Enabling Fortinet 2FA CLI integration produces authentication failure for 'git clone'
Summary
After enabling the Fortinet 2FA CLI integration, doing a git clone produces an "Authentication failed" error.
Steps to reproduce
- Follow PAM installation/configuration instructions
- Follow OTP instructions
- Clone sample project:
git clone git@<IP>:liur/build_scripts.git
Example Project
Not possible as the integration requires changes to linux system files.
What is the current bug behavior?
After enabling the Fortinet 2FA CLI integration, doing a git clone produces the following error:
[liur@cm-jump proj]$ git clone git@<IP>:liur/build_scripts.git
Cloning into 'build_scripts'...
Received disconnect from <IP> port 22:2: no authentication methods enabled
Authentication failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
What is the expected correct behavior?
Without the integration, git clone completes as expected:
[liur@cm-jump proj]$ git clone git@<IP>:liur/build_scripts.git
Cloning into 'build_scripts'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), 269 bytes | 0 bytes/s, done.
Relevant logs and/or screenshots
root@gitlab-ee-106:~# service sshd status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-11-06 15:27:55 PST; 31s ago
Process: 55771 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 55778 (sshd)
Tasks: 1 (limit: 19660)
CGroup: /system.slice/ssh.service
└─55778 /usr/sbin/sshd -D
Nov 06 15:27:55 gitlab-ee-106 sshd[55778]: Server listening on 0.0.0.0 port 22.
Nov 06 15:27:55 gitlab-ee-106 sshd[55778]: Server listening on :: port 22.
Nov 06 15:27:55 gitlab-ee-106 systemd[1]: Started OpenBSD Secure Shell server.
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: error: No AuthenticationMethods left after eliminating disabled methods
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive" [preauth]
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping [preauth]
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: error: No AuthenticationMethods left after eliminating disabled methods [preauth]
Nov 06 15:28:12 gitlab-ee-106 sshd[55837]: Disconnecting authenticating user git <IP> port 40922: no authentication methods enabled [preauth]
Output of checks
Results of GitLab environment info
root@gitlab-ee-106:~# gitlab-rake gitlab:env:info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.28.0
Sidekiq Version:5.2.9
Go Version: unknown

GitLab information
Version: 13.5.0-ee
Revision: 2f8ec2ebf58
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.9
URL: http://
HTTP Clone URL: http:///some-group/some-project.git
SSH Clone URL: git@:some-group/some-project.git
Elasticsearch: no
Geo: yes
Geo node: Primary
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
For installations from source, run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
We will only investigate if the tests are passing.)
Possible fixes
Identified issues
1. git+ssh authentication does not go through keyboard-interactive authentication.
Solution: make sure there is ChallengeResponseAuthentication yes in /etc/ssh/sshd_config, and there's no other line with ChallengeResponseAuthentication no.
2. git+ssh authentication asks for a password during keyboard-interactive authentication.
Workaround: disable the following line in /etc/pam.d/sshd (comment it out as shown):
# Standard Un*x authentication.
#@include common-auth
3. PAM module not able to find publickey info.
Workaround: upgrade to at least OpenSSH 7.8.
A bit more detail: the code relies on 2 PAM environment variables, both introduced in OpenSSH 7.6:
- SSH_AUTH_INFO_0 is exposed to PAM, but due to a bug in OpenSSH 7.6 it requires OpenSSH 7.8 or up, which includes the fix.
- SSH_USER_AUTH is exposed if ExposeAuthInfo yes is set in /etc/ssh/sshd_config. However, this is not exposed to PAM, and unlike SSH_AUTH_INFO_0, which contains the details of the completed authentication, SSH_USER_AUTH holds a path to a file; the code nevertheless treats the two the same way.
So this seems to be a bug in the code.
4. The request is not made to the GitLab internal API.
This is a blocker and cannot be fixed without a major rewrite. The C shared library built using Go cannot be used in the way we need to use it. More details: #277454 (comment 456262044)
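The sshd log above ("Disabled method keyboard-interactive ... No AuthenticationMethods left after eliminating disabled methods") and fix 1 describe the same misconfiguration: keyboard-interactive is listed in AuthenticationMethods while the effective ChallengeResponseAuthentication is "no", so sshd drops the only method list and disconnects the git user before any PAM module runs. The POSIX shell check below is an added diagnostic, not code from this issue, from GitLab or from the Fortinet integration. It reads an sshd_config (or the output of sshd -T) from stdin and reports that state; it assumes sshd's first-match rule for keywords (a leftover "ChallengeResponseAuthentication no" above the "yes" line wins), only inspects the global section before any Match block, and treats KbdInteractiveAuthentication (the alias OpenSSH 8.7 introduced) as equivalent. The sample configs are constructed for the demo, not taken from any host.

```shell
#!/bin/sh
# Added diagnostic (not from the issue, GitLab or the Fortinet integration).
# Detects the sshd_config state behind
# "No AuthenticationMethods left after eliminating disabled methods":
# keyboard-interactive required by AuthenticationMethods while the effective
# ChallengeResponseAuthentication / KbdInteractiveAuthentication is "no".
# Assumptions: sshd keeps the FIRST value it reads for a keyword, and only
# the global section (before any Match block) is inspected.

# effective_value KEYWORD   (config text on stdin)
# Prints the first global value of KEYWORD, lowercased; prints nothing if unset.
effective_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }                      # stop at first Match block
    /^[[:space:]]*#/ || NF < 2 { next }                  # skip comments and blank lines
    tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword, keep all lists
      print tolower($0); exit                            # first occurrence wins
    }'
}

# check_kbdint_config   (config text on stdin)
# Returns 0 when consistent, 1 when keyboard-interactive is required but disabled.
check_kbdint_config() {
  cfg=$(cat)
  cra=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication)
  [ -n "$cra" ] || cra=$(printf '%s\n' "$cfg" | effective_value KbdInteractiveAuthentication)
  [ -n "$cra" ] || cra=yes          # OpenSSH default when the keyword is absent
  methods=$(printf '%s\n' "$cfg" | effective_value AuthenticationMethods)
  case "$methods" in
    *keyboard-interactive*)
      if [ "$cra" = no ]; then
        echo "BROKEN: AuthenticationMethods '$methods' needs keyboard-interactive," \
             "but ChallengeResponseAuthentication is '$cra'" >&2
        return 1
      fi ;;
  esac
  echo "OK: AuthenticationMethods '${methods:-<default>}', ChallengeResponseAuthentication '$cra'"
  return 0
}

# Constructed sample configs for the demo (not copied from any real host).
BROKEN_CFG='AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication no
UsePAM yes'
FIXED_CFG='ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes'
# A stale "no" left above the "yes" line: the first value wins, so this is still broken.
SHADOWED_CFG='ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive'

# Demo: sh check_kbdint.sh demo
# Live host: sshd -T | sh -c '. ./check_kbdint.sh; check_kbdint_config'
if [ "${1-}" = demo ]; then
  for c in "$BROKEN_CFG" "$FIXED_CFG" "$SHADOWED_CFG"; do
    printf '%s\n' "$c" | check_kbdint_config || true
  done
fi
```

Feeding sshd -T rather than the file is the more reliable form, because sshd -T prints the values the running daemon would actually use after includes and first-match resolution; the file-based form is what to run when the daemon cannot be restarted yet, and the SHADOWED_CFG case shows why fix 1 insists that no other ChallengeResponseAuthentication no line remains.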