I work in a bitcoin startup , my fucking boss really wants everyone to use ubuntu because of security and all , the bad thing is i am the only guy who knows how to install and deal with it , so when any one joins or has some problem he always bugs me and the thing is i am an android developer not a sys admin and now he fucking want to get 2 factor in ubuntu desktops when they log in

I hope you get paid well! You are a jack of all trades at a startup after all

Nothing wrong with being multi skilled.

Dont limit yourself.

@spl0 exactly, but don't get taken advantage of either.

Healthy balance is easier said than done

yeah apart from this i love working in a startup, in spite of being an android developer i manage 5 aws servers, regularly work on node and php for automating various daily tasks

Does everyone get root on those Ubuntu instances? If so 2-factor is pointless. Try to figure out what problem your boss is trying to solve. If 2-factor is the solution there is a PAM module that uses Google Authenticator for auth in addition to a standard password.

no they don't get root access , i did it using duo which also relies on pam
, cool thing about it is you get 2 factor even you type sudo.
also the reason to do 2 factor was that everyone was shitty passwords like companyname123 which anyone could guess.

@dhruvil so are you protecting developers from eachother?

@spl0 no i think he is paranoid something like mr. robot might happen where the girls hacks fbi by logging into an unprotected computer.

@dhruvil Paging Eliot ...

@binhex Plug this usb drive in and restart the computer.

but seriously this is hackable, a usb drive with a init script to bypass 2fa along with a chroot to launch the os where nobody will know the difference by looking at the computer in passing. unless the kernel alerts a central authority when a usb device is plugged in that it doesn't know this will work, but this falls under the rule "if they have physical access all bets are off"

Yep, physical access is equivalent to root, if not even worse because you can emulate the rest. I highly recommend Yubikeys, generate your private keys on them, use for GPG+SSH+x509+OTP+U2F pam with set pin AND admin pin. Three tries and it wipes itself. Boom.

Don't trust 2fa services, they're only waiting to get hacked.

@trevorj same problem as my above reply but yours does give a start for a full lockdown if they use an encrypted home directory and maybe use a custom kernel to decrypt the harddrive but now I'm talking way out of 'normal' developers programing skill. you would have to be around Linus understanding of the kernel to get that to be effective and dale grible parnoid to do that

all the usb ports are disabled ,there is no cd rom and bios is locked , so one cannot simply just walk to computer and do something , they will need a good amount of time to get through.

@jckimble Assume nothing is secure if you have physical access to the hardware.

Computer security assumes physical security.

@spl0 yeah I know, doesn't mean failsafes can't be put in place to mitigate risk though. while I know if my laptop is stolen there's very little chance of someone getting in it cause of silk-guardian, dm-crypt with wipe password, usb boot turned off, bios/efi locked, restrictive iptables, and has to be in range of my phone or bluetooth headset. while there are still ways to bypass all of it you would need to know my system to have half a chance of cracking it even with physical access, it's way overboard by any standards but I'm not risking law suits if a clients idea gets out where I signed a nda. thinking about it I probably should add a remote wipe beacon to it just in case they manage to get through it with a cold boot attack or something