
List:       kde-community
Subject:    Re: Gitlab update, 2FA now mandatory
From:       Ben Cooksley <bcooksley () kde ! org>
Date:       2022-10-26 9:40:38
Message-ID: CA+XidOHmuDzewMB63k=m20iGRjQ8TftjKfDiG=uFx0C13VK_uQ () mail ! gmail ! com

On Wed, Oct 26, 2022 at 12:22 AM Ahmad Samir <a.samirh78@gmail.com> wrote:

> On 25/10/22 12:11, Carl Schwan wrote:
> > On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io)
> <christoph@cullmann.io> wrote:
> >
> >
> >> On 2022-10-23 08:32, Ben Cooksley wrote:
> >>
> >>> Hi all,
> >>>
> >>> This afternoon I updated invent.kde.org [1] to the latest version of
> >>> Gitlab, 15.5.
> >>> Release notes for this can be found at
> >>> https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >>>
> >>> There isn't much notable feature wise in this release, however there
> >>> have been some bug fixes surrounding the "Rebase without Pipeline"
> >>> functionality that was introduced in an earlier update.
> >>>
> >>> As part of securing Invent against recently detected suspicious
> >>> activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> >>> to configure next time you access it. This can be done using either a
> >>> Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> >>> your phone)
> >>>
> >>> Should you lose access to your 2FA device you can obtain a recovery
> >>> token to log back in via SSH, see
> >>>
> https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> >>> for more details on this.
> >>>
> >>> Please let us know if there are any queries on the above.
> >>
> >>
> >> Hi,
> >>
> >> whereas I can see the security benefit, this raises the hurdle for one
> >> time
> >> contributors again a lot.
> >>
> >> Before you already had to register to get your merge request,
> >> now you need to setup this too (or at least soon it is mandatory).
> >>
> >> I am not sure this is such a good thing.
> >>
> >> I see a point that one wants to avoid that e.g. somebody steals my
> >> account
> >> that has enough rights to delete all branches in the Kate repository via
> >> the
> >> web frontend.
> >>
> >> Could the 2FA stuff perhaps be limited to people with developer role or
> >> such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just
> > started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features:
> >
> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come great
> > responsibilities.
> >
> > Cheers,
> > Carl
> >
>
> Can a first-time contributor create a fork, create multiple/100 MRs and
> spin up CI jobs? If yes,
> then first-time contributors can disrupt the system.
>

They certainly can, although it hasn't been an abuse pattern we have had to
deal with so far.


>
> Weren't there some suspicious accounts that were using our gitlab instance
> for bitcoin mining (I
> could be wrong, I vaguely remember someone from Sysadmin team talking
> about something like that)?
> Were these first-time contributors or ones with developer accounts?
>

Bitcoin mining, no. Trying to use a Docker container on our CI nodes as
their own personal server by utilising a reverse shell, then abusing that
access to compile their own Android image, yes.
All aided by GitHub distributing the Docker image on their container
registry and ignoring our abuse reports.



>
>
> --
> Ahmad Samir
>

Regards,
Ben
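A small audit script for the per-role enforcement Carl proposes above, added here as an example; it is not part of the thread, of KDE's sysadmin tooling, or of GitLab's own code. It lists the members of a group at Developer level or above and flags those whose user record reports 2FA disabled (or whose record could not be fetched), and it can switch on the group-level requirement linked in the thread. The base URL, group id and the GITLAB_TOKEN environment variable are placeholders; the token is assumed to be an administrator token, because GitLab only returns the two_factor_enabled field to administrators; the sample members and users at the bottom are constructed data so the filter can be exercised offline.

```python
"""Audit which elevated-role members of a GitLab group lack 2FA.

Endpoints used (GitLab REST API v4):
  GET /groups/:id/members/all  -> members with "id", "username", "access_level"
  GET /users/:id               -> includes "two_factor_enabled" (admin token only)
  PUT /groups/:id              -> require_two_factor_authentication / two_factor_grace_period
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# GitLab access levels as documented for the Members API.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
ROLE_NAMES = {GUEST: "Guest", REPORTER: "Reporter", DEVELOPER: "Developer",
              MAINTAINER: "Maintainer", OWNER: "Owner"}
PER_PAGE = 100


def gitlab_get(base_url, token, path, params=None):
    """GET an API path; lists are paginated with page/per_page until a short page."""
    params = dict(params or {})
    params["per_page"] = PER_PAGE
    results, page = [], 1
    while True:
        params["page"] = page
        url = f"{base_url}/api/v4{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not isinstance(batch, list):
            return batch            # single object endpoint such as /users/:id
        results.extend(batch)
        if len(batch) < PER_PAGE:
            return results
        page += 1


def enforce_group_2fa(base_url, token, group_id, grace_hours=48):
    """Turn on 'require 2FA for all members' for one group (the docs link above)."""
    body = urllib.parse.urlencode({"require_two_factor_authentication": "true",
                                   "two_factor_grace_period": grace_hours}).encode()
    req = urllib.request.Request(f"{base_url}/api/v4/groups/{group_id}", data=body,
                                 method="PUT", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unprotected_members(members, users_by_id, min_level=DEVELOPER):
    """Return (username, role, status) for members at or above min_level without 2FA.

    status is "no-2fa" when the user record says so and "unknown" when the record
    is missing; a missing record is reported rather than silently passed.
    """
    findings = []
    for m in members:
        level = m["access_level"]
        if level < min_level:
            continue                # Guests/Reporters are out of scope, as proposed in the thread
        role = ROLE_NAMES.get(level, str(level))
        user = users_by_id.get(m["id"])
        if user is None:
            findings.append((m["username"], role, "unknown"))
        elif not user.get("two_factor_enabled", False):
            findings.append((m["username"], role, "no-2fa"))
    return findings


# Constructed sample data in the shape the two GET endpoints return.
SAMPLE_MEMBERS = [
    {"id": 1, "username": "maintainer-a", "access_level": MAINTAINER},
    {"id": 2, "username": "dev-b", "access_level": DEVELOPER},
    {"id": 3, "username": "reporter-c", "access_level": REPORTER},
    {"id": 4, "username": "dev-d", "access_level": DEVELOPER},
]
SAMPLE_USERS = {
    1: {"id": 1, "two_factor_enabled": True},
    2: {"id": 2, "two_factor_enabled": False},
    3: {"id": 3, "two_factor_enabled": False},   # Reporter: ignored at the default level
    # id 4 deliberately absent: reported as "unknown"
}


def main(argv):
    if len(argv) != 3:
        print("usage: audit_2fa.py https://gitlab.example.org GROUP_ID", file=sys.stderr)
        return 2
    base, group = argv[1], argv[2]
    token = os.environ["GITLAB_TOKEN"]     # placeholder: an admin personal access token
    members = gitlab_get(base, token, f"/groups/{group}/members/all")
    users = {m["id"]: gitlab_get(base, token, f"/users/{m['id']}")
             for m in members if m["access_level"] >= DEVELOPER}
    for username, role, status in unprotected_members(members, users):
        print(f"{username:30} {role:12} {status}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `GITLAB_TOKEN=... python audit_2fa.py https://gitlab.example.org 123`; on the constructed sample it reports dev-b (2FA off) and dev-d (no user record) and skips reporter-c. Raising `min_level` to `OWNER` narrows the list, lowering it to `REPORTER` widens it, which is the knob the thread is debating.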
