two-factor authentication #358
Comments
Bump ⬆️ |
Bump ⬆️ |
TOTP or U2F would be great to have. |
👍 |
👍 |
Bump ⬆️ |
Any update? |
Any update? |
+1, two-factor authentication and/or OAuth 2.0. This is regrettable. The Docker Hub portal seems built by a child; it seems like a beginner thing, very amateur. How can I trust my private repositories to Docker Hub if security does not seem to be important to them? We are seriously thinking of migrating to another provider. Safety first!!!! |
@joeldrapper Docker Hub security is the question here, not Rancher server. |
@frekele sorry mate, I thought this might help if you were concerned about Docker Hub’s authentication for Docker Cloud. I don’t work for Docker, was just recommending Rancher as it’s more secure than Docker Cloud. I totally agree with you. Docker Hub needs to take security seriously. 2FA, oauth, enforcing long passwords, etc. is really important for this. How can we know that even the official Docker Hub images, that we rely on, are safe from attack? Personally, I'm making the best of the situation by using a ~50 character password that was generated by 1Password. That stops the brute-force threat, but can’t protect you from MITM or other possible attacks. |
@joeldrapper Exactly. |
2FA is a need |
Bump ⬆️ |
👍 |
+1 |
+1 |
+1 |
Bump |
+1 |
Bump ⬆️ |
+1 |
security plz |
+1 |
+1 |
+1 |
+1 |
Seems we need a community-driven, security-focused public Docker repo (with Notary and 2-factor). Do any good alternative public container repos exist? |
GitHub's is in beta right now: https://help.github.com/en/articles/configuring-docker-for-use-with-github-package-registry |
@nijave The github package registry looks nice, thanks. Now if only my beta invite will come through... |
GitLab has a really well working registry - and it has 2fa! :) It's also available for gitlab.com accounts as per:
https://docs.gitlab.com/ee/user/project/container_registry.html |
@nijave, any idea if GitHub supports Notary? |
How is this still a thing? Please add 2FA; it's not that hard, there are plenty of OAuth and SAML plugins. |
Here's a list I found by googling: https://www.g2.com/products/docker-hub/competitors/alternatives |
@meticulous-dft is everything okay? |
Hello from September 😃 https://twitter.com/comunitius/status/1170450304849965056 |
Hello? Anyone? Bueller....? This is looooong overdue and a pretty insane lack of communication.... SO many scary potential problems that should be keeping you up at night! I'm guessing this would be a few days' work with the amount of plug-and-play solutions out there. Moving to GitLab in the meantime, which is unfortunate. :( Just got the GitHub Package beta this week so looking into that too. Please, at the very least, give us an update!!!! |
FYI #1879 |
My uptime monitoring service now supports 2FA, and Docker Hub still does not. A breach of my Uptime Robot account can't affect anything except my potential response delay when stuff goes down. It's nice to have, but I'd notice on my own a few minutes later in most cases. A breach of my Docker Hub account could theoretically poison half an ecosystem (or worse) in a few minutes, before anyone has a chance to react. Please, please give us some transparency on what's holding this up. The continued silence should embarrass everyone at Docker, Inc. |
Quick update: we released personal access tokens last week (https://docs.docker.com/docker-hub/access-tokens/); now we are wrapping up and internally testing 2FA. It will be released in October. |
|
Sarcasm not needed - letting this security issue go on for 4 years with no comment until now is absolutely not okay. |
I'm also trying to get clarity on how secure having our own private registry is... |
@dm17 - we have opted to use Harbor for our private registry and have integrated it with Okta using OIDC for auth. That gives us enforced MFA for access to the UI at least. Pulling images still requires the use of an auth code without MFA but that’s not a requirement for us. Okta has a free developer account for up to 1000 monthly active users and Harbor is not super hard to deploy. It also comes with a Notary for signing and verifying images, which is pretty useful. |
2FA on Docker Hub was launched today. |
4 years, 4 days and 1 breach later, with little communication, we're here. Hope this can be avoided in similar occasions in the future. Again an explanation for how we got to this state would be good. :) |
I don't know all of the history as I'm new-ish to Docker but what I do know is that our team has worked and will continue to work to ensure that our platform is secure. |
thanks @shaneakr, we all appreciate your hard work! this was great news! |
https://www.docker.com/blog/designing-docker-hub-2fa/ Thank you for targeting webauthn. Hoping my bank would do the same ;) |
Closing now that it is finally launched :) |
Please add two-factor authentication. People are using your service for deploying to production in continuous integration scenarios like Amazon EC2 Container Service.