From YouTube: SmartCard Authentication (Manage 201)
Description
The Manage team at GitLab is giving talks to share knowledge on particular topics. The aim is to make it easier for others to contribute, both within the team and beyond.
This presentation introduces the SmartCard Authentication feature in GitLab, shipping in 11.6.
Slides are linked to from https://gitlab.com/gitlab-org/manage/issues/9, along with details of upcoming 201 sessions.
---------------
Read more about our product vision: http://bit.ly/2IyXDOX
Learn about FOSS & GitLab: http://bit.ly/2KegFjx
Get in touch with Sales: http://bit.ly/2IygR7z
A: So smart card authentication is shipping in GitLab 11.6, and I can give a short demo. So we need 11.6. If you enable smart card authentication, this is how the login screen will look: there will be a new tab for smart cards, saying that you sign in with a smart card, and when you hit that button directly, it will actually log you into GitLab.

A: So what is a smart card, and why is it smart? Basically, smart cards are in your phone as the SIM card, and your credit cards are also smart cards. They have a tiny processor and secure storage, and secure storage is obviously needed if you are going to store certificates on them. And because, as I mentioned, they have a microprocessor, they are programmable: they have an embedded operating system. The most common ones are .NET-based, but there are also other ones, Java-based operating systems and custom ones. As they are programmable, they provide a way for certificate storage, to access those certificates, and additional features. So with some smart cards you can have automatic creation, which really helps, but that's what we are most interested in.
A: What worked for me is a YubiKey, because it also has smart card capabilities, and it was pretty easy for me to set it up and start using it, so I used a YubiKey the whole time to develop and test this feature. So, the workflow. The question is how we get the client certificate from the smart card to GitLab, and we can split that workflow into two. We have the smart card reader to the browser, that's one half of it, and the second half is from the browser to GitLab. We make this distinction because the first part doesn't require anything from our side, from GitLab's side. It's purely the responsibility of the user, or the system administrator of the user, to set up the operating system correctly: set up the driver and the middleware for the smart card reader, and also configure the browser. But the second part is on the server side, to GitLab.
A: We want to configure the web server and we want to verify the client certificate. So, as I mentioned, the first part is getting the certificate from the reader to the browser. This is how a smart card reader looks. It connects to your laptop or computer by USB, and you can put a smart card in and it will read the certificate. You also need the middleware, which needs to be installed on your machine.
A: The one middleware I used is OpenSC and, as you can guess from the name, it's an open source solution and it supports multiple smart cards. It basically provides an API for a bunch of smart cards, not all of them, because most of them are proprietary, but the more common ones might be supported by OpenSC.

A: As for example the YubiKey: I mean, there are multiple APIs, but the one we are interested in is actually in OpenSC for YubiKey, and you need to configure the browser to work with the middleware. So here's how I configured Firefox. In the Privacy and Security settings there's the Security part, and I highlighted Security Devices. Actually, both buttons are important for us, View Certificates and Security Devices. So if you click on Security Devices, you will need to add OpenSC as a security device.
A: So if you don't have a YubiKey, you might still be able to use smart card authentication in the browser. I haven't tested it today, but if you import the certificate in Firefox, it might be available to select when the client-side certificate prompt pops up. So here it's actually not an imported certificate, it's the one Firefox can see on the YubiKey. Oh, by the way, if you have any question, just ask in the group chat, or just ask the question at the end.
A: First we need to configure the web server. Since Omnibus is using nginx, I will be mostly talking about it. So this is how you require the client-side certificate in the nginx config. You basically just set the root certificate, and there's ssl_verify_client, which has three options: on, off or optional.

A: We don't always require the client-side certificate. If you set it to optional, the little window still pops up for the user to select a certificate, but if they want to use a different authentication method, it might be really annoying to always have that screen.
A
Here
ID
put
configuration
how
you
need
to
set
up
the
server
certificate
when
you
want
to
use
HTTP
versus
the
client
certificate,
so
the
the
top
one
is
how
you
set
up
HTTP
for
for
it
for
example.com
and
the
bottom.
One
is
how
we'll
use
the
clients.
How
do
you
request
the
client
certificate
from
the
browser
and
since
I
mentioned,
that
nginx
need
to
require
the
client-side
certificate?
It
needs
to
run
on
a
different
port.
So
we,
for
example,
with
apache
HTTP.
A
So
what
we've
done
in
omnibus
is
running
the
same
server
pretty
much
the
same
server
or
on
a
different
port,
but
this
requires
the
client-side
certificate
and
when
I
hit
a
button
in
github
to
log
in
with
smart
card,
it
actually
forwarded
me
to
this
second
port
required
the
client-side
certificate
and
forwarded
back
to
the
original
github
port,
and
you
also
who
set
the
header
to
be
forwarded
to
the
key
trebius
application.
And
this
is
how
you've
done
it.
The
first
is
the
name
and
SSRI
and
escape.
Third
is
the
name
of
the
nginx
Moriah.
A: Actually, we had a regression related to this recently, because we figured out that Omnibus only has nginx version, I think, 1.12, but ssl_client_escaped_cert was introduced in 1.13 or something like that, and previously only ssl_client_cert existed, which is now deprecated, but it returns the client certificate in a different format. So we need to make sure that both are supported in GitLab Rails.

A: So this is just putting the pieces together in the nginx config. This is still just a short example; I deleted most of the actual configuration. We have the server running on a different port, we require the client certificate and we verify it against this root certificate, and we forward the client certificate as a client certificate header to the Rails application. And finally, in GitLab Rails, this is how we do the verification.
A: So in the GitLab configuration you can have the smartcard CA file, which will be loaded into an OpenSSL certificate store, and basically we just verify the certificate header we are receiving from nginx against that store. So this is how the pieces fit together, when you visit gitlab.example.com on the port which actually requires the client-side certificate.

A: This is the pop-up that unlocks the smart card and then lets you select which certificate you want to use on this site. I actually have only one certificate on my YubiKey, so the pop-up is only populated with one item. So previously, when I showed the example, you didn't see these two windows because I had already used and selected this certificate and I hit "Remember this decision". So when I previously demonstrated logging into GitLab with the smart card, these windows didn't show up. So, a few words about the certificates themselves.
A: So this is an example from Wikipedia. There are a few important details in the certificate that we are interested in. For example, it has a serial number. If you generate it with OpenSSL, it will usually be auto-generated; you can set it manually, but it's much easier that way, because it needs to be unique. There's the issuer, which signs your certificate, and there's a bit of information about the issuer, and the subject is actually details about the holder of the certificate, and, as you can see, there are a few fields.

A: For example, C is for country, O is the organisation, which you can see for both the issuer and the subject as well, and there are other supported fields; here there's a list of them. There's the country, the state, organization, organizational unit and so on. We are mostly interested in the common name, because we are actually deriving the user's username in GitLab from the common name, and there's also another one.
A: The email address, which we also use for GitLab, because we occasionally send out emails, and we need that in the subject field. So there are different formats in which you can have the certificates. I will now show you an example which uses the standard PEM, but, for example, if you were to import your certificate in Firefox, you might need to convert it to PKCS 11 format, which is a bit different than the standard PEM. And by the way, PKCS stands for Public Key Cryptography Standards.

A: So it's a standard which defines how the format should look for the certificate. And now I will just shortly discuss how you can create a certificate with the YubiKey. Of course, these steps are also applicable to other devices if you want to play with a smart card, and it's also useful because you can see what the components are which are required to create the certificate.
A: This is pretty much in the same format, but you can now see that the issuer is Random Corporation and, because it's a self-signed certificate, the subject is also Random Corporation. So this is the one we are going to use to create and sign the certificate for the YubiKey. And if you search the internet for how to create a key pair for the YubiKey, you might find different guides, because Yubico, the company behind YubiKey, is in the process of refactoring their tooling, and most of the documentation still mentions the previous tool.

A: I think it was called yubico-piv-tool or something like that. But it no longer supports all the features of the newer YubiKeys; for example, I have a YubiKey 4 and I found some incompatibilities which didn't work out with the previous tool, but they still haven't migrated all the code to this new tool, and the documentation is still not updated. So you might need to check it twice.
A: ...which we are going to sign with the root CA we created in the first few steps. So here you can see we provide the CA cert PEM and the CA key with the CA key file. We are using OpenSSL to generate the serial for this certificate, and now it puts it there: the YubiKey certificate file.

A: Right, and then pretty much the last step is to import the certificate to your YubiKey, and we are importing it to the same slot. And then you can check, and you can see all the details here: the subject and the issuer distinguished name and all the details we provided. The CN for the subject is gitlab user 01 and the issuer is already set, and you can see the PIN tries left is still three. And so for the next steps...
A: So those are the steps, and you can see there are a few questions in the group chat. So: can a user be created on first login with a smart card? So yes. Actually now, if you try to sign in with a smart card which you haven't used previously, it will automatically create a new user for the [inaudible].

A: So a new user will be created and it will be saved as a smart card identity, and next time, when you are trying to log in with the user, the user will be found and logged in again. And the second question: the nginx config made it sound like the client certificates need to be valid. Yes, yes, that's right. The client certificate needs to be valid, otherwise nginx will throw an error.
B: Had again... go ahead. Is this intended primarily for, like, on-premise customers? Because it seems like if you were to add it on, like, GitLab.com, there could be things where someone somehow gets a valid certificate with an email address of someone else, or something like that. Like, is the plan to be mostly on-premise customers?

A: Yes.
Probably
it
will
be
better
when
we
add,
subject
alternative
name
extension,
because
I
think
there's
also
option
to
like
I
that
might
be
even
a
more
stand,
their
solution
to
define
their
email
address
for
the
user
in
that
extension.
But
now
we
support
both
of
the
format
that
that
that
is
applicable
to
the
subject
field.
Mmm-Hmm.
B
A
B
B: I can imagine it's a big requirement for them, that they would be one of the groups pushing for it, because I just remember, like, you know, that's what they were doing with basically everything: if it didn't support smart card it had to soon. So, but it looks like good work so far, and I like that you're using the client certificates, because then you have that mutual authentication for the encrypted tunnel as well.
A: Yes, yes, yeah! So far, we actually used to only authenticate in nginx and, like, just forward the end result to GitLab Rails, but as we figured out, that might not be the most secure solution, because we could just forward the header to GitLab Rails itself, without nginx, and that could still authenticate the user, which we don't want. So we added the verification to the Rails side as well. Yeah.
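The talk ends on the check that matters most: nginx terminates the client-certificate TLS session and forwards the certificate in a header, and the Rails side re-verifies that certificate against the smartcard CA file instead of trusting the header, while accepting both the percent-encoded $ssl_client_escaped_cert form and the older tab-indented $ssl_client_cert form that the regression was about. The Ruby below is an added example written for this page by the editor, not GitLab's code and not from the talk. The function names, the header encodings (reproduced from how nginx documents those two variables), the throwaway CA and the subject "gitlab-user-01" are all constructed for the example; only the idea (load the CA into an OpenSSL::X509::Store, verify the forwarded certificate, then derive username and email from CN and emailAddress) comes from the talk.

```ruby
require 'openssl'

# Added example (editor's code, not GitLab's). Names and fixtures are assumptions.

# $ssl_client_escaped_cert is a percent-encoded PEM; the deprecated
# $ssl_client_cert prefixes every line after the first with a tab.
# Normalise both into plain PEM. A manual %XX decode is used on purpose:
# form decoders would also turn '+' into a space and corrupt base64.
def pem_from_header(value)
  pem = value.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  pem.delete("\t")
end

# The store plays the role of the smartcard CA file loaded at boot.
def build_store(ca_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store
end

# Returns {cn:, email:} only when the forwarded certificate chains to the
# trusted CA; nil for a missing/garbled header or an untrusted issuer.
def verify_client_cert(store, header_value)
  return nil if header_value.nil? || header_value.empty?
  cert = OpenSSL::X509::Certificate.new(pem_from_header(header_value))
  return nil unless store.verify(cert)
  subject = cert.subject.to_a # [[short_name, value, asn1_type], ...]
  {
    cn:    subject.find { |n, _, _| n == 'CN' }&.at(1),
    email: subject.find { |n, _, _| n == 'emailAddress' }&.at(1)
  }
rescue OpenSSL::X509::CertificateError
  nil
end

# --- constructed fixtures: a throwaway CA, a client cert it signed, and a
# --- look-alike cert signed by an unrelated CA (the attacker-supplied header
# --- the last answer worries about).
def make_cert(dn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(63)          # must be unique per issuer
  cert.subject = OpenSSL::X509::Name.parse(dn)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/C=US/O=Random Corporation/CN=Random Corporation Root CA', CA_KEY, ca: true)
USER_KEY  = OpenSSL::PKey::RSA.new(2048)
USER_CERT = make_cert('/C=US/O=Random Corporation/CN=gitlab-user-01/emailAddress=user01@example.com',
                      USER_KEY, issuer: CA_CERT, issuer_key: CA_KEY)
ROGUE_KEY  = OpenSSL::PKey::RSA.new(2048)
ROGUE_CA   = make_cert('/O=Other CA', ROGUE_KEY, ca: true)
ROGUE_CERT = make_cert('/CN=gitlab-user-01/emailAddress=user01@example.com',
                       OpenSSL::PKey::RSA.new(2048), issuer: ROGUE_CA, issuer_key: ROGUE_KEY)

# Reproduce the two encodings nginx would put into the proxied header.
def escaped_header(cert)  # $ssl_client_escaped_cert style (RFC 3986 unreserved chars kept)
  cert.to_pem.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

def legacy_header(cert)   # deprecated $ssl_client_cert style
  cert.to_pem.gsub("\n", "\n\t")
end

def run_demo
  store = build_store(CA_CERT.to_pem)
  {
    escaped: verify_client_cert(store, escaped_header(USER_CERT)),
    legacy:  verify_client_cert(store, legacy_header(USER_CERT)),
    rogue:   verify_client_cert(store, escaped_header(ROGUE_CERT)),
    garbage: verify_client_cert(store, 'not-a-certificate')
  }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The rogue case is the point of the final answer: a header carrying a syntactically valid certificate with someone else's CN and email is rejected because it does not chain to the configured CA, so bypassing nginx and posting the header straight to Rails gains nothing.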