Re: Gitlab update, 2FA now mandatory

2023-02-05 Thread Kevin Kofler
Kevin Kofler wrote:
> What am I expected to use with my PinePhone? Does
> https://apps.kde.org/keysmith/ work?

To answer my own question: Yes, Keysmith works, both on the desktop (and 
notebook) and on the PinePhone. It is also easily possible to synchronize 
the keyring between different devices using Keysmith just by copying 
~/.config/org.kde.keysmith/Keysmith.conf to the other device over SFTP. Then 
any of the devices can be used to generate the TOTP. (They will generate the 
exact same one-time passwords; I can see this by running both instances in 
parallel.)

GNOME Secrets (formerly known as Password Safe) also works on the PinePhone 
(which is useful because that app can also store the permanent password, and 
is mobile-friendly unlike KWalletManager, though I presume it will also work 
fine on desktops/notebooks). If I enter the same secret there, it also 
generates the exact same one-time passwords.

Kevin Kofler


Re: Gitlab update, 2FA now mandatory

2022-10-24 Thread Kevin Kofler
Ingo Klöcker wrote:
> You are the only person in this thread (on kde-core-devel) who has voiced
> their disagreement with using 2FA and who demands its immediate
> deactivation. Why do you think a single person (you) who isn't tasked with
> keeping our infrastructure and the data stored thereon secure should be
> able to decide this?

To be honest, I am genuinely surprised that there are not more complaints 
about that. I would have expected lots more. (On kde-community, there are a 
few posts by Christoph Cullmann worrying about the impact on new 
contributors, but even he does not seem to be opposed to 2FA for KDE 
developers. Other than that, I do not see any kind of criticism either.)

Unfortunately, it seems that people have learned to put up with pretty much 
any annoyance in the name of "security". (I blame airport "security".)

> I for one applaud the requirement to use 2FA on invent. I would love to
> see this on more websites.

That just confirms that this is NOT actually an "industry standard best 
practice" as Ben Cooksley is claiming, but a completely non-standard PITA 
that only a handful of websites dare imposing on their users. (Invent is the 
ONLY website that I use that requires this. Note that I do not use online 
banking, and the ever-increasing security theater banks are imposing is the 
main reason why. There is a reason mandatory 2FA has not caught on outside 
of the banking sector.)

A lot of websites allow users to opt into 2FA (letting the security nerds 
have their toy to play around with without bothering the rest of the world), 
but forcing it down our throat is a wholly different matter.

> And, for what it's worth, since invent keeps personal information and
> since the GDPR requires using state-of-the-art technology to protect
> personal information, using 2FA is, in my opinion (but I'm not a lawyer),
> a must for any website that stores personal information.

See above, almost nobody else does this, so that interpretation of the GDPR 
is pure nonsense.

Kevin Kofler


Re: Gitlab update, 2FA now mandatory

2022-10-24 Thread Ben Cooksley
On Mon, Oct 24, 2022 at 11:56 PM Raghavendra Kamath wrote:

> On Sunday, 23 October, 2022 12:02:23 PM IST Ben Cooksley wrote:
> > I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> > next time you access it.
>
> Is the 2FA on the KDE Identity website the same as this? KDE Identity shows
> a grid-based system where you combine the grid and your password for 2FA.
>
> I have also already enabled 2FA for KDE identity with totp, does this
> supersede it?
>

Gitlab will be replacing KDE Identity for authentication, so this 2FA setup
supersedes that, yes.

Cheers,
Ben




Re: Gitlab update, 2FA now mandatory

2022-10-24 Thread Raghavendra Kamath
On Sunday, 23 October, 2022 12:02:23 PM IST Ben Cooksley wrote:
> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> next time you access it.

Is the 2FA on the KDE Identity website the same as this? KDE Identity shows a 
grid-based system where you combine the grid and your password for 2FA. 

I have also already enabled 2FA for KDE identity with totp, does this 
supersede it?


-- 
Raghavendra Kamath
emblik.studio




Re: Gitlab update, 2FA now mandatory

2022-10-24 Thread Ingo Klöcker
On Monday, 24 October 2022 01:37:23 CEST Kevin Kofler wrote:
> In short, the 2FA requirement is unacceptable and needs to be disabled
> immediately.

You are the only person in this thread (on kde-core-devel) who has voiced 
their disagreement with using 2FA and who demands its immediate deactivation. 
Why do you think a single person (you) who isn't tasked with keeping our 
infrastructure and the data stored thereon secure should be able to decide 
this?

I for one applaud the requirement to use 2FA on invent. I would love to see 
this on more websites.

And, for what it's worth, since invent keeps personal information and since 
the GDPR requires using state-of-the-art technology to protect personal 
information, using 2FA is, in my opinion (but I'm not a lawyer), a must for 
any website that stores personal information.

Regards,
Ingo



Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread Ben Cooksley
On Mon, Oct 24, 2022 at 12:37 PM Kevin Kofler wrote:

> Ben Cooksley wrote:
> > On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:
> >> IMHO, this is both an absolutely unacceptable barrier to entry and a
> >> constant annoyance each time one has to log in.
> >
> > You shouldn't have any issues with remaining logged in as long as your
> > browser remains open.
>
> I wrote "each time one has to log in", not "remaining logged in".
>
> I sure hope that I just have to jump through the 2FA hoops only once per
> login and not several times. But that is still one time too many.
>
> And "as long as your browser remains open" is at most one day. I turn the
> computer off while I sleep. So if this change forces me to log in each time
> I restart the browser, and hence at least each time I restart the computer
> (which is currently *not* the case, I can remain logged in for days
> throughout hundreds of browser sessions), that would mean going through the
> 2FA procedure at least every day.
>

The 2FA prompt (for normal users) is only applied on login, yes.
Note that I can't examine your experience exactly, as admins get prompted to
reauthenticate more frequently, especially when undertaking sensitive
actions.

See https://gitlab.com/gitlab-org/gitlab/-/issues/16656 for more
surrounding 2FA on each login.

With respect to logins being remembered, I have just performed a test using
a vanilla version of Firefox as shipped by OpenSUSE.
Logging into invent.kde.org (with the "Remember me" box ticked), completing
2FA authentication, performing a few actions and then closing the browser
followed by reopening it a few moments later led to the result I expected -
that I was still logged into Gitlab.


> > I did not supply a list of applications that people should be using as
> > there is a diverse range of devices and appstore ecosystems in use by
> > different people, and I don't have access to hardware such as a PinePhone
> > to validate any of that.
>
> So you are single-handedly forcing a new requirement on everyone, but are
> not willing to help us in any way with it, even just by telling us how to
> fulfill it. That is very unhelpful.
>

I could have provided links to a few applications.
They wouldn't have suited everyone though, so I opted not to do so on the
basis that there are dozens of apps that support handling TOTP.


>
> And you conveniently evaded my main questions:
> * why such a change can be decided by one person suddenly on a Sunday
> morning, with no warning (well, the software "gracefully" gives us 2 days to
> comply… only two days!), let alone (transparent) discussion.
>

As mentioned in my initial email - securing us against suspicious activity
that has been detected.
This is also why there was no discussion in advance.

One of the responsibilities that Sysadmin is charged with is ensuring our
data is protected and kept safe.
That is exactly what I am doing - using industry standard best practices.


> * what the point of two-factor is at all considering that you have no way to
> prevent the developer from storing the password and the OTP generator on the
> same device.
>

** Caution - a strawman argument has been detected **

The point of 2FA is to prevent stolen credentials from being misused by an
attacker.
If your device is compromised, 2FA isn't going to stop anything because
they can just wait (or otherwise prompt) for you to login to the site and
steal your session to do whatever it is they want to do.


>
> In short, the 2FA requirement is unacceptable and needs to be disabled
> immediately.
>

On that we disagree fundamentally.

Regards,
Ben


>
> Kevin Kofler
>
> PS/OT:
>
> > For most people the set of addresses they will be logging in from won't
> > change much (given that the vast majority of people use always-on internet
> > connections now, which means IP addresses - even if theoretically dynamic
> > - are in practice fairly static).
>
> "fairly static" does not mean it never changes, as in my case. But we need
> not discuss this tangent any further. The mandatory 2FA nonsense is the real
> issue, let us please focus on that.
>


Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread argonel
On Sun, Oct 23, 2022 at 7:37 PM Kevin Kofler wrote:

> * what the point of two-factor is at all considering that you have no way to
> prevent the developer from storing the password and the OTP generator on the
> same device.

The point is to add an authentication factor that isn't of any value
if it is accidentally shared, phished, or intercepted. The window of
opportunity for the reuse of a TOTP code is typically only 30 seconds,
and it's rather time intensive to derive the secret key from previous
codes for the account. You only need to see the secret key during
initial setup, so future logins aren't vulnerable to shoulder surfing.
Reuse of the secret key is unlikely, because services typically only
use the ones they generate.

Having more than one device able to authenticate is mostly a matter of
convenience, especially in the event of a hardware failure. Someone
having access to your single device sufficient to capture the password
and the secret key for the account is - hopefully - unlikely.
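
As an added illustration (not code from the thread, from Keysmith, or from GitLab) of why two devices holding the same ~/.config/org.kde.keysmith/Keysmith.conf print identical codes, and why a captured code stops verifying after the 30-second window described above: a minimal RFC 6238 TOTP generator and verifier. The Base32 secret and the timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Added illustration of RFC 6238 TOTP (RFC 4226 HOTP keyed by the time step).
# The Base32 secret and the timestamps below are constructed sample values.

STEP_SECONDS = 30   # the validity window for one code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps store the shared secret Base32-encoded (otpauth:// style)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server side: accept the code for the current step or `window` steps either side.
    A production verifier must additionally remember and reject codes already used."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * STEP_SECONDS), submitted)
        for drift in range(-window, window + 1)
    )


def demo() -> dict:
    """Two 'devices' holding the same secret agree; an old captured code no longer verifies."""
    secret = decode_base32_secret("JBSWY3DPEHPK3PXP")  # constructed sample secret
    now = 1_700_000_000
    desktop = totp(secret, now)
    pinephone = totp(secret, now + 3)  # clock a few seconds off, still the same 30-second step
    stale = totp(secret, now - 300)    # code minted ten steps earlier
    return {
        "same_code": desktop == pinephone,
        "current_accepted": verify_totp(secret, desktop, now),
        "stale_rejected": not verify_totp(secret, stale, now),
    }


if __name__ == "__main__":
    print(demo())
```

The HOTP and TOTP functions reproduce the RFC 4226 / RFC 6238 reference vectors for the ASCII secret "12345678901234567890", so the output can be checked against any other authenticator app given the same secret.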


Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread Kevin Kofler
Ben Cooksley wrote:
> On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:
>> IMHO, this is both an absolutely unacceptable barrier to entry and a
>> constant annoyance each time one has to log in.
> 
> You shouldn't have any issues with remaining logged in as long as your
> browser remains open.

I wrote "each time one has to log in", not "remaining logged in".

I sure hope that I just have to jump through the 2FA hoops only once per log 
in and not several times. But that is still one time too many.

And "as long as your browser remains open" is at most one day. I turn the 
computer off while I sleep. So if this change forces me to log in each time 
I restart the browser, and hence at least each time I restart the computer 
(which is currently *not* the case, I can remain logged in for days 
throughout hundreds of browser sessions), that would mean going through the 
2FA procedure at least every day.

> I did not supply a list of applications that people should be using as
> there is a diverse range of devices and appstore ecosystems in use by
> different people, and I don't have access to hardware such as a PinePhone
> to validate any of that.

So you are single-handedly forcing a new requirement on everyone, but are 
not willing to help us in any way with it, even just by telling us how to 
fulfill it. That is very unhelpful.

And you conveniently evaded my main questions:
* why such a change can be decided by one person suddenly on a Sunday 
morning, with no warning (well, the software "gracefully" gives us 2 days to 
comply… only two days!), let alone (transparent) discussion.
* what the point of two-factor is at all considering that you have no way to 
prevent the developer from storing the password and the OTP generator on the 
same device.

In short, the 2FA requirement is unacceptable and needs to be disabled 
immediately.

Kevin Kofler

PS/OT:

> For most people the set of addresses they will be logging in from won't
> change much (given that the vast majority of people use always-on internet
> connections now, which means IP addresses - even if theoretically dynamic
> - are in practice fairly static).

"fairly static" does not mean it never changes, as in my case. But we need 
not discuss this tangent any further. The mandatory 2FA nonsense is the real 
issue, let us please focus on that.


Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread Ben Cooksley
On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler wrote:

> Hi,
>

Hi Kevin,


>
> Ben Cooksley wrote:
> > As part of securing Invent against recently detected suspicious activity
>
> What kind of suspicious activity would that be? Yesterday, Invent even
> considered it "suspicious" enough to send a warning e-mail that my semi-
> static IP address (TV-cable broadband ISP) has changed after several months.
> Dynamic IP addresses are not exactly unusual.
>

It was likely just flagging that you were logging in from a different IP
address to your usual address.
For most people the set of addresses they will be logging in from won't
change much (given that the vast majority of people use always-on internet
connections now, which means IP addresses - even if theoretically dynamic -
are in practice fairly static).

The suspicious activity is not related to static/dynamic IP addresses, and
as it is an ongoing matter I'd prefer not to comment until it is
satisfactorily resolved.


>
> > I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> > next time you access it.
>
> IMHO, this is both an absolutely unacceptable barrier to entry and a
> constant annoyance each time one has to log in.
>

You shouldn't have any issues with remaining logged in as long as your
browser remains open.

If this is not the behaviour you are seeing then please check the browser
addons/extensions you are using, as these can often break functionality in
unexpected ways.
This is especially the case when they claim to offer benefits relating to
privacy or security (the EFF's HTTPS Everywhere extension several years back
broke links for some KDE sites by completely changing the subdomain).


>
> > This can be done using either a Webauthn token (such as a Yubikey) or TOTP
> > (using the app of choice on your phone)
>
> What am I expected to use with my PinePhone? Does
> https://apps.kde.org/keysmith/ work?
>

Please see the other responses to this thread.

I did not supply a list of applications that people should be using as
there is a diverse range of devices and appstore ecosystems in use by
different people, and I don't have access to hardware such as a PinePhone
to validate any of that.


>
> And how do you intend to prevent users from running the TOTP app on the same
> device as the web browser (both on the smartphone or even both on the
> desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be
> emulated in software.) Two-factor is a farce.


> Kevin Kofler
>

Regards,
Ben


Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread Kevin Kofler
PS:

Kevin Kofler wrote:
> Ben Cooksley wrote:
>> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
>> next time you access it.
> 
> IMHO, this is both an absolutely unacceptable barrier to entry and a
> constant annoyance each time one has to log in.

Why is such a major policy change that affects all KDE developers taken 
overnight by a single person, with no discussion or vote of any kind?

Kevin Kofler


Re: Gitlab update, 2FA now mandatory

2022-10-23 Thread Kevin Kofler
Hi,

Ben Cooksley wrote:
> As part of securing Invent against recently detected suspicious activity 

What kind of suspicious activity would that be? Yesterday, Invent even 
considered it "suspicious" enough to send a warning e-mail that my semi-
static IP address (TV-cable broadband ISP) has changed after several months. 
Dynamic IP addresses are not exactly unusual.

> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> next time you access it.

IMHO, this is both an absolutely unacceptable barrier to entry and a 
constant annoyance each time one has to log in.

> This can be done using either a Webauthn token (such as a Yubikey) or TOTP 
> (using the app of choice on your phone)

What am I expected to use with my PinePhone? Does 
https://apps.kde.org/keysmith/ work?

And how do you intend to prevent users from running the TOTP app on the same 
device as the web browser (both on the smartphone or even both on the 
desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be 
emulated in software.) Two-factor is a farce.

Kevin Kofler


Gitlab update, 2FA now mandatory

2022-10-23 Thread Ben Cooksley
Hi all,

This afternoon I updated invent.kde.org to the latest version of Gitlab,
15.5.
Release notes for this can be found at
https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/

There isn't much notable feature wise in this release, however there have
been some bug fixes surrounding the "Rebase without Pipeline"
functionality that was introduced in an earlier update.

As part of securing Invent against recently detected suspicious activity I
have also enabled Mandatory 2FA, which Gitlab will ask you to configure
next time you access it. This can be done using either a Webauthn token
(such as a Yubikey) or TOTP (using the app of choice on your phone).

Should you lose access to your 2FA device you can obtain a recovery token
to log back in via SSH, see
https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
for more details on this.

Please let us know if there are any queries on the above.

Thanks,
Ben