Diffstat (limited to 'doc/security')
Mode | File | Lines changed
-rw-r--r-- | doc/security/README.md | 2
-rw-r--r-- | doc/security/asset_proxy.md | 8
-rw-r--r-- | doc/security/cicd_environment_variables.md | 4
-rw-r--r-- | doc/security/crime_vulnerability.md | 2
-rw-r--r-- | doc/security/information_exclusivity.md | 2
-rw-r--r-- | doc/security/password_length_limits.md | 6
-rw-r--r-- | doc/security/password_storage.md | 2
-rw-r--r-- | doc/security/passwords_for_integrated_authentication_methods.md | 6
-rw-r--r-- | doc/security/project_import_decompressed_archive_size_limits.md | 2
-rw-r--r-- | doc/security/rack_attack.md | 22
-rw-r--r-- | doc/security/rate_limits.md | 4
-rw-r--r-- | doc/security/reset_user_password.md | 8
-rw-r--r-- | doc/security/ssh_keys_restrictions.md | 2
-rw-r--r-- | doc/security/two_factor_authentication.md | 46
-rw-r--r-- | doc/security/unlock_user.md | 2
-rw-r--r-- | doc/security/user_email_confirmation.md | 2
-rw-r--r-- | doc/security/user_file_uploads.md | 4
-rw-r--r-- | doc/security/webhooks.md | 16
18 files changed, 90 insertions, 50 deletions
diff --git a/doc/security/README.md b/doc/security/README.md index a8947ef3de9..3b64d0229ed 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments comments: false type: index --- diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md index 7eb6d5067e2..613743143d3 100644 --- a/doc/security/asset_proxy.md +++ b/doc/security/asset_proxy.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # Proxying assets @@ -10,7 +10,7 @@ A possible security concern when managing a public facing GitLab instance is the ability to steal a users IP address by referencing images in issues, comments, etc. For example, adding `![Example image](http://example.com/example.png)` to -an issue description will cause the image to be loaded from the external +an issue description causes the image to be loaded from the external server in order to be displayed. However, this also allows the external server to log the IP address of the user. 
@@ -51,7 +51,7 @@ To install a Camo server as an asset proxy: | `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url`). | | `asset_proxy_secret_key` | Shared secret with the asset proxy server. | | `asset_proxy_url` | URL of the asset proxy server. | - | `asset_proxy_whitelist` | Assets that match these domain(s) will NOT be proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. | + | `asset_proxy_whitelist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. | 1. Restart the server for the changes to take effect. Each time you change any values for the asset proxy, you need to restart the server. @@ -59,7 +59,7 @@ To install a Camo server as an asset proxy: ## Using the Camo server Once the Camo server is running and you've enabled the GitLab settings, any image, video, or audio that -references an external source will get proxied to the Camo server. +references an external source are proxied to the Camo server. For example, the following is a link to an image in Markdown: diff --git a/doc/security/cicd_environment_variables.md b/doc/security/cicd_environment_variables.md index b8fe14e2d3b..4d60df8e531 100644 --- a/doc/security/cicd_environment_variables.md +++ b/doc/security/cicd_environment_variables.md @@ -1,7 +1,7 @@ --- stage: Release -group: Release Management -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +group: Release +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # CI/CD Environment Variables diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 4571f0051d8..c5f8afe36ad 100644 
--- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md index a8c4a4e878e..a2571895e45 100644 --- a/doc/security/information_exclusivity.md +++ b/doc/security/information_exclusivity.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: concepts --- diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md index b8d329ab342..05ddb0a2823 100644 --- a/doc/security/password_length_limits.md +++ b/doc/security/password_length_limits.md @@ -1,7 +1,7 @@ --- -stage: none -group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +stage: Manage +group: Access +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- 
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index ca4d350dc06..ca39defe6b9 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md index 4872f26a0ad..9b1664f0e8c 100644 --- a/doc/security/passwords_for_integrated_authentication_methods.md +++ b/doc/security/passwords_for_integrated_authentication_methods.md @@ -1,7 +1,7 @@ --- -stage: none -group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +stage: Manage +group: Access +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md index 9e50290afcc..e37191d842f 100644 --- a/doc/security/project_import_decompressed_archive_size_limits.md +++ b/doc/security/project_import_decompressed_archive_size_limits.md 
@@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index a84ecc8e47d..f159b4f8e21 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- @@ -19,12 +19,12 @@ tracking. For more information on how to use these options see the [Rack Attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). -NOTE: **Note:** +NOTE: See [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md) for simpler limits that are configured in the UI. -NOTE: **Note:** +NOTE: Starting with GitLab 11.2, Rack Attack is disabled by default. If your instance is not exposed to the public internet, it is recommended that you leave Rack Attack disabled. 
@@ -32,10 +32,10 @@ Rack Attack disabled. ## Behavior If set up as described in the [Settings](#settings) section below, two behaviors -will be enabled: +are enabled: -- Protected paths will be throttled. -- Failed authentications for Git and container registry requests will trigger a temporary IP ban. +- Protected paths are throttled. +- Failed authentications for Git and container registry requests trigger a temporary IP ban. ### Protected paths throttle @@ -119,7 +119,7 @@ The following settings can be configured: specified time. - `findtime`: The maximum amount of time that failed requests can count against an IP before it's blacklisted (in seconds). -- `bantime`: The total amount of time that a blacklisted IP will be blocked (in +- `bantime`: The total amount of time that a blacklisted IP is blocked (in seconds). **Installations from source** @@ -142,8 +142,8 @@ taken in order to enable protection for your GitLab instance: If you want more restrictive/relaxed throttle rules, edit `config/initializers/rack_attack.rb` and change the `limit` or `period` values. -For example, more relaxed throttle rules will be if you set -`limit: 3` and `period: 1.seconds` (this will allow 3 requests per second). +For example, you can set more relaxed throttle rules with +`limit: 3` and `period: 1.seconds`, allowing 3 requests per second. You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings you must restart your GitLab instance. 
@@ -185,10 +185,10 @@ In case you want to remove a blocked IP, follow these steps: ### Rack attack is blacklisting the load balancer Rack Attack may block your load balancer if all traffic appears to come from -the load balancer. In that case, you will need to: +the load balancer. In that case, you must: 1. [Configure `nginx[real_ip_trusted_addresses]`](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module). - This will keep users' IPs from being listed as the load balancer IPs. + This keeps users' IPs from being listed as the load balancer IPs. 1. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings). 1. Reconfigure GitLab: diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index 94cc446c804..500ec057102 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -1,13 +1,13 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- # Rate limits -NOTE: **Note:** +NOTE: For GitLab.com, please see [GitLab.com-specific rate limits](../user/gitlab_com/index.md#gitlabcom-specific-rate-limits). diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md index 66e11587e96..fc808452736 100644 --- a/doc/security/reset_user_password.md +++ b/doc/security/reset_user_password.md 
@@ -1,7 +1,7 @@ --- -stage: none -group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +stage: Manage +group: Access +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: howto --- @@ -58,7 +58,7 @@ user.save! Exit the console, and then try to sign in with your new password. -NOTE: **Note:** +NOTE: You can also reset passwords by using the [Users API](../api/users.md#user-modification). ### Reset your root password diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md index 903a28136ad..102ba1fc370 100644 --- a/doc/security/ssh_keys_restrictions.md +++ b/doc/security/ssh_keys_restrictions.md @@ -2,7 +2,7 @@ type: reference, howto stage: Manage group: Access -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # Restrict allowed SSH key technologies and minimum length diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index 27cc2474b8a..4911cf63489 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md 
@@ -2,7 +2,7 @@ type: howto stage: Manage group: Access -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # Enforce Two-factor Authentication (2FA) @@ -72,7 +72,7 @@ The following are important notes about 2FA: ## Disabling 2FA for everyone -CAUTION: **Caution:** +WARNING: Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users) or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group) settings. In addition to the steps in this section, you will need to disable any enforced 2FA @@ -94,7 +94,7 @@ sudo gitlab-rake gitlab:two_factor:disable_for_all_users sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production ``` -CAUTION: **Caution:** +WARNING: This is a permanent and irreversible action. Users will have to reactivate 2FA from scratch if they want to use it again. 
@@ -109,3 +109,43 @@ questions that you know someone might ask. Each scenario can be a third-level heading, e.g. `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> + +## Two-factor Authentication (2FA) for Git over SSH operations + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7. +> - It's [deployed behind a feature flag](../user/feature_flags.md), disabled by default. +> - It's disabled on GitLab.com. +> - It's not recommended for production use. +> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-two-factor-authentication-2fa-for-git-operations). + +WARNING: +This feature might not be available to you. Check the **version history** note above for details. + +Two-factor authentication can be enforced for Git over SSH operations. The OTP +verification can be done via a GitLab Shell command: + +```shell +ssh git@<hostname> 2fa_verify +``` + +Once the OTP is verified, Git over SSH operations can be used for 15 minutes +with the associated SSH key. + +### Enable or disable Two-factor Authentication (2FA) for Git operations + +Two-factor Authentication (2FA) for Git operations is under development and not +ready for production use. It is deployed behind a feature flag that is +**disabled by default**. [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md) +can enable it. + +To enable it: + +```ruby +Feature.enable(:two_factor_for_cli) +``` + +To disable it: + +```ruby +Feature.disable(:two_factor_for_cli) +``` diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md index 4013bfb7cae..2a26b71071b 100644 --- a/doc/security/unlock_user.md +++ b/doc/security/unlock_user.md 
@@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: howto --- diff --git a/doc/security/user_email_confirmation.md b/doc/security/user_email_confirmation.md index 6260c76bff9..cf7cb0ea4cb 100644 --- a/doc/security/user_email_confirmation.md +++ b/doc/security/user_email_confirmation.md @@ -2,7 +2,7 @@ type: howto stage: Manage group: Access -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # User email confirmation at sign-up diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md index 662e115d1ed..bce2aeb88b4 100644 --- a/doc/security/user_file_uploads.md +++ b/doc/security/user_file_uploads.md @@ -2,7 +2,7 @@ type: reference stage: Manage group: Access -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # User File Uploads 
@@ -18,7 +18,7 @@ notification emails, which are often read from email clients that are not authenticated with GitLab, such as Outlook, Apple Mail, or the Mail app on your mobile device. -NOTE: **Note:** +NOTE: Non-image attachments do require authentication to be viewed. <!-- ## Troubleshooting diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index 2e2fb093916..0bb8e90d38f 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -1,13 +1,13 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: concepts, reference, howto --- # Webhooks and insecure internal web services -NOTE: **Note:** +NOTE: On GitLab.com, the [maximum number of webhooks and their size](../user/gitlab_com/index.md#webhooks) per project, and per group, is limited. If you have non-GitLab web services running on your GitLab server or within its 
@@ -40,9 +40,9 @@ to endpoints like `http://localhost:123/some-resource/delete`. To prevent this type of exploitation from happening, starting with GitLab 10.6, all Webhook requests to the current GitLab instance server address and/or in a -private network will be forbidden by default. That means that all requests made +private network are forbidden by default. That means that all requests made to `127.0.0.1`, `::1` and `0.0.0.0`, as well as IPv4 `10.0.0.0/8`, `172.16.0.0/12`, -`192.168.0.0/16` and IPv6 site-local (`ffc0::/10`) addresses won't be allowed. +`192.168.0.0/16` and IPv6 site-local (`ffc0::/10`) addresses aren't allowed. This behavior can be overridden by enabling the option *"Allow requests to the local network from web hooks and services"* in the *"Outbound requests"* section @@ -50,7 +50,7 @@ inside the **Admin Area > Settings** (`/admin/application_settings/network`): ![Outbound requests admin settings](img/outbound_requests_section_v12_2.png) -NOTE: **Note:** +NOTE: *System hooks* are enabled to make requests to local network by default since they are set up by administrators. However, you can turn this off by disabling the **Allow requests to the local network from system hooks** option. @@ -75,9 +75,9 @@ The allowlist can hold a maximum of 1000 entries. Each entry can be a maximum of 255 characters. You can allow a particular port by specifying it in the allowlist entry. -For example `127.0.0.1:8080` will only allow connections to port 8080 on `127.0.0.1`. +For example `127.0.0.1:8080` only allows connections to port 8080 on `127.0.0.1`. If no port is mentioned, all ports on that IP/domain are allowed. An IP range -will allow all ports on all IPs in that range. +allows all ports on all IPs in that range. Example: @@ -90,7 +90,7 @@ example.com;gitlab.example.com example.com:8080 ``` -NOTE: **Note:** +NOTE: Wildcards (`*.example.com`) are not currently supported. <!-- ## Troubleshooting |