Hi Stephen
Very sorry for the long mail; got somewhat carried away.
TL;DR:
- I like the basic ides, but you seem to assume the user -> IP
mapping is a long term one (read below for why I think so),
which I don't think is true in general.
- A better method would be to have the user -> IP mapping be
recorded **somehow**, at some regular interval, and then a
simple "ACCESS_1" trigger checks that IP.
- Both the recording of the IP and the check would be very
site specific (see below for how
kernel.org does it, for
instance, as well as a generalisation of that notion I
created in a project called "totport").
----------------------------------------------------------------------
And now for the longer version :-)
I think that would be a good first level protection against some
of the issues you (and maybe others) have / could have.
While I'm not arguing against such additional protection, I have
a few thoughts.
1. You're recording the IP at the time he uploads his key.
Assuming no one is uploading the key every day or week, that
means the user -> IP mapping is kinda fixed.
This is not true in general, in fact quite the opposite.
This is the crux of my objection to the specifics of your
proposal; everything else kinda follows from that.
2. Similarly, updating the authorized_keys file *directly* is
also a non-scalable solution when you have large numbers of
users with IPs changing frequently.
3. For the general case, it needs to be something much more
dynamic.
For example, here's how
kernel.org (or rather, Konstantin
Ryabitsev) has done to add 2FA to gitolite. Broadly
speaking:
- (one time per user) provisioning each user with a TOTP
mechanism (Konstantin uses Yubikeys, but a normal TOTP
app on a phone will do fine if you want to consider
this)
- (once per day) user runs a special gitolite command,
like: "ssh git@host validate 123456". The program
validates the TOTP code and, if valid, records the IP as
being valid for this userid for the next 24 hour (or
whatever period you decide is safe).
- (anytime for the next 24 hours) user runs git push etc.
from the same IP and it all works. From a different IP,
the user is rejected. (Konstantin does this via a VREF,
because
kernel.org is all open source and he only cares
about pushes. You and I would do it in an ACCESS_1
trigger, so it covers reads *and* writes.
(Side note: The totport project I spoke of is at
https://gitolite.com/totport, and is much more generic; it
protects not just gitolite, but any arbitrary TCP-based
service on any internal host protected by a bastion host.
It uses the same broad technique outlined above.)
So what it comes down to is:
- some way to record the user's IP in a way that involves more
than just the ssh key
- some way to be able to check, given a $GL_USER and the IP
address from $SSH_CONNECTION, that this user and this IP
map to each other in our recorded list.
Both these things are very clearly site specific.
- for the recording of the IP, in your case, for example, you
have some external-to-gitolite web server that can validate
a user and record his IP. Others may go the TOTP way, or
have some other method entirely.
- even the checking can vary. For example, I can easily see
some sites saying that the IP only needs to match in the
first 3 octets for IPv4, i.e., any IP in the same /24 subnet
as the validated one is fine. So even that is not as simple
as "compare recorded IP for this user with first word of
$SSH_CONNECTION".
So now you see why I have resisted this till now. It can't be
made generic enough to put in gitolite, without gitolite going
way out of its "core competence" :-)
Finally, note that ssh-authkeys is not considered "core"; feel
free to modify it and put your modified copy in a directory
pointed by LOCAL_CODE in the rc file, and gitolite will pick up
your copy instead of the shipped one.
regards
sitaram
> --
> You received this message because you are subscribed to the Google Groups "gitolite" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
gitolite+u...@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/gitolite/CAH8BJxE%2Bpb6BbJTPi%2BJDJYqLM2CfigAX7KRrWV3dJnoa4QcLHA%40mail.gmail.com.