Linux Foundation to Secure Kernel Repository with Two-Factor Authentication
The Linux Foundation will introduce two-factor authentication for developers who have access to the Linux kernel source code. Among other things, the YubiKey token is used for this. The move comes three years after a break-in at Kernel.org.
In September 2011, Kernel.org, the website where the source code for the Linux kernel is posted, was hacked. In addition, OpenSSH files were modified and a trojan was installed. The cleanup by the administrators took a long time, and it was decided to raise the security level significantly.
A first step was to introduce SSH keys instead of passwords, but the Linux Foundation wanted to go a step further by introducing two-factor authentication for developers who commit code directly to the Linux kernel git repositories on Kernel.org. For this, the YubiKey was chosen, a hardware token that is comparable to, for example, the SecurID key from RSA. The manufacturer of the YubiKey has donated 100 tokens to the Linux Foundation. The implementation of two-factor authentication has now picked up steam and will soon be mandatory, reports ZDNet.
Kernel.org also uses software two-factor authentication. Both the hardware and software security layers are based on open IETF protocols, such as the one-time password algorithm and the TOTP standard. To avoid having to keep entering passwords and codes, kernel developers can whitelist their IP address for up to 30 days.