
Enforce 2FA for GitHub members
Closed, Resolved · Public

Assigned To: greg
Authored By: Reedy, Jul 4 2018

Description

https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/

I'm very keen to turn this on ASAP for the Wikimedia organisation. Although we don't use GitHub as our primary distribution service, things like this keep happening elsewhere. It could very easily happen to us, and then someone uploads something questionable that some unsuspecting user downloads and installs...

Does anyone have any objections?

I'm happy to re-add people after they have re-added 2FA if they are already a member/admin etc

See also T179462: Audit @wikimedia GitHub org access (2017)

Event Timeline

Reedy created this task. Jul 4 2018, 6:42 PM
Restricted Application added a subscriber: Aklapper. Jul 4 2018, 6:42 PM
Reedy updated the task description.
MarcoAurelio added a subscriber: MarcoAurelio.

+1, no one using GitHub can reasonably object to that.

Krenair added a subscriber: Krenair. Jul 4 2018, 8:37 PM

We discussed this in #wikimedia-releng and realised that we'll need to sort out the bots, wmfgerrit and wmfphab. wmfgerrit uses SSH for actual automated actions so should be simple (someone with the password or access to the email behind it needs to go in and add MFA), wmfphab apparently uses HTTPS pushing so will need to switch to an access token I think.

Reedy updated the task description. Jul 4 2018, 10:02 PM

> wmfphab apparently uses HTTPS pushing so will need to switch to an access token I think.

I agree that it should, but I'm not sure it blocks requiring 2FA. I thought the 2FA applies only to log-in with the GitHub web UI? (And by extension, all actions that cannot be done over Git or API.)

zeljkofilipin added a subscriber: zeljkofilipin.

FWIW, +1 from me.

Reedy updated the task description. Jul 5 2018, 11:19 AM
Bawolff added a subscriber: Bawolff. Jul 5 2018, 4:28 PM

It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

Reedy added a comment. Jul 5 2018, 4:35 PM

> It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

Why is this the case?

greg added a subscriber: greg.

Supportive of this, we'll be looking into the wmfgerrit/wmfphab accounts soon.

Krenair added a comment. Edited Jul 6 2018, 7:54 PM

> It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

> Why is this the case?

I recall someone mentioning there's some obscure github restriction that means you have to have some association with a repository before the repository can claim you contributed to it. Being a member of the organisation is probably one of the options.

As far as I'm concerned, the thing that matters is the ability to write to/administrate a repository. If someone can't do that they don't need MFA.

Jdforrester-WMF added a comment. Edited Jul 6 2018, 7:55 PM

Will this also affect "outside collaborators"? If not, perhaps we could shift all non-2FA people over to that status for now? Ignore me, it says it does. Oh well.

Krenair added a comment. Edited Jul 6 2018, 7:56 PM

According to the screenshot at the top of this task, yes. Ninja'd.

Bawolff moved this task from Backlog to To Follow Up on the Security-Team board. Sep 4 2018, 4:16 PM

I see there are three listed blockers for this task. Two are visible to me and are resolved. If the third one is as well, maybe we could move forward and make this mandatory? Thanks.

greg added a comment. Jan 17 2019, 8:10 PM

> I see there are three listed blockers for this task. Two are visible to me and are resolved. If the third one is as well, maybe we could move forward and make this mandatory? Thanks.

It is a task tracking people without 2fa enabled and thus who would lose access if we enabled this feature (enforcement). It's not resolved :/

Reedy added a comment. Feb 10 2019, 5:38 AM

At what point do we want to just turn this on and force people out :)

greg added a comment. Feb 11 2019, 6:15 PM

> At what point do we want to just turn this on and force people out :)

right.... we probably just JFDI at some point.. but I guess not *really* JFDI, we should let people know as best we can with warning.

So, that sounds like an email (from me, I suppose) to wikitech-l@, ops@, and engineering@ (my goto set of lists) laying out what will happen and when. Say, one month notice (with a reminder the week before)?

tl;dr: If you don't enable 2FA on your github account and you are a member of the "wikimedia" organization you will be kicked out on $DATE.

greg claimed this task. Feb 11 2019, 6:21 PM
greg triaged this task as Normal priority.
Reedy added a comment. Feb 11 2019, 6:43 PM

> So, that sounds like an email (from me, I suppose) to wikitech-l@, ops@, and engineering@ (my goto set of lists) laying out what will happen and when. Say, one month notice (with a reminder the week before)?
> tl;dr: If you don't enable 2FA on your github account and you are a member of the "wikimedia" organization you will be kicked out on $DATE.

I think this seems reasonable. Obviously worth mentioning we can/will re-add people later once they enable 2FA if they require

What about a personal email to the affected users instead to the whole lists? This is not very relevant for the majority of our subscribers :)

greg added a comment. Feb 11 2019, 9:19 PM

> What about a personal email to the affected users instead to the whole lists? This is not very relevant for the majority of our subscribers :)

If there were an easy way to do that in github I would (any pointers anyone?). There's currently 28 people who would be affected. I can identify about 14 of them myself. And at least one bot who I'm not sure who manages.

Reedy added a comment. Feb 11 2019, 9:29 PM

There's some slightly scary tools like https://github.com/paulirish/github-email

greg added a comment. Feb 11 2019, 10:20 PM

Well, not too scary. I ripped out the guts of that bash script that I needed and did a run for all of the github user names that are in the wikimedia org without 2FA enabled and now have a list of emails.

greg added a comment. Feb 11 2019, 10:36 PM

Email sent. Deadline of March 11th.

greg added a comment. Feb 11 2019, 11:05 PM

Well, that script didn't work very well. A bunch of false positives (somehow caught people who do have 2fa enabled).
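The two comments above (identifying the 28 affected members, and the false positives from the scraped email list) both come down to the same question: which org members lack 2FA? The authoritative answer is GitHub's own members endpoint with `filter=2fa_disabled`, which an org owner's token can query directly; it needs no heuristics over commit metadata. The script below is an added example for this task, not Wikimedia tooling and not the github-email script mentioned above. The org name `example-org`, the logins in the sample pages, and the `GITHUB_TOKEN` environment variable are assumptions for the demonstration.

```python
"""List the members of a GitHub organisation who have not enabled 2FA.

Added example for this task; not Wikimedia tooling and not the github-email
script mentioned above. It uses the GitHub REST endpoint
GET /orgs/{org}/members?filter=2fa_disabled, which is authoritative for
2FA status and is only answered for organisation owners. Pagination
follows the Link response header.
"""
import json
import os
import re
import sys
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API = "https://api.github.com"
PAGE_SIZE = 100

# A fetcher takes (url, token) and returns (body bytes, Link header or None).
Fetcher = Callable[[str, str], Tuple[bytes, Optional[str]]]


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        match = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if match:
            return match.group(1)
    return None


def http_get(url: str, token: str) -> Tuple[bytes, Optional[str]]:
    """Live fetcher: one authenticated GET, returning (body, Link header)."""
    request = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "org-2fa-audit",  # GitHub rejects requests without a UA
        },
    )
    with urllib.request.urlopen(request) as response:
        return response.read(), response.headers.get("Link")


def members_without_2fa(org: str, token: str, fetch: Fetcher = http_get) -> List[str]:
    """Return the sorted logins of org members whose account has no 2FA enabled."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page={PAGE_SIZE}"
    logins: List[str] = []
    while url:
        body, link = fetch(url, token)
        logins.extend(member["login"] for member in json.loads(body))
        url = parse_next_link(link)
    return sorted(logins)


# Constructed sample responses (not real data) so the script runs offline:
# two pages for a hypothetical org "example-org", chained via the Link header.
_BASE = f"{API}/orgs/example-org/members?filter=2fa_disabled&per_page={PAGE_SIZE}"
_SAMPLE_PAGES: Dict[str, Tuple[bytes, Optional[str]]] = {
    _BASE: (
        json.dumps([{"login": "zeta"}, {"login": "alpha-bot"}]).encode(),
        f'<{_BASE}&page=2>; rel="next", <{_BASE}&page=2>; rel="last"',
    ),
    f"{_BASE}&page=2": (
        json.dumps([{"login": "mike"}]).encode(),
        f'<{_BASE}&page=1>; rel="prev", <{_BASE}&page=1>; rel="first"',
    ),
}


def constructed_fetch(url: str, token: str) -> Tuple[bytes, Optional[str]]:
    """Offline fetcher serving the constructed pages above."""
    return _SAMPLE_PAGES[url]


if __name__ == "__main__":
    # With GITHUB_TOKEN set (an org owner's token) and an org name as argv[1],
    # query the live API; otherwise walk the constructed sample pages.
    token = os.environ.get("GITHUB_TOKEN", "")
    if token and len(sys.argv) > 1:
        result = members_without_2fa(sys.argv[1], token)
    else:
        result = members_without_2fa("example-org", "", fetch=constructed_fetch)
    for login in result:
        print(login)
```

The list this returns is exactly the set of accounts (bots included) that enabling the org-wide requirement would remove, so it doubles as the notification list. Outside collaborators are not members and do not appear here; GitHub exposes the same `filter=2fa_disabled` option on the org's outside collaborators endpoint for that group.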

greg added a comment. Feb 12 2019, 3:52 AM

> Email sent. Deadline of March 11th.

For the record for any curious reader: This deadline might no longer be valid due to my bad list of email addresses. I will follow-up when I can....

Jdforrester-WMF closed this task as Resolved. Mar 27 2019, 10:27 PM

This is now done. Affected members will have been removed and e-mailed by GitHub explaining the situation.

Mentioned in SAL (#wikimedia-releng) [2019-03-27T22:27:26Z] <James_F> Altered Wikimedia GitHub settings to require 2FA; see T198810

Jdforrester-WMF closed subtask Restricted Task as Resolved. Mar 27 2019, 10:28 PM
sbassett moved this task from To Follow Up to Done on the Security-Team board. Jun 11 2019, 6:09 PM