Re: Gitlab update, 2FA now mandatory

[Jack]

On 2022.10.26 16:33, Tobias Leupold wrote:

Am Montag, 24. Oktober 2022, 01:16:30 CEST schrieb Jack:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org to the latest version of
> > Gitlab,
> > 15.5.
> > Release notes for this can be found at
> > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature wise in this release, however  
there

> > have
> > been some bug fixes surrounding the "Rebase without Pipeline"
> > functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious
> > activity I
> > have also enabled Mandatory 2FA, which Gitlab will ask you to
> > configure
> > next time you access it. This can be done using either a Webauthn
> > token
> > (such as a Yubikey) or TOTP (using the app of choice on your  
phone)

> >
> > Should you lose access to your 2FA device you can obtain a  
recovery

> > token
> > to log back in via SSH, see
> >  
https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.
> > html#generate-new-recovery-codes-using-ssh for more details on  
this.

> >
> > Please let us know if there are any queries on the above.
> >
> > Thanks,
> > Ben
>
> Sorry to be dense, but without a webauthn token device, it seems  
I'm at
> a total block if I don't have a phone (or don't have it with me.)   
Is

> that correct, or is there some fine manual I need to read?

Just to take this up again, possibly for the more conservative folks  
here:


I never had anything to do with Two-Factor-Authentication until now.  
But

actually, it's not so complicated as it seems to be at first glance.

After having messed with it a bit, I found out that one doesn't have  
to use a
phone to scan QR codes and such. The one-time-password used for  
GitLab 2FA is
only derived from the "secret" (or "key", as GitLab calls it) and the  
moment

in time where it should be used.

So you can e.g. store that key (it's displayed on GitLab below the QR  
code, we
don't need the other stuff) in pass's db, e.g. in  
var/invent.kde.org_2FA or

such.

With the help of a small shell script invoking pass and oathtool  
(from oath-
toolkit), you can then retrieve the one-time-password by only using  
the shell:


#!/bin/bash
secret=$(pass $1)   # Get the key from pass's  
db

secret=${secret// /}# Strip all spaces from it
valid=$((30 - 10#$(date +%S) % 30)) # Calculate the validity
otp=$(oathtool --base32 --totp $secret) # Generate the OTP
echo "$otp (valid ${valid}s)"   # Print the result

Call it e.g. with the above var/invent.kde.org_2FA as the parameter,  
and you

get (after having unlocked your PGP key of course) something like

111658 (valid 28s)

If the time the password will be valid is too short, you can simply  
call it

again after some seconds (the PGP key stays unlocked for some time).

Of course, this has no error checking or such. But this could be  
added quite
trivially. This way, we neither need some phone, nor some specialized  
device

or app to deal with that OTP stuff, but only well-known console tools.

Maybe this helps somebody ;-)

Thanks.  I might just try that.

I also found a KDE app called keysmith, but Gentoo doesn't package it,  
so I don't quite know what to think of it.  I've installed it, but not  
yet tried to use it.


Jack


Cheers, Tobias

Re: Gitlab update, 2FA now mandatory

[Tobias Leupold]

Am Montag, 24. Oktober 2022, 01:16:30 CEST schrieb Jack:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > Hi all,
> > 
> > This afternoon I updated invent.kde.org to the latest version of
> > Gitlab,
> > 15.5.
> > Release notes for this can be found at
> > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > 
> > There isn't much notable feature wise in this release, however there
> > have
> > been some bug fixes surrounding the "Rebase without Pipeline"
> > functionality that was introduced in an earlier update.
> > 
> > As part of securing Invent against recently detected suspicious
> > activity I
> > have also enabled Mandatory 2FA, which Gitlab will ask you to
> > configure
> > next time you access it. This can be done using either a Webauthn
> > token
> > (such as a Yubikey) or TOTP (using the app of choice on your phone)
> > 
> > Should you lose access to your 2FA device you can obtain a recovery
> > token
> > to log back in via SSH, see
> > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.
> > html#generate-new-recovery-codes-using-ssh for more details on this.
> > 
> > Please let us know if there are any queries on the above.
> > 
> > Thanks,
> > Ben
> 
> Sorry to be dense, but without a webauthn token device, it seems I'm at
> a total block if I don't have a phone (or don't have it with me.)  Is
> that correct, or is there some fine manual I need to read?

Just to take this up again, possibly for the more conservative folks here:

I never had anything to do with Two-Factor-Authentication until now. But 
actually, it's not so complicated as it seems to be at first glance.

After having messed with it a bit, I found out that one doesn't have to use a 
phone to scan QR codes and such. The one-time-password used for GitLab 2FA is 
only derived from the "secret" (or "key", as GitLab calls it) and the moment 
in time where it should be used.

So you can e.g. store that key (it's displayed on GitLab below the QR code, we 
don't need the other stuff) in pass's db, e.g. in var/invent.kde.org_2FA or 
such.

With the help of a small shell script invoking pass and oathtool (from oath-
toolkit), you can then retrieve the one-time-password by only using the shell:

#!/bin/bash
secret=$(pass $1)   # Get the key from pass's db
secret=${secret// /}# Strip all spaces from it
valid=$((30 - 10#$(date +%S) % 30)) # Calculate the validity
otp=$(oathtool --base32 --totp $secret) # Generate the OTP
echo "$otp (valid ${valid}s)"   # Print the result

Call it e.g. with the above var/invent.kde.org_2FA as the parameter, and you 
get (after having unlocked your PGP key of course) something like

111658 (valid 28s)

If the time the password will be valid is too short, you can simply call it 
again after some seconds (the PGP key stays unlocked for some time).

Of course, this has no error checking or such. But this could be added quite 
trivially. This way, we neither need some phone, nor some specialized device 
or app to deal with that OTP stuff, but only well-known console tools.

Maybe this helps somebody ;-)

Cheers, Tobias

> Thanks.
> 
> Jack

Re: Gitlab update, 2FA now mandatory

[Ahmad Samir]

On 25/10/22 15:06, Christoph Cullmann (cullmann.io) wrote:

On 2022-10-25 14:55, Ahmad Samir wrote:

On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:

On 2022-10-25 13:52, Ahmad Samir wrote:

On 25/10/22 13:29, Harald Sitter wrote:

On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir 
wrote:


Can a first time contributor create a fork, create multiple/100
MR's
and spin up CI jobs? if yes,
then, first time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab
instance for bitcoin mining (I
could be wrong, I vaguely remember someone from Sysadmin team
talking
about something like that)?
were these first time contributors or ones with developer accounts?


I'm sure 2fa doesn't help with that (:


I am not a cyber security expert, but isn't 2FA comparable to captcha
stuff? it's not hard, but it takes some extra time. Which forum would
a
spammer target? the one with the "create account and login
immediately"
or the one with "create account, verify captcha hell, verify email
address"?


That is true, but did we have concrete issues with spam accounts?

And if yes, a one time captcha solving is a lot lower barrier the to
need to do 2fa auth for a trivial issue
Comment or merge request.

At least for any part I work on in KDE the issue is manpower.

Any step to make it more easier to help is good.
Any step to make it harder is bad.

I see the point why we not work on GitHub,
I don't like to be dependent on some random company
that in worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce
this now even for new accounts without rights.

I must confess I would like it even more if 2fa
would only be required on doing some action that
Is problematic and not just on any issue or merge
request comment. But I assume that is not feasible.

Greetings
Christoph



FWIW, when I log in to GitHub, they email me a pin number that I have
to put in the web page, for me it's exactly the same level of
inconvenience:
- "check email, find pin, copy, paste"
- "check app on phone, type pin"


A mail is a lot easier on many devices,
at least for me.

My Kindle Fire can read my mails, but per default has zero otp stuff I
could use.

Same for my different work computers.
All can get mail, none had before any such application.

Therefore, yes, GitHub or the Steam Store work for me
Without any extra setup effort. A mail address was
Required anyways.

And no, not even per default KDE Plasma ships with
any obviously well integrated otp client.



In this thread Ivan said Plasma Pass has OTP support:
https://mail.kde.org/pipermail/kde-community/2022q4/007309.html

(I haven't tried it myself).

Regards,
Ahmad Samir



OpenPGP_signature
Description: OpenPGP digital signature

Re: Gitlab update, 2FA now mandatory

[Ben Cooksley]

On Wed, Oct 26, 2022 at 1:32 AM Christoph Cullmann (cullmann.io) <
christ...@cullmann.io> wrote:

> On 2022-10-25 13:52, Ahmad Samir wrote:
> > On 25/10/22 13:29, Harald Sitter wrote:
> >> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir 
> >> wrote:
> >>>
> >>> Can a first time contributor create a fork, create multiple/100 MR's
> >>> and spin up CI jobs? if yes,
> >>> then, first time contributors can disrupt the system.
> >>>
> >>> Weren't there some suspicious accounts that were using our gitlab
> >>> instance for bitcoin mining (I
> >>> could be wrong, I vaguely remember someone from Sysadmin team talking
> >>> about something like that)?
> >>> were these first time contributors or ones with developer accounts?
> >>
> >> I'm sure 2fa doesn't help with that (:
> >
> > I am not a cyber security expert, but isn't 2FA comparable to captcha
> > stuff? it's not hard, but it takes some extra time. Which forum would a
> > spammer target? the one with the "create account and login immediately"
> > or the one with "create account, verify captcha hell, verify email
> > address"?
>
> That is true, but did we have concrete issues with spam accounts?
>

2FA and CAPTCHA's try to solve two totally different problems.
Please do not try to conflate them with each other.

CAPTCHA's are designed to prevent bots (and more recently other suspicious
actors) from taking specific actions, such as registering accounts.
Often CAPTCHA's are intended to block spammers.

2FA is designed to verify that a user is who they say they are - through
confirming they are in possession of something (whether that be a TOTP
Secret, or a Webauthn hardware token).
It is intended to defeat phishing, where legitimate and innocent user
accounts are compromised and abused by bad actors.


>
> And if yes, a one time captcha solving is a lot lower barrier the to
> need to do 2fa auth for a trivial issue
> Comment or merge request.
>
> At least for any part I work on in KDE the issue is manpower.
>
> Any step to make it more easier to help is good.
> Any step to make it harder is bad.
>
> I see the point why we not work on GitHub,
> I don't like to be dependent on some random company
> that in worst case can randomly pull the plug.
>
> But I somehow don't understand why we need to enforce
> this now even for new accounts without rights.
>
> I must confess I would like it even more if 2fa
> would only be required on doing some action that
> Is problematic and not just on any issue or merge
> request comment. But I assume that is not feasible.
>

You are correct.

2FA forms part of the process of authentication - that is confirming the
user is who they say they are.
It therefore can only be applied at the time of login.


>
> Greetings
> Christoph
>
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org


Regards,
Ben

Re: Gitlab update, 2FA now mandatory

[Ben Cooksley]

On Wed, Oct 26, 2022 at 12:22 AM Ahmad Samir  wrote:

> On 25/10/22 12:11, Carl Schwan wrote:
> > Le dimanche 23 octobre 2022 à 5:55 PM, Christoph Cullmann (cullmann.io)
>  a écrit :
> >
> >
> >> On 2022-10-23 08:32, Ben Cooksley wrote:
> >>
> >>> Hi all,
> >>>
> >>> This afternoon I updated invent.kde.org [1] to the latest version of
> >>> Gitlab, 15.5.
> >>> Release notes for this can be found at
> >>> https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >>>
> >>> There isn't much notable feature wise in this release, however there
> >>> have been some bug fixes surrounding the "Rebase without Pipeline"
> >>> functionality that was introduced in an earlier update.
> >>>
> >>> As part of securing Invent against recently detected suspicious
> >>> activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> >>> to configure next time you access it. This can be done using either a
> >>> Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> >>> your phone)
> >>>
> >>> Should you lose access to your 2FA device you can obtain a recovery
> >>> token to log back in via SSH, see
> >>>
> https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> >>> for more details on this.
> >>>
> >>> Please let us know if there are any queries on the above.
> >>
> >>
> >> Hi,
> >>
> >> whereas I can see the security benefit, this raises the hurdle for one
> >> time
> >> contributors again a lot.
> >>
> >> Before you already had to register to get your merge request,
> >> now you need to setup this too (or at least soon it is mandatory).
> >>
> >> I am not sure this is such a good thing.
> >>
> >> I see a point that one wants to avoid that e.g. somebody steals my
> >> account
> >> that has enough rights to delete all branches in the Kate repository via
> >> the
> >> web frontend.
> >>
> >> Could the 2FA stuff perhaps be limited to people with developer role or
> >> such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just
> > started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features:
> >
> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come
> great
> > responsibilities.
> >
> > Cheers,
> > Carl
> >
>
> Can a first time contributor create a fork, create multiple/100 MR's and
> spin up CI jobs? if yes,
> then, first time contributors can disrupt the system.
>

They certainly can, although it hasn't been an abuse pattern we have had to
deal with so far.


>
> Weren't there some suspicious accounts that were using our gitlab instance
> for bitcoin mining (I
> could be wrong, I vaguely remember someone from Sysadmin team talking
> about something like that)?
> were these first time contributors or ones with developer accounts?
>

Bitcoin mining no. Trying to use a Docker container on our CI nodes as
their own personal server by utilising a reverse shell, then abusing that
access to compile their own Android image, yes.
All aided by GitHub distributing the Docker image on their container
registry and ignoring our abuse reports.



>
>
> --
> Ahmad Samir
>

Regards,
Ben