On 2022.10.26 16:33, Tobias Leupold wrote:
On Monday, 24 October 2022, 01:16:30 CEST Jack wrote:
> On 2022.10.23 02:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at
> > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature-wise in this release, however there have
> > been some bug fixes surrounding the "Rebase without Pipeline"
> > functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I
> > have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> > next time you access it. This can be done using either a Webauthn token
> > (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token
> > to log back in via SSH, see
> > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > for more details on this.
> >
> > Please let us know if there are any queries on the above.
> >
> > Thanks,
> > Ben
>
> Sorry to be dense, but without a webauthn token device, it seems I'm at
> a total block if I don't have a phone (or don't have it with me). Is
> that correct, or is there some fine manual I need to read?
Just to take this up again, possibly for the more conservative folks here:

I never had anything to do with Two-Factor Authentication until now. But
actually, it's not as complicated as it seems to be at first glance.

After having messed with it a bit, I found out that one doesn't have to use a
phone to scan QR codes and such. The one-time password used for GitLab 2FA is
only derived from the "secret" (or "key", as GitLab calls it) and the moment
in time where it should be used.

So you can e.g. store that key (it's displayed on GitLab below the QR code, we
don't need the other stuff) in pass's db, e.g. in var/invent.kde.org_2FA or
such.

With the help of a small shell script invoking pass and oathtool (from
oath-toolkit), you can then retrieve the one-time password by only using
the shell:
#!/bin/bash
secret=$(pass "$1")                       # Get the key from pass's db
secret=${secret// /}                      # Strip all spaces from it
valid=$((30 - 10#$(date +%S) % 30))       # Calculate the remaining validity
otp=$(oathtool --base32 --totp "$secret") # Generate the OTP
echo "$otp (valid ${valid}s)"             # Print the result
Call it e.g. with the above var/invent.kde.org_2FA as the parameter, and you
get (after having unlocked your PGP key of course) something like

111658 (valid 28s)

If the time the password will be valid is too short, you can simply call it
again after some seconds (the PGP key stays unlocked for some time).

Of course, this has no error checking or such. But this could be added quite
trivially. This way, we neither need some phone, nor some specialized device
or app to deal with that OTP stuff, but only well-known console tools.

Maybe this helps somebody ;-)
Thanks. I might just try that.
I also found a KDE app called keysmith, but Gentoo doesn't package it,
so I don't quite know what to think of it. I've installed it, but not
yet tried to use it.
Jack
Cheers, Tobias
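As an added worked example (not part of Tobias's mail, and not oath-toolkit's code), here is the TOTP computation that the script above hands to oathtool, written out in Python so the point of the mail is visible: the code depends only on the base32 key GitLab shows under the QR code and on the current 30-second window, and the remaining validity is the same `30 - seconds % 30` the script prints. The secret below is a constructed placeholder, not a real GitLab key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Tuple

# Constructed placeholder in the spaced base32 form GitLab displays;
# in practice this is the value read back from pass.
EXAMPLE_SECRET = "JBSW Y3DP EHPK 3PXP"


def normalize_secret(secret: str) -> bytes:
    """Strip spaces (like ${secret// /} in the script) and base32-decode."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding that GitLab omits
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer and `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, now: int, period: int = 30, digits: int = 6) -> Tuple[str, int]:
    """RFC 6238 TOTP: the HOTP counter is the number of elapsed periods
    since the Unix epoch. Also returns the seconds left in this window,
    which is what the script's $valid computes from `date +%S`."""
    counter = now // period
    valid = period - now % period
    return hotp(normalize_secret(secret), counter, digits), valid


if __name__ == "__main__":
    code, valid = totp(EXAMPLE_SECRET, int(time.time()))
    print(f"{code} (valid {valid}s)")
```

The same key fed to `oathtool --base32 --totp` at the same second produces the same six digits, since both sides implement nothing more than HMAC-SHA1 over the window counter.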