diff options
Diffstat (limited to 'doc/security')
| -rw-r--r-- | doc/security/asset_proxy.md | 4 | ||||
| -rw-r--r-- | doc/security/crime_vulnerability.md | 2 | ||||
| -rw-r--r-- | doc/security/index.md | 4 | ||||
| -rw-r--r-- | doc/security/information_exclusivity.md | 2 | ||||
| -rw-r--r-- | doc/security/password_length_limits.md | 2 | ||||
| -rw-r--r-- | doc/security/password_storage.md | 22 | ||||
| -rw-r--r-- | doc/security/passwords_for_integrated_authentication_methods.md | 2 | ||||
| -rw-r--r-- | doc/security/project_import_decompressed_archive_size_limits.md | 2 | ||||
| -rw-r--r-- | doc/security/rate_limits.md | 2 | ||||
| -rw-r--r-- | doc/security/reset_user_password.md | 15 | ||||
| -rw-r--r-- | doc/security/responding_to_security_incidents.md | 2 | ||||
| -rw-r--r-- | doc/security/ssh_keys_restrictions.md | 2 | ||||
| -rw-r--r-- | doc/security/token_overview.md | 4 | ||||
| -rw-r--r-- | doc/security/two_factor_authentication.md | 2 | ||||
| -rw-r--r-- | doc/security/unlock_user.md | 4 | ||||
| -rw-r--r-- | doc/security/user_email_confirmation.md | 2 | ||||
| -rw-r--r-- | doc/security/user_file_uploads.md | 2 | ||||
| -rw-r--r-- | doc/security/webhooks.md | 2 |
18 files changed, 52 insertions, 25 deletions
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md index 1ccc9bfd9be..cde377cbb73 100644 --- a/doc/security/asset_proxy.md +++ b/doc/security/asset_proxy.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Proxying assets **(FREE SELF)** @@ -11,7 +11,7 @@ the ability to steal a user's IP address by referencing images in issues and com For example, adding `` to an issue description causes the image to be loaded from the external -server in order to be displayed. However, this also allows the external server +server to be displayed. However, this also allows the external server to log the IP address of the user. One way to mitigate this is by proxying any external images to a server you diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 5a6578f218b..e2aa4b5d4ab 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/index.md b/doc/security/index.md index 9e05621333b..ff0769e0d93 100644 --- a/doc/security/index.md +++ b/doc/security/index.md @@ -1,14 +1,14 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments comments: false type: index --- # Security **(FREE)** -- [Password storage](password_storage.md) +- [Passwords and OAuth tokens storage](password_storage.md) - [Password length limits](password_length_limits.md) - [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md) - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md index 2eeb436316f..37a9fdfdd81 100644 --- a/doc/security/information_exclusivity.md +++ b/doc/security/information_exclusivity.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: concepts --- diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md index 57466d1ed5d..fe51022eea7 100644 --- a/doc/security/password_length_limits.md +++ b/doc/security/password_length_limits.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index d3db8cbe4f6..6b20f8619ae 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -1,11 +1,15 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- -# Password storage **(FREE)** +# Password and OAuth token storage **(FREE)** + +GitLab administrators can configure how passwords and OAuth tokens are stored. + +## Password storage > PBKDF2 and SHA512 [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/360658) in GitLab 15.2 [with flags](../administration/feature_flags.md) named `pbkdf2_password_encryption` and `pbkdf2_password_encryption_write`. Disabled by default. @@ -17,8 +21,8 @@ library to hash user passwords. Created password hashes have these attributes: - **Hashing**: - **BCrypt**: By default, the [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt) hashing - function is used to generate the hash of the provided password. This is a - strong, industry-standard cryptographic hashing function. + function is used to generate the hash of the provided password. This cryptographic hashing function is + strong and industry-standard. - **PBKDF2 and SHA512**: Starting in GitLab 15.2, PBKDF2 and SHA512 are supported behind the following feature flags (disabled by default): - `pbkdf2_password_encryption` - Enables reading and comparison of PBKDF2 + SHA512 @@ -37,3 +41,13 @@ library to hash user passwords. Created password hashes have these attributes: is added to each password to harden against pre-computed hash and dictionary attacks. To increase security, each salt is randomly generated for each password, with no two passwords sharing a salt. + +## OAuth access token storage + +> - PBKDF2+SHA512 [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/364110) in GitLab 15.3 [with flag](../administration/feature_flags.md) named `hash_oauth_tokens`. +> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/98242) in GitLab 15.5. + +Depending on your version of GitLab and configuration, OAuth access tokens are stored in the database in PBKDF2+SHA512 format. For version information, see +the relevant [OAuth provider documentation](../integration/oauth_provider.md#hashed-oauth-tokens). + +As with PBKDF2+SHA512 password storage, access token values are [stretched](https://en.wikipedia.org/wiki/Key_stretching) 20,000 times to harden against brute-force attacks. diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md index d4eb16c07e7..961d147871e 100644 --- a/doc/security/passwords_for_integrated_authentication_methods.md +++ b/doc/security/passwords_for_integrated_authentication_methods.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md index 5082d917748..4358e0a5566 100644 --- a/doc/security/project_import_decompressed_archive_size_limits.md +++ b/doc/security/project_import_decompressed_archive_size_limits.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index e48a9999a06..20a81ed0c30 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md index 992a8585a47..248737fc908 100644 --- a/doc/security/reset_user_password.md +++ b/doc/security/reset_user_password.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: howto --- @@ -14,6 +14,8 @@ You can reset user passwords by using a Rake task, a Rails console, or the To reset a user password, you must be an administrator of a self-managed GitLab instance. +The user's new password must meet all [password requirements](../user/profile/user_passwords.md#password-requirements). + ## Use a Rake task > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52347) in GitLab 13.9. @@ -120,6 +122,11 @@ To reset the root password, follow the steps listed previously. ## Troubleshooting +Use the following information to troubleshoot issues when resetting a +user's password. + +### Email confirmation issues + If the new password doesn't work, it might be [an email confirmation issue](../user/upgrade_email_bypass.md). You can attempt to fix this issue in a Rails console. For example, if a new `root` password isn't working: @@ -132,3 +139,9 @@ attempt to fix this issue in a Rails console. For example, if a new `root` passw ``` 1. Attempt to sign in again. + +### Unmet password requirements + +The password might be too short, too weak, or not meet complexity +requirements. Ensure the password you are attempting to set meets all +[password requirements](../user/profile/user_passwords.md#password-requirements). diff --git a/doc/security/responding_to_security_incidents.md b/doc/security/responding_to_security_incidents.md index b3bce785695..fb35c389583 100644 --- a/doc/security/responding_to_security_incidents.md +++ b/doc/security/responding_to_security_incidents.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md index 138ebb9858a..5a8450bb8e7 100644 --- a/doc/security/ssh_keys_restrictions.md +++ b/doc/security/ssh_keys_restrictions.md @@ -2,7 +2,7 @@ type: reference, howto stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Restrict allowed SSH key technologies and minimum length **(FREE SELF)** diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md index e585f2caeca..0c9734cad36 100644 --- a/doc/security/token_overview.md +++ b/doc/security/token_overview.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- @@ -129,7 +129,7 @@ This table shows available scopes per token. Scopes can be limited further on to also generally logged by proxies and application servers, which makes those credentials visible to system administrators. Instead, pass API calls an access token using headers like [the `Private-Token` header](../api/index.md#personalprojectgroup-access-tokens). - Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage). -- Tokens should not be committed to your source code. Instead, consider an approach such as [using external secrets in CI](../ci/secrets/index.md). +- Tokens must not be committed to your source code. Instead, consider an approach such as [using external secrets in CI](../ci/secrets/index.md). - When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token. - When creating a token, consider setting a token that expires when your task is complete. For example, if performing a one-off import, set the token to expire after a few hours or a day. This reduces the impact of a token that is accidentally leaked because it is useless when it expires. diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index c808cf4e321..cc06e824d14 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md @@ -2,7 +2,7 @@ type: howto stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Enforce two-factor authentication **(FREE)** diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md index 041527f18af..4eded22ddaa 100644 --- a/doc/security/unlock_user.md +++ b/doc/security/unlock_user.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: howto --- @@ -56,7 +56,7 @@ To unlock a locked user: 1. Exit the console with <kbd>Control</kbd>+<kbd>d</kbd> -The user should now be able to log in. +The user should now be able to sign in. <!-- ## Troubleshooting diff --git a/doc/security/user_email_confirmation.md b/doc/security/user_email_confirmation.md index 172e26db618..3f7c66b311b 100644 --- a/doc/security/user_email_confirmation.md +++ b/doc/security/user_email_confirmation.md @@ -2,7 +2,7 @@ type: howto stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # User email confirmation at sign-up **(FREE SELF)** diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md index ddb8392d2be..63a5e51e3b5 100644 --- a/doc/security/user_file_uploads.md +++ b/doc/security/user_file_uploads.md @@ -2,7 +2,7 @@ type: reference stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # User file uploads **(FREE)** diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index e1daa705355..49ab4215ea5 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -1,7 +1,7 @@ --- stage: Manage group: Authentication and Authorization -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: concepts, reference, howto --- |