social.linux.pizza is one of the many independent Mastodon servers you can use to participate in the fediverse.

@Gusted @forgejo

> Something that has come up in these situations is that such people usually have a (verified) SSH key added to their account and could use that to prove they are the owner of the account, by the possession of such SSH key.

okay so what's the point of enforcing any TOTP if it's basically defeated by possessing a verified SSH key?
Gusted

@feld @forgejo Having a verified SSH key is also a form of 2FA. For both occasions, you still need to know the password, so if your SSH key is leaked, it won't give anyone instant access to your account.

@Gusted @forgejo My SSH keys can't leak, they're all on HSMs. And it shouldn't even be possible to make an SSH key that isn't password protected, but here we are in 2024 with people in charge of our security tools continuing to make terrible decisions
@feld @forgejo @Gusted as a third party I can't verify an SSH key is password protected so it doesn't count as 2 factor as far as I'm concerned.
@sun @forgejo @Gusted you're misunderstanding; with this change to Forgejo if an attacker targets a developer and is successful in intercepting their password and scoop up their SSH key from their $HOME you can defeat the TOTP on their account by using the SSH key you just stole

So the TOTP is now functionally useless when you're the target of an attack because the average developer is too stupid to password protect it and in 2024 you're not forced to password protect your keys

OpenSSH should not come with the capability to remove the passphrase from an SSH key. Sure, it's technically possible for anyone to write a tool that can do it, but it should refuse to support it. We can't just hope people will make better decisions, we need to force them in the right direction even if it's painful.

And then they can learn how to use their tools properly, like using ssh-agent so the key stays unlocked in memory during their session...
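The point raised above, that a third party cannot tell whether a private key carries a passphrase, is true for the server, but the key's owner (or an endpoint audit job) can check locally: the on-disk openssh-key-v1 container that ssh-keygen writes records the cipher name and KDF name in cleartext before any key material, and both read "none" when no passphrase was set. The following is an added example, not code from Forgejo or from anyone in this thread; it parses that header directly, handles the legacy PEM container as well, and the `build_demo_key` and `audit_keys` helpers and the header-only sample blobs they produce are constructed for this example rather than real ssh-keygen output.

```python
"""Audit OpenSSH private key files for passphrase protection.

Added example; not Forgejo code and not from the thread. The demo keys it
builds are constructed header-only blobs, not usable keys.
"""
import base64
import struct

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def openssh_key_encryption(pem_text: str):
    """Return (ciphername, kdfname) from an openssh-key-v1 private key.

    An unencrypted key has ciphername == kdfname == "none"; ssh-keygen writes
    e.g. ("aes256-ctr", "bcrypt") when a passphrase was set.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OpenSSH new-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad magic in key blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)   # first field after the magic
    kdf, off = _read_string(blob, off)      # second field
    return cipher.decode("ascii"), kdf.decode("ascii")


def is_passphrase_protected(pem_text: str) -> bool:
    """True if the private key material is encrypted at rest."""
    text = pem_text.lstrip()
    if text.startswith(OPENSSH_BEGIN):
        cipher, kdf = openssh_key_encryption(pem_text)
        return cipher != "none" and kdf != "none"
    if text.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return True                          # PKCS#8 encrypted container
    if text.startswith("-----BEGIN ") and "PRIVATE KEY-----" in text:
        # Legacy PEM (RSA/EC/DSA): encryption is signalled by a Proc-Type header.
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("unrecognised private key format")


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_demo_key(cipher: str, kdf: str) -> str:
    """Constructed header-only openssh-key-v1 file for testing the parser.

    Only the fields the parser reads are meaningful; the key sections are
    placeholder bytes, so this is not a usable key (assumption for the demo).
    """
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode())
            + _ssh_string(b"")              # kdfoptions (salt + rounds for bcrypt)
            + struct.pack(">I", 1)          # number of keys
            + _ssh_string(b"\x00" * 8)      # public key placeholder
            + _ssh_string(b"\x00" * 8))     # private section placeholder
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


def audit_keys(files: dict) -> dict:
    """Map each key name to True (protected) / False over a {name: text} dict."""
    return {name: is_passphrase_protected(text) for name, text in files.items()}


if __name__ == "__main__":
    # Run over ~/.ssh when invoked directly; non-key files are reported and skipped.
    from pathlib import Path
    for path in sorted(Path.home().joinpath(".ssh").glob("id_*")):
        if path.suffix == ".pub":
            continue
        try:
            state = "protected" if is_passphrase_protected(path.read_text()) else "UNENCRYPTED"
        except ValueError as exc:
            state = f"skipped ({exc})"
        print(f"{path}: {state}")
```

The same check without any code is `ssh-keygen -y -P "" -f ~/.ssh/id_ed25519`: it prints the public key for an unprotected key and fails for a protected one. Note that a passphrase only protects the file at rest; once the key is loaded into ssh-agent, anything running as the user can use it, which is the point the later replies make.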

@feld @forgejo @sun Having arbitrary access to someone's filesystem has much more implications. Feel free to leave any feedback on the PR instead of here.

I mean, is this meaningfully worse than a totp recovery code that also can't be forced to be password protected? Is the problem just that ssh keys are stored in known locations that would make it easier for an attacker to find?

@nicholas @sun @Gusted absolutely, you'll just attack the user from their browser or email client or something and use that to read the contents of their home directory.

Sneak in a git hook into a branch you need them to help you with and have that steal their files and post them somewhere with Curl silently in the background

there's an infinite number of clever ideas waiting to be utilized
@feld @forgejo @sun @Gusted Even in the event that ssh-agent is used, you could still get the TOTP recovery codes from the target. All you have to do is to wait until the computer isn't used for X amount of time and quickly launch a terminal session. And since ssh-agent/gpg-agent isn't usually locked when the screen is locked... Of course you would need remote access to the computer, but since you already can have a password and an SSH key there's almost nothing stopping the attacker from doing so. To some extent it even makes it easier with ssh-agent.

This basically sidesteps the usage of TOTP as a second factor (likely on a separate device, or a hardware key), because there's no second factor. Sure, the attacker can write whatever they want to my repos, but they can't lock the target out when they eventually find out and try to revoke the key from another device.
Modern IT will be the downfall of major countries.
This is what happens when you get your degree from the college of business instead of its own specialized college of engineering.

Had a "network expert" try to bullshit me with some 10-page MOPs that were clearly generated from ChatGPT for just adding a new VLAN to only 2 switches.