Re: Gitlab update, 2FA now mandatory
On Mon, Oct 24, 2022 at 12:37 PM Kevin Kofler wrote:
> Ben Cooksley wrote:
> > On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:
> >> IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.
> >
> > You shouldn't have any issues with remaining logged in as long as your browser remains open.
>
> I wrote "each time one has to log in", not "remaining logged in".
>
> I sure hope that I just have to jump through the 2FA hoops only once per log in and not several times. But that is still one time too many.
>
> And "as long as your browser remains open" is at most one day. I turn the computer off while I sleep. So if this change forces me to log in each time I restart the browser, and hence at least each time I restart the computer (which is currently *not* the case, I can remain logged in for days throughout hundreds of browser sessions), that would mean going through the 2FA procedure at least every day.

The 2FA prompt (for normal users) is only applied on login, yes. Note that I can't examine your experience exactly as admins get prompted to reauthenticate more frequently, especially when undertaking sensitive actions. See https://gitlab.com/gitlab-org/gitlab/-/issues/16656 for more surrounding 2FA on each login.

With respect to logins being remembered, I have just performed a test using a vanilla version of Firefox as shipped by OpenSUSE. Logging into invent.kde.org (with the "Remember me" box ticked), completing 2FA authentication, performing a few actions and then closing the browser followed by reopening it a few moments later led to the result I expected - that I was still logged into Gitlab.

> > I did not supply a list of applications that people should be using as there is a diverse range of devices and appstore ecosystems in use by different people, and I don't have access to hardware such as a PinePhone to validate any of that.
>
> So you are single-handedly forcing a new requirement on everyone, but are not willing to help us in any way with it, even just by telling us how to fulfill it. That is very unhelpful.

I could have provided links to a few applications. They wouldn't have suited everyone though, so I opted not to do so on the basis that there are dozens of apps that support handling TOTP.

> And you conveniently evaded my main questions:
> * why such a change can be decided by one person suddenly on a Sunday morning, with no warning (well, the software "gracefully" gives us 2 days to comply… only two days!), let alone (transparent) discussion.

As mentioned in my initial email - securing us against suspicious activity that has been detected. This is also why there was no discussion in advance.

One of the responsibilities that Sysadmin is charged with is ensuring our data is protected and kept safe. That is exactly what I am doing - using industry standard best practices.

> * what the point of two-factor is at all considering that you have no way to prevent the developer from storing the password and the OTP generator on the same device.

** Caution - a strawman argument has been detected **

The point of 2FA is to prevent stolen credentials from being misused by an attacker.

If your device is compromised, 2FA isn't going to stop anything because they can just wait (or otherwise prompt) for you to login to the site and steal your session to do whatever it is they want to do.

> In short, the 2FA requirement is unacceptable and needs to be disabled immediately.

On that we disagree fundamentally.

Regards,
Ben

> Kevin Kofler
>
> PS/OT:
>
> > For most people the set of addresses they will be logging in from won't change much (given that the vast majority of people use always-on internet connections now, which means IP addresses - even if theoretically dynamic - are in practice fairly static).
>
> "fairly static" does not mean it never changes, as in my case. But we need not discuss this tangent any further. The mandatory 2FA nonsense is the real issue, let us please focus on that.
Re: Gitlab update, 2FA now mandatory
On Sun, Oct 23, 2022 at 7:37 PM Kevin Kofler wrote:
> * what the point of two-factor is at all considering that you have no way to prevent the developer from storing the password and the OTP generator on the same device.

The point is to add an authentication factor that isn't of any value if it is accidentally shared, phished, or intercepted. The window of opportunity for the reuse of a TOTP code is typically only 30 seconds, and it's rather time intensive to derive the secret key from previous codes for the account.

You only need to see the secret key during initial setup, so future logins aren't vulnerable to shoulder surfing. Reuse of the secret key is unlikely, because services typically only use the ones they generate.

Having more than one device able to authenticate is mostly a matter of convenience, especially in the event of a hardware failure. Someone having access to your single device sufficient to capture the password and the secret key for the account is - hopefully - unlikely.
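The message above describes how a TOTP code relates to the enrolment secret and why a code is only useful for about 30 seconds. The following is an added example for this thread, not code from KDE sysadmin, GitLab, or any participant: it implements RFC 4226 HOTP and RFC 6238 TOTP as authenticator apps do, plus a server-side verifier that tolerates one step of clock skew and refuses to accept a code twice, so a code glimpsed over a shoulder cannot be replayed even inside its own window. The secret is the RFC 6238 test-vector secret; the time values, the `replay_scenario` sequence and the verifier's in-memory state are constructed for the example (a real service persists the last accepted step per user; whether GitLab does exactly this is not something this thread states).

```python
"""RFC 6238 TOTP with a replay-resistant verifier. Added illustration for the
2FA discussion; not KDE sysadmin or GitLab code. RFC_SECRET_B32 is the RFC
6238 test secret ("12345678901234567890" in base32); the timestamps and the
verifier state below are constructed for the example."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by essentially every TOTP deployment
DIGITS = 6          # code length the authenticator app displays

# RFC 6238 Appendix B test secret; a real service generates one at enrolment
# and shows it once (usually as a QR code).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The code
    therefore changes every `step` seconds; that is the 30-second window."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step)


class TotpVerifier:
    """Server-side check. Accepts the code for the current step and one step
    either side (small clock skew), and never accepts a step at or before the
    last one it accepted, so an observed code cannot be replayed even inside
    its own 30-second window. State is in memory here; a real service would
    persist `last_accepted_step` per user."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret_b32 = secret_b32
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # that step's code was already consumed, or is older
            expected = totp(self.secret_b32, step * STEP_SECONDS)
            # constant-time comparison so timing doesn't leak matching digits
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


def replay_scenario() -> list:
    """Constructed sequence: legitimate login, replay of the same code a few
    seconds later, then a fresh code. Returns the accept/reject outcomes."""
    v = TotpVerifier(RFC_SECRET_B32)
    first = totp(RFC_SECRET_B32, 59)  # step 1 of the RFC test vectors
    return [
        v.verify(first, 59),                     # fresh code: accepted
        v.verify(first, 70),                     # same code 11 s later: rejected
        v.verify(totp(RFC_SECRET_B32, 70), 70),  # next step's code: accepted
    ]


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET_B32, now))
    print("replay scenario (accept, reject, accept):", replay_scenario())
```

Two things the code makes concrete. First, the verifier only ever sees HMAC outputs truncated to six digits, so a stream of past codes does not hand an attacker the base32 secret; that is why the code is safe to type in public while the secret, shown once at enrolment, is not. Second, the skew window means a server one step behind a phone still accepts the phone's code, while `last_accepted_step` ensures the same code cannot be used twice in that window.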
Re: Gitlab update, 2FA now mandatory
Ben Cooksley wrote:
> On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:
>> IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.
>
> You shouldn't have any issues with remaining logged in as long as your browser remains open.

I wrote "each time one has to log in", not "remaining logged in".

I sure hope that I just have to jump through the 2FA hoops only once per log in and not several times. But that is still one time too many.

And "as long as your browser remains open" is at most one day. I turn the computer off while I sleep. So if this change forces me to log in each time I restart the browser, and hence at least each time I restart the computer (which is currently *not* the case, I can remain logged in for days throughout hundreds of browser sessions), that would mean going through the 2FA procedure at least every day.

> I did not supply a list of applications that people should be using as there is a diverse range of devices and appstore ecosystems in use by different people, and I don't have access to hardware such as a PinePhone to validate any of that.

So you are single-handedly forcing a new requirement on everyone, but are not willing to help us in any way with it, even just by telling us how to fulfill it. That is very unhelpful.

And you conveniently evaded my main questions:
* why such a change can be decided by one person suddenly on a Sunday morning, with no warning (well, the software "gracefully" gives us 2 days to comply… only two days!), let alone (transparent) discussion.
* what the point of two-factor is at all considering that you have no way to prevent the developer from storing the password and the OTP generator on the same device.

In short, the 2FA requirement is unacceptable and needs to be disabled immediately.

Kevin Kofler

PS/OT:

> For most people the set of addresses they will be logging in from won't change much (given that the vast majority of people use always-on internet connections now, which means IP addresses - even if theoretically dynamic - are in practice fairly static).

"fairly static" does not mean it never changes, as in my case. But we need not discuss this tangent any further. The mandatory 2FA nonsense is the real issue, let us please focus on that.
Re: Gitlab update, 2FA now mandatory
On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:
> Hi,

Hi Kevin,

> Ben Cooksley wrote:
> > As part of securing Invent against recently detected suspicious activity
>
> What kind of suspicious activity would that be? Yesterday, Invent even considered it "suspicious" enough to send a warning e-mail that my semi-static IP address (TV-cable broadband ISP) has changed after several months. Dynamic IP addresses are not exactly unusual.

It was likely just flagging that you were logging in from a different IP address to your usual address. For most people the set of addresses they will be logging in from won't change much (given that the vast majority of people use always-on internet connections now, which means IP addresses - even if theoretically dynamic - are in practice fairly static).

The suspicious activity is not related to static/dynamic IP addresses, and as it is an ongoing matter I'd prefer not to comment until it is satisfactorily resolved.

> > I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it.
>
> IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.

You shouldn't have any issues with remaining logged in as long as your browser remains open. If this is not the behaviour you are seeing then please check the browser addons/extensions you are using as these can often break functionality in unexpected ways. This is especially the case when they claim to offer benefits relating to privacy or security (the EFF's HTTPS Everywhere extension several years back broke links for some KDE sites by completely changing the subdomain).

> > This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
>
> What am I expected to use with my PinePhone? Does https://apps.kde.org/keysmith/ work?

Please see the other responses to this thread.

I did not supply a list of applications that people should be using as there is a diverse range of devices and appstore ecosystems in use by different people, and I don't have access to hardware such as a PinePhone to validate any of that.

> And how do you intend to prevent users from running the TOTP app on the same device as the web browser (both on the smartphone or even both on the desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be emulated in software.) Two-factor is a farce.
>
> Kevin Kofler

Regards,
Ben
kde-inotify-survey in kdereview
https://invent.kde.org/system/kde-inotify-survey

Simple kded that watches inotify resources and informs the user when limits are getting hit (along with a way to bump them slightly).

Thanks for your time!
HS
Re: Gitlab update, 2FA now mandatory
PS:

Kevin Kofler wrote:
> Ben Cooksley wrote:
>> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it.
>
> IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.

Why is such a major policy change that affects all KDE developers taken overnight by a single person, with no discussion or vote of any kind?

Kevin Kofler
Re: Gitlab update, 2FA now mandatory
Hi,

Ben Cooksley wrote:
> As part of securing Invent against recently detected suspicious activity

What kind of suspicious activity would that be? Yesterday, Invent even considered it "suspicious" enough to send a warning e-mail that my semi-static IP address (TV-cable broadband ISP) has changed after several months. Dynamic IP addresses are not exactly unusual.

> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it.

IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.

> This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)

What am I expected to use with my PinePhone? Does https://apps.kde.org/keysmith/ work?

And how do you intend to prevent users from running the TOTP app on the same device as the web browser (both on the smartphone or even both on the desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be emulated in software.) Two-factor is a farce.

Kevin Kofler
Re: KJournald in KDE-Review
Hi,

just a short update: Thank you for the comments! Nearly all of them are already fixed. For a very few I created invent.k.o issues instead, because they are mostly a maintainability concern and make sense to fix together with planned features (e.g. removal of fixed colors when refactoring integration with the desktop color scheme). If you have more comments please raise them.

In case nobody finds a blocker, I will ask sysadmins at the end of the week to move kjournald to the "system" module.

Cheers,
Andreas
Gitlab update, 2FA now mandatory
Hi all,

This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5. Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/

There isn't much notable feature-wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.

As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).

Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.

Please let us know if there are any queries on the above.

Thanks,
Ben