OTP verification for git+ssh via gitlab-shell
This issue is a follow-up to #212305 (comment 421854309)
The idea is to implement 2FA from the CLI, outside the normal Git protocol/flow.
@ifarkas proposed the following alternative:
I recently found this commit in gitlab-shell: gitlab-shell@b8d66d79. Besides generating recovery codes, gitlab-shell can also be used to create personal access tokens. So there's already some functionality gitlab-shell supports outside of the scope of git+ssh. I was wondering if we can add a new command to authenticate with OTP. The flow would be something like this:
- user issues git pull
- receives an error asking to log in with an OTP code first via the ssh email@example.com login_with_2fa command. This would prompt for the OTP code and register a git+ssh session in GitLab which would allow any git operation for the next 15 minutes. (This probably requires changing the internal API endpoint /allowed to check for the 'session'.)
- user issues git pull again and it succeeds
- We need to check how not to break the git protocol when returning a custom response that the client isn't expecting. This refers to the git error asking the user to run the custom command for the 2FA.
- Is it secure?
- It would make it easier to integrate other 2FA solutions besides OTP.
- It doesn't require delivering binaries outside GitLab's normal way of delivering binaries.
- It can be used on GitLab.com and enabled per group, unlike the PAM approach, which requires locking down/securing the whole instance.
- It isn't an approach other 2FA integrations with git have used, so, unlike PAM, which has a track record, we will need to make sure it is secure.
- The downside is the step outside the git flow; it is not clear whether, from the user-interaction point of view, we want to commit to it, but it is probably the only downside of this approach.
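The following Go program is an added illustration of the flow proposed above; it is not gitlab-shell's or GitLab's code. It simulates both halves in one process: the hypothetical login_with_2fa command that verifies an RFC 6238 TOTP code and registers a 15-minute session, and the extra check the internal /allowed endpoint would perform before a git operation. The command name, the per-user session store, the TOTP parameters (SHA-1, 30-second step, one step of skew) and the secret are assumptions; in a real deployment the session state and the TOTP secret would live in GitLab, not in gitlab-shell.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Added illustration of the proposed flow; this is not gitlab-shell or GitLab code.
// The command name login_with_2fa, the 15-minute TTL and the per-user session
// store are assumptions taken from the proposal above.

const sessionTTL = 15 * time.Minute

// totpCode returns the 6-digit RFC 6238 TOTP (HMAC-SHA1, 30-second step) for a unix time.
func totpCode(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// SessionStore stands in for the server-side state that the internal /allowed
// endpoint would consult. A real deployment would keep this in GitLab, not in gitlab-shell.
type SessionStore struct {
	now      func() time.Time     // injectable clock so expiry can be tested
	secrets  map[string][]byte    // user -> TOTP secret (assumed to live in GitLab)
	sessions map[string]time.Time // user -> expiry of the registered git+ssh session
}

func NewSessionStore(now func() time.Time) *SessionStore {
	return &SessionStore{now: now, secrets: map[string][]byte{}, sessions: map[string]time.Time{}}
}

// RegisterSecret enrols a user's TOTP secret (constructed test data in the demo below).
func (s *SessionStore) RegisterSecret(user string, secret []byte) { s.secrets[user] = secret }

// LoginWith2FA models `ssh git@host login_with_2fa`: verify the OTP and register a
// session valid for sessionTTL. One step of clock skew either side is tolerated.
func (s *SessionStore) LoginWith2FA(user, code string) error {
	secret, ok := s.secrets[user]
	if !ok {
		return errors.New("2FA is not enabled for this user")
	}
	now := s.now()
	for _, skew := range []int64{-30, 0, 30} {
		want := totpCode(secret, now.Unix()+skew)
		if hmac.Equal([]byte(want), []byte(code)) { // constant-time compare
			s.sessions[user] = now.Add(sessionTTL)
			return nil
		}
	}
	return errors.New("invalid OTP code")
}

// Allowed is the extra check the /allowed endpoint would perform before a git
// operation: refuse unless the user registered a session that has not expired.
func (s *SessionStore) Allowed(user string) error {
	exp, ok := s.sessions[user]
	if !ok || !s.now().Before(exp) {
		delete(s.sessions, user)
		return errors.New("2FA required: run `ssh git@gitlab.example.com login_with_2fa`, enter your OTP code, then retry the git operation")
	}
	return nil
}

func main() {
	clock := time.Date(2020, 10, 1, 12, 0, 0, 0, time.UTC) // fixed clock for a deterministic demo
	store := NewSessionStore(func() time.Time { return clock })
	secret := []byte("12345678901234567890") // RFC 6238 test secret, constructed data
	store.RegisterSecret("alice", secret)

	fmt.Println("git pull before login:", store.Allowed("alice"))
	fmt.Println("login:", store.LoginWith2FA("alice", totpCode(secret, clock.Unix())))
	fmt.Println("git pull after login:", store.Allowed("alice"))
	clock = clock.Add(16 * time.Minute)
	fmt.Println("git pull after 16 minutes:", store.Allowed("alice"))
}
```

The error string returned by Allowed is the "custom response the client isn't expecting" from the considerations above: gitlab-shell would have to print it on stderr before the git transport starts, since once the pack protocol is running git will not display an arbitrary message. Keying the session on the user alone is a simplification; a real implementation would want to bind it at least to the SSH key that authenticated the login.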