* [QUESTION]Is it possible that git would support two-factor authentication?
From: lilinchao @ 2021-08-11 11:00 UTC
To: git; +Cc: Jeff King

Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
enable 2FA during this process.
* Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: Konstantin Ryabitsev @ 2021-08-11 13:50 UTC
To: lilinchao@oschina.cn; +Cc: git, Jeff King

On Wed, Aug 11, 2021 at 07:00:50PM +0800, lilinchao@oschina.cn wrote:
> Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
> When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
> enable 2FA during this process.

As you well know, "cloning" a repository can be done via any number of
mechanisms:

1. locally from another repository on disk
2. locally, from a git bundle file
3. remotely, using the anonymous git:// protocol
4. remotely, using ssh or http(s) protocols

2-factor authentication does not make sense in the first three cases (you
already have access to all the objects with 1 and 2, and the git:// protocol
is public and anonymous by design). For the ssh/https scheme, 2fa is already
supported by the underlying protocol, so it does not make sense for git to
implement it again on the application level.

Hope this helps.

-K
* Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: Theodore Ts'o @ 2021-08-11 15:23 UTC
To: Konstantin Ryabitsev; +Cc: lilinchao@oschina.cn, git, Jeff King

On Wed, Aug 11, 2021 at 09:50:55AM -0400, Konstantin Ryabitsev wrote:
> On Wed, Aug 11, 2021 at 07:00:50PM +0800, lilinchao@oschina.cn wrote:
> > Many websites support two-factor authentication (2FA) to log in,
> > like GitHub. I wonder if we can support it in the application layer.
> > When clients clone something, they need to input a username and
> > password; it is like a website login process. For security, we can
> > enable 2FA during this process.
>
> As you well know, "cloning" a repository can be done via any number of
> mechanisms:
>
> 1. locally from another repository on disk
> 2. locally, from a git bundle file
> 3. remotely, using the anonymous git:// protocol
> 4. remotely, using ssh or http(s) protocols
>
> 2-factor authentication does not make sense in the first three cases (you
> already have access to all the objects with 1 and 2, and the git:// protocol
> is public and anonymous by design). For the ssh/https scheme, 2fa is already
> supported by the underlying protocol, so it does not make sense for git to
> implement it again on the application level.

It might be helpful to be explicit about what *kind* of two-factor
authentication you are interested in. There are multiple different
kinds of 2FA systems, including ssh keys stored on a hardware token
such as a smartcard or a YubiKey, U2F/FIDO systems using a security
key, TOTP or HOTP one-time-password systems, etc.

Each of these systems has different tradeoffs in terms of ease of use
from the user's perspective (both from the point of view of initial
setup and day-to-day use after getting set up), security against MITM
attacks, and ease of integration/deployment from the system
administrator's perspective.

Cheers,

- Ted
* Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: brian m. carlson @ 2021-08-13 22:56 UTC
To: Konstantin Ryabitsev; +Cc: lilinchao@oschina.cn, git, Jeff King

On 2021-08-11 at 13:50:55, Konstantin Ryabitsev wrote:
> 2-factor authentication does not make sense in the first three cases (you
> already have access to all the objects with 1 and 2, and the git:// protocol
> is public and anonymous by design). For the ssh/https scheme, 2fa is already
> supported by the underlying protocol, so it does not make sense for git to
> implement it again on the application level.

To expand on this a little bit, you can absolutely set up a Git server
with OpenSSH and require 2FA with OpenSSH. That should work just fine.
You could also leverage a custom credential helper for HTTPS to require
a 2FA code, send it to a server, which would issue a one-time token for
Basic auth. All of this is achievable with existing tooling that we
have today or tooling that can be easily built.

One note here is that as a practical matter, many people require
automated cloning of repositories, such as to use their CI systems.
Those systems generally cannot practically use 2FA and the security
would not be improved if they did, so some solution that allows for
that to work is going to be required.

Also, in workflows that require many repositories to be cloned, it can
be kind of a hassle to wait for one clone to complete, enter the 2FA
code (or touch the YubiKey) for the second clone, wait for it to
complete, do 2FA for the third clone, and so on. So while you can do
this, it's important to keep in mind that there are some user
experience tradeoffs here that need to be considered as well.

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
* Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: Derrick Stolee @ 2021-08-11 13:54 UTC
To: lilinchao@oschina.cn, git; +Cc: Jeff King, mjcheetham

On 8/11/2021 7:00 AM, lilinchao@oschina.cn wrote:
> Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
> When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
> enable 2FA during this process.

Typically, this is handled at the credential helper layer, which
is a tool outside of the Git codebase that can more closely work
with such 2FA/MFA requirements. For example, GCM Core [1] supports
2FA with GitHub, Azure DevOps, and BitBucket.

[1] https://github.com/microsoft/Git-Credential-Manager-Core

The mechanism is that Git attempts an operation and gets an error
code, so it asks for a credential from the helper. The helper
then communicates with the server to do whatever authentication
is required, including possibly performing multi-factor auth.
All of these details are hidden from Git, which is good.

I've CC'd Matthew Cheetham, who is the maintainer of GCM Core, to
correct me if I misstated anything here.

Thanks,
-Stolee
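As an added illustration (not code from this thread, from Git, or from GCM), the following Python models the helper flow Stolee describes and the custom HTTPS helper brian sketches above: Git writes a key=value credential request, the helper collects a TOTP code from the user, a (here simulated) server verifies it and issues a one-time token, and the helper returns that token as the password. The HOTP/TOTP arithmetic follows RFC 4226/6238; the host git.example.test, the issue_one_time_token server stub and the sample request are constructed for this example.

```python
# Added example: git credential-helper `get` exchange with a TOTP code
# traded for a one-time Basic-auth token (server side simulated inline).
import hmac, hashlib, secrets, struct
from typing import Optional

def parse_credential_request(text: str) -> dict:
    """Parse git's key=value credential protocol (ends at a blank line)."""
    req = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        req[key] = value
    return req

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // period)

def issue_one_time_token(key: bytes, code: str, now: int, skew: int = 1) -> Optional[str]:
    """Simulated server: accept a code from the current or adjacent
    time steps (constant-time compare) and mint a fresh random token."""
    for step in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(key, now // 30 + step), code):
            return secrets.token_hex(16)
    return None

def helper_get(request_text: str, key: bytes, code: str, now: int) -> Optional[str]:
    """Helper side of `get`: exchange the user's code for a token and
    emit git's response lines; None means 'not handled' (git moves on)."""
    req = parse_credential_request(request_text)
    if req.get("protocol") != "https":
        return None
    token = issue_one_time_token(key, code, now)
    if token is None:
        return None
    return f"username={req.get('username', '')}\npassword={token}\n"

# Constructed sample request, in the shape git writes to a helper's stdin.
SAMPLE_REQUEST = "protocol=https\nhost=git.example.test\nusername=alice\n\n"
SAMPLE_KEY = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key
```

A real helper would read the request from stdin, prompt for the code on the terminal, and call an actual token endpoint instead of issue_one_time_token; the wire shape on the Git side is unchanged.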
* Re: Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: lilinchao @ 2021-08-13 7:49 UTC
To: Derrick Stolee, git; +Cc: Jeff King, mjcheetham

> On 8/11/2021 7:00 AM, lilinchao@oschina.cn wrote:
> > Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
> > When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
> > enable 2FA during this process.
>
> Typically, this is handled at the credential helper layer, which
> is a tool outside of the Git codebase that can more closely work
> with such 2FA/MFA requirements. For example, GCM Core [1] supports
> 2FA with GitHub, Azure DevOps, and BitBucket.
>
> [1] https://github.com/microsoft/Git-Credential-Manager-Core
>
> The mechanism is that Git attempts an operation and gets an error
> code, so it asks for a credential from the helper. The helper
> then communicates with the server to do whatever authentication
> is required, including possibly performing multi-factor auth.
> All of these details are hidden from Git, which is good.

Indeed, this is good. I've experienced this tool these days on WSL and Windows,
but ultimately I hope these features can be supported by Git itself, so that the user end can easily configure it.

> I've CC'd Matthew Cheetham, who is the maintainer of GCM Core, to
> correct me if I misstated anything here.

Thanks.
* Re: Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: Johannes Schindelin @ 2021-08-14 22:02 UTC
To: lilinchao@oschina.cn; +Cc: Derrick Stolee, git, Jeff King, mjcheetham

Hi,

On Fri, 13 Aug 2021, lilinchao@oschina.cn wrote:

> > On 8/11/2021 7:00 AM, lilinchao@oschina.cn wrote:
> > > Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
> > > When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
> > > enable 2FA during this process.
> >
> > Typically, this is handled at the credential helper layer, which
> > is a tool outside of the Git codebase that can more closely work
> > with such 2FA/MFA requirements. For example, GCM Core [1] supports
> > 2FA with GitHub, Azure DevOps, and BitBucket.
> >
> > [1] https://github.com/microsoft/Git-Credential-Manager-Core
> >
> > The mechanism is that Git attempts an operation and gets an error
> > code, so it asks for a credential from the helper. The helper
> > then communicates with the server to do whatever authentication
> > is required, including possibly performing multi-factor auth.
> > All of these details are hidden from Git, which is good.
>
> Indeed, this is good. I've experienced this tool these days on WSL and Windows,
> but ultimately I hope these features can be supported by Git itself, so that the user end can easily configure it.

The problem here is that 2FA is highly provider-specific. And that's why
Git itself refuses to implement it. Hence the credential helper layer.

Ciao,
Johannes
* Re: [QUESTION]Is it possible that git would support two-factor authentication?
From: Matthew Cheetham @ 2021-08-17 10:19 UTC
To: Johannes Schindelin, lilinchao@oschina.cn; +Cc: Derrick Stolee, git, Jeff King

(Re-sending, this time without HTML)

Hello!

> On 14 Aug 2021, at 11:02 pm, Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
>
> Hi,
>
> On Fri, 13 Aug 2021, lilinchao@oschina.cn wrote:
>
> > > On 8/11/2021 7:00 AM, lilinchao@oschina.cn wrote:
> > > > Many websites support two-factor authentication (2FA) to log in, like GitHub. I wonder if we can support it in the application layer.
> > > > When clients clone something, they need to input a username and password; it is like a website login process. For security, we can
> > > > enable 2FA during this process.
> > >
> > > Typically, this is handled at the credential helper layer, which
> > > is a tool outside of the Git codebase that can more closely work
> > > with such 2FA/MFA requirements. For example, GCM Core [1] supports
> > > 2FA with GitHub, Azure DevOps, and BitBucket.
> > >
> > > [1] https://github.com/microsoft/Git-Credential-Manager-Core
> > >
> > > The mechanism is that Git attempts an operation and gets an error
> > > code, so it asks for a credential from the helper. The helper
> > > then communicates with the server to do whatever authentication
> > > is required, including possibly performing multi-factor auth.
> > > All of these details are hidden from Git, which is good.
> >
> > Indeed, this is good. I've experienced this tool these days on WSL and Windows,
> > but ultimately I hope these features can be supported by Git itself, so that the user end can easily configure it.
>
> The problem here is that 2FA is highly provider-specific. And that's why
> Git itself refuses to implement it. Hence the credential helper layer.
>
> Ciao,
> Johannes

Johannes and Derrick are correct.

Sadly, there is no standard "modern" authentication/authorization stack
that Git could support in practice. You may think of OAuth 2.0 as being a
good choice, and you'd be right for the most part! However, there are
several shortcomings today.

Plenty of vendors implement OAuth2 in different ways (technically they're
not following RFC 6749 [1]), or have extensions to the specification that
end up being required for most use. At the same time there's no standard
discovery mechanism for the various required endpoints to avoid having the
Git project "hardcode" this configuration for each provider; the Git
project should be agnostic. OpenID Connect [2] extends OAuth2 with some
useful things like endpoint discovery [3], but that is also optional to
implement and still requires some server-side registration and
administration (that is vendor specific).

There's also the question of user interaction. Often this is tied to
specific, opinionated choices like: user agent (browser), operating system
integrations, YubiKey or custom multi-factor authentication solutions
(SMS? biometrics? OTP apps?).

There may be more that Git can do to surface authN/Z challenges to a
credential helper (such as Git Credential Manager [4]) that might help in
making auth in a post-password world less painful. The project is open to
contributions to any vendor or auth stack.

[1] https://datatracker.ietf.org/doc/html/rfc6749
[2] https://openid.net/specs/openid-connect-core-1_0.html
[3] https://openid.net/specs/openid-connect-discovery-1_0.html
[4] https://aka.ms/gcmcore

Thanks,
Matthew