Skip to content

Add settings for minimum key strength and allowed key type

Originally opened at !5552 (closed) by @electrickite.


What does this MR do?

This merge request adds three new application settings:

  1. rsa_key_restriction: The minimum allowed bit length of an uploaded RSA key
  2. dsa_key_restriction: The minimum allowed bit length of an uploaded DSA key
  3. ecdsa_key_restriction: The minimum allowed curve size (in bits) of an uploaded ECDSA key
  4. ed25519_key_restriction: The minimum allowed curve size (in bits) of an uploaded ED25519 key

To support these settings, it adds validations to the Key model to check length/type and four new fields to the application settings page to allow an administrator to configure them. API support is also added.

Are there points in the code the reviewer needs to double check?

Why was this MR needed?

"The admin does not have control over the key length or type for the ssh keys. This is something that could become a problem as the brute force cracking of keys becomes less difficult."

ssh-keygen allows users to create RSA keys with as few as 768 bits, which falls well below recommendations from certain standards groups (such as the US NIST). Some organizations deploying Gitlab will need to enforce minimum key strength, either to satisfy internal security policy or for regulatory compliance.

Similarly, certain standards groups recommend using RSA, ECDSA or ED25519 over the older DSA, and administrators may need to limit the allowed SSH key algorithms.

Screenshots

Application settings screen

key-restrictions

SSH key technology is not allowed error

disabled-key-type

SSH key length is too small

too-weak-key

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #17849 (closed)

Edited by Robert Speicher

Merge request reports

Loading