LWN: Comments on "GitLab 10.0 Released" https://lwn.net/Articles/734649/ This is a special feed containing comments posted to the individual LWN article titled "GitLab 10.0 Released". en-us Sun, 14 Sep 2025 16:04:05 +0000 Sun, 14 Sep 2025 16:04:05 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net GitLab 10.0 Released https://lwn.net/Articles/734721/ https://lwn.net/Articles/734721/ nix <div class="FormattedComment"> <font class="QuotedText">&gt; My yubikey I always carry with me and I use it for logging into everything - basic linux login with pam with the yubikey in Challenge-Response mode, and then everything else oath mode.</font><br> <p> Likewise, only I have extra rules:<br> <p> - two yubikeys, in case I lose one: one at home, hidden, the other on my keyring. The one on my keyring is obviously equivalent to physical access to my house, so I can do things like log in to home servers as root with it. Spare key in wallet not on keyring because if your keyring is plugged into a USB port you might well leave it behind by mistake<br> <p> - authentication to home systems via OTP, communicating with a home-run yubiserver (it's not that I don't trust the yubicloud, it's just that if my net connection goes down I still want to be able to log in.)<br> <p> - authentication to systems I run that are *not* home systems via HMAC-SHA1 challenge-response mode, as you do for everything: the benefit of this is principally that you don't need a connection to the auth server; the downside is that it dumps the next expected response in local storage: not to be done where $HOME is on NFS, at least not storing the response in the default place<br> <p> - other authentication (disk decryption, etc) mostly via challenges to the HMAC-SHA1.<br> <p> - plus a bit of U2F here and there (very rare in my usage).<br> <p> I have never managed to get PGP token storage or PIV SSH key storage working. 
They all break for good the first time you use the key for anything else, and I use it for a *lot*.<br> <p> </div> Mon, 25 Sep 2017 11:16:19 +0000 GitLab 10.0 Released https://lwn.net/Articles/734696/ https://lwn.net/Articles/734696/ flussence <div class="FormattedComment"> I appreciate the tip, but my gripe here wasn't that it takes 8 seconds to enter a PIN code - it's that I have to see GitLab's login screen an order of magnitude more frequently than every other site I use combined.<br> </div> Sun, 24 Sep 2017 17:27:50 +0000 Firefox and U2F support https://lwn.net/Articles/734693/ https://lwn.net/Articles/734693/ iarenaza <div class="FormattedComment"> Firefox nightly already has beta support for FIDO U2F and AFAIK, the intention is to ship stable support in FF 57. If you want to keep an eye on this, follow <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1065729">https://bugzilla.mozilla.org/show_bug.cgi?id=1065729</a><br> </div> Sun, 24 Sep 2017 16:13:49 +0000 GitLab 10.0 Released https://lwn.net/Articles/734689/ https://lwn.net/Articles/734689/ dsommers <div class="FormattedComment"> With U2F, the browser talks directly with the USB token - so neither you nor the site implementing U2F authentication will ever have direct access to the key used to authenticate you. While with TOTP/HOTP "mode" is based on a shared key between user and server which is easily accessible at least when configuring it.<br> <p> For U2F to function, the browser needs to support it. 
Google Chrome/Chromium supports it out-of-the-box, while with Firefox this add-on[1] works most of the time (not with Atlassian's login for some reason)<br> <p> [1] <a href="https://addons.mozilla.org/en-GB/firefox/addon/u2f-support-add-on/">https://addons.mozilla.org/en-GB/firefox/addon/u2f-suppor...</a><br> <p> More details on U2F can be found here:<br> <a href="https://developers.yubico.com/U2F/">https://developers.yubico.com/U2F/</a><br> </div> Sun, 24 Sep 2017 13:03:05 +0000 GitLab 10.0 Released https://lwn.net/Articles/734687/ https://lwn.net/Articles/734687/ ms <div class="FormattedComment"> My yubikey I always carry with me and I use it for logging into everything - basic linux login with pam with the yubikey in Challenge-Response mode, and then everything else oath mode. Any site that works with google authenticator or similar will work with yubikey oath - the algorithm is the same (aiui). So github, google, etc etc. This is though the Yubikey Neo 4 - I'm not sure how the U2F products differ.<br> </div> Sun, 24 Sep 2017 11:13:41 +0000 GitLab 10.0 Released https://lwn.net/Articles/734682/ https://lwn.net/Articles/734682/ tialaramex <div class="FormattedComment"> Does U2F have a little "click this to learn more" type logo which sites could add so you realise they offer this? I wasn't even aware that U2F was a thing until Adam Langley mentioned it on ImperialViolet.<br> <p> Tiny USB touch tokens probably are the right thing for me (I have no idea if they suit flussence) if I can use them with lots of sites. I could, it seems, buy one that works with my phone as well as my PC. But if they're a passing fad for the same half dozen sites that embrace every new authentication idea then I shouldn't bother wasting my $10, I can wait until the next fad is free. 
And seeing the logo is one way I'd estimate if that's the situation<br> </div> Sun, 24 Sep 2017 08:50:09 +0000 GitLab 10.0 Released https://lwn.net/Articles/734669/ https://lwn.net/Articles/734669/ dsommers <div class="FormattedComment"> You should try FIDO U2F login instead ;-)<br> <p> Those USB tokens exist in various prices with different features:<br> <a href="https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/">https://www.yubico.com/products/yubikey-hardware/compare-...</a><br> <a href="https://shop.nitrokey.com/shop/product/nitrokey-fido-u2f-20">https://shop.nitrokey.com/shop/product/nitrokey-fido-u2f-20</a><br> <a href="https://www.amazon.com/fido-token/s?ie=UTF8&amp;page=1&amp;rh=i%3Aaps%2Ck%3Afido%20token">https://www.amazon.com/fido-token/s?ie=UTF8&amp;page=1&amp;...</a><br> <p> </div> Sat, 23 Sep 2017 20:44:20 +0000 GitLab 10.0 Released https://lwn.net/Articles/734655/ https://lwn.net/Articles/734655/ flussence <div class="FormattedComment"> I notice their main site now has a "Remember Me" checkbox for openid logins, so hopefully my main gripe is finally fixed (all login sessions time out way too quickly). Real PITA when I have to pull out my phone to enter a 2FA code every day I want to use the site…<br> </div> Sat, 23 Sep 2017 06:44:23 +0000