Linux kernel development is getting a new layer of security with the introduction of two-factor authentication for code commits. The new authentication measures come nearly three years after the kernel.org site was attacked.
Konstantin Ryabitsev, director of collaborative IT services at The Linux Foundation, announced the new two-factor authentication initiative. Kernel developers had already been using secure authentication mechanisms, including SSH (Secure Shell), to gain access to code repositories, he explained.
The security breach of 2011 was a very valuable lesson to the Linux community, and many recent initiatives have been aimed at continuously improving the overall security profile, Ryabitsev told eWEEK. The move to two-factor authentication, however, is not a delayed reaction to the 2011 kernel.org attack, according to Ryabitsev.
Rather, the move to two-factor authentication is in response to continuous requests from kernel developers who have expressed interest in improving the security of their own development processes.
Two-factor authentication—in which a second password (or factor) provides an additional layer of security—is being employed specifically for code commits made to the official Linux kernel repositories hosted at kernel.org. The system isn’t just user-identity-based either.
“It is tied both to the IP address and the user identity, so when a user whitelists their IP address, it is only whitelisted for that user and not for anyone else,” Ryabitsev said.
From a security auditing perspective, Ryabitsev explained that the system will generate alerts when developers log in from new geographical locations or when there are multiple sessions from different places.
“While this won’t deter a very dedicated attacker, it helps discover unusual activity,” Ryabitsev said.
Two-factor authentication can be supported in multiple ways, including the use of a software client or a hardware token. The kernel developers are being encouraged to use the Yubikey hardware solution from Yubico.
The Yubikey is a USB device that generates a one-time password for the kernel developers. Yubico has had its share of large-scale deployments in recent years. In February, Yubico announced that it had been selected as the two-factor technology being used by CERN.
“In our opinion, Yubico is open-source friendly as they publish all their source code on GitHub, and their hardware is standards-compliant with Java Card,” Ryabitsev said. “That being said, we do support TOTP [Time-based One-time Password] soft tokens, such as FreeOTP or Google Authenticator.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
