2FA (Two Factor Authentication) -> TOTP (Time-limited One-Time Password)

Many sites are trying to tighten up security, for good reason.

I access GitHub and GitLab using SSH. I think that that is unaffected because SSH Public Key Cryptosystem is secure in a way that password systems are not. But I also want to github them via the HTTPS interface.

GitHub is forcing me to go to TOTP for 2FA next month to access their web interface. (ssh ought to continue working since its authentication is solid.) Sadly, I know little about TOTP. Sites try to make it so easy that it is hard to understand what they want.

There is a strong push to put The Thing (authenticator? Client?) on your mobile phone. I don't really want to because (1) I take my phone outside my house, and (2) my phone software isn't open source.

I want The Thing to run on my Linux desktop.

==> What do you guys do?

GNOME's "Software" program finds 3 programs:

OTPClient - most used - download size: 348.1 MB! Probably because it is a flatpak - when I run it it says "memlock value to low" <https://github.com/paolostivanin/OTPClient/wiki/Secure-Memory-Limitations> That suggests that you need to have a memlock limit greater than 67108864 KB (larger than 67 GB). That's the amount of memory that programs can lock into RAM. Nonsense: how many machines even have 67 GB of physical RAM, let alone RAM you want to dedicate to an accessory. The diagnostic seems to be a known error with the flatpak version <https://github.com/paolostivanin/OTPClient/issues/372> In fact, that points out multiple problems with the flatpak version, which is what I was delivered. ABANDON, with a comment. <https://github.com/paolostivanin/OTPClient/issues/384>

Authenticator - download size: only 32.8 MB

Numberstation - download size: only 28.4 KB. Python, I think.

EPIPHANY: I want a CLI-based Thing since I'd like to access it via SSH. So looking in the GNOME repos was a mistake.

To be continued...

On Sun, 27 Oct 2024 at 02:12, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
==> What do you guys do?
For GitHub, and any other site that supports one, I use a physical FIDO security key. (Mine's a Google Titan.) https://store.google.com/ca/product/titan_security_key

For TOTP on my PCs I use KeePassXC. On my Android devices I use Google Authenticator. I keep them all in sync so they generate the same codes, so I can use any one of them at any time. https://keepassxc.org/ https://play.google.com/store/apps/details?id=com.google.android.apps.authen...

-- Scott

On 10/27/24 9:14 AM, Scott Allen via talk wrote:
On Sun, 27 Oct 2024 at 02:12, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
==> What do you guys do? For GitHub, and any other site that supports one, I use a physical FIDO security key. (Mine's a Google Titan). https://store.google.com/ca/product/titan_security_key
For TOTP on my PCs I use KeePassXC. On my Android devices I use Google Authenticator. I keep them all in sync so they generate the same codes, so I can use any one of them at any time. https://keepassxc.org/ https://play.google.com/store/apps/details?id=com.google.android.apps.authen...
More questions on the same subject.

On FIDO keys: Is the Google Titan a completely stand alone device with a documented interface? For anybody in the know, are the Yubikey products standalone or tied to a service/proprietary interface?

On TOTP: I used Authy in the past because it worked on my Android devices along with my PC and even as an app in my browser. Now it only works on my phone. Not keen on ending up in the same place somewhere down the line with a new product.

I like the idea of a password manager but would like something that is Open Source and deployable directly on my system as opposed to a Flatpak or Snap. Any suggestions?

-- 
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

On Sun, 27 Oct 2024 at 10:10, Alvin Starr via talk <talk@gtalug.org> wrote:
On FIDO keys. Is the Google Titan a completely stand alone device with a documented interface? For anybody in the know are the Yubikey products standalone or tied to a service/proprietary interface?
Both are standalone and use the FIDO interface/standard. Some products from Yubikey support other protocols, as well. There are also other manufacturers of FIDO compatible keys. Google Titan keys (at least my older models) are actually made by Feitian Technologies. https://ftsafe.us/

Also, I have a Ledger Nano hardware cryptocurrency wallet. One of the apps available for it makes it behave as a FIDO key. https://shop.ledger.com/pages/hardware-wallet
I like the idea of a password manager but would like something that is Open Source and deployable directly on my system
KeePassXC is open source and there appears to be native compiles for many Linux distributions. I use the PPA for my Ubuntu systems. -- Scott

For CLI there are several scripts that generate the token given the key. I've seen Python and PHP scripts that do so. TOTP is a simple thing: basically they concatenate the key with the current timestamp rounded down to half a minute, take a hash and truncate to the last n digits. It's useful because if you reuse passwords and one service leaks them, an attacker cannot access other services that use the same password. You should never reuse passwords and should use a password manager, but it's another security factor. A hardware key is better but OTP is free. KeePassXC is a good password manager, and Bitwarden has a free option too.

On Sun, Oct 27, 2024, 11:37 Scott Allen via talk <talk@gtalug.org> wrote:
On Sun, 27 Oct 2024 at 10:10, Alvin Starr via talk <talk@gtalug.org> wrote:
On FIDO keys. Is the Google Titan a completely stand alone device with a documented interface? For anybody in the know are the Yubikey products standalone or tied to a service/proprietary interface?
Both are standalone and use the FIDO interface/standard. Some products from Yubikey support other protocols, as well.
There are also other manufacturers of FIDO compatible keys. Google Titan keys (at least my older models) are actually made by Feitian Technologies. https://ftsafe.us/
Also, I have a Ledger Nano hardware cryptocurrency wallet. One of the apps available for it makes it behave as a FIDO key. https://shop.ledger.com/pages/hardware-wallet
I like the idea of a password manager but would like something that is Open Source and deployable directly on my system
KeePassXC is open source and there appears to be native compiles for many Linux distributions. I use the PPA for my Ubuntu systems.
-- Scott
--- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
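As an added illustration that is not code from any message in this thread: a small, dependency-free Python implementation of TOTP as RFC 6238 and RFC 4226 specify it, which can be checked against the description of the algorithm above. It takes the enrolment string a site shows beside its QR code (an otpauth:// URI whose secret is base32), divides the Unix time into 30-second steps, runs the step counter through HMAC-SHA1, and dynamically truncates the result to 6 digits. It also includes the check the site performs on a submitted code: a one-step drift window, a constant-time comparison, and refusal to accept a step that has already been used. The sample URI and secret are constructed for illustration, and the function names (parse_otpauth, decode_secret, hotp, totp, verify, code_for_uri) are this example's own.

```python
# Added example, not code from any message in this thread.
# Minimal RFC 6238 TOTP (and RFC 4226 HOTP) generator plus the server-side
# check, using only the Python standard library.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Pull the secret and parameters out of an otpauth://totp/... URI, the
    text that a site's enrolment QR code encodes. Missing parameters take
    the defaults nearly every site uses (SHA1, 6 digits, 30-second step)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def decode_secret(b32):
    """Base32-decode the shared secret; sites often omit '=' padding and
    insert spaces for readability, so normalise before decoding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamic truncation:
    the low nibble of the last MAC byte picks a 4-byte window, whose 31-bit
    value modulo 10**digits is the code (zero-padded)."""
    h = getattr(hashlib, algorithm.lower())        # sha1 / sha256 / sha512
    mac = hmac.new(key, struct.pack(">Q", counter), h).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the HOTP counter is the Unix time divided by the step
    length, rounded down, so every code is valid for one whole step."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify(key, code, at=None, window=1, last_counter=-1,
           period=30, digits=6, algorithm="SHA1"):
    """What the site does with a submitted code: accept the current step and
    `window` steps either side (clock drift), compare in constant time, and
    never accept a step at or before the last one already used, so a code
    captured in transit cannot be replayed. Returns the matching counter
    (to store as the new last_counter) or None."""
    if at is None:
        at = time.time()
    current = int(at) // period
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits, algorithm), code):
            return counter
    return None


# Constructed enrolment URI; the secret is a well-known documentation value,
# not a real account's.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")


def code_for_uri(uri, at=None):
    """What a CLI authenticator prints: the current code for a stored URI."""
    p = parse_otpauth(uri)
    return totp(decode_secret(p["secret"]), at,
                p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    remaining = p["period"] - int(time.time()) % p["period"]
    print(f"{p['label']}: {code_for_uri(SAMPLE_URI)} (valid for {remaining}s)")
```

Run as a script it prints the current code for the sample URI, which is all a command-line authenticator has to do; the only thing worth protecting is the decoded key, which is why the otpauth string should live in an encrypted file rather than a plain one.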

On 2024-10-27 02:12, D. Hugh Redelmeier via talk wrote:
==> What do you guys do?
I've used a bunch of different tools, some listed by other folks in this thread. I have since migrated to pass and its ecosystem.

Pass is a command-line tool for managing passwords based on PGP-encrypted files. It integrates git for automatic version control. I then layer qtpass as a GUI when used with my Linux desktops. This is paired with the pass-otp extension to handle storage of TOTP secrets and generation of codes.

pass - https://www.passwordstore.org/
qtpass - https://qtpass.org/
pass-otp - https://github.com/tadfisher/pass-otp#readme

-- Scott Sullivan

On Sun, 27 Oct 2024 at 14:17, Scott Sullivan via talk <talk@gtalug.org> wrote:
On 2024-10-27 02:12, D. Hugh Redelmeier via talk wrote:
==> What do you guys do?
I've used a bunch of different tools, some listed by other folks in this thread.
I have since migrated to pass and its ecosystem.
Pass is a command-line tool for managing passwords based on PGP-encrypted files. It integrates git for automatic version control. I then layer qtpass as a GUI when used with my Linux desktops. This is paired with the pass-otp extension to handle storage of TOTP secrets and generation of codes.
pass - https://www.passwordstore.org/
qtpass - https://qtpass.org/
pass-otp - https://github.com/tadfisher/pass-otp#readme
-- Scott Sullivan
I'll second the recommendation for `pass`. It's a PITA to set up, but once set up it's excellent. You'll need to have a reasonably good handle on using GPG keys, because you need your own key and local GPG setup to encrypt/decrypt your secrets. `pass` can even handle multiple users, although setting that up is even more of a pain as you have to encrypt to multiple GPG keys - but it does work (did it at work for a year and a half).

All three packages Scott recommended are available in mainline Debian. I'll be investigating "pass-otp" just as soon as I have time - thanks for the recommendation.

-- 
Giles
https://www.gilesorr.com/
gilesorr@gmail.com

On Sun, 27 Oct 2024 02:12:26 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
Many sites are trying to tighten up security, for good reason.
this is something that has been happening forever :) the largest challenges have always been poor user habits and the many user-related failures. Poor site(s) protocols and systems have been the second largest thing and the other reasons all follow these two.
I access GitHub and GitLab using SSH. I think that that is unaffected because SSH Public Key Cryptosystem is secure in a way that password systems are not.
imnsho, not so much. There are quite a few differentials but the common ones are that the key sizes are usually much larger; anyway, depending on the attack vector(s), ssh brute force is a sub-optimal approach (even if you have access to x MM bot control), social/malw/etc is the easier way to get keys (but brute is not 'as' ruled out on keys, as many think they are)
But I also want to github them via the HTTPS interface.
GitHub is forcing me to go to TOTP for 2FA next month to access their web interface. (ssh ought to continue working since its authentication is solid). Sadly, I know little about TOTP. Sites try to make it so easy that it is hard to understand what they want.
it is important for Linux users to understand the reasons properly as the decisions tech peeps are making today will/may/could come back and bite the planet in very bad ways. imnsho, the main reasons are because on most 'secure' sites the 'users' of the 'sites' have issues because of user-type issues. very common issues are:
- users re-use the same password over multiple platforms (sites can change this user habit by setting passwords themselves)
- users use the same password forever (sites can change this by self-expiring passwords)
- user accounts become compromised and nobody knows (sites can track user habits and flag exceptions)
There is a strong push to put The Thing (authenticator? Client?) on your mobile phone. I don't really want to because
so.. for a while now (decade or so) mobile phones have been the goto for 2f. then, also a while ago, external, additional and other devices (dongles, key generators, usb devices and more) have also seen lots of growth. as we all know: at the end of all this, there could probably be one, two or maybe three different main tech solutions. but imnsho, this will be bad for society and for many reasons of which, if anyone thinks about that for a second, there are quite a few obvious ones... anyway, so text messages, google auth, yubikey and hundreds of other otp type systems are supposed to work 'with' passwords.... what is starting to happen is that users are slowly 'losing' all control (like a lobster in a pot) as various sites are starting to think that to be 'secure' -> control needs to be removed from 'users'
(1) I take my phone outside my house, and (2) my phone software isn't open source.
indeed. for many though, the 'phone' also has the password(s), the 2f and well everything... - so, effectively ending up with the same thing as just a single password and somewhat pointless.
I want The Thing to run on my Linux desktop.
==> What do you guys do?
I tossed smartphones a few years ago, so my use case is challenging as i will not be using a 'smart phone' again, ever.

imo, it is important to understand three things: WHY, HOW and WHAT.

the why i already mentioned above: users are lazy, pathetic, stupid, ignorant and they do not care. many platforms have more focus on user ease and being 'liked' than providing real security.

the how is also easy: all 2f and otp systems work exactly the same way in terms of a third party either generating or transporting a 'secret' between the platform and the user. for the short term, personally, i rely on platforms and sites still supporting text messages; these are becoming fewer though and are being phased out. it looks as if sites and users WILL be using/trusting an exchange where both the user and the 'site' are connected to the exchange and a one time secret (number or even key or even password) is displayed to the user while being automagically fed into the platform using encryption.

so the what right now is still an ongoing war, which is a good thing as one or two dominating 3rd parties controlling all 2f on the planet would be a very bad thing...
GNOME's "Software" program finds 3 programs:
OTPClient - most used - download size: 348.1 MB! Probably because it is a flatpak - when I run it it says "memlock value to low" <https://github.com/paolostivanin/OTPClient/wiki/Secure-Memory-Limitations> That suggests that you need to have a memlock limit greater than 67108864 KB (larger than 67 GB). That's the amount of memory that programs can lock into RAM. Nonsense: how many machines even have 67 GB of physical RAM, let alone RAM you want to dedicate to an accessory. The diagnostic seems to be a known error with flatpak version <https://github.com/paolostivanin/OTPClient/issues/372> In fact, that points out multiple problems with the flatpak version, which is what I was delivered. ABANDON, with a comment. <https://github.com/paolostivanin/OTPClient/issues/384>
Authenticator - download size: only 32.8 MB
Numberstation - download size: only 28.4 KB Python, I think.
EPIPHANY: I want a CLI-based Thing since I'd like to access it via SSH.
So looking in the GNOME repos was a mistake.
To be continued...
indeed :)

On 2024-10-27 02:12, D. Hugh Redelmeier via talk wrote:
I access GitHub and GitLab using SSH. I think that that is unaffected [snip] GitHub is forcing me to go to TOTP for 2FA next month to access their web interface. (ssh ought to continue working since its authentication is solid).
Sadly, I know little about TOTP. Sites try to make it so easy that it is hard to understand what they want.

Pushing and pulling code still works using existing SSH keys you have in place. 2FA on github is partially broken. I was forced to use it and now my account is so secure the only way I can get in is via a rescue key.

They really want you to use a cell phone. I don't have one but github gave me the option of using totp. That was fine. During setup they showed me a QR code to scan and some long string of characters below it. I C&Ped the string of text into a totp I installed on my machine from the repos of the distro I use. I passed the program the string of chars, got a shorter string, and entered that into github and all was well, or so I thought.

When I try to log in now that github is happy that I have 2FA set up, github asks me to enter a code (that shorter string of chars). The problem is it doesn't show me the long string that I need to feed to my totp program so I can never give it the code it wants.

As a result I can no longer use github as I did before. I have copied all my projects to gitlab. I have gone in and marked a few of my projects on github as archived and will be marking the rest the same. I'll be creating a new account on github just so I can use the bug tracking features of other projects as long as it doesn't again want me to set up 2FA.

-- 
Cheers!
Kevin.
https://www.patreon.com/KevinCozens | "Nerds make the shiny things that
                                     | distract the mouth-breathers, and
Owner of Elecraft K2 #2172           | that's why we're powerful"
#include <disclaimer/favourite>      | --Chris Hardwick

On Mon, Oct 28, 2024 at 10:57:55AM -0400, Kevin Cozens via talk wrote:
Pushing and pulling code still works using existing SSH keys you have in place. 2FA on github is partially broken. I was forced to use it and now my account is so secure the only way I can get in is via a rescue key.
They really want you to use a cell phone. I don't have one but github gave me the option of using totp. That was fine. During setup they showed me a QR code to scan and some long string of characters below it. I C&Ped the string of text in to a totp I installed on my machine from the repos of the distro I use. I passed the program the string of chars, got a shorter string, and entered that in to github and all was well, or so I thought.
When I try to log in now that github is happy that I have 2FA setup github asks me to enter a code (that shorter string of chars). The problem is it doesn't show me the long string that I need to feed to my totp program so I can never git it the code it wants.
As a result I can no longer use github as I did before. I have copied all my projects to gitlab. I have gone in and marked a few of my projects on github as archived and will be marking the rest the same. I'll be creating a new account on github just so I can use the bug tracking features of other projects as long as it doesn't again want me to set up 2FA.
The long string would be the setup code, I believe. You should only need that once to set up TOTP. From then on it should stay working on your machine unless you deleted the configuration.

You do not want it to offer a new code to set up another 2FA each time you login. That would not make sense.

Your program for 2FA should simply display codes when run using what was already set up, which you enter to login. It is time based for synchronization.

-- Len Sorensen

I will recommend `pass` too, and recommend installing passmenu (https://git.zx2c4.com/password-store/tree/contrib/dmenu/passmenu). It uses dmenu to show the entries to pass in a HUD-like fashion, so you wire it to a hotkey (I use ctrl-alt-p), and it makes your life easier.

This video (https://www.youtube.com/watch?v=_rd4CeDgdF8) is a great, short tutorial on how to set up pass and passmenu.

Mauro
https://www.maurosouza.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.

On Mon, Oct 28, 2024 at 12:54 PM Lennart Sorensen via talk <talk@gtalug.org> wrote:
On Mon, Oct 28, 2024 at 10:57:55AM -0400, Kevin Cozens via talk wrote:
Pushing and pulling code still works using existing SSH keys you have in place. 2FA on github is partially broken. I was forced to use it and now my account is so secure the only way I can get in is via a rescue key.
They really want you to use a cell phone. I don't have one but github gave me the option of using totp. That was fine. During setup they showed me a QR code to scan and some long string of characters below it. I C&Ped the string of text into a totp I installed on my machine from the repos of the distro I use. I passed the program the string of chars, got a shorter string, and entered that into github and all was well, or so I thought.
When I try to log in now that github is happy that I have 2FA set up, github asks me to enter a code (that shorter string of chars). The problem is it doesn't show me the long string that I need to feed to my totp program so I can never give it the code it wants.
As a result I can no longer use github as I did before. I have copied all my projects to gitlab. I have gone in and marked a few of my projects on github as archived and will be marking the rest the same. I'll be creating a new account on github just so I can use the bug tracking features of other projects as long as it doesn't again want me to set up 2FA.
The long string would be the setup code, I believe. You should only need that once to set up TOTP. From then on it should stay working on your machine unless you deleted the configuration.
You do not want it to offer a new code to set up another 2FA each time you login. That would not make sense.
Your program for 2FA should simply display codes when run using what was already set up, which you enter to login. It is time based for synchronization.
-- Len Sorensen
participants (9): ac, Alvin Starr, D. Hugh Redelmeier, Giles Orr, Kevin Cozens, Lennart Sorensen, Mauro Souza, Scott Allen, Scott Sullivan