Re: Gitlab update, 2FA now mandatory
On Monday, 24 October 2022, 01:16:30 CEST, Jack wrote:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
> >
> > Thanks,
> > Ben
>
> Sorry to be dense, but without a webauthn token device, it seems I'm at a total block if I don't have a phone (or don't have it with me.) Is that correct, or is there some fine manual I need to read?

There is (at least) OTPClient on Linux, and 2Fast on Windows, that can both manage your 2FA keys for you in the same way that an app on a phone would. I'm in fact using them both, and keep my keys in sync by importing exports from FreeOTP+, which I use on my phone.
Cheers
MH

--
Mathias Homann
mathias.hom...@opensuse.org
Jabber (XMPP): le...@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
Re: Gitlab update, 2FA now mandatory
On Mon, Oct 24, 2022 at 12:16 PM Jack wrote:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
> >
> > Thanks,
> > Ben
>
> Sorry to be dense, but without a webauthn token device, it seems I'm at a total block if I don't have a phone (or don't have it with me.) Is that correct, or is there some fine manual I need to read?

This will depend on whether it is a one-off situation or not. If it is a one-off situation, you can use one of your recovery codes (and if needed, obtain a fresh set of those via SSH as documented above) to login to Gitlab.

If it is something that will happen on a more regular basis then setting up the TOTP application on a device you have regular access to (or obtaining a Webauthn token) would be recommended.

> Thanks.
>
> Jack

Thanks,
Ben
Re: Gitlab update, 2FA now mandatory
On 2022-10-23 19:16, Jack wrote:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
> >
> > Thanks,
> > Ben
>
> Sorry to be dense, but without a webauthn token device, it seems I'm at a total block if I don't have a phone (or don't have it with me.) Is that correct, or is there some fine manual I need to read?

You can generate TOTP codes using KeePassXC.
Re: Gitlab update, 2FA now mandatory
On 2022.10.23 02:32, Ben Cooksley wrote:
> Hi all,
>
> This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5.
> Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
>
> There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
>
> As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
>
> Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
>
> Please let us know if there are any queries on the above.
>
> Thanks,
> Ben

Sorry to be dense, but without a webauthn token device, it seems I'm at a total block if I don't have a phone (or don't have it with me.) Is that correct, or is there some fine manual I need to read?

Thanks.

Jack
Re: Gitlab update, 2FA now mandatory
On Mon, Oct 24, 2022 at 4:55 AM Christoph Cullmann (cullmann.io) <christ...@cullmann.io> wrote:
> On 2022-10-23 08:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
>
> Hi,

Hi Christoph,

> whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
>
> Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
>
> I am not sure this is such a good thing.
> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.

That is something you actually can't do - at least not entirely :)
Release branches are marked as protected within Gitlab, meaning that destructive operations will be blocked by Gitlab itself.

Even if this was to be permitted by Gitlab, our hooks would intervene and ensure a backup of the branch was taken immediately before it was deleted - making the damage an inconvenience only, as nothing would be lost. (See refs/backups/ in any Git repository on invent.kde.org; these refs are also protected by the hooks so they cannot be harmed.)

> Could the 2FA stuff perhaps be limited to people with developer role or such?

It is technically possible to apply the mandatory 2FA rules to only certain groups, as Developer accounts are simply membership in teams/kde-developers. See https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group for the documentation on this.

Given that we are using Invent for authenticating our various other services and the users of those aren't necessarily developers (while still having access to sensitive information), it seemed more prudent to enforce 2FA for everyone to ensure all our systems have a minimum baseline of industry best practice protection in place.

This also avoids any issue when people are granted a developer account and suddenly find themselves subject to a new requirement.

Thanks,
Ben

> Greetings
> Christoph
>
> > Thanks,
> > Ben
> >
> > Links:
> > --
> > [1] http://invent.kde.org
>
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org
Re: Gitlab update, 2FA now mandatory
Personally I'd recommend Aegis (https://f-droid.org/packages/com.beemdevelopment.aegis/) over FreeOTP(+) due to the possibility to disable screencaps, the privacy focussed settings such as tap to reveal and encrypted exports (afaik FreeOTP only does unencrypted), and the possibility to import entries from Google Authenticator, which will make the migration a lot easier.

In either case, any of them will work.

Kind regards,
Christian

On Sunday, 23 October 2022, 21:18:27 CEST, Bernie Innocenti wrote:
> I was going to recommend andOTP for Android, but sadly the author no longer has time to maintain it:
>
> https://github.com/andOTP/andOTP
>
> Looks like FreeOTP+ is actively maintained, so I'll look into migrating to it.
>
> On 24/10/2022 03.38, Sune Vuorela wrote:
> > On 2022-10-23, Ben Cooksley wrote:
> > > (such as a Yubikey) or TOTP (using the app of choice on your phone)
> >
> > There seem to be some questions about what possible "app of choice" is available.
> >
> > kde has keysmith
> > f-droid has freeotp+
> > sailfish has sailotp somewhere
> >
> > In the less privacy oriented ecosphere, but should not actually use this data for their nefarious purposes,
> >
> > - microsoft has an authenticator
> > - google has an authenticator
> > - github has an authenticator
> >
> > There are probably others in both the google and apple stores and maybe also other stores.
> >
> > /Sune
Re: Gitlab update, 2FA now mandatory
On Sunday, 23 October 2022, 21:18:27 CEST, Bernie Innocenti wrote:
> I was going to recommend andOTP for Android, but sadly the author no longer has time to maintain it:
>
> https://github.com/andOTP/andOTP
>
> Looks like FreeOTP+ is actively maintained, so I'll look into migrating to it.

I've been using FreeOTP+ for quite some time now - the best part about it is that it can export your 2FA keys in a format that can be imported into OTPClient on Linux, and into 2Fast on Windows - and of course the export is a pretty damn fine backup, too.

Cheers
MH

--
Mathias Homann
mathias.hom...@opensuse.org
Jabber (XMPP): le...@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
Re: Gitlab update, 2FA now mandatory
I highly recommend Aegis authenticator, it's on f-droid as well: https://getaegis.app/

- Akseli

On Sunday, 23 October 2022 22.18.27 EEST Bernie Innocenti wrote:
> I was going to recommend andOTP for Android, but sadly the author no longer has time to maintain it:
>
> https://github.com/andOTP/andOTP
>
> Looks like FreeOTP+ is actively maintained, so I'll look into migrating to it.
>
> On 24/10/2022 03.38, Sune Vuorela wrote:
> > On 2022-10-23, Ben Cooksley wrote:
> > > (such as a Yubikey) or TOTP (using the app of choice on your phone)
> >
> > There seem to be some questions about what possible "app of choice" is available.
> >
> > kde has keysmith
> > f-droid has freeotp+
> > sailfish has sailotp somewhere
> >
> > In the less privacy oriented ecosphere, but should not actually use this data for their nefarious purposes,
> >
> > - microsoft has an authenticator
> > - google has an authenticator
> > - github has an authenticator
> >
> > There are probably others in both the google and apple stores and maybe also other stores.
> >
> > /Sune
Re: Gitlab update, 2FA now mandatory
On 2022-10-23, Ben Cooksley wrote:
> (such as a Yubikey) or TOTP (using the app of choice on your phone)

There seem to be some questions about what possible "app of choice" is available.

kde has keysmith
f-droid has freeotp+
sailfish has sailotp somewhere

In the less privacy oriented ecosphere, but should not actually use this data for their nefarious purposes,

- microsoft has an authenticator
- google has an authenticator
- github has an authenticator

There are probably others in both the google and apple stores and maybe also other stores.

/Sune
Re: Gitlab update, 2FA now mandatory
On 2022-10-23 08:32, Ben Cooksley wrote:
> Hi all,
>
> This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
>
> There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
>
> As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
>
> Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
>
> Please let us know if there are any queries on the above.

Hi,

whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.

Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).

I am not sure this is such a good thing.
I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.

Could the 2FA stuff perhaps be limited to people with developer role or such?

Greetings
Christoph

> Thanks,
> Ben
>
> Links:
> --
> [1] http://invent.kde.org

--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org
Gitlab update, 2FA now mandatory
Hi all,

This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5.
Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/

There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.

As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).

Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.

Please let us know if there are any queries on the above.

Thanks,
Ben