Multi-Factor Authentication for NRAO Gitlab
NRAO Gitlab will begin enforcing Multi-Factor Authentication (2FA, MFA) on January 27, 2025. Beginning on this date, all logins to NRAO Gitlab (including external collaborators) will require MFA. In addition, user account passwords will no longer be accepted for HTTPS git or API connections; deploy and personal access tokens must be used instead. SSH keys for SSH git access will continue to function as before, but please read further in this notice for SSH key length requirements. Instructions for enabling MFA are available in the NRAO Gitlab page in the NRAO Computing Guide.
Supported MFA options are:
- TOTP (aka “Google Authenticator”)
- WebAuthn (aka YubiKeys)
(Duo push is not available for NRAO Gitlab; however, Duo Mobile does support TOTP and can be used with Gitlab.)
All NRAO Gitlab users will have 4 days (96 hours) from 9 AM on Jan. 27 to enable MFA on their Gitlab account in order to continue using the platform. After this 4-day grace period, you will be required to enable MFA on your account before using Gitlab again. Users who utilize OpenID Connect to log in to Gitlab using NRAO’s Microsoft Single Sign-On (SSO) will still be required to perform MFA on Gitlab. Due to technical limitations of the software, it is not possible to exclude OpenID Connect logins from the MFA requirement. We apologize for this minor inconvenience.
In addition to the MFA changes, NRAO Gitlab will begin enforcing strength requirements on SSH keys as well. The following key length requirements will be in place for NRAO Gitlab starting Jan. 27.
- RSA keys: 3072 or 4096 bits (defaults to 3072 on RHEL8)
- ED25519 keys: 256 bits or higher (default on RHEL8)
- ECDSA keys: 256 bits or higher (default on RHEL8)
Note that ED25519 keys offer improved performance over RSA keys and are recommended for maximum security.
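One way to check existing public keys against these minimums before the enforcement date, as an added example that is not part of the original notice. It parses the output of `ssh-keygen -l`; the function names and the `--audit` argument are illustrative, and key types the notice does not list are reported as UNLISTED rather than judged.

```bash
#!/usr/bin/env bash
# Added example (not from the NRAO notice): check SSH public keys against the
# minimums the notice lists. Function names here are illustrative.

# classify_key_line LINE
#   LINE is one line of `ssh-keygen -l` output:
#     "<bits> <fingerprint> <comment> (<TYPE>)"
#   Returns 0 if the key meets the minimum, 1 if it is too short,
#   2 if the line cannot be parsed or the type is not in the notice.
classify_key_line() {
    local line=$1 bits type min
    bits=${line%% *}          # first field: key length in bits
    type=${line##*\(}         # text after the last "(" ...
    type=${type%\)}           # ... minus the closing ")"
    case $bits in
        ''|*[!0-9]*) echo "UNPARSEABLE"; return 2 ;;
    esac
    case $type in
        RSA)           min=3072 ;;
        ED25519|ECDSA) min=256 ;;
        *) echo "UNLISTED $type"; return 2 ;;
    esac
    if [ "$bits" -ge "$min" ]; then
        echo "OK $type $bits"
    else
        echo "WEAK $type $bits (minimum $min)"
        return 1
    fi
}

# audit_pubkeys [DIR]: classify every *.pub file in DIR (default ~/.ssh).
audit_pubkeys() {
    local dir=${1:-$HOME/.ssh} f line verdict rc=0
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        if line=$(ssh-keygen -l -f "$f" 2>/dev/null); then
            verdict=$(classify_key_line "$line") || rc=1
        else
            verdict="UNREADABLE"; rc=1
        fi
        echo "$f: $verdict"
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: bash check_keys.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_pubkeys "${2:-$HOME/.ssh}"
fi
```

A key reported as WEAK will need to be replaced with one that meets the listed minimum and registered in Gitlab.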
Additional information on Gitlab and SSH keys for 17.7 can be found at
(Further background info is located at https://docs.gitlab.com/17.7/ee/user/ssh.html)
NRAO guidelines and policy for SSH access can be found in the Computing Guide at
Finally, as part of the Gitlab 17.7 upgrade, the OpenSSL version moves to OpenSSL 3. Any tools, integrations, or scripts you use must be compatible with OpenSSL 3, particularly the TLS 1.2 requirement.