Remove / disable password via account settings for self-managed GitLab
Description
Ability to remove a password from an account, and ability to disable passwords site-wide (for git).
Documentation blurb
- Once a password has been set, it should be possible to remove/disable that password.
- If an organization is enforcing SAML / OAuth login, and switches from password-based auth to SSH keys, the password is no longer used by the user and is forgotten, but it is still a point of failure and would allow an attacker to gain access.
- An organization should be able to enforce that all users use SSH keys instead of passwords.
- On the `Settings -> Password` page, there should be a button to remove your password if you have logged in with an external login provider.
gitlab-foss!15223 (merged) is incomplete. It covers
- Password auth for web interface
- Password auth for Git over HTTPS
However, it does not cover other login "methods", like `docker login` (when using the GitLab Docker image registry). We'll need to look for other places in GitLab where passwords can be used.
Updates
Feature Issue for GitLab.com: Add new setting for enable/disable password Aut... (#373718)
Edited by Hannah Sutor