#21128 closed task (fixed)

Openstreetmap group of GitHub plans to enable 2FA

Reported by: stoecker Owned by: team
Priority: normal Milestone: 21.08
Component: Git mirror Version:
Keywords: github 2fa Cc: Stereo, Don-vip

Description (last modified by Don-vip)

They'll kick out anybody not switching to 2FA. This includes the "josmmirror" user as well as my account.

When "josmmirror" is kicked, then the MacOS build will be broken again.

My recommendation is to move the repo it to JOSM group instead.

Attachments (0)

Change History (13)

comment:1 Changed 19 months ago by stoecker

Owner: changed from simon04 to team

comment:2 in reply to:  description Changed 19 months ago by Don-vip

Replying to stoecker:

My recommendation is to move the repo it to JOSM group instead.

Agreed. Now that the GitHub mirror is officially sponsored and used by us, it does not make sense to get it hosted/managed by others.

comment:3 Changed 19 months ago by Don-vip

Keywords: github 2fa added

comment:4 Changed 19 months ago by Don-vip

Description: modified (diff)

comment:5 Changed 19 months ago by Don-vip

Milestone: 21.07

comment:6 Changed 19 months ago by Stereo

It would be a good idea to enable 2FA on the josm github organisation too :). I have 2FA enabled on my account, but can still push with plain ssh keys, and only need it to log in on the website from a fresh browser. The key for the 2FA can also be shared amongst trusted developers, and one-time codes generated with oathtool - the key is simply encoded in the QR code.

oathtool --tot -b JOSMISCOOL

comment:7 Changed 19 months ago by Stereo

Oh, and automations through the github API use a token, and don't require 2FA every time. The github actions I wrote use this automatically.

comment:8 Changed 19 months ago by stoecker

These permanent secondary requests from more and more websites simply are troublesome. Moreso when, like for me recently, you kill your hardware.

A second factor is a good idea to protect important things. It's simply ugly when each and everything uses it.

comment:9 Changed 19 months ago by Stereo

Yeah, I also had a phone with all my 2FA tokens end up under bus number 16. That was fun.

The oathtool version makes it trivial to back up codes, and a wide variety of apps also let you back things up.

comment:10 Changed 18 months ago by Firefishy

I am the bully enabling the 2FA on the @OpenStreetMap github project. Other projects have had accounts compromised and exploit commits snuck in. Applying security after a compromise is too late.

Enabling 2FA josmmirror (or any account) should not disrupt git actions in any way [1].
The 2FA is only required when login into github UI or API. If josmmirror needs access to the Github API, it should be using a Github Personal access token, which is separate and unaffected by 2FA.

Github supports saving a backup 2FA recovery key offline (print-out)? It also supports using a SMS as a backup recovery method.

The 2FA tokens are generated from a shared secret which can be decoded from the QR code from setup stage. I normally save a copy of the QR photo.

I used oathtool --totp -b *SECRET* on the command line. Share the secret with others if they also need 2FA codes, as per how you do with the josmmirror password.

1: As long as you are using SSH key for authentication in git, which you should be using.

comment:11 Changed 18 months ago by Don-vip

Milestone: 21.0721.08

comment:12 Changed 18 months ago by Firefishy

2FA is now enforced for the Github @OpenStreetMap organisation.

Some JOSM developers were automatically removed because 2FA was not enabled on their github accounts. Please enable 2FA and message me and I'll add you back. mirror is currently broken, likely due to josmmirror user being removed.

comment:13 Changed 18 months ago by Don-vip

Resolution: fixed
Status: newclosed

Mirror is up and running at its new home:

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain team.
as The resolution will be set.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.