Closed
Opened Jul 07, 2018 by Dave Hall@skwashd

[SECURITY] Password based auth is available on git.alpinelinux.org

After the Gentoo breach I have been looking at how the various distros I use secure their infrastructure. I know you use GitHub as a mirror of git.alpinelinux.org and that the build servers don’t use GitHub.

I decided to check if git.alpinelinux.org allows any authentication method other than keys. It turns out it allows password based auth:

```
$ ssh -v clandmeter@git.alpinelinux.org
OpenSSH_7.6p1, LibreSSL 2.6.2
[…]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```

I know that tools such as fail2ban can be used to prevent brute force attacks. At the same time it doesn’t sit well with me having password auth enabled for public facing SSH.

Sorry if this is the wrong place for this ticket. Someone told me it was the best place to raise it.

(from redmine: issue id 9064, created on 2018-07-07, closed on 2018-08-20)
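
The check described in the report above, scripted so it can be repeated against your own servers. This is an added example, not part of the original issue or of Alpine's tooling; the function names and the `user@host` placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): audit `ssh -v` output for auth methods
# other than publickey. Function names are hypothetical.

# Constructed sample: the two lines quoted in the report above.
SAMPLE_LOG='OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Authentications that can continue: publickey,password,keyboard-interactive'

# stdin: ssh -v output. stdout: one advertised non-publickey method per line.
non_key_auth_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' |
        head -n 1 |
        tr ',' '\n' |
        tr -d ' \r' |
        grep -v -e '^publickey$' -e '^$' || true
}

# stdin: ssh -v output. Returns 0 = publickey only, 1 = other methods
# offered, 2 = no method list found (e.g. the connection never got that far).
audit_ssh_log() {
    log=$(cat)
    if ! printf '%s\n' "$log" |
        grep -q '^debug1: Authentications that can continue: '; then
        echo "UNKNOWN: no auth-method line in input"
        return 2
    fi
    methods=$(printf '%s\n' "$log" | non_key_auth_methods)
    if [ -n "$methods" ]; then
        echo "FAIL: server also offers $(printf '%s' "$methods" | tr '\n' ',')"
        return 1
    fi
    echo "OK: publickey only"
}

# Against your own server (user@host is a placeholder; ssh -v logs to stderr):
#   ssh -v -o BatchMode=yes -o PreferredAuthentications=none user@host 2>&1 | audit_ssh_log
printf '%s\n' "$SAMPLE_LOG" | audit_ssh_log || true
```

The distinct exit code for a missing method list keeps a failed connection from being reported as a pass.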

Labels: Bug, Closed, Normal, Source repositories
Reference: alpine/infra/infra#9064