Hi all,
Almost 4 years have passed since the initial installation of GitLab on common-lisp.net. During that period, GitLab (the open source project) has seen tremendous growth both in user community and functionality. Our own GitLab instance has grown quite a bit as well. With almost 700 projects and nearly 500 users, it's quite a bit bigger now than the initial CVS migration which resulted in 379 projects and 395 users. (We did both the Git and Darcs migrations after that, which added to the growth.)
Originally, we decided we wanted to create our own accounts and not support account-auto-creation (based on experience shared by GitLab.com). Today, GitLab lets itself be configured to auto-create accounts from GitHub using GitHub credentials. We have long supported the possibility of allowing accounts to be tied to Google and GitHub OAuth2 for the purpose of authentication. Additionally, we support 2FA these days. I'm wondering if we can be a bit more relaxed with account creation (allowing auto-creation), but be a bit more strict on account login: i.e. require 2FA.
Do you have any opinion on the matter?
On Sun, Oct 7, 2018 at 5:55 AM Erik Huelsmann ehuels@gmail.com wrote:
Hi all,
Almost 4 years have passed since the initial installation of GitLab on common-lisp.net. During that period, GitLab (the open source project) has seen tremendous growth both in user community and functionality. Our own GitLab instance has grown quite a bit as well. With almost 700 projects and nearly 500 users, it's quite a bit bigger now than the initial CVS migration which resulted in 379 projects and 395 users. (We did both the Git and Darcs migrations after that, which added to the growth.)
Originally, we decided we wanted to create our own accounts and not support account-auto-creation (based on experience shared by GitLab.com). Today, GitLab lets itself be configured to auto-create accounts from GitHub using GitHub credentials. We have long supported the possibility of allowing accounts to be tied to Google and GitHub OAuth2 for the purpose of authentication. Additionally, we support 2FA these days. I'm wondering if we can be a bit more relaxed with account creation (allowing auto-creation), but be a bit more strict on account login: i.e. require 2FA.
Auto-creation seems nice since it lowers the barrier to entry for people wanting to create create projects or filing bugs, and there's also less work for the admins. But I thought one reason you stopped doing this was the number of spam accounts. Will this become a problem?
Are you going to require 2FA for existing accounts as well? And what 2FA methods will you support? SMS? Google Authenticator app? Security (FIDO) keys? (I'm finally going to set up 2FA for my personal accounts using security keys, so this comes at a good time. I've had to add 2FA to my github account already, using the authenticator app.)
Do you have any opinion on the matter?
-- Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.
On Sun, Oct 7, 2018 at 7:02 PM Raymond Toy toy.raymond@gmail.com wrote:
On Sun, Oct 7, 2018 at 5:55 AM Erik Huelsmann ehuels@gmail.com wrote:
Hi all,
Almost 4 years have passed since the initial installation of GitLab on common-lisp.net. During that period, GitLab (the open source project) has seen tremendous growth both in user community and functionality. Our own GitLab instance has grown quite a bit as well. With almost 700 projects and nearly 500 users, it's quite a bit bigger now than the initial CVS migration which resulted in 379 projects and 395 users. (We did both the Git and Darcs migrations after that, which added to the growth.)
Originally, we decided we wanted to create our own accounts and not support account-auto-creation (based on experience shared by GitLab.com). Today, GitLab lets itself be configured to auto-create accounts from GitHub using GitHub credentials. We have long supported the possibility of allowing accounts to be tied to Google and GitHub OAuth2 for the purpose of authentication. Additionally, we support 2FA these days. I'm wondering if we can be a bit more relaxed with account creation (allowing auto-creation), but be a bit more strict on account login: i.e. require 2FA.
Auto-creation seems nice since it lowers the barrier to entry for people wanting to create create projects or filing bugs, and there's also less work for the admins. But I thought one reason you stopped doing this was the number of spam accounts. Will this become a problem?
Well, it was (at the time) mostly GitLab.com who had the experience with spam accounts. Given how much trouble our mail service gets with spam (every quarter we have at least one spam (often multiple) attack which drives the system load through the roof for days..)
Given that situation and GitLab.com's experience, I wasn't going to submit myself to a maintenance burden like that. However, now that we have 2FA and we can require accounts to be blocked until they set up 2FA, I'm thinking that's an additional barrier on entry, which I hope is enough to keep spammers out.
Are you going to require 2FA for existing accounts as well? And what 2FA methods will you support? SMS? Google Authenticator app? Security (FIDO) keys? (I'm finally going to set up 2FA for my personal accounts using security keys, so this comes at a good time. I've had to add 2FA to my github account already, using the authenticator app.)
I've actually been using my FIDO key successfully to log into the admin account for the last half year or so. While I can't force people to shell out for a Yubi key v4 or v5, I'd love for people to get a U2F key at the bare minimum. It used to be supported only by Chrome, but FireFox has U2F support now too. (And my experience over the past 6 months has been with FireFox exclusively.) U2F keys exist at reasonable prices of less than 10$.
GitLab supports Google Authenticator, but also FreeOTP. I'm not aware of SMS support. There's more on GitLab's 2FA here: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.ht...
Thanks for your response!
Regards,
On Sun, Oct 7, 2018 at 11:14 AM Erik Huelsmann ehuels@gmail.com wrote:
Given that situation and GitLab.com's experience, I wasn't going to submit myself to a maintenance burden like that. However, now that we have 2FA and we can require accounts to be blocked until they set up 2FA, I'm thinking that's an additional barrier on entry, which I hope is enough to keep spammers out.
That seems quite reasonable.
Are you going to require 2FA for existing accounts as well? And what 2FA methods will you support? SMS? Google Authenticator app? Security (FIDO) keys? (I'm finally going to set up 2FA for my personal accounts using security keys, so this comes at a good time. I've had to add 2FA to my github account already, using the authenticator app.)
I've actually been using my FIDO key successfully to log into the admin account for the last half year or so. While I can't force people to shell out for a Yubi key v4 or v5, I'd love for people to get a U2F key at the bare minimum. It used to be supported only by Chrome, but FireFox has U2F support now too. (And my experience over the past 6 months has been with FireFox exclusively.) U2F keys exist at reasonable prices of less than 10$.
That's quite reasonable for the security. It is a bit of a hassle because when I'm at home, since I won't be carrying a key with me, but I guess I should just get more keys to plug into my computers
Hi,
I just saw the announcement on the site. Thanks for following up on this.
Couple question:
o Do we have to buy some kind of hardware keys now?
o Will the 2FA affect git push & pull as well? Or just logging in to the actual website?
Thanks,
Dave
On Sun, Oct 7, 2018 at 21:34 Raymond Toy toy.raymond@gmail.com wrote:
On Sun, Oct 7, 2018 at 11:14 AM Erik Huelsmann ehuels@gmail.com wrote:
Given that situation and GitLab.com's experience, I wasn't going to submit myself to a maintenance burden like that. However, now that we have 2FA and we can require accounts to be blocked until they set up 2FA, I'm thinking that's an additional barrier on entry, which I hope is enough to keep spammers out.
That seems quite reasonable.
Are you going to require 2FA for existing accounts as well? And what 2FA methods will you support? SMS? Google Authenticator app? Security (FIDO) keys? (I'm finally going to set up 2FA for my personal accounts using security keys, so this comes at a good time. I've had to add 2FA to my github account already, using the authenticator app.)
I've actually been using my FIDO key successfully to log into the admin account for the last half year or so. While I can't force people to shell out for a Yubi key v4 or v5, I'd love for people to get a U2F key at the bare minimum. It used to be supported only by Chrome, but FireFox has U2F support now too. (And my experience over the past 6 months has been with FireFox exclusively.) U2F keys exist at reasonable prices of less than 10$.
That's quite reasonable for the security. It is a bit of a hassle because when I'm at home, since I won't be carrying a key with me, but I guess I should just get more keys to plug into my computers
Hi Dave,
Thanks for asking these questions.
o Do we have to buy some kind of hardware keys now?
You don't *have* to: the Google Authenticator App is also supported. However, I have a U2F key (available on Amazon for less than 10$) and it saves me from opening the authenticator app. That works pretty well in my experience.
o Will the 2FA affect git push & pull as well? Or just logging in to the actual website?
It will affect git push and pull over HTTPS, but not over SSH. SSH-push/pull is what I think everybody uses, so the answer would then be "no".
Regards,
-
Dave Cooper -
Erik Huelsmann -
Raymond Toy