From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: "lilinchao@oschina.cn" <lilinchao@oschina.cn>,
	git <git@vger.kernel.org>, Jeff King <peff@peff.net>
Subject: Re: [QUESTION]Is it possible that git would support two-factor authentication?
Date: Fri, 13 Aug 2021 22:56:54 +0000
Message-ID: <YRb4tkINrABgaHGu@camp.crustytoothpaste.net>
In-Reply-To: <20210811135055.tqdblurgk3vw5lgm@nitro.local>

On 2021-08-11 at 13:50:55, Konstantin Ryabitsev wrote:
> 2-factor authentication does not make sense in the first three cases (you
> already have access to all the objects with 1 and 2, and the git:// protocol
> is public and anonymous by design). For the ssh/https scheme, 2fa is already
> supported by the underlying protocol, so it does not make sense for git to
> implement it again on the application level.

To expand on this a little bit, you can absolutely set up a Git server
with OpenSSH and require 2FA with OpenSSH.  That should work just fine.
You could also leverage a custom credential helper for HTTPS to require
a 2FA code, send it to a server, which would issue a one-time token for
Basic auth.  All of this is achievable with existing tooling that we
have today or tooling that can be easily built.

One note here is that as a practical matter, many people require
automated cloning of repositories, such as to use their CI systems.
Those systems generally cannot practically use 2FA and the security
would not be improved if they did, so some solution that allows for that
to work is going to be required.

Also, in workflows that require many repositories to be cloned, it can
be kind of a hassle to wait for one clone to complete, enter the 2FA
code (or touch the YubiKey) for the second clone, wait for it to
complete, do 2FA for the third clone, and so on.  So while you can do
this, it's important to keep in mind that there are some user experience
tradeoffs here that need to be considered as well.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

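The HTTPS route sketched in the message above (a credential helper that takes a 2FA code and gets back a one-time token for Basic auth), written out as an added example that is not from this thread, from Git, or from any hosting provider. The `get`/`store`/`erase` operations and the key=value protocol on stdin/stdout are Git's real credential-helper interface (git-credential(1)); the token endpoint `https://<host>/otp-token`, its JSON request and response, the cache file location and the token lifetime are assumptions made for the example. The on-disk cache is there for the usability point raised at the end of the message: a token is reused until it expires, so a run of clones against one host prompts for a code once rather than once per clone.

```python
#!/usr/bin/env python3
"""Git credential helper: trade a 2FA code for a short-lived Basic-auth token
and cache it, so a burst of clones asks for one code rather than one per clone.
Added example (not Git's code, not any provider's API).  The key=value protocol
on stdin/stdout is Git's (git-credential(1)); the https://<host>/otp-token
endpoint, its JSON, the cache path and the token TTL are assumptions."""
import json
import os
import sys
import time
import urllib.request

CACHE_PATH = os.path.expanduser("~/.cache/git-otp-helper.json")  # assumed path

def parse_credential_input(text):
    """Parse Git's key=value request; it ends at a blank line or EOF."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs

def format_credential_output(attrs):
    """One key=value per line, then a blank line, as Git expects."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"

def cache_key(attrs):
    """Scope tokens to protocol, user and host so two hosts never share one."""
    return f"{attrs.get('protocol')}://{attrs.get('username', '')}@{attrs.get('host')}"

class TokenCache:
    """Tiny JSON cache of issued tokens (path=None keeps it in memory only)."""
    def __init__(self, path):
        self.path, self.entries = path, {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def lookup(self, key, now):
        entry = self.entries.get(key)
        return entry if entry and entry["expires"] > now else None

    def update(self, key, entry):
        """Store a fresh entry, or drop one when entry is None; persist mode 0600."""
        if entry is None:
            self.entries.pop(key, None)
        else:
            self.entries[key] = entry
        if self.path:
            os.makedirs(os.path.dirname(self.path), exist_ok=True)
            fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as f:
                json.dump(self.entries, f)

def handle_get(attrs, cache, prompt_otp, issue_token, now=None):
    """Serve `get`: reuse an unexpired token, else prompt for a code and exchange it."""
    now = time.time() if now is None else now
    key = cache_key(attrs)
    entry = cache.lookup(key, now)
    if entry is None:
        username = attrs.get("username") or os.environ.get("USER", "git")
        token, ttl = issue_token(attrs["host"], username, prompt_otp(attrs["host"]))
        entry = {"username": username, "token": token, "expires": now + ttl}
        cache.update(key, entry)
    return {"username": entry["username"], "password": entry["token"]}

def prompt_otp_from_tty(host):
    """stdin carries the credential protocol, so read the code from the terminal."""
    with open("/dev/tty", "r+") as tty:
        tty.write(f"2FA code for {host}: ")
        tty.flush()
        return tty.readline().strip()

def issue_token_over_https(host, username, otp):
    """Assumed server API: POST the code, get back {"token": ..., "ttl": ...}."""
    body = json.dumps({"username": username, "otp": otp}).encode()
    req = urllib.request.Request(f"https://{host}/otp-token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    return reply["token"], int(reply["ttl"])

def main(argv):
    attrs = parse_credential_input(sys.stdin.read())
    cache = TokenCache(CACHE_PATH)
    if argv[1] == "get":
        out = handle_get(attrs, cache, prompt_otp_from_tty, issue_token_over_https)
        sys.stdout.write(format_credential_output(out))
    elif argv[1] == "erase":  # Git calls this after the server rejects the token
        cache.update(cache_key(attrs), None)
    return 0  # "store" needs nothing: the token was cached when it was issued

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `git-credential-otp` on PATH and selected with `git config --global credential.helper otp`, Git calls `get` before each authenticated HTTPS request and `erase` after the server rejects the credential, which drops the cached token so the next `get` prompts for a fresh code. A CI runner would not use this helper at all: it presents a long-lived token (or an SSH deploy key) directly, which is the separate arrangement the message says automated cloning needs. The SSH side needs no client code: `AuthenticationMethods publickey,keyboard-interactive` in sshd_config together with a PAM OTP module enforces the second factor, and a `Match User` block that lists `publickey` alone exempts the CI account.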
Thread overview: 8+ messages
2021-08-11 11:00 [QUESTION]Is it possible that git would support two-factor authentication? lilinchao
2021-08-11 13:50 ` Konstantin Ryabitsev
2021-08-11 15:23   ` Theodore Ts'o
2021-08-13 22:56   ` brian m. carlson [this message]
2021-08-11 13:54 ` Derrick Stolee
     [not found] ` <9b199de2faab11eba548a4badb2c2b1195555@gmail.com>
2021-08-13  7:49   ` lilinchao
2021-08-14 22:02     ` Johannes Schindelin
     [not found]       ` <BEBB4A79-9773-4701-A8C5-06C20AB42686@github.com>
     [not found]         ` <1F2C610F-8800-466A-A0CA-7A6068A14805@github.com>
     [not found]           ` <D8CFA50F-266A-4995-8058-D29A2D490D5F@github.com>
2021-08-17 10:19             ` Matthew Cheetham