Check for 2FA protection and enforce validation of 2FA tokens
Closed, Resolved · Public

Description

Before Striker can modify data for existing LDAP accounts (password, ssh keys, etc.) it must check for 2FA on the account and enforce token checks for 2FA-enabled accounts. At the very least it must tell users with 2FA enabled that they cannot use Striker.

See also:

bd808 created this task. Sep 5 2016, 5:35 AM
Restricted Application added a subscriber: Aklapper. Sep 5 2016, 5:35 AM

There are multiple possible paths to get this functionality as noted in the description. The best solution would be some internal network service (T120484 or an off-the-shelf solution like https://www.linotp.org). Implementing a new general-purpose HOTP service is a bit more work than I would like to bite off just to allow Striker to manage things about a user's LDAP account like the password and ssh public keys.

When horizon needed this protection the implementation was to interact directly with the underlying database that stores the HOTP secrets for wikitech. This is problematic for a number of reasons that I won't enumerate here. The short answer is that it's not a good idea to use a mysql table as a common API. My idea for storing the secrets in LDAP (T136350) is really not much better. It moves the data to a location that is already common to wikitech, horizon, and striker but it doesn't solve other problems of multiple HOTP implementations using the same secrets.

I think I have an idea for a third solution that is between a stand-alone service and shared secret access. A new Action API endpoint could be added to MediaWiki-extensions-OATHAuth that allowed a trusted user to:

  • query for OATH enabled/disabled status on a given account
  • validate an OATH token

These actions would need to be protected with a new permission to restrict use to highly trusted accounts. There should also be rate limiting on the validation action to limit the number of tokens that can be tried for a given MediaWiki user account per unit time.
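The two proposed actions, the permission gate and the per-account rate limit can be modelled in a few dozen lines. The block below is an added example, not code from MediaWiki-extensions-OATHAuth or Striker. It assumes the right is named `oathauth-api` (the name that appears in the later config change), that tokens are RFC 6238 TOTP built on RFC 4226 HOTP with a 30 second step and a one-step skew window, and that the class, method names and limits are illustrative. It also rejects replay of an already-accepted token, a check the comment above does not mention but that any validation endpoint exposed over the API needs.

```python
"""Model of the proposed OATHAuth Action API actions (added example).

Not code from MediaWiki-extensions-OATHAuth or Striker. It sketches the
two actions proposed above, a status query and a token validation, gated
by a user right and rate limited per target account. Assumptions: the
right is named `oathauth-api`, tokens are RFC 6238 TOTP over RFC 4226
HOTP with a 30 s step, and the limits, class and method names are
illustrative.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional, Set


class PermissionDenied(Exception):
    """Caller lacks the right needed to use the OATH API."""


class RateLimited(Exception):
    """Too many token checks against one account inside the window."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OathApi:
    """In-memory stand-in for the wiki: rights, OATH secrets, per-account rate buckets."""

    def __init__(self, rights: Dict[str, Set[str]], secrets: Dict[str, Optional[bytes]],
                 max_attempts: int = 5, window_seconds: int = 60, step_seconds: int = 30):
        self._rights = rights            # caller -> set of user rights
        self._secrets = secrets          # account -> TOTP secret, or None when 2FA is off
        self._max = max_attempts
        self._window = window_seconds
        self._step = step_seconds
        self._attempts: Dict[str, List[int]] = {}   # account -> timestamps of token checks
        self._last_counter: Dict[str, int] = {}     # account -> last accepted TOTP counter

    def _require_right(self, caller: str) -> None:
        # Assumed right name; both actions are restricted to trusted callers.
        if "oathauth-api" not in self._rights.get(caller, set()):
            raise PermissionDenied(f"{caller} lacks the oathauth-api right")

    def _count_attempt(self, account: str, now: int) -> None:
        # Limit is keyed on the *target* account, so a trusted caller cannot
        # be used to brute-force one user's token.
        recent = [t for t in self._attempts.get(account, []) if now - t < self._window]
        if len(recent) >= self._max:
            self._attempts[account] = recent
            raise RateLimited(f"too many token checks against {account}")
        recent.append(now)
        self._attempts[account] = recent

    def query_status(self, caller: str, account: str) -> dict:
        """Status query: is OATH enabled for `account`? No token involved, so no limit."""
        self._require_right(caller)
        return {"account": account, "enabled": self._secrets.get(account) is not None}

    def validate(self, caller: str, account: str, token: str,
                 now: Optional[int] = None, skew_steps: int = 1) -> dict:
        """Validate `token` for `account`; every call counts against the rate limit."""
        self._require_right(caller)
        now = int(time.time()) if now is None else now
        self._count_attempt(account, now)   # count before checking, so guesses cost the same

        secret = self._secrets.get(account)
        if secret is None:
            return {"account": account, "enabled": False, "valid": False}

        base = now // self._step
        last = self._last_counter.get(account, -1)
        valid = False
        for delta in range(-skew_steps, skew_steps + 1):
            counter = base + delta
            # Constant-time compare; a counter at or below the last accepted one is a replay.
            if hmac.compare_digest(hotp(secret, counter), token) and counter > last:
                self._last_counter[account] = counter
                valid = True
                break
        return {"account": account, "enabled": True, "valid": valid}
```

From Striker's side the flow is the one the description asks for: call `query_status` first, and if the account has OATH enabled refuse the password or ssh key change until a token validates. Keying the rate bucket on the target account rather than on the caller is the important choice: the caller is a single highly trusted bot account, so a per-caller limit would not stop an attacker who has compromised Striker's session from walking the token space for one victim.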

bd808 moved this task from Backlog to Doing on the Striker board. Sep 29 2016, 11:46 PM

Change 313548 had a related patch set uploaded (by BryanDavis):
Add a query meta api option to check for OATH

https://gerrit.wikimedia.org/r/313548

Change 313549 had a related patch set uploaded (by BryanDavis):
Add an api action to validate an OATH token

https://gerrit.wikimedia.org/r/313549

Change 314221 had a related patch set uploaded (by BryanDavis):
OATHAuth: Grant oathauth-api to sysop

https://gerrit.wikimedia.org/r/314221

Change 314221 merged by jenkins-bot:
OATHAuth: Grant oathauth-api to sysop

https://gerrit.wikimedia.org/r/314221

Change 313548 merged by jenkins-bot:
Add a query meta api option to check for OATH

https://gerrit.wikimedia.org/r/313548

Change 313549 merged by jenkins-bot:
Add an api action to validate an OATH token

https://gerrit.wikimedia.org/r/313549

Change 317375 had a related patch set uploaded (by BryanDavis):
striker: Add ldapauthwiki OAuth config for oath

https://gerrit.wikimedia.org/r/317375

Change 317375 merged by jenkins-bot:
striker: Add ldapauthwiki OAuth config for oath

https://gerrit.wikimedia.org/r/317375

Change 324637 had a related patch set uploaded (by BryanDavis):
Add support for authenticated Action API use

https://gerrit.wikimedia.org/r/324637

Change 324637 merged by jenkins-bot:
Add support for authenticated Action API use

https://gerrit.wikimedia.org/r/324637

Change 327786 had a related patch set uploaded (by BryanDavis):
Check and enforce OATH account protection

https://gerrit.wikimedia.org/r/327786

@dpatrick, @Bawolff, @Reedy: It would be nice to get a quick look at the logic in https://gerrit.wikimedia.org/r/327786 from the Security-Team folks.

There are probably several additional things that could be done in follow-up commits to add more protections for 2FA users:

  • tracking a hash of the ip+ua in the session data and re-prompting on mismatch to protect against session hijacking
  • implementing some sort of timeout similar to the Google 30-day re-prompt for 2FA
  • doing something similar to Phabricator's "high security" mode that will prompt for 2FA on entry and adding that protection to things like password changes & ssh-key additions

I think for now though this protection is as secure as the existing Wikitech 2FA usage.
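The three follow-ups listed above can be expressed as a small amount of session logic. The block below is an added example, not Striker code: it stores a keyed hash of client IP + User-Agent at the last successful OATH check and compares it on later requests, applies a fixed re-prompt age (assumed to be 30 days, following the Google behaviour mentioned), and gates sensitive actions such as password changes and ssh key additions on a recent check in the manner of Phabricator's high-security mode. The session key name, the HMAC key source, the 30-day and 5-minute limits and the function names are all assumptions.

```python
"""Session-bound 2FA state for the follow-ups listed above (added example).

Not Striker code. Models: a keyed hash of client IP + User-Agent recorded at
the last successful OATH check; a fixed re-prompt age (assumed 30 days); and
a freshness check for sensitive actions. The session key, the HMAC key
source and the function names are assumptions.
"""
import hashlib
import hmac
from typing import Optional

REPROMPT_AFTER = 30 * 24 * 3600   # assumed: re-prompt after 30 days regardless of activity
SESSION_KEY = "oath_verified"     # assumed session key holding the verification record


def client_fingerprint(ip: str, user_agent: str, key: bytes) -> str:
    """Keyed hash, so a leaked session store does not expose raw IP/UA pairs."""
    return hmac.new(key, f"{ip}\n{user_agent}".encode(), hashlib.sha256).hexdigest()


def record_oath_success(session: dict, ip: str, user_agent: str, now: int, key: bytes) -> None:
    """Call after a token validates; binds the verification to this client."""
    session[SESSION_KEY] = {"fp": client_fingerprint(ip, user_agent, key), "at": now}


def oath_reprompt_reason(session: dict, ip: str, user_agent: str,
                         now: int, key: bytes) -> Optional[str]:
    """Return why the user must re-enter a token, or None if the session is still good."""
    state = session.get(SESSION_KEY)
    if not state:
        return "no-verification"
    if now - state["at"] > REPROMPT_AFTER:
        return "expired"
    if not hmac.compare_digest(state["fp"], client_fingerprint(ip, user_agent, key)):
        return "client-mismatch"   # same session cookie from a different client: possible hijack
    return None


def sensitive_action_allowed(session: dict, ip: str, user_agent: str, now: int,
                             key: bytes, max_age: int = 300) -> bool:
    """High-security gate: client must match and the last token check must be recent."""
    if oath_reprompt_reason(session, ip, user_agent, now, key) is not None:
        return False
    return now - session[SESSION_KEY]["at"] <= max_age
```

The fingerprint is compared with `hmac.compare_digest` and keyed with a server-side secret so that the stored value is not simply a hash an attacker could precompute from a known IP and UA. One caveat a deployment has to weigh: binding to the full IP address forces a re-prompt for users behind carrier NAT or on mobile networks whose address changes mid-session, so some sites bind to a prefix or to the UA alone and accept the weaker hijack protection.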

Change 327786 merged by jenkins-bot:
Check and enforce OATH account protection

https://gerrit.wikimedia.org/r/327786

Change 333095 had a related patch set uploaded (by BryanDavis):
Bump static and striker submodules

https://gerrit.wikimedia.org/r/333095

Change 333095 merged by jenkins-bot:
Bump static and striker submodules

https://gerrit.wikimedia.org/r/333095

Mentioned in SAL (#wikimedia-operations) [2017-01-25T18:22:23Z] <bd808@tin> Finished deploy [striker/deploy@5aa3aa8]: Update Striker to 5aa3aa8 (T144710, T147024, T144712, T144711, T153935) (duration: 00m 24s)

bd808 closed this task as "Resolved". Jan 25 2017, 7:24 PM
bd808 claimed this task.
Restricted Application added a project: User-bd808. Jan 25 2017, 7:24 PM
bd808 moved this task from Doing to Done on the Striker board. Mar 4 2017, 3:53 AM