action #127688

closed

Make 2FA mandatory for os-autoinst GitHub org size:M

Added by okurz over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Low
Assignee:
Category: Organisational
Target version:
Start date: 2023-04-15
Due date: 2023-05-12
% Done: 0%
Estimated time:
Description

Motivation

bmwiedemann asked me if we could enforce 2FA for the os-autoinst org.

Suggestions

  • Inform existing active users that don't have 2FA enabled
  • Enforce it in the settings

Actions #1

Updated by osukup over 1 year ago

From 13.3, 2FA is becoming mandatory for all active GitHub accounts (rolled out in steps) -> https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/

Actions #2

Updated by mkittler over 1 year ago

  • Status changed from New to Feedback
  • Assignee set to mkittler

Just to be sure, I'm asking whether everyone has 2FA enabled. I have it at this point.

Then I'll enable it under https://github.com/organizations/os-autoinst/settings/security.

Actions #3

Updated by mkittler over 1 year ago

I've tried to reach affected users via Slack/Matrix. This leaves the bot accounts "opensuseqa-pusher" and "openqa-git-sync". I suppose we'd best set up TOTP for them and add the TOTP URL with the secret to https://gitlab.suse.de/openqa/password/-/blob/main/password. Is that ok or do you have an idea to make it more secure (within our current "infrastructure")?

Actions #4

Updated by okurz over 1 year ago

That sounds good to me

Actions #5

Updated by shukui over 1 year ago

I've already enabled two-factor authentication before. Don't know why I am informed.

Actions #6

Updated by mkittler over 1 year ago

Likely I mapped a GitHub name wrongly to your Slack account. This "mapping" involved a bit of guessing :-)

Actions #7

Updated by mkittler over 1 year ago

MR for enabling 2FA for "openqa-git-sync": https://gitlab.suse.de/openqa/password/-/merge_requests/6

I've asked Ludwig about enabling 2FA for "opensuseqa-pusher" and said he could also change the account's e-mail address to o3-admins@suse.de or osd-admins@suse.de so we can access it as well.

Actions #8

Updated by livdywan over 1 year ago

  • Subject changed from Make 2FA mandatory for os-autoinst GitHub org to Make 2FA mandatory for os-autoinst GitHub org size:M
  • Due date set to 2023-05-12

So let's make this mandatory from May 12 to give people time to enable 2FA.

Actions #9

Updated by mkittler over 1 year ago

  • Status changed from Feedback to Resolved

Not many people were affected anymore so I enabled 2FA.

The bot account for the OBS workflow was kicked out so I enabled 2FA auth for it (https://gitlab.suse.de/openqa/password/-/merge_requests/7) and reinstated its membership.

So we can consider this done.
