Require 2FA for GitHub organization members

PSA: You should enable 2FA on your account by following the instructions here.

In light of recent events with npm, it seems like a good time to talk about requiring two-factor authentication for our organizations.

The owners of The Foreman, Katello, and Catello organizations would need to enable this per the instructions at Members who don’t have 2FA enabled would be removed and get an e-mail, so there’s obviously got to be some notice period (30 days?). Once they enable 2FA they can be re-added to the org and it looks like all their previous access gets restored.

I don’t think this affects our general workflow, as SSH keys and tokens should all still work as normal.

This came up in the discussion about publishing automatically to Puppet Forge.

  • Require 2FA for everyone
  • Only encourage people to enable 2FA
  • Don’t require 2FA at all
  • Something else

I counted 54 out of 119 on theforeman GitHub organization currently have 2-factor authentication enabled. And 29 out of 70 on Katello.

100% agree for anyone with any kind of commit rights. People who were added to the org so that they can run tests, I’m less concerned about - but that cuts both ways, I’m not so concerned if they get removed over a lack of 2FA :)

I do wish the control was more granular, but it doesn’t seem we can limit to permissions or teams at the moment.

2FA makes sense for committers, but not for everyone added to the org for CI purposes. I voted “something else”, and it’s a pain that GH doesn’t allow a per-team setting for this, but I think it shouldn’t be too difficult to identify members that have commit access to some repo manually and make sure they activate 2FA - it would be a bit more work than letting GH do it, but shouldn’t take more than a couple of hours of checking the lists and sending messages.

I can’t update the poll but if existing voters prefer this they can change their vote to “Something else” as well.

Owners of the respective orgs would need to do this manually (or perhaps write a script to do it), but through the UI I’m not sure it’s easy to know who has write access to a repo. The “people” list only shows team membership, and then one would need to drill down into the UI to see if a team has commit, or possibly rename the team to indicate its privileges.

Polls can’t be edited as changing them mid-flight would invalidate the prior results.

If I have an hour spare I’ll see if I can do something with the GitHub API to detect committers vs non-committers. suggests that we can detect it, build a list, and then cross-reference with the users API for a 2FA check.

Based on the votes the consensus is to enable 2FA. Since “committers only” wasn’t part of the options, I think that’s also an acceptable solution if it could be automated, did you get a chance to take a look at that @Gwmngilfen?

Otherwise I think we should announce a date, and mention it during the next community demo, and then turn it on.

Very briefly yes, I think it’s possible. Haven’t actually tried to write it though. In pseudocode I think it’s just:

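# Pseudocode: github.api and the user predicates are placeholders, not a real client
repos = github.api.repos('theforeman') + github.api.repos('katello')
users = []
repos.each do |repo|
  # keep only users with commit (push) access to this repo
  users << repo.users.where { |u| u.commit? }
end
users.flatten.sort.uniq.each { |user|
  puts "#{user.login} - no 2FA" unless user.two_factor?
}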

That would be enough, no? I can probably look at this on Tues.

Yes indeed, it’s not too difficult with the API. This script will do it:

An owner of the respective orgs will have to run the report. I am worried that we will only run this once and not maintain it, while the GitHub setting will actually always enforce it.


Can we set a date for 2FA requirement and make an announcement and sort out the details between now and then?

So is there a free as in freedom 2FA app for Android? And also for CLI so I can easily show the code and copy and paste it from my console? That would do it for me.

works on Android and iOS. It’s free, and maintained by someone at Red Hat. Not sure about CLI, but anything that implements the HOTP standard should work I think.

For day-to-day usage, API and SSH keys still work fine without 2FA, so it’s not something you’ll be doing frequently.

FreeOTP is what I use too, it’s available in the F-Droid repo. I don’t have a CLI generator, but you can store/generate HOTP secrets in KeePassXC (although, of course, I would suggest in a separate wallet to the password itself :P)

I take your point about keeping the list up to date, though. I’m ok with enforcing it org-wide - 2FA is good practice and we should encourage normalising it. I suggest we start with committers (via that script) and look to enforcing it org wide in a few months. I’ll make sure it goes in the newsletter next week.

Do we have numbers on how many committers have it disabled? How many of them will enable it if we nudge them?

Owners of the Katello and Foreman org would need to run the script. I believe that’s @ehelms @Justin_Sherrill @Mike_McCune @ohadlevy

But I did check Catello and it was more than half had 2FA off.

On Katello there are only 8 committers without 2fa enabled. I’ll go ahead and contact them directly.


I’ve executed the script against the foreman org, and found there is a bug in it - it only fetches the first page of the repo list and organization members, leading to missing a lot of results. To fix it, after initializing the client you need to add

client.auto_paginate = true

After fixing it, I’ve found there are 31 committers in the foreman org with no 2fa, I’ll start messaging all of them to ask them to enable 2fa.

I’m not sure we should enforce 2FA via github since we use org membership to allow automatic CI runs for known contributors, I don’t think we need to require all ~70 such contributors to enable it.

There is another issue with enforcing 2FA - it will mean kicking out theforeman-bot, unless we have some way of enabling it for the bot (which needs commit access to set labels, close stale prs etc).
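
An added illustration of the committers-only report and the first-page-only bug discussed in this thread (not the script that was posted here, and not Octokit): `FakeClient`, its method names and the sample data are constructed stand-ins, and only the `auto_paginate` switch mirrors the setting quoted above.

```ruby
# Constructed stand-in for a paginated API client (not Octokit). As with the
# script in the thread, list calls return only page one unless auto_paginate is set.
class FakeClient
  PER_PAGE = 2
  attr_accessor :auto_paginate

  def initialize(data)
    @data = data
  end

  def org_repos(org)
    page(@data[:repos].fetch(org, []))
  end

  def collaborators(repo)
    page(@data[:collaborators].fetch(repo, []))
  end

  def members_without_2fa(org)
    page(@data[:no_2fa].fetch(org, []))
  end

  private

  def page(items)
    auto_paginate ? items : items.first(PER_PAGE)
  end
end

# Logins with push access to at least one org repo that also lack 2FA.
def committers_without_2fa(client, org)
  committers = client.org_repos(org).flat_map do |repo|
    client.collaborators(repo).select { |u| u[:push] }.map { |u| u[:login] }
  end
  (committers.uniq & client.members_without_2fa(org)).sort
end

# Constructed sample data; every name here is made up.
SAMPLE = {
  repos: { 'exampleorg' => %w[core plugin-a plugin-b] },
  collaborators: {
    'core' => [{ login: 'alice', push: true }, { login: 'bob', push: false },
               { login: 'carol', push: true }],
    'plugin-a' => [{ login: 'dave', push: true }],
    'plugin-b' => [{ login: 'erin', push: true }, { login: 'ci-tester', push: false }]
  },
  no_2fa: { 'exampleorg' => %w[bob carol ci-tester erin] }
}.freeze
```

With `auto_paginate` unset the report on the sample data comes back empty, a false all-clear; with it set the report lists carol and erin, while bob and ci-tester are left out because they have no push access.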

Update - I’ve mailed the 27 committers whose mails I managed to find, and found 1 committer, ooVoo, which is a company that has shut down over a year ago and had commit access to foreman-xen which has been revoked.
There are 2 committers which I have not managed to find a way to e-mail. If anyone knows them please let me know how to contact them or I will have to revoke their access as well until they make contact. Their github user names are: b0e and svaclav.


The 2 committers who I didn’t manage to contact don’t seem to have been active in the last year, and have been removed from commit access, if they wish to restore it they are welcome to contact me.

There are now 14 members remaining with commit access who haven’t yet activated 2FA, and they all received my message asking them to do so. I will be revoking their access one week from today if they do not activate 2FA.