2FA + openssh 安全服务器上的 Gitlab
Posted
技术标签:
【中文标题】2FA + openssh 安全服务器上的 Gitlab【英文标题】:Gitlab on a 2FA + openssh secured Server 【发布时间】:2019-07-16 11:19:17 【问题描述】:System: Ubuntu 18.04.2 LTS Server
Gitlab: 11.7.5-ee
有一个新的本地服务器(深度学习平台),它也应该容纳 Gitlab,因为这台机器可以轻松地处理它。
服务器当然必须尽可能安全,所以我更改了服务器配置以使登录仅适用于ssh-key + google 2FA
(根据本教程https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
之后安装 gitlab 并导入项目,设置 CI,添加 ssh-keys。在 web 界面上,一切都运行良好,CI 也正在运行,并且再次使用2FA
的 web-portal-login 正在按预期工作。旁注:Gitlab 本身只能通过内部 IP 访问(有意)。
我在本地切换了分支:
git remote set-url origin git@IP:USERNAME/REPOSITORY.git
但是,克隆、拉取和推送现在都不起作用。我(以及所有其他用户)得到:
git@IP's password:
当然我没有那个密码。
制作
sudo gitlab-rake gitlab:check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Administrator / salesbeat ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 4
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
通过 sh -Tv git@192.168.0.113 检查
sh -Tv git@192.168.0.113
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.113 [192.168.0.113] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.113:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TubIbvzKzAsDNbW4WYmmLss4Jo7q089SmJmhdvdyhl8
debug1: Host '192.168.0.113' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:8Nkt7JyhE9zQKv6EIXfSMRLgzg8dh+eSzuPqvrSgpLw /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
Authenticated with partial success.
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password
git@192.168.0.113's password:
找不到解决方案并且没有想法。似乎检测到并提供了密钥,但随后直接进入下一个身份验证方法:密码 我能想到的唯一原因是服务器本身的 2FA,但出于安全原因,我显然无法禁用该 2FA。
【问题讨论】:
【参考方案1】:您的 SSH 日志表明 keyboard-interactive
步骤(包括 TOTP 令牌提示)实际上没有执行任何操作,这可能意味着您的 TOTP 设置不正确或不完整。这部分由 libpam-google-authenticator 处理;您也许可以在 /var/log/auth.log
(或其他地方,具体取决于您系统的日志记录设置)中找到其他日志。
我的预感:教程中显示的设置会创建一个 .google_authenticator 文件,确保它最终位于正确的位置(/var/opt/gitlab
,如果您使用的是标准位置)。
由于这是一个故障排除操作,我无法提供完整的答案,但这应该会给您提供更多需要检查的内容。
另外,请注意,这可能无法按照您的设想实现。
GitLab 在内部使用单个系统帐户 git
并将所有 SSH 密钥与该帐户相关联。使用特定公钥通过 SSH 进行身份验证允许 GitLab 查找此密钥属于哪个 GitLab 用户,从而在应用程序级别(即 Git 操作)为您应用正确的身份和授权。
Google Authenticator 的 PAM 模块对此一无所知。它只能为任何系统帐户关联一个 TOTP 密钥,这意味着所有 GitLab 用户将共享相同的令牌 - 这首先大大降低了使用 TOTP 令牌的好处。
旁注,我从未见过除了 SSH 密钥身份验证之外还需要 TOTP 的 Git 服务器。这在实践中也非常烦人,因为这意味着每个 Git 操作都会提示输入令牌,而使用密钥代理的正确 SSH 密钥设置,您每天只会被提示一次(给予或接受)。您可能需要考虑降低标准并接受加密的 SSH 密钥和密钥密码这两个因素(这肯定比仅使用密码具有更高的安全级别)。
【讨论】:
以上是关于2FA + openssh 安全服务器上的 Gitlab的主要内容,如果未能解决你的问题,请参考以下文章