Quick links
User Documentation
Torproject Sysadmin Team
Howtos
Meeting
Policies
Providers
Roadmaps
Sandbox
Service
Need help?
Tails
Doc
- git, shell, ldap, etc. accounts
- sys admin and service admin tasks
- Bits and pieces of Tor Project infrastructure information
- When using extra.tpo
- Hardware requirements
- How to get help
- Lektor website development environment on macOS
- Naming scheme
- How to report email problems
- Running non-root services
- learning how to do an ssh jump host on tpo
- How make website changes
- Getting an SVN account
Howto
- Web Key Directory
- Apu
- Benchmark
- Build and upload Debian packages
- Cache
- Conference
- Create a new user
- Cumin
- Dns
- Drbd
- Fabric
- Ganeti
- Git
- Gitlab
- RETIRED
- Grafana
- Incident response
- Ipsec
- Creating a tunnel with HE.net
- Irc
- Reference
- Dealing with messed up consoles
- Kvm
- Ldap
- Lektor
- Letsencrypt
- Logging
- LVM cheat sheet
- Nagios
- New machine cymru
- New machine hetzner cloud
- New machine hetzner robot
- New machine mandos
- Billing and ordering
- New machine
- How to get a new Tor System Administrator (with web developer duties) on board
- Nftables
- Openpgp
- Manual web-based OpenStack configuration
- Postgresql
- Puppet
- Raid
- Reboots
- Rename a host
- Rename a user
- Decommissioning a host
- Retire a user
- Rt
- Static component
- Submission
- How-to
- Tls
- Trac
- Upgrades
- YubiKey documentation
- Upgrades
  - Bookworm
  - Bullseye
  - Buster
  - Trixie
Meeting
- Agenda
- 2019 04 08
- 2019 05 06
- 2019 06 03
- 2019 07 01
- 2019 09 09
- 2019 10 07
- 2019 11 04
- 2019 11 25
- 2020 01 13
- 2020 02 03
- 2020 03 09
- Roll call: who's there and emergencies
- 2020 05 11
- Roll call: who's there and emergencies
- 2020 07 01
- Roll call: who's there and emergencies
- 2020 12 02
- 2021 01 19
- 2021 01 26
- Roll call: who's there and emergencies
- 2021 03 02
- 2021 04 07
- 2021 05 03
- 2021 06 02
- 2021 06 14
- 2021 09 07
- Roll call: who's there and emergencies
- 2021 11 01
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2022 01 24
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2023 12 11
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 Q1 Roadmap meeting
- 2025 02 10
- 2025 03 10
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 05 12
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Template
Policy
- Template
- Tpa rfc 1 policy
- Tpa rfc 10 jenkins retirement
- Tpa rfc 11 svn retirement
- Tpa rfc 12 triage and office hours
- Tpa rfc 13 okrs for roadmap
- Tpa rfc 14 gitlab artifacts
- Tpa rfc 15 email services
- Tpa rfc 16 replacing lektor i18n plugin
- Tpa rfc 17 disaster recovery
- Tpa rfc 18 security policy
- Tpa rfc 19 gitlab labels
- Tpa rfc 2 support
- Tpa rfc 20 bullseye upgrades
- Tpa rfc 21 uninstall svn
- Tpa rfc 22 rename irc
- Tpa rfc 23 retire ipv6only
- Tpa rfc 24 extend merge permissions web
- Tpa rfc 25 btcpay replacement
- Tpa rfc 26 limesurvey upgrade
- Tpa rfc 27 python2 eol
- Tpa rfc 28 alphabetical triage
- Tpa rfc 29 lektor scss plugin
- Tpa rfc 3 tools
- Tpa rfc 30 change lego plugins
- Tpa rfc 31 outsource email
- Tpa rfc 32 nextcloud root level folders migration
- Tpa rfc 33 monitoring
- Tpa rfc 34 office hours ends
- Tpa rfc 35 gitlab email address changes
- Tpa rfc 36 gitolite gitweb retirement
- Tpa rfc 37 lektor replacement
- Tpa rfc 38 new wiki service
- Tpa rfc 39 nextcloud account policy
- Tpa rfc 4 prometheus disk
- Tpa rfc 40 cymru migration
- Tpa rfc 41 schleuder retirement
- Tpa rfc 42 roadmap 2023
- Tpa rfc 43 cymru migration plan
- Tpa rfc 44 email emergency recovery
- Tpa rfc 45 mail architecture
- Tpa rfc 46 gitlab 2fa
- Tpa rfc 47 email account retirement
- Tpa rfc 48 enable new gitlab web ide
- Tpa rfc 5 gitlab
- Tpa rfc 50 private gitlab pages
- Tpa rfc 51 improve l10n review ci workflow
- Tpa rfc 52 cymru migration timeline
- Tpa rfc 53 security keys
- Tpa rfc 54 build boxes retirement
- Tpa rfc 55 swap file policy
- Tpa rfc 56 large file storage
- Tpa rfc 57 bookworm upgrades
- Tpa rfc 58 podman runner
- Tpa rfc 59 ssh jump host aliases
- Tpa rfc 6 naming convention
- Tpa rfc 60 gitlab 2fa enforcement
- Tpa rfc 61 roadmap 2024
- Tpa rfc 62 tpa password manager
- Tpa rfc 63 storage server budget
- Tpa rfc 64 puppet tls certificates
- Tpa rfc 65 postgresql backups
- Tpa rfc 66 gitlab ultimate program
- Tpa rfc 67 retire mini nag
- Tpa rfc 68 idle canary servers
- Tpa rfc 69 civicrm http basic auth
- Tpa rfc 7 root
- Tpa rfc 70 move tails sysadmin issues
- Tpa rfc 71 emergency email deployments round 2
- Tpa rfc 72 migrate donate 01 to gnt dal cluster
- Tpa rfc 73 tails infra merge roadmap
- Tpa rfc 74 gitlab ci retention policy
- Tpa rfc 75 new office hours
- Tpa rfc 76 puppet merge request workflow
- Tails and TPA Puppet codebase merge
- Tpa rfc 78 dangerzone retirement
- Tpa rfc 79 general merge request workflows
- Tpa rfc 8 gitlab ci libvirt
- Tpa rfc 80 debian trixie upgrade schedule
- Tpa rfc 81 gitlab access
- Tpa rfc 82 merge tor and tails support policies
- Tpa rfc 83 mail log retention
- Tpa rfc 84 minio backups and scaling
- Tpa rfc 85 invite only internal irc channels
- Tpa rfc 86 identity access management
- Tpa rfc 87 container image lifecycle
- Background
- Tpa rfc 89 gitaly migration
- Tpa rfc 89 gitlab encrypted confidential notifications
- Tpa rfc 9 proposed process
- Tpa rfc 90 signed commits
- Tpa rfc 91 incident response
- Tpa rfc 92 emergency bbb hosting provider change
Provider
- Autistici / Inventati
- PUSCII
- Quintex
Roadmap
- 2020
- 2021
- 2022
- 2023
- Priorities for 2025
- Tails merge
Service
- BTCpayserver
- Anon ticket
- Backup and restore procedures
- Blog
- Cdn
- Ci
- Crm
- Dangerzone
- Debian archive
- Documentation
- Donate
- Email
- Forum
- Jenkins
- Lists
- Nextcloud
- Object storage
- Onion
- Password manager
- Prometheus
- Schleuder
- Static shim
- Status
- Styleguide
- Support Portal
- Survey
- Template
- Tor weather
- Vault
Tails
- How tos
- Processes
- Tails Sysadmins role description
- Scripts
- Services managed by Tails Sysadmins
- Systems
- How tos
- Processes
  - Improve the infrastructure behind Tails
  - Onboarding new Tails sysadmins
- Scripts
  - Managing mirrors
- Services
- Systems
  - Boot times
  - Chameleon
    - OOB access
  - Dragon
    - Rebooting Dragon
    - Hardware
  - Ecours
    - Information
  - Gecko
    - Information
  - Iguana
    - Hardware
  - Lizard
    - Boot
    - Parts details
    - Setup
  - Skink
    - Skink
    - Usage policy for skink.tails.net
  - Stone
    - Hardware
    - Information
  - Teels
    - Information

title: TPA-RFC-60: GitLab 2-factor authentication enforcement costs: None approval: GitLab admins affected users: members of the tpo namespace deadline: 2024-02-05, then 48h grace period status: standard discussion: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41473

[[TOC]]

Summary: This RFC seeks to enable 2-factor authentication (2fa) enforcement on the GitLab tpo group and subgroups. If your Tor Project GitLab account already has 2fa enabled, you will be unaffected by this policy.

Background

On January 11 2024, GitLab released a security update to address a vulnerability (CVE-2023-7028) allowing malicious actors to take over a GitLab account using the password reset mechanism. Our instance was immediately updated and subsequently audited for exploits of this flaw and no evidence of compromise was found.

Accounts configured for 2-factor authentication were never susceptible to this vulnerability.

Proposal

Reinforce the security of our GitLab instance by enforcing 2-factor authentication for all project members under the tpo namespace.

This means changing these two options under the groups Settings / Permissions and group features section:

Check All users in this group must set up two-factor authentication
Uncheck Subgroups can set up their own two-factor authentication rules

Goals

Improve the security of privileged GitLab contributor accounts.

Scope

All GitLab accounts that are members of projects under the tpo namespace, including projects in sub-groups (eg. tpo/web/tpo).

Affected users

The vast majority of affects users already have 2-factor authentication enabled. This will affect those that haven't yet set it up, and accounts that may be created and granted privileges in the future.

An automated listing of tpo sub-group and sub-project members not being available, a manual count of users without 2fa enabled was done for all direct subgroups of tpo: 17 accounts were found with 2fa disabled.

References

See discussion ticket at https://gitlab.torproject.org/tpo/tpa/team/-/issues/41473

The GitLab feature allowing 2-factor authentication enforcement for groups is documented at https://gitlab.torproject.org/help/security/two_factor_authentication#enforce-2fa-for-all-users-in-a-group

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search