Linux Kernel Development Gets Two-Factor Authentication

Developers are now encouraged to use an additional layer of security with the introduction of two-factor authentication for code commits.

Linux development security

Linux kernel development is getting a new layer of security with the introduction of two-factor authentication for code commits. The new authentication measures come nearly three years after the site was attacked.

Konstantin Ryabitsev, director of collaborative IT services at The Linux Foundation, announced the new two-factor authentication initiative. Kernel developers had already been using secure authentication mechanisms, including SSH (Secure Shell), to gain access to code repositories, he explained.

The security breach of 2011 was a very valuable lesson to the Linux community, and many recent initiatives have been aimed at continuously improving the overall security profile, Ryabitsev told eWEEK. The move to two-factor authentication, however, is not a delayed reaction to the 2011 attack, according to Ryabitsev.

Rather, the move to two-factor authentication is in response to continuous requests from kernel developers who have expressed interest in improving the security of their own development processes.

Two-factor authentication—in which a second password (or factor) provides an additional layer of security—is being employed specifically for code commits made to the official Linux kernel repositories hosted at The system isn't just user-identity-based either.

"It is tied both to the IP address and the user identity, so when a user whitelists their IP address, it is only whitelisted for that user and not for anyone else," Ryabitsev said.

From a security auditing perspective, Ryabitsev explained that the system will generate alerts when developers log in from new geographical locations or when there are multiple sessions from different places.

"While this won't deter a very dedicated attacker, it helps discover unusual activity," Ryabitsev said.

Two-factor authentication can be supported in multiple ways, including the use of a software client or a hardware token. The kernel developers are being encouraged to use the Yubikey hardware solution from Yubico.

The Yubikey is a USB device that generates a one-time password for the kernel developers. Yubico has had its share of large-scale deployments in recent years. In February, Yubico announced that it had been selected as the two-factor technology being used by CERN.

"In our opinion, Yubico is open-source friendly as they publish all their source code on GitHub, and their hardware is standards-compliant with Java Card," Ryabitsev said. "That being said, we do support TOTP [Time-based One-time Password] soft tokens, such as FreeOTP or Google Authenticator."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.