Clean-up some confusing info from security docs

2019-07-16 07:02:20 +00:00 · 2019-07-16 07:02:20 +00:00 · 698864df12
parent 6b301c43ec
commit 698864df12
10 changed files with 56 additions and 29 deletions
--- a/doc/security/information_exclusivity.md
+++ b/doc/security/information_exclusivity.md
@ -1,6 +1,7 @@
 ---
 type: concepts
 ---
+
 # Information exclusivity

 Git is a distributed version control system (DVCS). This means that everyone
--- a/doc/security/password_length_limits.md
+++ b/doc/security/password_length_limits.md
@ -1,19 +1,31 @@
 ---
 type: reference, howto
 ---
+
 # Custom password length limits

-If you want to enforce longer user passwords you can create an extra Devise
-initializer with the steps below.
+The user password length is set to a minimum of 8 characters by default.
+To change that for installations from source:

-If you do not use the `devise_password_length.rb` initializer the password
-length is set to a minimum of 8 characters in `config/initializers/devise.rb`.
+1. Edit `devise_password_length.rb`:

-```bash
-cd /home/git/gitlab
-sudo -u git -H cp config/initializers/devise_password_length.rb.example config/initializers/devise_password_length.rb
-sudo -u git -H editor config/initializers/devise_password_length.rb   # inspect and edit the new password length limits
-```
+   ```sh
+   cd /home/git/gitlab
+   sudo -u git -H cp config/initializers/devise_password_length.rb.example config/initializers/devise_password_length.rb
+   sudo -u git -H editor config/initializers/devise_password_length.rb
+   ```
+
+1. Change the new password length limits:
+
+   ```ruby
+   config.password_length = 12..128
+   ```
+
+   In this example, the minimum length is 12 characters, and the maximum length
+   is 128 characters.
+
+1. [Restart GitLab](../administration/restart_gitlab.md#installations-from-source)
+   for the changes to take effect.

 <!-- ## Troubleshooting

--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@ -1,6 +1,7 @@
 ---
 type: reference, howto
 ---
+
 # Rack Attack

 [Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem
--- a/doc/security/reset_root_password.md
+++ b/doc/security/reset_root_password.md
@ -1,6 +1,7 @@
 ---
 type: howto
 ---
+
 # How to reset your root password

 To reset your root password, first log into your server with root privileges.
--- a/doc/security/ssh_keys_restrictions.md
+++ b/doc/security/ssh_keys_restrictions.md
@ -1,6 +1,7 @@
 ---
 type: reference, howto
 ---
+
 # Restrict allowed SSH key technologies and minimum length

 `ssh-keygen` allows users to create RSA keys with as few as 768 bits, which
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@ -1,6 +1,7 @@
 ---
 type: howto
 ---
+
 # Enforce Two-factor Authentication (2FA)

 Two-factor Authentication (2FA) provides an additional level of security to your
--- a/doc/security/unlock_user.md
+++ b/doc/security/unlock_user.md
@ -2,37 +2,44 @@
 type: howto
 ---

-# How to unlock a locked user
+# How to unlock a locked user from the command line

-To unlock a locked user, first log into your server with root privileges.
+After six failed login attempts a user gets in a locked state.

-Start a Ruby on Rails console with this command:
+To unlock a locked user:

-```bash
-gitlab-rails console production
-```
+1. SSH into your GitLab server.
+1. Start a Ruby on Rails console:

-Wait until the console has loaded.
+   ```sh
+   ## For Omnibus GitLab
+   sudo gitlab-rails console production

-There are multiple ways to find your user. You can search for email or username.
+   ## For installations from source
+   sudo -u git -H bundle exec rails console RAILS_ENV=production
+   ```

-```bash
-user = User.where(id: 1).first
-```
+1. Find the user to unlock. You can search by email or ID.

-or
+   ```ruby
+   user = User.find_by(email: 'admin@local.host')
+   ```

-```bash
-user = User.find_by(email: 'admin@local.host')
-```
+   or

-Unlock the user:
+   ```ruby
+   user = User.where(id: 1).first
+   ```

-```bash
-user.unlock_access!
-```
+1. Unlock the user:

-Exit the console, the user should now be able to log in again.
+   ```ruby
+   user.unlock_access!
+   ```
+
+1. Exit the console with <kbd>Ctrl</kbd>+<kbd>d</kbd>
+
+The user should now be able to log in.

 <!-- ## Troubleshooting

--- a/doc/security/user_email_confirmation.md
+++ b/doc/security/user_email_confirmation.md
@ -1,6 +1,7 @@
 ---
 type: howto
 ---
+
 # User email confirmation at sign-up

 GitLab can be configured to require confirmation of a user's email address when
--- a/doc/security/user_file_uploads.md
+++ b/doc/security/user_file_uploads.md
@ -1,6 +1,7 @@
 ---
 type: reference
 ---
+
 # User File Uploads

 Images that are attached to issues, merge requests, or comments
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@ -1,6 +1,7 @@
 ---
 type: concepts, reference, howto
 ---
+
 # Webhooks and insecure internal web services

 If you have non-GitLab web services running on your GitLab server or within its