Opened 3 years ago
Closed 3 years ago
#21128 closed task (fixed)
Openstreetmap group of GitHub plans to enable 2FA
| Reported by: | stoecker | Owned by: | team |
|---|---|---|---|
| Priority: | normal | Milestone: | 21.08 |
| Component: | Git mirror | Version: | |
| Keywords: | github 2fa | Cc: | Stereo, Don-vip |
Description (last modified by )
They'll kick out anybody not switching to 2FA. This includes the "josmmirror" user as well as my account.
When "josmmirror" is kicked, then the MacOS build will be broken again.
My recommendation is to move the repo it to JOSM group instead.
Attachments (0)
Change History (13)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|
comment:2 by , 3 years ago
comment:3 by , 3 years ago
| Keywords: | github 2fa added |
|---|
comment:4 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:5 by , 3 years ago
| Milestone: | → 21.07 |
|---|
comment:6 by , 3 years ago
It would be a good idea to enable 2FA on the josm github organisation too :). I have 2FA enabled on my account, but can still push with plain ssh keys, and only need it to log in on the website from a fresh browser. The key for the 2FA can also be shared amongst trusted developers, and one-time codes generated with oathtool - the key is simply encoded in the QR code.
oathtool --tot -b JOSMISCOOL 523325
comment:7 by , 3 years ago
Oh, and automations through the github API use a token, and don't require 2FA every time. The github actions I wrote use this automatically.
comment:8 by , 3 years ago
These permanent secondary requests from more and more websites simply are troublesome. Moreso when, like for me recently, you kill your hardware.
A second factor is a good idea to protect important things. It's simply ugly when each and everything uses it.
comment:9 by , 3 years ago
Yeah, I also had a phone with all my 2FA tokens end up under bus number 16. That was fun.
The oathtool version makes it trivial to back up codes, and a wide variety of apps also let you back things up.
comment:10 by , 3 years ago
I am the bully enabling the 2FA on the @OpenStreetMap github project. Other projects have had accounts compromised and exploit commits snuck in. Applying security after a compromise is too late.
Enabling 2FA josmmirror (or any account) should not disrupt git actions in any way [1].
The 2FA is only required when login into github UI or API. If josmmirror needs access to the Github API, it should be using a Github Personal access token, which is separate and unaffected by 2FA.
Github supports saving a backup 2FA recovery key offline (print-out)? It also supports using a SMS as a backup recovery method.
The 2FA tokens are generated from a shared secret which can be decoded from the QR code from setup stage. I normally save a copy of the QR photo.
I used oathtool --totp -b *SECRET* on the command line. Share the secret with others if they also need 2FA codes, as per how you do with the josmmirror password.
1: As long as you are using SSH key for authentication in git, which you should be using.
comment:11 by , 3 years ago
| Milestone: | 21.07 → 21.08 |
|---|
comment:12 by , 3 years ago
2FA is now enforced for the Github @OpenStreetMap organisation.
Some JOSM developers were automatically removed because 2FA was not enabled on their github accounts. Please enable 2FA and message me and I'll add you back.
https://github.com/openstreetmap/josm/ mirror is currently broken, likely due to josmmirror user being removed.
comment:13 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Mirror is up and running at its new home: https://github.com/JOSM/josm
Replying to stoecker:
Agreed. Now that the GitHub mirror is officially sponsored and used by us, it does not make sense to get it hosted/managed by others.