G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sat Apr 15, 2023 6:54 pm Post subject: 2FA configuration?
Hi,
I miss 2 factor authentication, or have I just not looked thoroughly enough? If not yet, is it planned? If not, why?
Thanks

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54572 Location: 56N 3W
Posted: Sat Apr 15, 2023 7:19 pm
G3nt00,
Hardware keys work. What did you have in mind for a second factor?
Anything any other distro can do, Gentoo can do too.
You only need to tell it how. Someone has to be first, if it's you please contribute a Wiki page.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 3:36 am
NeddySeagoon wrote: | G3nt00,
Hardware keys work. What did you have in mind for a second factor?
Anything any other distro can do, Gentoo can do too.
You only need to tell it how. |
Very true, I have the Yubikeys configured in Gentoo. But this category is dedicated to the forum, no? I was hoping I could add 2FA to my login here too. Most forums do these days, and even if false security, it is at least one more barrier to cross before gaining access...
NeddySeagoon wrote: |
Someone has to be first, if it's you please contribute a Wiki page. |
For sure. When/if I do something I feel can benefit others I will pay it forward. I have gotten so much great help and want to contribute where/when I can.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54572 Location: 56N 3W
Posted: Sun Apr 16, 2023 10:57 am
G3nt00,
The forums do not support 2FA. The code base in use is phpBB-2.0.23 from 2002.
Maybe phpBB-3 will?

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 11:15 am
NeddySeagoon wrote: | G3nt00,
The forums do not support 2FA. The code base in use is phpBB-2.0.23 from 2002.
Maybe phpBB-3 will? |
I figured as much. Will the forum be upgraded anytime soon you think?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54572 Location: 56N 3W
Posted: Sun Apr 16, 2023 11:33 am
G3nt00,
I don't think it will happen until -infra are forced to update the php version that the forums depend on.

szatox Advocate
Joined: 27 Aug 2013 Posts: 3404
Posted: Sun Apr 16, 2023 11:34 am
Not until its bits rot to the point it starts falling apart under its own weight

pietinger Moderator
Joined: 17 Oct 2006 Posts: 5036 Location: Bavaria
Posted: Sun Apr 16, 2023 11:37 am
szatox wrote: | Not until its bits rot to the point it starts falling apart under its own weight |
Never change a winning team ... ahhm ... a running system !

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 11:46 am
Ah. I hear you. However I don't feel security is the strong-point here... I am not suggesting keeping everything top-notch all the time, but this is a somewhat big thing. If I'm not mistaken I also think this grand system cut my wanted password in half more or less. But true; "If it ain't broke, don't fix it..." + "Unless, there is anything to gain from it." which there seems to be here. Keeping my hope up for it anyways. Who should I nag about it? (kidding)

Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
Posted: Sun Apr 16, 2023 4:17 pm
There was an attempt a few years ago to upgrade. I think it was never formally abandoned, but as you can see, neither has it been completed. I do not recall specifically why it is not done yet, but I suspect the issue is that the key volunteers are swamped with other higher priority tasks.

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 4:46 pm
Hu wrote: | ... the key volunteers are swamped with other higher priority tasks. |
I'd bet that is it. I reckon the upgrade in itself could be rather quick, but all preparations and testing prior and after is perhaps not that trivial, I get that.

szatox Advocate
Joined: 27 Aug 2013 Posts: 3404
Posted: Sun Apr 16, 2023 6:12 pm
G3nt00 wrote: | Ah. I hear you. However I don't feel security is the strong-point here... |
Yeah, so?
It's a public forum. What's the worst thing that could happen? Russian hackers stealing your posts instead of just taking them for free?
Or is China the big bad guy now? Funny that USA keeps flying under the radar.... Anyway, you get the point: _threat_model_

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 7:00 pm
szatox wrote: | G3nt00 wrote: | Ah. I hear you. However I don't feel security is the strong-point here... | Yeah, so?
it's a public forum. What's the worst thing that could happen? Russian hackers stealing your posts instead of just taking them for free?
Or is China the big bad guy now? Funny that USA keeps flying under the radar.... Anyway, you get the point: _threat_model_ |
Why even bother trying to debate? I rest my case now.

Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
Posted: Sun Apr 16, 2023 7:21 pm
Although szatox's tone was flippant, the point is sound. Before you can argue that security is too strong or too weak, you must define your threat model, so that we can discuss whether the proposed security is appropriate to counter the perceived threat (which includes discussing whether the perceived threat is realistic enough to justify the proposed security).
To elaborate on szatox's point, I see these things as being "of value" in stealing an account:
- Ability to post as that user, leveraging that user's reputation to potentially mislead others
- Ability to deface prior posts by that user
- Ability to read that user's private messages
- For privileged accounts, ability to use that privilege to deface posts by other users
These forums are readable anonymously and allow pseudonymous registration, so stealing an account has no value to someone who merely wants to read public posts here. Of those things of value, about which are you concerned? Who do you envision caring enough to bother stealing an account here? Your account is currently not privileged, so the last bullet point does not apply to an attack on your account.
I can recall only one account theft in the time I have been attentive to such things. It was never confirmed as a theft, but was suspected as such because a previously inactive account became active and started spamming, despite historically having been a legitimate contributor. The most likely explanation is that the legitimate owner lost control of the account, and the thief began abusing it to spam.

G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
Posted: Sun Apr 16, 2023 8:20 pm
Hu wrote: | - Ability to post as that user, leveraging that user's reputation to potentially mislead others
- Ability to deface prior posts by that user
- Ability to read that user's private messages
- For privileged accounts, ability to use that privilege to deface posts by other users
These forums are readable anonymously and allow pseudonymous registration, so stealing an account has no value to someone who merely wants to read public posts here.
Of those things of value, about which are you concerned? |
Well, as you say, my privilege level is not an issue, but all it takes is one slip with one account that has a higher one. I often hear "it has never happened before" in other discussions, and while that may be true, if something should happen, a firmer security model would surely help some at least. These days 2FA isn't exactly uncommon, but sure, it may be debatable what good it does if someone really is motivated, but then again, here? Probably not as you just explained. It just feels a little better to know that it at least should make it harder to gain access. I would feel very uncomfortable if someone posted stuff using my account for example. Or removed or changed old posts...
Anyways, it is what it is, I love the forum and all the great help and discussions it offers. 2FA was just a thought that crossed my mind, now I know. Thanks