Enforce SSH Certificates via Settings
What
Enforce SSH Certificates via Settings
Blueprint: https://docs.gitlab.com/ee/architecture/blueprints/ssh_certificates/
- Implement an option to enforce using SSH certificates only for authentication and forbid personal SSH keys and access tokens
Related:
- Enforce auth via SSH certificates for Git access (!132653 - merged)
- Enforce authentication via SSH certificates for... (#421917 - closed)
Why
A new boolean group setting is introduced to control whether SSH certificates are enforced. The previous approach can be safely removed later because it hasn't been released yet. A customer noticed that with the current approach, deploy keys aren't accepted either. This shows the limitation of implementing SSH certificates as a separate Git protocol.
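To make the intended behaviour of the new setting concrete, here is an added Ruby illustration (not GitLab's own code) of a top-level group setting gating Git access: the `NamespaceSetting`, `Namespace` and credential-kind names, and the lookup through the root group, are assumptions made for this example.

```ruby
# Added illustration (not GitLab's code): models the boolean group setting
# enforce_ssh_certificates described above and the access decision it drives.
# NamespaceSetting, Namespace and the credential kinds are assumed names.

# Credential kinds the MR description talks about.
SSH_CERTIFICATE  = :ssh_certificate
PERSONAL_SSH_KEY = :personal_ssh_key
ACCESS_TOKEN     = :access_token

# Mirrors the migrated column: boolean, default false, not null.
NamespaceSetting = Struct.new(:enforce_ssh_certificates) do
  def initialize(enforce_ssh_certificates: false)
    unless [true, false].include?(enforce_ssh_certificates)
      raise ArgumentError, 'enforce_ssh_certificates must be true or false'
    end

    super(enforce_ssh_certificates)
  end
end

Namespace = Struct.new(:name, :parent, :setting) do
  # The checkbox lives on the top-level group, so walk up to it
  # (assumption: subgroups inherit the root group's setting).
  def root_ancestor
    node = self
    node = node.parent while node.parent
    node
  end

  def enforce_ssh_certificates?
    root_ancestor.setting.enforce_ssh_certificates
  end
end

# Returns true when the credential may be used for Git access within
# +namespace+. With enforcement on, only an SSH certificate is accepted;
# personal SSH keys and access tokens are refused.
def git_access_allowed?(namespace, credential_kind)
  return true unless namespace.enforce_ssh_certificates?

  credential_kind == SSH_CERTIFICATE
end
```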
Migration
Up:
main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 57274
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: migrating =====
main: -- add_column(:namespace_settings, :enforce_ssh_certificates, :boolean, {:default=>false, :null=>false})
main: -> 0.0035s
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: migrated (0.0069s)
main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 57274
Down:
main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 56818
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: reverting =====
main: -- remove_column(:namespace_settings, :enforce_ssh_certificates, :boolean, {:default=>false, :null=>false})
main: -> 0.0039s
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: reverted (0.0088s)
main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 56818
Steps
- Navigate to Gitlab Org > General Settings (or any other top level group)
- Set the checkbox to enforce SSH certificates.
Complex Steps
It can also be checked that SSH certificates are indeed enforced, but that requires more complex steps and has already been checked during the previous testing: !132653 (merged). Feel free to reach out to me if you want to test it anyway.
Edited by Igor Drozdov