gitlab—2FA双因子认证登录配置

一、2FA配置

Two-Factor Authentication(2FA)，一般称双因素认证

1）gitlab配置

2）手机端下载Authenticator

添加账户==>其他账户==>扫描二维码

3）gitlab填入pin code

4）重新登录测试

可以填入pin code或者recovery code（当无法获取pin code时）

参考文档：

https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html

https://www.cnblogs.com/wangxu01/articles/11057507.html

二、2FA禁用

2.1、思路分析

进入postgresql数据库，修改user表，将otp_required_for_login  、 require_two_factor_authentication_from_group 这两个字段，都改为false（数据库中用f表示）

2.2、操作步骤

由于我的gitlab使用docker容器起的，需要进入容器中

1）进入docker容器

[root@git ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS                                                           NAMES
3694c2292ed0        gitlab/gitlab-ce    "/assets/wrapper"   42 hours ago        Up About an hour (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:222->22/tcp   gitlab
[root@git ~]# docker exec -it gitlab /bin/sh
# 

2）查看/etc/passwd，发现gitlab-psql用户是可以登录的

[root@git ~]# docker exec -it gitlab /bin/sh
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh
registry:x:993:993::/var/opt/gitlab/registry:/bin/sh
gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh
gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh

3）查看数据库配置信息

# cat /var/opt/gitlab/gitlab-rails/etc/database.yml
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

production:
  adapter: postgresql
  encoding: unicode
  collation: 
  database: gitlabhq_production   #要登录的数据库
  pool: 1
  username: "gitlab"
  password: 
  host: "/var/opt/gitlab/postgresql"  #登录主机
  port: 5432
  socket: 
  sslmode: 
  sslcompression: 0
  sslrootcert: 
  sslca: 
  load_balancing: {"hosts":[]}
  prepared_statements: false
  statements_limit: 1000
  fdw: 
#

4）根据上面的配置信息登陆postgresql数据库

# su - gitlab-psql
$ 

5）连接到gitlabhq_production库

$ psql  -h  /var/opt/gitlab/postgresql  -d  gitlabhq_production
psql (10.9)
Type "help" for help.

gitlabhq_production=# 

6）操作数据库

查看数据库：

查看多表：

查看users表：

gitlabhq_production=# \d users

查看users表中用户的关键信息，取4个字段：

gitlabhq_production=# SELECT name,username,otp_required_for_login,two_factor_grace_period, require_two_factor_authentication_from_group   FROM users;

修改字段：

gitlabhq_production=# UPDATE users set otp_required_for_login = 'f' WHERE username = 'root';
UPDATE 1

7）\q退出数据库，重新登录gitlab，就没要求2FA认证

参考文档：

https://www.cnblogs.com/andy9468/p/10606883.html