Oh no! a wild security feature for @forgejo has appeared that even Github doesn't have! https://codeberg.org/forgejo/forgejo/pulls/4662
Conversation
Notices
-
Embed this notice
Gusted (gusted@social.linux.pizza)'s status on Wednesday, 24-Jul-2024 22:34:01 JST 
Gusted
-
Embed this notice
Drew DeVault (drewdevault@fosstodon.org)'s status on Wednesday, 24-Jul-2024 22:35:54 JST 
Drew DeVault
@Gusted @forgejo we can allocate a PTY (it's more involved but forgejo could do this also)
But I think what's more likely is that we'll issue new recovery codes via SSH, then you'll have to log in with user/pw normally to use them
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Drew DeVault (drewdevault@fosstodon.org)'s status on Wednesday, 24-Jul-2024 22:35:55 JST
Drew DeVault
@Gusted @forgejo nice, been putting off doing the same feature for sourcehut for years
-
Embed this notice
Gusted (gusted@social.linux.pizza)'s status on Wednesday, 24-Jul-2024 22:35:55 JST
Gusted
@drewdevault @forgejo I hope you don't have to make the same sacrifice as Forgejo does, password being echoed back because PTY allocations are disabled for SSH sessions.
-
Embed this notice
Sick Sun (sun@shitposter.world)'s status on Wednesday, 24-Jul-2024 23:09:55 JST 
Sick Sun
@feld @forgejo @Gusted as a third party I can't verify a ssh key is password protected so it doesn't count as 2 factor as far as I'm concerned. -
Embed this notice
feld (feld@bikeshed.party)'s status on Wednesday, 24-Jul-2024 23:09:56 JST 
feld
@Gusted @forgejo My SSH keys can't leak, they're all on HSMs. And it shouldn't even be possible to make an SSH key that isn't password protected, but here we are in 2024 with people in charge of our security tools continuing to make terrible decisions -
Embed this notice
Gusted (gusted@social.linux.pizza)'s status on Wednesday, 24-Jul-2024 23:09:57 JST
Gusted
@feld @forgejo Having a verified SSH key is also a form of 2FA. For both occasions, you still need to know the password, so if your SSH key is leaked, it won't give anyone instant access to your account.
-
Embed this notice
feld (feld@bikeshed.party)'s status on Wednesday, 24-Jul-2024 23:09:58 JST
feld
@Gusted @forgejo
> Something that has come up in these situations is that such people usually have a (verified) SSH key added to their account and could use that to prove they are the owner of the account, by the possession of such SSH key.
okay so what's the point of enforcing any TOTP if it's basically defeated by possessing a verified SSH key? -
Embed this notice
feld (feld@bikeshed.party)'s status on Wednesday, 24-Jul-2024 23:19:57 JST
feld
@sun @forgejo @Gusted you're misunderstanding; with this change to Forgejo if an attacker targets a developer and is successful in intercepting their password and scoop up their SSH key from their $HOME you can defeat the TOTP on their account by using the SSH key you just stole
So the TOTP is now functionally useless when you're the target of an attack because the average developer is too stupid to password protect it and in 2024 you're not forced to password protect your keys
OpenSSH should not come with the capability to remove the passphrase from an SSH key. Sure, it's technically possible for anyone to write a tool that can do it, but it should refuse to support it. We can't just hope people will make better decisions, we need to force them in the right direction even if it's painful.
And then they can learn how to use their tools properly, like using ssh-agent so the key stays unlocked in memory during their session...Sick Sun likes this.
-
Embed this notice
All GNU social JP content and data are available under the