
Increment failed attempts when OTP via ssh fails

Jessie Young requested to merge jy-rate-limit-ssh-2fa into master

What does this MR do and why?

Increment failed attempts when OTP via ssh fails

With this change, each failed OTP attempt for git over SSH operations is logged and the failed attempt is tracked. After the maximum number of attempts (10 by default, 3 if the require_email_verification flag is enabled) is reached, the user account is locked. This ensures that an attacker cannot brute-force the second factor by making unlimited attempts at OTP codes via SSH.

OTP verification for git over SSH operations is available behind the two_factor_for_cli feature flag and is disabled by default. Also, a Premium or Ultimate license needs to be used to take advantage of this feature.

Screenshots or screen recordings

Copied from terminal after local testing:

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
500 Internal Server Error

% ssh git@127.0.0.1 -p 2222 2fa_verify
OTP: 123

OTP validation failed.
Your account is locked

How to set up and validate locally

  1. Enable the feature flag two_factor_for_cli (also a Premium or Ultimate license needs to be used)
  2. Attempt to 2FA verify via SSH (ssh git@127.0.0.1 -p 2222 2fa_verify)
  3. After the wrong OTP has been entered 10 times, your account will be locked.
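The lockout logic described above, as an added example that is not GitLab's code: a small Ruby model of an SSH 2FA check that counts failed OTP attempts and locks the account once the threshold (10 by default, 3 when require_email_verification is on) is reached. The class name, the injectable clock and the RFC 6238 TOTP implementation are assumptions for the example, not the project's internals.

```ruby
require 'openssl'
# Added example (not GitLab's code): failed-OTP counting and lockout for an SSH 2FA
# check, using the thresholds the MR describes (10 by default, 3 when
# require_email_verification is on). TOTP is RFC 6238 (HMAC-SHA1, 6 digits, 30 s step).
class OtpLockout
  DEFAULT_MAX_ATTEMPTS = 10
  EMAIL_VERIFICATION_MAX_ATTEMPTS = 3
  attr_reader :failed_attempts, :locked
  alias locked? locked
  def initialize(secret:, require_email_verification: false, now: -> { Time.now })
    @secret = secret # raw shared-secret bytes (assumed already base32-decoded)
    @require_email_verification = require_email_verification
    @now = now # injectable clock so tests can pin the time step
    @failed_attempts = 0
    @locked = false
  end

  def max_attempts
    @require_email_verification ? EMAIL_VERIFICATION_MAX_ATTEMPTS : DEFAULT_MAX_ATTEMPTS
  end

  # RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time step, then the
  # dynamic truncation of RFC 4226 section 5.3.
  def totp(time, digits: 6, step: 30)
    hmac = OpenSSL::HMAC.digest('SHA1', @secret, [time.to_i / step].pack('Q>'))
    offset = hmac.bytes.last & 0x0f
    format("%0#{digits}d", (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits))
  end

  # Returns :locked (rejected before any OTP check), :ok, or :invalid. Every wrong
  # code counts; the failure that reaches max_attempts locks the account, so the
  # next attempt reports :locked (the 11th attempt in the MR's transcript).
  def verify(code)
    return :locked if locked?
    if secure_equal?(code.to_s, totp(@now.call))
      @failed_attempts = 0
      return :ok
    end
    @failed_attempts += 1
    warn "OTP failed (#{@failed_attempts}/#{max_attempts})" # stands in for the MR's log line
    @locked = true if @failed_attempts >= max_attempts
    :invalid
  end

  # Constant-time comparison so timing does not reveal how many digits matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Once locked, even the correct code is refused, so unlocking has to happen through a separate administrative or recovery path rather than another OTP attempt.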

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jessie Young
