git - Gitlab on a 2FA + openssh secured server
Problem description
System: Ubuntu 18.04.2 LTS Server
Gitlab: 11.7.5-ee
Got a new local server (deep learning platform) which should also host Gitlab, since the machine can easily handle it.
The server of course has to be as secure as possible, so I changed the server configuration so that login is only possible with ssh-key + google 2FA
(according to this tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04)
Afterwards I installed gitlab and imported the projects, set up CI, added the ssh-keys. In the web interface everything works fine, CI is running too, and the web-portal login with 2FA again
works as expected. Side note: Gitlab itself is only reachable via the internal IP (intended).
Locally I switched the branches with:
git remote set-url origin git@IP:USERNAME/REPOSITORY.git
But cloning, pulling and pushing no longer work. I (and all other users) get:
git@IP's password:
Of course I don't have that password.
Ran
sudo gitlab-rake gitlab:check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Administrator / salesbeat ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 4
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Check via ssh -Tv git@192.168.0.113
ssh -Tv git@192.168.0.113
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.113 [192.168.0.113] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.113:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TubIbvzKzAsDNbW4WYmmLss4Jo7q089SmJmhdvdyhl8
debug1: Host '192.168.0.113' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:8Nkt7JyhE9zQKv6EIXfSMRLgzg8dh+eSzuPqvrSgpLw /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
Authenticated with partial success.
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password
git@192.168.0.113's password:
I can't find a solution and am out of ideas. It seems the key is detected and offered, but then it goes straight to the next authentication method: password. The only reason I can think of is the 2FA of the server itself, but for security reasons I obviously can't disable that.
Solution
Your SSH log indicates that the keyboard-interactive
step (which includes the TOTP token prompt) actually doesn't do anything, which probably means your TOTP setup is incorrect or incomplete. This part is handled by libpam-google-authenticator; you can probably find additional logs in /var/log/auth.log
(or elsewhere, depending on your system's logging setup).
My hunch: the setup shown in the tutorial creates a .google_authenticator file; make sure it ends up in the right place (/var/opt/gitlab
if you are using the standard location).
Since this is a troubleshooting exercise I can't give a complete answer, but this should give you some more things to check.
Also, note that this may not work the way you envision it.
GitLab works internally by using a single system account, git,
and associating all SSH keys with that account. Authenticating over SSH with a specific public key lets GitLab look up which GitLab user this key belongs to, and thereby apply the correct identity and authorization for you at the application level (i.e. Git operations).
The PAM module for Google Authenticator knows nothing about this. It can only associate a single TOTP secret with any given system account, which means all GitLab users would share the same token - which largely defeats the benefit of using TOTP tokens in the first place.
Side note: I have never seen a Git server that requires TOTP on top of SSH key authentication. It is also very annoying in practice, since it means every Git operation would prompt for a token, whereas with a proper SSH key setup using a key agent you would only be prompted about once a day (give or take). You may want to consider lowering the bar and accepting the two factors of an encrypted SSH key plus the key passphrase (which is certainly a higher security level than just a password).
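As an added example (not part of the question or the answer above, and not GitLab's or the tutorial's own configuration), the following sshd_config layout keeps the key + TOTP requirement for interactive (human) accounts while exempting GitLab's shared git account, which, as the answer explains, cannot hold a meaningful per-user TOTP secret. The directive names are standard OpenSSH; the account name git and the server address are taken from the page, and the assumption is that the tutorial's PAM setup (pam_google_authenticator in /etc/pam.d/sshd) is already in place.

```sshd_config
# /etc/ssh/sshd_config (relevant directives only; added example, not from the page)

# Global defaults: apply to every account that is not matched below.
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive is what carries the PAM (TOTP) prompt.
ChallengeResponseAuthentication yes
UsePAM yes
# Both factors required for human logins: the key first, then the TOTP prompt.
AuthenticationMethods publickey,keyboard-interactive

# GitLab's shell account: every GitLab user authenticates as "git", so a
# per-account TOTP secret would be one token shared by all of them.
# Key-only here; identity and authorization are decided by GitLab from the key.
# Match blocks must come after all global directives.
Match User git
    AuthenticationMethods publickey
    PasswordAuthentication no
```

Before reloading sshd, validate the file with `sudo sshd -t`, and confirm the methods that will actually be enforced for the git account with `sudo sshd -T -C user=git,host=192.168.0.113,addr=192.168.0.113 | grep -i authenticationmethods`; it should print `authenticationmethods publickey`, while the same query for a human account prints `authenticationmethods publickey,keyboard-interactive`. Keep an existing session open while changing this, so a mistake in the Match block cannot lock you out.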