Prevent users from adding known, weak keys
What does this MR do and why?
Part of #24614 (closed)
This MR takes the list of bad SSH public keys from https://github.com/rapid7/ssh-badkeys/tree/master/authorized. Put these keys into a keys.txt file, then use the following script to convert each key to its SHA256 fingerprint (the list the new validation compares against).
# Load the GitLab Rails environment so Gitlab::SSHPublicKey is available.
require_relative 'config/environment'
# One OpenSSH public key line per entry.
keys = IO.readlines('keys.txt', chomp: true)
keys.each do |key|
  pub = Gitlab::SSHPublicKey.new(key)
  # Print the "SHA256:..." fingerprint used by the banned-key check.
  puts pub.fingerprint_sha256
end
When a user tries to add an SSH public key on their profile page at /-/profile/keys, an additional validation check confirms whether the public key's fingerprint is on the bad public key list.
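As an added illustration (not code from this MR or from GitLab), a stand-alone Ruby sketch of the check described above. Gitlab::SSHPublicKey is replaced by a minimal fingerprint helper, and two constructed ed25519 keys stand in for the rapid7 list; the names ed25519_line, fingerprint_sha256 and validate_key are assumptions of this example.

```ruby
require 'digest'
require 'set'

# Build an OpenSSH "ssh-ed25519 <base64> <comment>" line from raw key bytes.
# Constructed test data only; these are not real compromised keys.
def ed25519_line(pubkey_bytes, comment)
  type = 'ssh-ed25519'
  # SSH wire format: length-prefixed type string, length-prefixed key bytes.
  blob = [type.bytesize, type, pubkey_bytes.bytesize, pubkey_bytes].pack('Na*Na*')
  "#{type} #{[blob].pack('m0')} #{comment}"
end

# OpenSSH-style SHA256 fingerprint: SHA256 over the decoded key blob,
# base64-encoded without padding, prefixed with "SHA256:".
# Only the second field matters, so the comment and surrounding whitespace
# cannot change the result.
def fingerprint_sha256(key_line)
  fields = key_line.strip.split(/\s+/)
  raise ArgumentError, 'malformed key line' unless fields.size >= 2
  blob = fields[1].unpack1('m0') # strict base64; raises ArgumentError if invalid
  'SHA256:' + [Digest::SHA256.digest(blob)].pack('m0').delete('=')
end

# Constructed stand-ins for a "known weak" key and a normal user key.
WEAK_KEY = ed25519_line("\x01" * 32, 'leaked@example')
GOOD_KEY = ed25519_line("\x02" * 32, 'me@laptop')

# Precomputed fingerprints, as the MR's script produces from keys.txt.
BANNED_FINGERPRINTS = Set.new([WEAK_KEY].map { |k| fingerprint_sha256(k) })

# Returns :banned, :malformed or :ok for a submitted key line.
def validate_key(key_line)
  fp = fingerprint_sha256(key_line)
  BANNED_FINGERPRINTS.include?(fp) ? :banned : :ok
rescue ArgumentError
  :malformed
end
```

Renaming the comment or padding the line with whitespace does not change the fingerprint, so the check still rejects the key.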
Screenshots or screen recordings
How to set up and validate locally
Run spec tests locally
cd gitlab-development-kit/gitlab
bin/rspec spec/lib/gitlab/ssh_public_key_spec.rb
bin/rspec spec/models/key_spec.rb
Test in web interface
Test if the feature is working or not for a user
- enable the feature for the root user on the rails console
[13] pry(main)> rootuser = User.find_by_username('root')
=> #<User id:1 @root>
[14] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
[15] pry(main)> Feature.enable(:ssh_banned_key, rootuser)
=> true
- go to http://localhost:3000/-/profile/keys, and upload all the bad keys one by one to check that each key is not accepted; the result should look like the screenshot above.
- test a good ssh key and check that it is added normally.
- disable the feature and test again.
bin/rails console
[18] pry(main)> Feature.disable(:ssh_banned_key, rootuser)
=> true
[19] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
- go to http://localhost:3000/-/profile/keys, and upload all the bad keys one by one to check that the banned keys can now be uploaded successfully.
Test whether the feature affects a user when another user has it enabled
- impersonate user lashawnda
- enable the feature for this user on the rails console
[9] pry(main)> user = User.find_by_username('lashawnda')
=> #<User id:9 @lashawnda>
=> true
[11] pry(main)> Feature.enabled?(:ssh_banned_key, user)
=> true
- go to http://localhost:3000/-/profile/keys, and upload all the bad keys one by one to check that each key is not accepted; the result should look like the screenshot.
- go back to the root user, go to http://localhost:3000/-/profile/keys, and try to upload a bad ssh key. The banned ssh key should be accepted for the root user while the :ssh_banned_key feature is enabled only for the user lashawnda.
Test if deploy key is working for a project
- impersonate lashawnda
- enable the feature for lashawnda only.
[15] pry(main)> Feature.enable(:ssh_banned_key, user)
=> true
[16] pry(main)> Feature.enabled?(:ssh_banned_key,user)
=> true
- try to upload a bad ssh key as a deploy key for every project to which lashawnda can add one. Only gnuwget/Wget2 and lashawnda/gitlab-shell allow lashawnda to add a key, so go to http://localhost:3000/gnuwget/Wget2/-/settings/repository#js-deploy-keys-settings and add a bad ssh key.
- the upload is rejected. The error message looks like the one below.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.