FreeIPA authentication improvements and Fedora Infrastructure part 1
The Fedora project exists because of its contributors. Their contributions directly shape the landscape of Linux distributions, and they have also had a significant influence on the Open Source projects themselves. Fedora contributors are not only people who participate in package maintenance; there are upstream developers, documentation writers, quality assurance engineers across multiple industries, students, volunteers and many, many others. As with many other areas, this participation is bi-directional and practices established in the Fedora project may apply elsewhere too.
One area dear to me is authentication. The FreeIPA project serves as an umbrella to provide a consistent centralized identity management and authentication solution for Linux systems (in the first place, though standards-compliant UNIX-like operating systems benefit from its use as well). FreeIPA’s core is built around the Kerberos authentication protocol and the SSSD daemon. It uses Kerberos’ features to make single sign-on easy on the client side.
Many Free Software and Open Source projects use FreeIPA to deploy centralized identity management, authentication and authorization for their own contributors. Examples can be found small and large: the GNOME project was one of the earliest, migrating its infrastructure to FreeIPA in 2014. The Fedora project is no exception: it has been using FreeIPA for quite some time, though the FreeIPA deployment was only handling Kerberos – user accounts were stored in a different place and synchronized with FreeIPA. The old Fedora account system was gradually rewritten to be built on top of FreeIPA and in 2021 all accounts were migrated to the new system.
The Fedora accounts system allows users to log in with a password and optionally to use two-factor authentication with the help of TOTP tokens. Users can also associate GnuPG or SSH public keys with themselves. These details are consumed by various Fedora applications, but there are several important use cases:
- Issue a Kerberos ticket which can be used to authenticate against a build system used by Fedora
- Access servers over the SSH protocol, with Kerberos tickets or SSH keys
- Use a Kerberos ticket or authenticate with a password to the Fedora Project’s identity provider and authorize Fedora applications to access user data.
FreeIPA supports more authentication methods in its Kerberos implementation but they aren’t used by the Fedora project. On the other hand, the CentOS Project shares its FreeIPA instance with Fedora and uses certificates issued by the FreeIPA CA for its authentication. These certificates can be used to obtain Kerberos tickets as well. For both projects this FreeIPA instance is maintained by the Community Platform Engineering team, which looks after both communities’ needs.
Since the Fedora Project is an important gateway to Red Hat Enterprise Linux, many Fedora contributors have recently raised security concerns around secure software delivery and asked how we can improve authentication and authorization for Fedora infrastructure. For gory details, the thread about removing access of inactive packagers after the Fedora 37 release has a few examples. A common agreement is that use of WebAuthn and FIDO2 tokens would definitely improve security, especially when coupled with prevention of authentication method downgrades.
Moving to WebAuthn/FIDO2 would probably be relatively easy if every single application in the Fedora infrastructure were web-based. For example, OAuth2 clients could be forced to operate on specific scopes of the user data which would only be granted if strong authentication methods were used to authenticate. For SSH-based access it would also be possible to get SSH keys based on the native FIDO2 support in OpenSSH and prevent use of other key types. However, single sign-on functionality would then be lost, as currently it is not possible to convert SSH public key access to Kerberos tickets, nor is it possible to use FIDO2 keys natively in Kerberos flows.
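A sketch of the scope gating and downgrade prevention described above, as an added example that is not part of the original article or of the Fedora identity provider's code. The scope names, strength levels and function names are hypothetical; the method labels are the `amr` values defined in RFC 8176.

```python
# Added illustration. Scope names and strength levels are hypothetical;
# the method labels are "amr" values defined in RFC 8176.
LEVEL = {"pwd": 1, "otp": 2, "hwk": 3}  # password < TOTP < hardware-bound key

# Minimum session strength each scope needs (hypothetical policy table).
SCOPE_MIN_LEVEL = {"openid": 1, "profile": 1, "groups": 2, "sshkeys:write": 3}


class DowngradeError(Exception):
    """The session used a weaker method than the account has enrolled."""


def strongest(methods):
    """Strength of the strongest known method; unknown labels count as 0."""
    return max((LEVEL.get(m, 0) for m in methods), default=0)


def grant_scopes(requested, amr, enrolled):
    """Return (granted, denied) for one authorization request.

    requested: scopes the OAuth2 client asks for
    amr:       methods actually used in this login session
    enrolled:  methods the account has registered
    """
    level = strongest(amr)
    # Downgrade prevention: once a stronger method is enrolled, a login
    # that falls back to a weaker one is rejected outright.
    if level < strongest(enrolled):
        raise DowngradeError(f"session level {level} is below the enrolled level")
    granted, denied = [], []
    for scope in requested:
        needed = SCOPE_MIN_LEVEL.get(scope)  # unknown scope -> default deny
        (granted if needed is not None and level >= needed else denied).append(scope)
    return granted, denied


if __name__ == "__main__":
    want = ["openid", "groups", "sshkeys:write"]
    # Constructed sessions: TOTP-only account, then a FIDO2 account.
    print(grant_scopes(want, ["pwd", "otp"], {"pwd", "otp"}))
    print(grant_scopes(want, ["hwk"], {"pwd", "hwk"}))
    try:
        grant_scopes(want, ["pwd"], {"pwd", "hwk"})
    except DowngradeError as exc:
        print("refused:", exc)
```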
Use of FIDO2 tokens introduces another problem, though, this time a social one. The Fedora Project is famous for its wide contributor base, spanning many countries and continents. Fedora Project contributors come from all kinds of backgrounds and so far the only requirement to enable their contributions from a technical point of view was internet access. Even enforcement of two-factor authentication with the help of TOTP tokens could have been mitigated by use of a software token on a mobile device or simulated on a computer. In many countries access to mobile devices is easier than to any hardware token. It is still a cost and somebody has to pay for it. The cheapest FIDO2 token is around 10 EUR, although a single token can be used against many resources (websites). There is a cost to enforce stronger authentication methods and somebody would need to pay it if the Fedora project chooses to raise the requirements. Perhaps companies benefiting from the secure software development processes around the Fedora distribution would be willing to step up?
In the next article I will look at how FreeIPA could help with the technical side of supporting WebAuthn/FIDO2 use by Fedora contributors.