OTP verification for git+ssh via gitlab-shell
This issue is a follow-up to #212305 (comment 421854309)
The idea would be to implement the 2FA from the CLI, outside the normal Git protocol/flow.
@ifarkas proposed the following alternative:
> As an alternative approach (and also somewhat similar to what @dblessing described in a previous thread), we could use a separate command for authenticating with OTP.
>
> I recently found this commit in gitlab-shell: gitlab-shell@b8d66d79. Besides generating recovery codes, gitlab-shell can also be used to create personal access tokens. So there's already some functionality gitlab-shell supports outside of the scope of git+ssh. I was wondering if we can add a new command to authenticate with OTP. The flow would be something like this:
>
> - user issues `git pull`
> - receives an error asking to log in with an OTP code first via the `ssh git@gitlab.com login_with_2fa` command. This would prompt for the OTP code and register a git+ssh session in GitLab which would allow any git operation for the next 15 minutes. (This probably requires changing the internal API `/allowed` endpoint to check for the 'session'.)
> - user issues `git pull` again and it succeeds
Questions:
- We need to check how not to break the git protocol when returning a custom response that the client isn't expecting. This is in reference to the git error asking to use the custom command for the 2FA.
- Is it secure?
PROS:
- It will be easier to integrate other 2FA solutions besides an OTP one
- It doesn't require delivering binaries outside the normal way GitLab delivers binaries.
- It can be used with GitLab.com and enabled for groups, instead of the PAM approach, which requires locking/securing the whole instance.
CONS:
- It isn't used by other 2FA approaches with git, so, unlike something like PAM that has been used before, we will need to make sure that it is secure.
- The downside is the step outside the git flow; not sure, from the user interaction point of view, whether we want to commit to it, but it is probably the only downside to this approach.
Edited by Imre Farkas
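To make the proposed flow concrete, the following is an added example, written for this page and not code from gitlab-shell or GitLab: a small Go model of the `login_with_2fa` command and the session check the `/allowed` endpoint would gain. It assumes a hypothetical in-memory `Store` (a stand-in for whatever GitLab would persist), TOTP per RFC 6238 over HMAC-SHA1 with 6 digits and a 30-second step, a session keyed by the SSH key that presented the code (an assumption; the post only says "a git+ssh session"), the 15-minute window from the post, and the RFC 6238 test secret as constructed sample input. It also adds two caveats the post's "Is it secure?" question invites: an accepted code is recorded so it cannot be replayed inside the clock-skew window, and the OTP comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SessionTTL: how long git operations stay allowed after login_with_2fa (15 min in the post).
const (
	SessionTTL = 15 * time.Minute
	totpStep   = 30 * time.Second // RFC 6238 time step
)

// hotp computes a 6-digit RFC 4226 HMAC-SHA1 one-time code for a counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	o := int(sum[len(sum)-1] & 0x0f) // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[o:o+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpCounter maps a wall-clock time to its RFC 6238 step number.
func totpCounter(t time.Time) uint64 {
	return uint64(t.Unix() / int64(totpStep/time.Second))
}

// enrollment is one user's TOTP state; lastCounter blocks replay of an accepted code.
type enrollment struct {
	secret      []byte
	lastCounter uint64
	used        bool
}

// Store is a hypothetical in-memory stand-in for the server-side "session" GitLab would keep.
type Store struct {
	users    map[string]*enrollment
	sessions map[string]time.Time // SSH key id -> session expiry
}

func NewStore() *Store {
	return &Store{users: map[string]*enrollment{}, sessions: map[string]time.Time{}}
}

// EnrollUser records the TOTP secret the user set up in the web UI.
func (s *Store) EnrollUser(user string, secret []byte) {
	s.users[user] = &enrollment{secret: secret}
}

// LoginWith2FA is what `ssh git@gitlab.com login_with_2fa` would call once the user typed
// the OTP. The session is tied to the SSH key that presented the code (assumption).
func (s *Store) LoginWith2FA(user, keyID, code string, now time.Time) error {
	e, ok := s.users[user]
	if !ok {
		return errors.New("user has no TOTP enrollment")
	}
	cur := totpCounter(now)
	candidates := []uint64{cur, cur + 1} // current step plus one either side for clock skew
	if cur > 0 {
		candidates = append(candidates, cur-1)
	}
	for _, c := range candidates {
		if e.used && c <= e.lastCounter {
			continue // already consumed: reject the replay
		}
		if subtle.ConstantTimeCompare([]byte(hotp(e.secret, c)), []byte(code)) == 1 {
			e.lastCounter, e.used = c, true
			s.sessions[keyID] = now.Add(SessionTTL)
			return nil
		}
	}
	return errors.New("invalid OTP")
}

// Allowed is the extra check the internal /allowed endpoint would make before any
// git+ssh operation: is there an unexpired session for this key?
func (s *Store) Allowed(keyID string, now time.Time) bool {
	exp, ok := s.sessions[keyID]
	if ok && now.Before(exp) {
		return true
	}
	delete(s.sessions, keyID) // missing or expired: the user must log in again
	return false
}

func main() {
	// Constructed sample: the RFC 6238 test secret at t=59s yields the code 287082.
	s, secret, now := NewStore(), []byte("12345678901234567890"), time.Unix(59, 0)
	s.EnrollUser("alice", secret)
	fmt.Println("login:", s.LoginWith2FA("alice", "key-1", hotp(secret, totpCounter(now)), now))
	fmt.Println("+14m:", s.Allowed("key-1", now.Add(14*time.Minute)), "+16m:", s.Allowed("key-1", now.Add(16*time.Minute)))
}
```

Two design points worth keeping if this is built for real: the OTP must be consumed server-side (the `lastCounter` record) rather than merely verified, otherwise an attacker who observes one code gets the whole skew window to reuse it; and the session should be bound to the authenticating SSH key, not just the user, so a second key the attacker controls does not inherit a login made from the user's laptop. Rate limiting of failed attempts is also needed but is out of scope for this sketch.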