1

I would like to ask if it's possible to disable the global 2FA policy (everyone need to activate 2FA before accessing gitlab) but I can't disable on the web interface because I can't activate it, it gives me everytime PIN code invalid. I tried to sync the server date and my Google Authenticator app but I still get the error. I installed GitLab using Omnibus. I found the following command but it only disable all users's 2FA.

gitlab-rake gitlab:two_factor:disable_for_all_users

There are currently no users with 2FA enabled.

I have full access to the gitlab server.

Here is what I get from my web interface :

enter image description here

enter image description here

I can't navigate in settings as admin user

Command:

sudo gitlab-rake gitlab:env:info

Output:

System information
System:         CentOS 7.6.1810
Current User:   git
Using RVM:      no
Ruby Version:   2.5.3p105
Gem Version:    2.7.6
Bundler Version:1.17.3
Rake Version:   12.3.2
Redis Version:  3.2.12
Git Version:    2.18.1
Sidekiq Version:5.2.5
Go Version:     unknown

GitLab information
Version:        11.10.4
Revision:       62c464651d2
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     9.6.11
URL:            https://privateurl
HTTP Clone URL: https://privateurl/some-group/some-project.git
SSH Clone URL:  git@privateurl:some-group/some-project.git
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        9.0.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Command:

sudo gitlab-rake gitlab:check SANITIZE=true

Output:

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 9.0.0 ? ... OK (9.0.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
2/3 ... yes
2/4 ... yes
2/6 ... yes
3/7 ... yes
3/10 ... yes
2/11 ... yes
3/12 ... yes
3/13 ... yes
3/19 ... yes
3/20 ... yes
3/21 ... yes
2/22 ... yes
2/23 ... yes
2/24 ... yes
2/26 ... yes
2/27 ... yes
2/28 ... yes
2/29 ... yes
2/30 ... yes
2/31 ... yes
2/32 ... yes
2/33 ... yes
2/34 ... yes
2/38 ... yes
2/40 ... yes
2/41 ... yes
2/43 ... yes
2/45 ... yes
7/47 ... yes
7/48 ... yes
7/49 ... yes
3/50 ... yes
7/51 ... yes
7/53 ... yes
7/55 ... yes
7/56 ... yes
7/57 ... yes
7/58 ... yes
7/59 ... yes
7/60 ... yes
7/61 ... yes
7/62 ... yes
7/63 ... yes
7/64 ... yes
7/65 ... yes
7/66 ... yes
3/67 ... yes
7/68 ... yes
7/70 ... yes
7/71 ... yes
3/73 ... yes
7/74 ... yes
8/78 ... yes
8/80 ... yes
8/81 ... yes
8/82 ... yes
8/83 ... yes
8/84 ... yes
7/86 ... yes
7/87 ... yes
7/88 ... yes
7/89 ... yes
7/90 ... yes
7/91 ... yes
7/92 ... yes
7/93 ... yes
7/94 ... yes
7/95 ... yes
7/96 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... no
  Try fixing it:
  mkdir ~/gitlab-check-backup-1568203251
  sudo mv /var/opt/gitlab/.ssh/id_rsa ~/gitlab-check-backup-1568203251
  sudo mv /var/opt/gitlab/.ssh/id_rsa.pub ~/gitlab-check-backup-1568203251
  For more information see:
  doc/ssh/README.md in section "SSH on the GitLab server"
  Please fix the error above and rerun the checks.
Active users: ... 2

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
executable
  • 197
  • 3
  • 15
  • Does `gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil, encrypted_otp_secret_iv: nil, encrypted_otp_secret_salt: nil, otp_backup_codes: nil)'` or `gitlab-rails runner 'User.find_each(&:disable_two_factor!)'` work? – Lenniey Sep 12 '19 at 08:07
  • I installed using Omnibus, I found this API command `curl --request PUT --header "PRIVATE-TOKEN: token" https://gitlab.ent.com/api/v4/application/settings?require_two_factor_authentication=false&two_factor_grace_period=0` but I have a permission error `{"message":"403 Forbidden"}` – executable Sep 12 '19 at 08:23
  • Try with your username and password, too: `curl --request PUT --header "PRIVATE-TOKEN: token" https://gitlab.ent.com/api/v4/application/settings?require_two_factor_authentication=false&two_factor_grace_period=0 -u username:password`. Careful, this will be visible in your history and logs – Lenniey Sep 12 '19 at 08:25
  • I tried using my username and password but I got the same result. How to generate an admin token if I have no access on my web interface – executable Sep 12 '19 at 08:29
  • Then your user/ token does not have global admin rights. How did you setup your user anyway, if you can't access Gitlab? – Lenniey Sep 12 '19 at 08:30
  • I have a user with an access token and an admin user but without the token. i can't generate the token because I have no access on my web interface (2FA is blocking me) using the admin user – executable Sep 12 '19 at 08:31

0 Answers0