.gentoo.org you would have 1 identity across all
>> >gentoo properties.
>> >
>> >Is this a thing people are interested in?
>> >
>> >[0] It's unlikely operations for git via ssh would change in this
>> >rollout. [1] It's unclear if the scope is "gentoo developers" or "any
>> >community member." The former have LDAP accounts and @gentoo.org
>> >email addresses and so we can manage them easily; managing 1000s of
>> >other accounts in the IDP remains to be seen.
>>
>> In case 2FA won't be mandatory I find this a good idea.
>>
>
>2FA is definitely a reason to deploy software like keycloak, but in the
>first rollout I don't expect to enforce 2FA. Ideally we would deploy
>the U2F support in keycloak and then, similar to our earlier program,
>offer discounted or free u2f devices for Gentoo developers; this would
>likely be on a 1-2 year timeframe.
>
>Is there some reason you don't want to use 2FA?
>
>-A

Well, I haven't found any 2FA solution that isn't a PITA to use.
Especially Nitrokey is not easily usable for 2FA. And having some OTP
or U2F software on my mobile phone is a no-go.
I know about the value of 2FA and I use it in some places, but I don't
find it to be the perfect solution for everything.

>>
>> Kind regards
>> --
>> Lars Wendler
>> Gentoo package maintainer
>> GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39
>>


Cheers
-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Alec Warner @ 2020-05-20  7:59 UTC
  To: Gentoo Dev; +Cc: Lars Wendler


On Wed, May 20, 2020 at 12:26 AM Michał Górny <mgorny@gentoo.org> wrote:

> On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> > On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomial-c@gentoo.org>
> > wrote:
> >
> > > Hi Alec,
> > >
> > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > >
> > > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > > provides authentication for Gentoo properties? Basically, 1 username
> /
> > > > password for wiki, bugs, email, forums, and any other http
> > > > service[0][1].
> > > >
> > > > Today Gentoo has numerous systems that mostly work in a segmented
> way.
> > > >
> > > > - To connect to hosts, we use ssh keys.
> > > > - Git is authenticated via ssh keys.
> > > > - Email uses LDAP passwords.
> > > > - Bugzilla has its own identities, with their own passwords.
> > > > - Wiki is separate, with its own passwords.
> > > > - Forums are separate.
> > > > - Infra has an additional 4 systems that use separate credentials.
> > > >
> > > > Some applications support 2FA (such as wiki.)
> > > > Some applications do not support 2FA.
> > > > Applications that require 2FA have a configuration for each app, so
> you
> > > > have N configurations.
> > > >
> > > > If we configured id.gentoo.org you would have 1 identity across all
> > > > gentoo properties.
> > > >
> > > > Is this a thing people are interested in?
> > > >
> > > > [0] It's unlikely operations for git via ssh would change in this
> > > > rollout. [1] It's unclear if the scope is "gentoo developers" or "any
> > > > community member." The former have LDAP accounts and @gentoo.org
> email
> > > > addresses and so we can manage them easily; managing 1000s of other
> > > > accounts in the IDP remains to be seen.
> > >
> > > In case 2FA won't be mandatory I find this a good idea.
> > >
> >
> > 2FA is definitely a reason to deploy software like keycloak, but in the
> > first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> > U2F support in keycloak and then, similar to our earlier program, offer
> > discounted or free u2f devices for Gentoo developers; this would likely
> be
> > on a 1-2 year timeframe.
> >
> > Is there some reason you don't want to use 2FA?
> >
>
> I myself would find 2FA bothersome for low importance services.  Whether
> it's U2F or OTP, I would generally find it silly to have to carry
> the hardware/software on me all the time or even use it when it's laying
> right next to me, say, just to approve a comment on a blog.
>
> But I guess if we go for SSO, it becomes a necessity to better protect
> our passwords.
>

I think each application, when it ends up integrating with keycloak, gets
to decide what security level the application wants; I think this leads to
flexibility for low-importance stuff. E.g. we may not need OTP for blogs,
or wiki. Obvious cases are apps like our AWS credentials (where theft means
financial harm for Gentoo) or the sso.gentoo.org itself (because you
probably want to require OTP to change your password, for example.)

The other common thing I've seen is some kind of longer-lived renewable
token that requires an OTP to get, but does not require an OTP to renew.
These are commonly things like "API keys" or other such credentials that
are scopeable (unlike a password) and revocable (e.g. you can go to
sso.gentoo.org and revoke your token.) This seems more common on mobile
where there is a 'setup' flow and maybe you do it once (at setup), or once
a month, or whatnot. This would mean you don't have to OTP all the time.

-A


> --
> Best regards,
> Michał Górny
>
>


* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Michał Górny @ 2020-05-20  9:18 UTC
  To: gentoo-dev; +Cc: Lars Wendler


On Wed, 2020-05-20 at 00:59 -0700, Alec Warner wrote:
> On Wed, May 20, 2020 at 12:26 AM Michał Górny <mgorny@gentoo.org> wrote:
> 
> > On Wed, 2020-05-20 at 00:21 -0700, Alec Warner wrote:
> > > On Tue, May 19, 2020 at 1:23 AM Lars Wendler <polynomial-c@gentoo.org>
> > > wrote:
> > > 
> > > > Hi Alec,
> > > > 
> > > > On Mon, 18 May 2020 18:42:24 -0700 Alec Warner wrote:
> > > > 
> > > > > TL;DR: What if we launched id.gentoo.org, an identity provider that
> > > > > provides authentication for Gentoo properties? Basically, 1 username
> > /
> > > > > password for wiki, bugs, email, forums, and any other http
> > > > > service[0][1].
> > > > > 
> > > > > Today Gentoo has numerous systems that mostly work in a segmented
> > way.
> > > > > - To connect to hosts, we use ssh keys.
> > > > > - Git is authenticated via ssh keys.
> > > > > - Email uses LDAP passwords.
> > > > > - Bugzilla has its own identities, with their own passwords.
> > > > > - Wiki is separate, with its own passwords.
> > > > > - Forums are separate.
> > > > > - Infra has an additional 4 systems that use separate credentials.
> > > > > 
> > > > > Some applications support 2FA (such as wiki.)
> > > > > Some applications do not support 2FA.
> > > > > Applications that require 2FA have a configuration for each app, so
> > you
> > > > > have N configurations.
> > > > > 
> > > > > If we configured id.gentoo.org you would have 1 identity across all
> > > > > gentoo properties.
> > > > > 
> > > > > Is this a thing people are interested in?
> > > > > 
> > > > > [0] It's unlikely operations for git via ssh would change in this
> > > > > rollout. [1] It's unclear if the scope is "gentoo developers" or "any
> > > > > community member." The former have LDAP accounts and @gentoo.org
> > email
> > > > > addresses and so we can manage them easily; managing 1000s of other
> > > > > accounts in the IDP remains to be seen.
> > > > 
> > > > In case 2FA won't be mandatory I find this a good idea.
> > > > 
> > > 
> > > 2FA is definitely a reason to deploy software like keycloak, but in the
> > > first rollout I don't expect to enforce 2FA. Ideally we would deploy the
> > > U2F support in keycloak and then, similar to our earlier program, offer
> > > discounted or free u2f devices for Gentoo developers; this would likely
> > be
> > > on a 1-2 year timeframe.
> > > 
> > > Is there some reason you don't want to use 2FA?
> > > 
> > 
> > I myself would find 2FA bothersome for low importance services.  Whether
> > it's U2F or OTP, I would generally find it silly to have to carry
> > the hardware/software on me all the time or even use it when it's laying
> > right next to me, say, just to approve a comment on a blog.
> > 
> > But I guess if we go for SSO, it becomes a necessity to better protect
> > our passwords.
> > 
> 
> I think each application, when it ends up integrating with keycloak, gets
> to decide what security level the application wants; I think this leads to
> flexibility for low-importance stuff. E.g. we may not need OTP for blogs,
> or wiki. Obvious cases are apps like our AWS credentials (where theft means
> financial harm for Gentoo) or the sso.gentoo.org itself (because you
> probably want to require OTP to change your password, for example.)
> 

This is only going to work if you can have multiple passwords per
security level.  Otherwise, a low-level login could be used to guess
your password, then a separate attack against the second factor could be
devised.

Of course, I'm assuming that 2FA is implemented properly here, without
giving tips about each factor separately.

-- 
Best regards,
Michał Górny
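Added example (not code from the thread, from Gentoo infra or from Keycloak): a small Python model of the two mechanisms discussed in the last few messages, per-application assurance levels with step-up, and the token Alec describes that needs an OTP to obtain but not to renew and is scoped and revocable, together with the failure mode Michał raises. The application names, the counter-based HOTP second factor (standing in for U2F/OTP, with no look-ahead window), the 30-day token lifetime and the lockout threshold are all assumptions of the example. Because the password is the one factor shared by every level, the example treats the password-only login as a guessing surface: it applies a lockout before checking anything, and it returns the same error whichever factor failed, so the response gives no per-factor hint.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Assurance level each application demands (constructed, hypothetical names):
# 1 = password only, 2 = password plus a second factor.
APP_LEVEL = {"blog": 1, "wiki": 1, "aws-console": 2, "sso-password-change": 2}
TOKEN_TTL = 30 * 86400   # assumed: seconds a renewable token lives between renewals
LOCKOUT_THRESHOLD = 5    # assumed: consecutive failures before logins are refused

class AuthFailed(Exception): pass       # generic: never says which factor failed
class StepUpRequired(Exception): pass   # session level below the app's demand

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Session:
    user: str
    level: int  # 1 after password only, 2 after password + OTP

@dataclass
class Token:
    user: str
    scope: str
    expires_at: int
    revoked: bool = False

class IdP:
    def __init__(self):
        self.users = {}     # user -> salt, password hash, OTP secret and counter
        self.failures = {}  # user -> consecutive failed logins
        self.tokens = {}    # token id -> Token

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, otp_secret):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt),
                            "otp_secret": otp_secret, "otp_counter": 0}

    def login(self, user, password, otp=None):
        rec = self.users.get(user)
        # Lockout is checked first: the password is the factor shared by every
        # level, so the password-only login must not be a guessing oracle.
        if rec is None or self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            raise AuthFailed("bad credentials")
        pw_ok = hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"])
        # Both factors are evaluated before deciding and the error is identical,
        # so the response does not say which factor was wrong.
        otp_ok = otp is None or hmac.compare_digest(
            otp, hotp(rec["otp_secret"], rec["otp_counter"]))
        if not (pw_ok and otp_ok):
            self.failures[user] = self.failures.get(user, 0) + 1
            raise AuthFailed("bad credentials")
        self.failures[user] = 0
        if otp is None:
            return Session(user, level=1)
        rec["otp_counter"] += 1  # consume the code so it cannot be replayed
        return Session(user, level=2)

    def access(self, session, app):
        """Each application decides its own level; lower sessions must step up."""
        if session.level < APP_LEVEL[app]:
            raise StepUpRequired(f"{app} requires level {APP_LEVEL[app]}")
        return True

    def issue_token(self, session, scope, now):
        """Obtaining a long-lived token requires the OTP-backed level."""
        if session.level < 2:
            raise StepUpRequired("OTP required to issue a token")
        tid = secrets.token_urlsafe(32)
        self.tokens[tid] = Token(session.user, scope, now + TOKEN_TTL)
        return tid

    def renew_token(self, tid, now):
        """Renewal needs no OTP, but an expired or revoked token stays dead."""
        t = self.tokens.get(tid)
        if t is None or t.revoked or now >= t.expires_at:
            raise AuthFailed("token not renewable")
        t.expires_at = now + TOKEN_TTL
        return t.expires_at

    def revoke_token(self, tid):
        self.tokens[tid].revoked = True

    def use_token(self, tid, scope, now):
        """A token works only for the scope it was issued for."""
        t = self.tokens.get(tid)
        return t is not None and not t.revoked and now < t.expires_at and t.scope == scope
```

The HOTP routine can be checked against the RFC 4226 test vector (secret 12345678901234567890, counter 0 yields 755224). Time is passed in as `now` rather than read from the clock so the token lifetime logic can be exercised deterministically; a real deployment would also rate-limit by source and alert on lockouts rather than only refusing logins.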



* Re: [gentoo-dev] RFC: Gentoo Identity Provider
From: Alec Warner @ 2020-05-22  1:53 UTC
  To: Gentoo Dev


On Tue, May 19, 2020 at 5:46 AM Samuel Bernardo <
samuelbernardo.mail@gmail.com> wrote:

> On 5/19/20 7:47 AM, Michał Górny wrote:
> > Do you have any specific solution in mind?
> >
> > [1] https://gitweb.gentoo.org/archive/proj/identity.gentoo.org.git/
>
> I would suggest for SSO an implementation like the following with LDAP
> provider:
>
> https://github.com/Luzifer/nginx-sso/wiki/Auth-Provider-Configuration


Thanks for pointing this out; we might use it for legacy apps that don't
have solid saml / openid integration.
I want to link it against keycloak though because LDAP doesn't support
newer auth standards like u2f.

-A

