时间戳

首页 > 解决方案 > 2FA + openssh 安全服务器上的 Gitlab

git - 2FA + openssh 安全服务器上的 Gitlab

问题描述

System: Ubuntu 18.04.2 LTS Server 

Gitlab: 11.7.5-ee

有了一个新的本地服务器(深度学习平台),它也应该容纳 Gitlab,因为这台机器可以轻松地处理它。

服务器当然必须尽可能安全,所以我更改了服务器配置以使登录只能用于ssh-key + google 2FA(根据本教程https://www.digitalocean.com/community/tutorials/how-to-set-up-multi -factor-authentication-for-ssh-on-ubuntu-16-04

之后安装 gitlab 并导入项目,设置 CI,添加 ssh-keys。在 web 界面上,一切都运行良好,CI 也正在运行,并且 web-portal-login 再次2FA按预期工作。旁注:Gitlab 本身只能通过内部 IP 访问(预期)。

在本地,我用以下方式切换了分支:

git remote set-url origin git@IP:USERNAME/REPOSITORY.git

但是,克隆、拉动和推送现在都不起作用。我(以及所有其他用户)得到:

git@IP's password:

当然,我没有那个密码。

制造

sudo gitlab-rake gitlab:check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Administrator / salesbeat ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 4
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

通过 sh -Tv git@192.168.0.113 检查

sh -Tv git@192.168.0.113
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.113 [192.168.0.113] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.113:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TubIbvzKzAsDNbW4WYmmLss4Jo7q089SmJmhdvdyhl8
debug1: Host '192.168.0.113' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:8Nkt7JyhE9zQKv6EIXfSMRLgzg8dh+eSzuPqvrSgpLw /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
Authenticated with partial success.
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password
git@192.168.0.113's password:

找不到解决方案并且没有想法。似乎检测到并提供了密钥,但随后直接进入下一个身份验证方法:密码 我能想到的唯一原因是来自服务器本身的 2FA,但由于安全原因,我显然不能禁用那个。

标签: gitgitlabssh-keysopenssh

解决方案

您的 SSH 日志表明该keyboard-interactive步骤(包括 TOTP 令牌提示)实际上没有执行任何操作,这可能意味着您的 TOTP 设置不正确或不完整。这部分由 libpam-google-authenticator 处理;您可能可以在/var/log/auth.log(或其他地方,具体取决于系统的日志记录设置)中找到其他日志。

我的预感:教程中显示的设置会创建一个 .google_authenticator 文件,确保它最终位于正确的位置(/var/opt/gitlab如果您使用的是标准位置)。

由于这是一个故障排除操作,我无法提供完整的答案,但这应该会给您提供更多检查内容。

另外,请注意,这可能无法按照您的设想进行。

GitLab 通过使用单个系统帐户git并将所有 SSH 密钥与该帐户相关联在内部工作。使用特定公钥通过 SSH 进行身份验证允许 GitLab 查找此密钥属于哪个 GitLab 用户,从而在应用程序级别(即 Git 操作)为您应用正确的身份和授权。

Google Authenticator 的 PAM 模块对此一无所知。它只能为任何系统帐户关联一个 TOTP 密钥,这意味着所有 GitLab 用户将共享相同的令牌 - 这首先大大降低了使用 TOTP 令牌的好处。

旁注,我从未见过除了 SSH 密钥身份验证之外还需要 TOTP 的 Git 服务器。这在实践中也非常烦人,因为这意味着每个 Git 操作都会提示输入令牌,而使用密钥代理的正确 SSH 密钥设置,您每天只会被提示一次(给予或接受)。您可能需要考虑降低标准并接受加密的 SSH 密钥和密钥密码短语这两个因素(这肯定比仅使用密码具有更高的安全级别)。

推荐阅读