Skip to content

Look up SSH keys by SHA256 fingerprint, not MD5 fingerprint

Nick Thomas requested to merge 195668-key-lookup-sha256-fingerprint into master

What does this MR do?

This change takes GitLab one step closer to being FIPS-compliant, and means git operations over SSH can work in a FIPS-enforcing environment.

GitLab Shell sends the full SSH key to GitLab, and we have the SHA256 fingerprint stored in the database already, so which fingerprint we use to look up the key is an implementation detail; the tests (correctly, IMO) don't mandate a particular form.

The next step for FIPS compliance on this feature is to stop generating MD5 fingerprints when SSH keys are added.

Screenshots or Screencasts (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Related to #195668 (closed)

Edited by Nick Thomas

Merge request reports

Loading