Add settings for minimum key strength and allowed key type
Originally opened at !5552 (closed) by @electrickite.
What does this MR do?
This merge request adds three new application settings:
-
rsa_key_restriction
: The minimum allowed bit length of an uploaded RSA key -
dsa_key_restriction
: The minimum allowed bit length of an uploaded DSA key -
ecdsa_key_restriction
: The minimum allowed curve size (in bits) of an uploaded ECDSA key -
ed25519_key_restriction
: The minimum allowed curve size (in bits) of an uploaded ED25519 key
To support these settings, it adds validations to the Key
model to check length/type and four new fields to the application settings page to allow an administrator to configure them. API support is also added.
Are there points in the code the reviewer needs to double check?
Why was this MR needed?
"The admin does not have control over the key length or type for the ssh keys. This is something that could become a problem as the brute force cracking of keys becomes less difficult."
ssh-keygen
allows users to create RSA keys with as few as 768 bits, which falls well below recommendations from certain standards groups (such as the US NIST). Some organizations deploying Gitlab will need to enforce minimum key strength, either to satisfy internal security policy or for regulatory compliance.
Similarly, certain standards groups recommend using RSA, ECDSA or ED25519 over the older DSA, and administrators may need to limit the allowed SSH key algorithms.
Screenshots
Application settings screen
SSH key technology is not allowed error
SSH key length is too small
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Backend
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together
What are the relevant issue numbers?
Closes #17849 (closed)