Welcome to the Info TEST server!

Skip to content. | Skip to navigation

Sections
Info Services > Collaboration > Sharing source code > Multi-Factor Authentication for NRAO Gitlab

Multi-Factor Authentication for NRAO Gitlab

NRAO Gitlab will begin enforcing Multi-Factor Authentication (2FA, MFA) on January 27, 2025. Beginning on this date, all logins to NRAO Gitlab (including external collaborators) will require MFA. In addition, user account passwords will no longer be accepted for HTTPS git or API connections; deploy and personal access tokens must be used instead. SSH keys for SSH git access will continue to function as before but please read further in this notice for SSH key length requirements. Instructions for enabling MFA are available in the NRAO Gitlab page in the NRAO Computing Guide.

Supported MFA options are:

  • TOTP (aka “Google Authenticator”)
  • Webauthn (aka, Yubikeys)

All NRAO Gitlab users will have to enable MFA on their Gitlab account in order to continue using the platform. Users who utilize OpenID Connect to log in to Gitlab using NRAO’s Microsoft Single-Signon (SSO) will still be required to perform MFA on Gitlab. Due to technical limitations of the software, it is not possible to exclude OpenID Connect logins from the MFA requirement. We apologize for this minor inconvenience.

Generating MFA recovery codes

If you have functional SSH access to NRAO GitLab, you can generate new recovery codes using ssh

$ ssh gitlab@gitlab.nrao.edu 2fa_recovery_codes

You will be prompted to generate new two-factor recovery codes. Answer 'yes' to generate new codes. These codes can then be used in the web interface to reset your primary MFA method.

SSH Keys

In addition to the MFA changes, NRAO Gitlab enforces strength requirements on SSH keys as well. The following key types and minimum-lengths are permitted:

  • RSA keys: 3072 or 4096 bits (defaults to 3072 on RHEL8)
  • ED25519 keys: 256 bits or higher (default on RHEL8)
  • ECDSA keys: 256 bits or higher (default on RHEL8)

Note that ED25519 keys offer improved performance over RSA keys and are recommended for maximum security.

Additional information on Gitlab and SSH keys for 17.7 can be found at

(Further background info is located at https://docs.gitlab.com/17.7/ee/user/ssh.html)


NRAO guidelines and policy for SSH access can be found in the Computing Guide at


Finally, as part of the Gitlab 17.7 upgrade, the OpenSSL version moves to OpenSSL 3. Any tools, integrations, or scripts you use must be compatible with OpenSSL 3, particularly the TLS 1.2 requirement.

Info Services Contacts
 

Staff | Policies | Code of Conduct