@techknowlogick : Thx for answering my issue. My focus is on the provider side:
- I’m providing a gitea instance
- It is based on LDAP users
- I’d like to require the users to use a hardware token
- I want to be sure: once a user has no hardware token, he/she will not be able to access the instance any more
- Ask the users to login using their LDAP credentials
- Ask them to activate a 2nd factor
- Handle the 2nd factor via a temporary solution (I don’t want them to install a special app on their mobiles)
- Activate the hardware token
- Verify: LDAP credentials plus hardware token are OK for accessing Gitea
- Report this to the gitea admin
Now the gitea admin looks into the users overview and verifies the check mark on “2FA”. If it is there, the user has at least partly completed the procedure.
Now I’m modifying the database tables:
- create a copy of two_factor → two_factor_backup
- copy the user’s record to two_factor_backup (just in case I need it later)
- destroy the values of secret, scratch_salt, scratch_hash for the user within two_factor
At this point, the user cannot login via the TOTP token any more. The hardware token still works.
The emergency password doesn’t work either (hopefully, not checked so far).
These issues still exist:
- Access with SSH keys - maybe allow only SK keys? There is a patch for SK keys and it works, but it accepts “all” SSH keys; easy to change
- Access with an application token - completely open
- The user might delete his/her account and start over, since without an existing account a new one will probably be created based on the LDAP credentials - I could remove the part “delete account” from gitea
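The database steps described in this comment (back up the user's `two_factor` row, then blank `secret`, `scratch_salt` and `scratch_hash`), together with a report the admin can run afterwards to see which users still have a TOTP secret, as an added example that is not part of the original comment or of Gitea's own code. It runs against an in-memory SQLite database with constructed sample rows; the column names `secret`, `scratch_salt` and `scratch_hash` are taken from the comment, while the `user` table layout, the `uid` column and the sample values are assumptions made for this example. It only covers the TOTP path; the SSH-key and application-token gaps listed above are not touched by it.

```python
import sqlite3

# Minimal stand-in for the two tables the procedure touches.
# Column names secret / scratch_salt / scratch_hash come from the comment;
# everything else is an assumption for this constructed example.
SCHEMA = """
CREATE TABLE user (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE two_factor (
    id           INTEGER PRIMARY KEY,
    uid          INTEGER NOT NULL UNIQUE REFERENCES user(id),
    secret       TEXT NOT NULL,
    scratch_salt TEXT NOT NULL,
    scratch_hash TEXT NOT NULL
);
"""


def make_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO user (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    # alice and bob have enrolled TOTP; carol has no two_factor row at all.
    conn.executemany(
        "INSERT INTO two_factor (uid, secret, scratch_salt, scratch_hash) "
        "VALUES (?, ?, ?, ?)",
        [
            (1, "CONSTRUCTED-SECRET-ALICE", "salt-a", "hash-a"),
            (2, "CONSTRUCTED-SECRET-BOB", "salt-b", "hash-b"),
        ],
    )
    conn.commit()
    return conn


def backup_two_factor_row(conn: sqlite3.Connection, uid: int) -> int:
    """Copy the user's two_factor row into two_factor_backup (created on
    first use with the same columns). Returns the number of rows copied."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS two_factor_backup AS "
        "SELECT * FROM two_factor WHERE 0"
    )
    cur = conn.execute(
        "INSERT INTO two_factor_backup SELECT * FROM two_factor WHERE uid = ?",
        (uid,),
    )
    conn.commit()
    return cur.rowcount


def clear_totp_secret(conn: sqlite3.Connection, uid: int) -> int:
    """Blank secret, scratch_salt and scratch_hash for one user.
    The two_factor row itself is kept, so the user still shows as having
    2FA in the admin overview; only the TOTP material is gone."""
    cur = conn.execute(
        "UPDATE two_factor "
        "SET secret = '', scratch_salt = '', scratch_hash = '' "
        "WHERE uid = ?",
        (uid,),
    )
    conn.commit()
    return cur.rowcount


def two_factor_report(conn: sqlite3.Connection):
    """Admin check: for every user, whether a two_factor row exists and
    whether a TOTP secret is still stored. Returns (name, enrolled, has_totp)."""
    rows = conn.execute(
        "SELECT u.name, t.uid IS NOT NULL, COALESCE(t.secret, '') <> '' "
        "FROM user u LEFT JOIN two_factor t ON t.uid = u.id "
        "ORDER BY u.name"
    ).fetchall()
    return [(name, bool(enrolled), bool(totp)) for name, enrolled, totp in rows]


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", two_factor_report(db))
    backup_two_factor_row(db, 2)
    clear_totp_secret(db, 2)
    print("after: ", two_factor_report(db))
```

Running `two_factor_report` after the procedure makes the remaining exposure visible at a glance: a user listed with `has_totp` still `True` has not been through the steps yet, and a user with no row at all never enrolled a second factor.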