Gitlab update, 2FA now mandatory
Jack
ostroffjh at users.sourceforge.net
Wed Oct 26 21:40:36 BST 2022
On 2022.10.26 16:33, Tobias Leupold wrote:
> On Monday, 24 October 2022, 01:16:30 CEST, Jack wrote:
> > On 2022.10.23 02:32, Ben Cooksley wrote:
> > > Hi all,
> > >
> > > This afternoon I updated invent.kde.org to the latest version of
> > > Gitlab, 15.5.
> > > Release notes for this can be found at
> > > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > >
> > > There isn't much notable feature-wise in this release, however there
> > > have been some bug fixes surrounding the "Rebase without Pipeline"
> > > functionality that was introduced in an earlier update.
> > >
> > > As part of securing Invent against recently detected suspicious
> > > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > > to configure next time you access it. This can be done using either a
> > > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > > your phone).
> > >
> > > Should you lose access to your 2FA device you can obtain a recovery
> > > token to log back in via SSH, see
> > > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > > for more details on this.
> > >
> > > Please let us know if there are any queries on the above.
> > >
> > > Thanks,
> > > Ben
> >
> > Sorry to be dense, but without a webauthn token device, it seems I'm at
> > a total block if I don't have a phone (or don't have it with me). Is
> > that correct, or is there some fine manual I need to read?
>
> Just to take this up again, possibly for the more conservative folks
> here:
>
> I never had anything to do with two-factor authentication until now.
> But actually, it's not as complicated as it seems to be at first glance.
>
> After having messed with it a bit, I found out that one doesn't have
> to use a phone to scan QR codes and such. The one-time password used
> for GitLab 2FA is only derived from the "secret" (or "key", as GitLab
> calls it) and the moment in time at which it should be used.
>
> So you can e.g. store that key (it's displayed on GitLab below the QR
> code, we don't need the other stuff) in pass's db, e.g. in
> var/invent.kde.org_2FA or such.
>
> With the help of a small shell script invoking pass and oathtool
> (from oath-toolkit), you can then retrieve the one-time password by
> only using the shell:
>
> #!/bin/bash
> secret=$(pass "$1")                        # Get the key from pass's db
> secret=${secret// /}                       # Strip all spaces from it
> valid=$((30 - 10#$(date +%S) % 30))        # Calculate the validity
> otp=$(oathtool --base32 --totp "$secret")  # Generate the OTP
> echo "$otp (valid ${valid}s)"              # Print the result
>
> Call it e.g. with the above var/invent.kde.org_2FA as the parameter,
> and you get (after having unlocked your PGP key of course) something
> like
>
> 111658 (valid 28s)
>
> If the time the password will be valid is too short, you can simply
> call it again after some seconds (the PGP key stays unlocked for some
> time).
>
> Of course, this has no error checking or such. But this could be
> added quite trivially. This way, we neither need some phone, nor some
> specialized device or app to deal with that OTP stuff, but only
> well-known console tools.
>
> Maybe this helps somebody ;-)
Thanks. I might just try that.
I also found a KDE app called keysmith, but Gentoo doesn't package it,
so I don't quite know what to think of it. I've installed it, but not
yet tried to use it.
Jack
>
> Cheers, Tobias
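The derivation Tobias describes above (the code is a function of nothing but the shared key and the current 30-second time step), as an added example that is not code from this thread, from oathtool or from GitLab: a from-scratch implementation of RFC 4226 HOTP and RFC 6238 TOTP using only the Python standard library, so the "secret + time" computation is visible rather than hidden behind `oathtool --base32 --totp`. The function names are my own; the base32 key and timestamps used for checking are the published RFC 6238 reference vectors (constructed check input, not a real GitLab key).

```python
"""Stand-alone TOTP (RFC 6238) over HOTP (RFC 4226), standard library only.

Added example: replaces the thread's `pass` + `oathtool` pipeline with an
explicit computation of the same code, so the derivation is visible.
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 key as GitLab displays it: grouped with spaces, any
    case, '=' padding possibly omitted. This is the same normalisation the
    shell script does with `${secret// /}` plus oathtool's --base32."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode insists on padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, counter as 8-byte big-endian), dynamic truncation
    to 31 bits, then reduce to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    SHA-1, 30 s and 6 digits are the defaults GitLab's QR code encodes."""
    if now is None:
        now = int(time.time())
    return hotp(decode_base32_secret(secret_b32), now // step, digits, algo)


def seconds_remaining(now: int = None, step: int = 30) -> int:
    """How long the code for the current step stays valid. Equivalent to the
    script's `30 - SS % 30` on wall-clock seconds, since 60 is a multiple
    of 30 (ignoring leap seconds)."""
    if now is None:
        now = int(time.time())
    return step - now % step


# Constructed check input: the RFC 6238 reference secret "12345678901234567890"
# in base32, written in groups of four the way GitLab displays a key.
RFC6238_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits) must reproduce exactly.
    for t, expected in ((59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924")):
        got = totp(RFC6238_SECRET_B32, now=t, digits=8)
        assert got == expected, (t, got, expected)
    # Same output shape as the shell script: "<code> (valid <n>s)".
    now = int(time.time())
    print(f"{totp(RFC6238_SECRET_B32, now)} (valid {seconds_remaining(now)}s)")
```

Two things worth keeping in mind when using this instead of a phone app. First, the device generating the code only needs a correct clock; GitLab (like every RFC 6238 verifier) accepts a small window of adjacent steps, so a few seconds of drift is harmless but a clock off by minutes will produce codes that never match. Second, the base32 key is itself a long-lived credential: whoever has it can mint codes forever, so storing it next to the GitLab password in the same pass store means a single compromise of that store yields both factors. That is a reasonable trade-off for a developer workstation, but it is the trade-off being made.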