go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

LDAP git login does not work with 2FA pwd on LDAP, it does however work on web UI #19336

Open ccmsi opened 2 years ago

ccmsi commented 2 years ago

I'm using FreeIPA as a central user management system. We provide users with 2FA tokens activated in FreeIPA, so users have dynamic passwords (the 2FA token is appended to the static user password).

I can successfully log in on the web UI using an LDAP account, with 2FA enabled in FreeIPA (not the Gitea 2FA).

However, that same account fails to authenticate when accessing via git (clone, push). git pull, however, appears to successfully authenticate.

No issues arise when accessing via git with accounts that are not enabled for 2FA, using static passwords.

Error in debug log when accessing using git with an account that has 2FA enabled:

2022/04/06 10:05:15 ...dules/git/command.go:143:RunWithContext() [D] /home/gitea/repos/sipcall/bfl.git: /usr/bin/git -c credential.helper= -c protocol.version=2 -c uploadpack.allowfilter=true -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= upload-pack --stateless-rpc --advertise-refs .
2022/04/06 10:05:15 ...dap/source_search.go:141:bindUser() [D] LDAP auth. failed for uid=**,dc=admin, reason: LDAP Result Code 49 "Invalid Credentials":

wxiaoguang commented 2 years ago

Git should use SSH key or generated token. Git doesn't use the password. Setup token/ssh key in the account settings.

ccmsi commented 2 years ago

> Git doesn't use the password.

Appears to use the password for non-2FA users. No one uses tokens currently. However, only 2FA LDAP users appear affected.

Just for clarification: using git via the https:// protocol, not the git:// protocol.

i.e. for test purposes locally: git clone http://localhost:3000/XXX/YYY.git

wxiaoguang commented 2 years ago

Hmm, then let's keep the issue open to see if there are other opinions about the git + ldap-2fa system. The auth system is pretty complex at the moment.

rmbleeker commented 2 years ago

I've spent some time testing since it was quiet at work. Enabled 2FA on my FreeIPA account in our test environment and tried to clone, push and pull over https.

> git pull however appears to successfully authenticate.

I'm not sure how you came to this conclusion. It is indeed the case that, when there are no changes while doing a git pull, git successfully returns Already up to date. However, when there are new commits to pull down, I get the same error as when trying a git clone or git push with 2FA enabled:

Username for 'https://xxx.yyy.zzz': ********
Password for 'https://********@xxx.yyy.zzz': 
error: RPC failed; HTTP 401 curl 22 The requested URL returned error: 401
fatal: the remote end hung up unexpectedly

However there's nothing in the Gitea log for me, perhaps I need to increase the log level for this?

Far be it from me to tell you how to do things, but I do agree with @wxiaoguang that you should probably switch to tokens or ssh keys for git authentication. Github.com does not even allow you to use account passwords anymore when authenticating git operations and I'm sure others will follow. If you were using 2FA on Github, you were already required to use tokens. Using tokens or ssh keys has several security advantages.

You can easily use ssh keys throughout your environment by having users generate the key pair, then add the public part to their account in FreeIPA or have them do that themselves. Then in Gitea, in the FreeIPA authentication source configuration, set ipaSshPubKey as the value for Public SSH Key Attribute and sync all users so Gitea pulls in all the public keys. You'll have to change the remote URL for all your repositories to ssh:// or git@gitea style URLs, but you should be able to copy the correct URL from the repository page in Gitea.

edit: added link to the Github blog post concerning the topic.
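The SSH key procedure described in the comment above, as an added example script (not code from the issue participants, Gitea or FreeIPA): generate a key pair, publish the public part to the user's FreeIPA entry (ipa user-mod --sshpubkey writes the ipaSshPubKey attribute that the Gitea authentication source is configured to read), then rewrite a repository's https remote to the git@host:path or ssh://git@host:port/path form. The host names, the ~/.ssh/id_ed25519_gitea key path and the RUN_SETUP switch are assumptions; the script assumes the FreeIPA ipa CLI is installed and the user already holds a Kerberos ticket, and that a Gitea admin syncs external users afterwards so the new key is pulled in.

```shell
#!/bin/sh
# Added example: move a FreeIPA user from password-based git over https to SSH keys.
# Assumes: `ipa` CLI with a valid Kerberos ticket, ssh-keygen, git. Not Gitea's own code.

# Derive the SSH clone URL Gitea shows on the repository page from an https clone URL.
# $1 = https URL (e.g. https://gitea.example.com/XXX/YYY.git), $2 = Gitea SSH port (default 22).
gitea_ssh_url() {
  url=$1
  port=${2:-22}
  rest=${url#https://}
  rest=${rest#http://}
  host=${rest%%/*}
  host=${host%%:*}        # drop an http port such as :3000; SSH has its own port
  path=${rest#*/}
  if [ "$port" = "22" ]; then
    printf 'git@%s:%s\n' "$host" "$path"
  else
    printf 'ssh://git@%s:%s/%s\n' "$host" "$port" "$path"
  fi
}

# Generate an ed25519 key pair dedicated to Gitea (assumed path; ssh-keygen prompts for a passphrase).
# $1 = private key path
generate_key() {
  ssh-keygen -t ed25519 -f "$1" -C "gitea-$(whoami)"
}

# Publish the public key to the user's FreeIPA entry. --sshpubkey replaces the user's
# existing key list, so include every key that should remain (one --sshpubkey per key).
# $1 = FreeIPA uid, $2 = public key file (.pub)
publish_key_to_freeipa() {
  ipa user-mod "$1" --sshpubkey="$(cat "$2")"
}

# Point a repository's origin at the SSH URL instead of the https URL.
# $1 = repository directory, $2 = Gitea SSH port (default 22)
switch_remote_to_ssh() {
  current=$(git -C "$1" remote get-url origin)
  git -C "$1" remote set-url origin "$(gitea_ssh_url "$current" "${2:-22}")"
  git -C "$1" remote get-url origin
}

# Only perform the real changes when explicitly asked for (RUN_SETUP=1 is an assumed switch);
# sourcing the file otherwise just defines the functions above.
if [ "${RUN_SETUP:-0}" = "1" ]; then
  KEY="$HOME/.ssh/id_ed25519_gitea"      # assumed key path
  generate_key "$KEY"
  publish_key_to_freeipa "$(whoami)" "$KEY.pub"
  # After a Gitea admin runs "Synchronize external user data" (or the sync cron fires),
  # the key appears under the account's SSH keys; then switch the remote and verify:
  switch_remote_to_ssh "$PWD" 22
  ssh -T "git@$(gitea_ssh_url "$(git remote get-url origin)" 22 | sed 's/^git@//; s/:.*$//')"
fi
```

The only step that changes what Gitea sees is the ipaSshPubKey write: Gitea reads that attribute through the LDAP authentication source's Public SSH Key Attribute setting, so no password (and therefore no OTP) is involved on the git path. If the Gitea instance serves SSH on a non-default port, pass that port to gitea_ssh_url and the ssh:// form is produced instead.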

wxiaoguang commented 2 years ago

Related to https://github.com/go-gitea/gitea/issues/17350 (or I'd like to say they are the same problem)