Require 2FA for all committers

[grahamc]

The Gentoo GitHub organization was hacked due to a password being leaked. We will be requiring 2FA on July 6. If your account does not have 2FA configured by that time, you will no longer have the ability to merge pull requests or push to the NixOS organization.

Once you have enabled 2FA please check the box next to your account.

If you miss the July 6 deadline, we can reinstate your access after you enable 2FA -- contact us.

Reference documentation:

• https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
• https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/

Applications:

• Google Authenticator
• Authy
• Duo Security
• FreeOTP+ on F-Droid
• pass-otp
• gopass

Hardware

If you have a FIDO / U2F token, you can use it with GitHub:

  hardware.u2f.enable = true;

and either use Google Chrome, or firefox-devedition-bin (firefox stable doesn't yet support u2f totally.) If you use firefox, visit about:config, search for security.webauth.u2f, and toggle it to true for it to work.

Accounts to go

• @antono
• @astsmtl
• @bluescreen303
• @c0bw3b
• @civodul
• @cstrahan
• @edwtjo
• @errge
• @gridaphobe
• @lethalman
• @maggesi
• @mornfall
• @MP2E
• @obadz
• @Phreedom
• @qknight

Completed

• @7c6f434c
• @AndersonTorres
• @armijnhemel
• @aszlig
• @bendlas
• @bennofs
• @chaoflow
• @cpages
• @dezgeg
• @dtzWill
• @falsifian
• @FRidh
• @gebner
• @GrahamcOfBorg
• @matejc
• @matthewbauer
• @nckx
• @nlewo
• @ocharles
• @peterhoeg
• @peti
• @rickynils
• @svanderburg
• @ts468
• @viric
• @vrthra
• @amiddelk
• @aristidb
• @bjornfor
• @pikajude
• @rushmorem
• @ttuegel
• @vbgl

Accounts to remove

• @DamienCassou: not maintaining nixpkgs anymore
• @amiddelk: not maintaining nixpkgs anymore

[grahamc]

(Ping @vbgl @viric @vrthra who I couldn't ping in the issue description due to a 50 ping limit)

[viric]

I'm using FreeOTP+ in F-Droid. Fine.

[7c6f434c]

I chose One-TimePass from F-Droid. Also installed command-line oathToolkit.

Observation. Recovery codes that are recommended to save in password manager mean that the recommended setup is almost equivalent to random passwords in password manager, but probably also breaks phishing. So keeping it on the same device but not giving the browser UID access to the secret doesn't lose any security in realistic scenatios.

[armijnhemel]

I am trying to check the box next to my name as requested, but I can't. Anyway, I set up 2FA for my account.

[7c6f434c]

Well, it's not like GitHub has access to any technology that handles any merges, I guess it lost the lock race to my edit. I was indeed able to check your box.

[7c6f434c]

Hm. And the commit tokens are better than passwords (also random data stored in password manager and allowing commit access to all repos) because git doesn't literally send password to server as plaintext, and that's all?

[7c6f434c]

(speaking of new-user checklist and «contact us») and this use of first-person plural in «contact us» means that you are also now a person who can manage the member list?

[grahamc]

I can't manage the member list, but I know a guy :)

re commit tokens, I recommend using (encrypted) SSH keys of course.

All new users will be required to have 2FA enabled and after July 6 GitHub won't let us add new users who don't have 2FA enabled.

[7c6f434c]

SSH keys are not that different from tokens unless you consider algorithm attacks…

[AndersonTorres]

2FA updated here, ok!

[andrew-d]

How do I get commit access without having a smartphone now?

If you weren't aware, GitHub supports U2F - you can buy a fairly cheap one for about $9 on Amazon and use it without a smartphone. Firefox also supports U2F now, so you're not required to use Chrome.

Additionally, while I agree that requiring two-person sign-off is by far the better solution, using 2FA provides a non-negligible security benefit for the vast majority of committers who may reuse passwords, or that have malware that's not sophisticated enough to also exfiltrate 2FA seeds. It raises the bar to attack NixOS committers, so I personally am 👍 to the proposal.

[samueldr]

You might need a QR-code reader

It isn't necessary, as github can also provide the alternate text-based methods to seed the TOTP.

[vcunat]

The point is to have at least some second factor. Most phones surely aren't terribly hard to compromise as well, but two different factors are just harder than one. If you want even better security cheaply, I suppose you'd go for a U2F token. AFAIK the second factor is only used once a very long time on each device, so it should normally be not much extra hassle. It has worked well for me for a long time and on multiple providers (not just GitHub).

[oxij]

@aszlig Turns out there's also https://github.com/tadfisher/pass-otp that does all the `oathToolkit` and `zbar` magic already. Packaged in `nixpkgs` too.

[aszlig]

@7c6f434c: Okay, then let me rephrase: You can disable HTTPS push access for your account by not generating a personal access token and enabling 2FA.

[grahamc]

I've marked most of the previous conversation as "Off Topic" due to some FUD around requirements, and to reduce confusion on this important and high-traffic issue.

[oxij]

@grahamc

I've marked most of the previous conversation as "Off Topic" due to some FUD around requirements, and to reduce confusion on this important and high-traffic issue.

I'm over the fact that most of my substantial comments on policy are usually "off-topic". But how is #42761 (comment) by @orivej and the discussion of tools is offtopic? What I see is that everything that wasn't clearly 👍 on the issue was marked as off-topic. Very impartial.

[aszlig]

I'm adding this for reference for others: Another alternative to pass-otp would be gopass, which can use the existing pass store tree format and has TOTP/HOTP-support.

[grahamc]

@orivej I believe your alter-ego @orivej-nixos has been added now.

Reminder to the following accounts about the July 6 deadline:

@amiddelk, @antono, @aristidb, @astsmtl, @bjornfor, @bluescreen303, @c0bw3b, @civodul, @cstrahan, @edwtjo, @errge, @gridaphobe, @lethalman, @maggesi, @mornfall, @MP2E, @obadz, @Phreedom, @pikajude, @qknight, @roconnor, @rushmorem, @ttuegel, @vbgl

[grahamc]

Note: I've added documentation on how to use a U2F hardware token for 2FA on NixOS: #42761

[7c6f434c]

Maybe also add pass-otp to the list?

[grahamc]

We're getting close to the cut-off, and we remain with the following people:

@amiddelk, @antono, @astsmtl, @bluescreen303, @c0bw3b, @civodul, @cstrahan, @edwtjo, @errge, @gridaphobe, @lethalman, @maggesi, @mornfall, @MP2E, @obadz, @Phreedom, @qknight

I've emailed everybody but @c0bw3b and @mornfall since I couldn't find email addresses for them.

Update: @edwtjo's email bounced.

Update: I've just now emailed @c0bw3b, after @Profpatsch pointed out I can find their email in the maintainers file.

[tadfisher]

U2F works in Firefox since commit 9595dc5, actually, thanks to @tadfisher.

That pass-otp tool by @tadfisher works pretty well too. I should buy him a beer.

[c0bw3b]

@grahamc 2FA now enabled on my account.
I checked my nickname on your list above.

[grahamc]

✔️ done! thank you, everyone!

[cstrahan]

@grahamc I've enabled 2FA -- could I be re-added to the org, please?

[edolstra]

@cstrahan Done.