[Labs-l] 2-factor shell auth (was:second attempt to request alternative login server)
Matthew Walker
mwalker at wikimedia.org
Wed Mar 6 18:19:32 UTC 2013
>
> [removed garbage about password auth being wonderful...]
I don't feel passwords are any more or less secure than keys. In some cases
keys can be even less secure if you're doing agent forwarding.
This being said -- we have two factor auth available on labsconsole; I'd
love it if two factor auth was also enabled by request for shells. I've
done this on personal servers of mine using google's solution [1]. I don't
think it would be too hard to implement on labs when time is available --
it's controlled by a file in the home directory (which might be able to be
moved, haven't looked deeply.)
[1] https://google-authenticator.googlecode.com/
~Matt Walker
Wikimedia Foundation
Fundraising Technology Team
On Wed, Mar 6, 2013 at 9:01 AM, Jeremy Baron <jeremy at tuxmachine.com> wrote:
> On Wed, Mar 6, 2013 at 4:54 PM, Petr Bena <benapetr at gmail.com> wrote:
> > okay this is third time when we have same outage... bastion2 and 3
> > were accessible for short time after bastion1's gluster died, then
> > they died as well. public keys weren't accessible on any of them so
> > basically labs were inaccessible for anyone.
>
> citation needed. I was just able to log in to both of
> bastion[23].wmflabs.org on the first try.
>
> [removed garbage about password auth being wonderful...]
>
> > Set up a cron script that sync a local folder on bastion with
> > /public/keys so that when gluster is down or that folder isn't working
> > login to bastion's still works.
>
> That might be feasible. But really the solution is don't let people
> kill the bastion. idk how we do that. and idk why the past social
> restrictions aren't sufficient. maybe we need ulimit or cgroups or
> something. :-(
>
> -Jeremy
>
> _______________________________________________
> Labs-l mailing list
> Labs-l at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/labs-l
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20130306/f11e5869/attachment-0001.html>
More information about the Labs-l
mailing list