userdoc:gitolite_2fa

Differences
userdoc:gitolite_2fa [2017-05-23 20:59]
mricon
userdoc:gitolite_2fa [2018-04-27 21:08]
mricon
Line 1: Line 1:
 ====== 2-factor authentication with gitolite.kernel.org ======
  
-**Noticeopt-in**+:!: The preferred mechanism for 2-factor authentication is via an SSH key stored on a smartcard device. If you have an account on kernel.org, you qualify for a free [[nitrokey]],​ so we strongly recommend that instead of setting up TOTP/HOTP you switch to using the Nitrokey for your ssh access instead.
  
-We are rolling out 2-factor authentication for access to gitolite.kernel.org. At this point, this feature is still in testing stage and will probably always remain ​opt-in ​instead of being required across the board.+===== HOTP/TOTP ip-based push validation ===== 
 + 
 +**Notice: ​opt-in**
  
 ^Command^Summary^
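Review bot: the new :!: notice at the top of the page drops the removed sentence's explanation that HOTP/TOTP validation is still in testing and opt-in, so the surviving **Notice: opt-in** line under the new "HOTP/TOTP ip-based push validation" heading no longer says what it is opt-in to or how a user enables it; keep the testing caveat or add one sentence on how to opt in. Minor: "ip-based" should read "IP-based" to match "IP address" as used elsewhere on the page.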
Line 237: Line 239:
  
 Instead of the IP address, you may also use "myip" to invalidate the current IP you're connecting from, or "all" to force-expire all active IP validations. If you run "inval all purge", this will additionally purge all your current and expired entries -- handy if you would like to leave no trace of your travel history.
 +
 +===== SSH session validation =====
 +If you are travelling and happen to be behind a single NAT exit point with a lot of other people, it is preferable to validate only your SSH session instead of the whole public exit point. This will also help if the exit point is not static but changes between tcp sessions (as is sometimes common in very large NAT-ed networks).
 +
 +Before you can use this feature, you will need to make sure you enabled **ssh multiplexing** in the client, by adding the following entries to your gitolite.kernel.org section:
 +
 +  ControlPath ~/​.ssh/​cm-%r@%h:​%p
 +  ControlMaster auto
 +  ControlPersist 30m
 +
 +You can use longer than 30m if necessary -- the session will be validated for up to 8 hours. Please see [[userdoc:​ssh_access]] for more ssh setup details.
  
 ===== Using in scripts =====
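Review bot: the added "SSH session validation" section explains the client prerequisite but never states how a session is actually validated (no command is named and no row is added to the Command/Summary table), so a reader cannot use the feature from this text alone; add the command or point at the table entry. The three entries "ControlPath ~/.ssh/cm-%r@%h:%p", "ControlMaster auto" and "ControlPersist 30m" should be stated to go in the gitolite.kernel.org Host block of ~/.ssh/config, which is only implied. Since the validation is attached to the multiplexed master connection for up to 8 hours and ControlPersist keeps that master alive in the background, the section should also remind users that anyone who can reach the control socket at ControlPath can reuse the validated session, so ~/.ssh must stay private (mode 0700) and "ssh -O exit gitolite.kernel.org" closes the master when they are done. Minor: "tcp sessions" should read "TCP sessions".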
userdoc/gitolite_2fa.txt · Last modified: 2018-04-27 21:08 by mricon