Skip to content

Enforce SSH Certificates via Settings

Igor Drozdov requested to merge id-deploy-keys-with-ssh-certificates into master

What

Enforce SSH Certificates via Settings

Blueprint: https://docs.gitlab.com/ee/architecture/blueprints/ssh_certificates/

  • Implement an option to enforce using SSH certificates only for authentication and forbid personal SSH keys and access tokens

Related:

Why

A new boolean group setting is introduced in order to control whether SSH certificates are enforced or not. The previous approach can be safely removed later because it hasn't been released yet. A customer has noticed that with the current approach, deploy key won't be accepted as well. It shows the limitation of creating SSH certificates as a separate Git protocol.

Migration

Up:

main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 57274
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: migrating =====
main: -- add_column(:namespace_settings, :enforce_ssh_certificates, :boolean, {:default=>false, :null=>false})
main:    -> 0.0035s
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: migrated (0.0069s)

main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 57274

Down:

main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 56818
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: reverting =====
main: -- remove_column(:namespace_settings, :enforce_ssh_certificates, :boolean, {:default=>false, :null=>false})
main:    -> 0.0039s
main: == 20231109165512 AddEnforceSshCertificatesToNamespaceSettings: reverted (0.0088s)

main: == [advisory_lock_connection] object_id: 183680, pg_backend_pid: 56818

Steps

  1. Navigate to Gitlab Org > General Settings (or any other top level group)
  2. Set the checkbox to enforce SSH certificates:

Screenshot_2023-11-09_at_19.39.30

Complex Steps

It can be also checked that the SSH certificates are indeed enforced, but it will require more complex steps and has been already checked during the previous testing: !132653 (merged). Feel free to reach out to me if you want to test it anyway.

Edited by Igor Drozdov

Merge request reports

Loading