| 2-factor authentication with gitolite (deprecated) |
| ================================================== |
| |
| .. warning:: |
| |
| The preferred mechanism for 2-factor authentication is |
| via an SSH key stored on a smartcard device. See :doc:`../fido2` for |
| instructions on how to set up a FIDO2 device for this purpose. |
| |
| If you have an account on kernel.org, you qualify for a free nitrokey |
| (see :doc:`../nitrokey`). |
| |
| HOTP/TOTP ssh session push validation |
| ------------------------------------- |
| |
| .. note:: This is entirely opt-in. |
| |
| =============================== ======================================================================= |
| Command Summary |
| =============================== ======================================================================= |
| ``enroll [mode]`` Enroll with 2-factor authentication (mode=totp or yubikey) |
| ``val-session [token]`` Validate your current ssh ControlMaster session |
| ``val [token]`` Alias for val-session command |
| ``isval`` Check if your current session is validated |
| ``unenroll [token]`` Unenroll from 2-factor authentication |
| =============================== ======================================================================= |
| |
| Core concepts |
| ------------- |
| |
| Once 2-factor authentication is enabled for a git repository, any write |
| operation from ssh session that hasn't been 2-factor validated will be |
| rejected with a message like the following:: |
| |
| remote: User not enrolled with 2-factor authentication. |
| remote: FATAL: W VREF/2fa: testing mricon DENIED by VREF/2fa |
| remote: 2-factor verification failed |
| remote: |
| remote: You will need to enroll with 2-factor authentication |
| remote: before you can push to this repository. |
| remote: |
| remote: If you need more help, please see the following link: |
| remote: https://korg.wiki.kernel.org/index.php?title=Userdoc:gitolite_2fa |
| remote: |
| remote: error: hook declined to update refs/heads/master |
| |
| To allow the push to succeed, you will need to first validate your ssh |
| session with your 2-factor token, which will allow all subsequent pushes |
| to succeed. Once your ssh controlmaster session is terminated, your |
| validation will expire and you will need to re-validate it next time. |
| |
| Example:: |
| |
| ssh git@gitolite.kernel.org 2fa val XXXXXX |
| |
| Read operations should be completely unaffected. |
| |
| SSH configuration |
| ----------------- |
| |
| Before you can use this feature, you will need to make sure you enabled |
| **ssh multiplexing** in the client, by adding the following entries to |
| your gitolite.kernel.org section:: |
| |
| ControlPath ~/.ssh/cm-%r@%h:%p |
| ControlMaster auto |
| ControlPersist 30m |
| |
| You can use longer than 30m if desired. It will expire automatically or |
| whenever your network connection goes away. To manually terminate your |
| session, run:: |
| |
| ssh -O exit git@gitolite.kernel.org |
| |
| Please see :doc:`../access` for more ssh setup details. |
| |
| Supported devices |
| ----------------- |
| |
| We implement both HOTP (:RFC:`4226`) and TOTP (:RFC:`6238`) parts of the |
| OATH standard. Since TOTP soft-tokens are easiest to enroll and |
| provision to such a dispersed crowd as kernel developers -- and since |
| most kernel developers have access to a smartphone that they carry with |
| them around anyway -- TOTP is the preferred mechanism. |
| |
| TOTP apps |
| ~~~~~~~~~ |
| |
| In your smartphone's app directory, you should be able to find one of |
| the following applications (links given to Google Play store, but should |
| exist on iOS as well): |
| |
| * `FreeOTP`_ (preferred, free software) |
| * `Google Authenticator`_ (proprietary) |
| * `Authy`_ (proprietary) |
| |
| .. _`FreeOTP`: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp |
| .. _`Google Authenticator`: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 |
| .. _`Authy`: https://play.google.com/store/apps/details?id=com.authy.authy |
| |
| HOTP devices |
| ~~~~~~~~~~~~ |
| |
| The only HOTP devices currently tested and supported are yubikeys. Any |
| of the currently listed products should support HOTP authentication. |
| |
| Laptop users may find that using the Nano form factor is more |
| comfortable. |
| |
| Provisioning your 2-factor token |
| -------------------------------- |
| |
| There is a special `2fa` command in gitolite, used to interact with the |
| 2-factor validation component. To provision, you submit a command via |
| the gitolite interface. |
| |
| TOTP soft-token apps |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| To enroll a TOTP soft-token app, such as FreeOTP or Google |
| Authenticator, run:: |
| |
| ssh git@gitolite.kernel.org 2fa enroll totp |
| |
| This command outputs the following:: |
| |
| totp enrollment mode selected |
| New token generated for user mricon |
| |
| Please make sure "qrencode" is installed. |
| Run the following commands to display your QR code: |
| unset HISTFILE |
| qrencode -tANSI -m1 -o- "otpauth://totp/mricon@gitolite.kernel.org?secret=ACHQKMJFHIXJDNRY" |
| |
| If that does not work or if you do not have access to |
| qrencode or a similar QR encoding tool, then you may |
| open an INCOGNITO/PRIVATE MODE window in your browser |
| and paste the following URL: |
| https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2Fmricon%40gitolite.kernel.org%3Fsecret%3DACHQKMJFHIXJDNRY |
| |
| Scan the resulting QR code with your TOTP app, such as |
| FreeOTP (recommended), Google Authenticator, Authy, or others. |
| Please write down/print the following 8-digit scratch tokens. |
| If you lose your device or temporarily have no access to it, you |
| will be able to use these tokens for one-time bypass. |
| |
| Scratch tokens: |
| 19489805 |
| 36196876 |
| 06341363 |
| 70324458 |
| 39448548 |
| |
| Now run the following command to verify that all went well |
| ssh git@gitolite.kernel.org 2fa val [token] |
| |
| If you need more help, please see the following link: |
| https://korg.docs.kernel.org/gitolite/2fa.html |
| |
| .. note:: Please remember to ``unset HISTFILE`` or your secret will be |
| stored in your ~/.bash_history. |
| |
| Alternatively, if you absolutely have no other way to locally generate a |
| QR code, **it is important to actually open a new "Incognito/Private |
| Mode" window to make sure that the URL containing your 2-factor secret |
| is not saved in your browser history.** Note, that if you do use the |
| Google link, you'll be giving your 2-factor secret to Google -- whatever |
| that implies. |
| |
| Yubikeys |
| ~~~~~~~~ |
| |
| To initialize a yubikey, run the following command instead. Note, that |
| you will need `ykpersonalize`_ to configure your key:: |
| |
| ssh git@gitolite.kernel.org 2fa enroll yubikey |
| |
| The output of the yubikey command is slightly different:: |
| |
| yubikey enrollment mode selected |
| New token generated for user mricon |
| |
| Please make sure "ykpersonalize" has been installed. |
| Insert your yubikey and, as root, run the following command |
| to provision the secret into slot 1 (use -2 for slot 2): |
| unset HISTFILE |
| ykpersonalize -1 -ooath-hotp -oappend-cr -a7fd554b1e4a711155d20e9f9615b0451152db3bb |
| |
| Please write down/print the following 8-digit scratch tokens. |
| If you lose your device or temporarily have no access to it, you |
| will be able to use these tokens for one-time bypass. |
| |
| Scratch tokens: |
| 88989251 |
| 08286736 |
| 73163062 |
| 90775064 |
| 59235228 |
| |
| Now run the following command to verify that all went well |
| ssh git@gitolite.kernel.org 2fa val [yubkey button press] |
| |
| If you need more help, please see the following link: |
| https://korg.docs.kernel.org/gitolite/2fa.html |
| |
| **It is important to use ``unset HISTFILE`` to make sure the secret |
| isn't saved in your ~/.bash_history.** Additionally, you may also omit |
| the -a flag and ``ykpersonalize`` should prompt you for the secret, in |
| which case paste the string that follows the ``-a`` (but not ``-a`` |
| itself). |
| |
| .. _`ykpersonalize`: https://developers.yubico.com/yubikey-personalization/ |
| |
| Testing your 2fa token |
| ---------------------- |
| |
| You can test things on the special "testing" repository:: |
| |
| git clone git@gitolite.kernel.org:testing |
| cd testing |
| git checkout -b [username] |
| |
| Edit the README file, commit, and try to push:: |
| |
| git push origin [username] |
| |
| You should get the following back:: |
| |
| Counting objects: 7, done. |
| Delta compression using up to 4 threads. |
| Compressing objects: 100% (2/2), done. |
| Writing objects: 100% (3/3), 308 bytes | 0 bytes/s, done. |
| Total 3 (delta 1), reused 0 (delta 0) |
| remote: FATAL: W VREF/2fa: testing mricon DENIED by VREF/2fa |
| remote: 2-factor verification failed |
| remote: |
| remote: Please get your 2-factor authentication token and run: |
| remote: ssh git@gitolite.kernel.org 2fa val [token] |
| remote: |
| remote: Make sure your ssh is using ControlMaster connections. |
| remote: |
| remote: If you need more help, please see the following link: |
| remote: https://korg.docs.kernel.org/gitolite/2fa.html |
| remote: |
| remote: error: hook declined to update refs/heads/mricon |
| To git@gitolite.kernel.org:testing |
| ! [remote rejected] mricon -> mricon (hook declined) |
| error: failed to push some refs to 'git@gitolite.kernel.org:testing' |
| |
| As instructed, run the following:: |
| |
| $ ssh git@gitolite.kernel.org 2fa val [token] |
| Valid TOTP token within window size used |
| |
| If you now try the push again, it will succeed:: |
| |
| $ git push origin mricon |
| Counting objects: 7, done. |
| Delta compression using up to 4 threads. |
| Compressing objects: 100% (2/2), done. |
| Writing objects: 100% (3/3), 308 bytes | 0 bytes/s, done. |
| Total 3 (delta 1), reused 0 (delta 0) |
| remote: Reading /var/lib/gitolite3/repositories/manifest.js.gz |
| remote: Updating /testing.git in the manifest |
| remote: Writing new /var/lib/gitolite3/repositories/manifest.js.gz |
| To git@gitolite.kernel.org:testing |
| 307ff91..87b27aa mricon -> mricon |
| |
| Using in scripts |
| ---------------- |
| |
| You can check if your current IP is valid from inside a script, by using |
| the ``isval`` check, e.g. like so: |
| |
| .. code-block:: bash |
| |
| echo -n "Checking if 2fa validation is current: " |
| if ! ssh git@gitolite.kernel.org 2fa isval; then |
| echo "Error: kernel.org 2fa validation expired" |
| exit 1 |
| fi |
| |
| Note that there's an inherent race condition here: your validation may |
| expire between this check and the actual git push. |
| |
| |
| Switching devices and Unenrolling |
| --------------------------------- |
| |
| Usually you would need to unenroll only when switching devices. If you |
| still have access to your current device or to the scratch-tokens, you |
| can use them to unprovision your current device by using the |
| ``unenroll`` command:: |
| |
| $ ssh git@gitolite.kernel.org 2fa unenroll [token] |
| Valid TOTP token used |
| Removing the secrets file. |
| Cleaning up state files. |
| You have been successfully unenrolled. |
| |
| You can then use the ``enroll`` command again in order to provision a |
| new device. |
| |
| If you do NOT have access to your previous 2-factor device, send a |
| signed email to helpdesk@kernel.org and we'll work to re-provision you a |
| new token (once a successfully thorough verification procedure is |
| established and followed). |
| |
| Requesting 2-factor protection for your repository |
| -------------------------------------------------- |
| |
| Send mail to helpdesk@kernel.org to request that your repository is |
| added to the 2fa list. |
