The recent compromise of
ua-parser-js has put the security and trust of published packages at the top of my mind lately.
In order to mitigate the risk of any Ruby Gems I manage from being hijacked, I enabled 2FA on my RubyGems.org account.
This means that whenever I publish a Ruby Gem, I have to enter a one time passcode.
I have to admit, I find this to be a pain. Whenever I do a release of Rails, I have to enter a passcode over and over again because you can only push one Gem at a time.
Finally I’ve found a way to deal with this. I can maintain account security and also not be hassled with OTP codes again, thanks to my YubiKey.
This is just a short post about how to set up your YubiKey as an authenticator for RubyGems.org, and how to publish Gems without getting an OTP prompt.
ykman is a command line utility for interacting with your YubiKey. I installed
it on my Mac with Homebrew:
$ brew install ykman
Set up 2FA as usual
If you already have 2FA enabled, you’ll have to temporarily disable it.
Just go through the normal 2FA setup process and when you’re presented with a QR code, you’ll use the text key to configure your YubiKey.
$ ykman oath accounts add -t -o TOTP rubygems.org:firstname.lastname@example.org 123456
But use your email address and replace 123456 with the code you got from RubyGems.org.
-t flag will require you to touch the YubiKey when you want to generate an
Generate an OTP
You can now generate an OTP like this:
$ ykman oath accounts code -s rubygems.org
Publishing a Gem without OTP Prompts
You can supply an OTP code to the
gem interface via an environment variable
or a command line argument.
The environment variable version is like this:
$ GEM_HOST_OTP_CODE=$(ykman oath accounts code -s rubygems.org) gem push cool-gem-0.0.0.gem
The command line argument is like this:
$ gem push cool-gem-0.0.0.gem --otp $(ykman oath accounts code -s rubygems.org)
I’ve used the environment variable version, but not the command line argument though.
I also did this for NPM, but I haven’t tried pushing a package yet so I’ll see how that goes.
I don’t really have any other thoughts except that everyone should enable 2FA so that we can prevent situations like
I’m not particularly interested in installing someone’s Bitcoin miner on my machine, and I’m also not interested in being hassled because my package was hijacked.
Everyone, please stay safe and enable 2FA!