Skip to content

Prevent users from adding known, weak keys

nobody requested to merge jgao1025/gitlab:24614 into master

What does this MR do and why?

Part of #24614 (closed)

This MR request got the list of bad ssh public keys from here: https://github.com/rapid7/ssh-badkeys/tree/master/authorized. Put these keys into a keys.txt file. Then use the following script to change these keys to sha256 fingerprint.

require_relative 'config/environment'

keys = IO.readlines('keys.txt', chomp: true)

keys.each do |key|
  pub = Gitlab::SSHPublicKey.new(key)
  puts pub.fingerprint_sha256
end

When a user tries to add the ssh public key to their profile page at /-/profile/keys, additional validation check will confirm if the public is on the bad public key list or not.

Screenshots or screen recordings

banned_key

How to set up and validate locally

Run spec tests locally

cd gitlab-development-kit/gitlab
bin/rspec spec/lib/gitlab/ssh_public_key_spec.rb
bin/rspec spec/models/key_spec.rb

Test in web interface

Test if the feature is working or not for a user

  1. enable root user feature on rails console
[13] pry(main)> rootuser =  User.find_by_username('root')
=> #<User id:1 @root>
[14] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
[15] pry(main)> Feature.enable(:ssh_banned_key, rootuser)
=> true
  1. go to http://localhost:3000/-/profile/keys, and upload all the bad key one by one to check that the key is not accepted and the result should be like screenshot above.

  2. test a good ssh key and it is added normally.

  3. close feature and test again.

bin/rails console

[18] pry(main)> Feature.disable(:ssh_banned_key, rootuser)
=> true
[19] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
  1. go to http://localhost:3000/-/profile/keys`, and upload all the bad key one by one to check that the banned key can now be able to upload successfully.

Test if the feature is working or not for a user while another user enabled the feature

  1. impersonate user lashawnda

  2. enable user feature on rails console

[9] pry(main)> user = User.find_by_username('lashawnda')
=> #<User id:9 @lashawnda>
=> true
[11] pry(main)> Feature.enabled?(:ssh_banned_key, user)
=> true
  1. go to http://localhost:3000/-/profile/keys, and upload all the bad keys one by one to check that the key is not accepted and the result should be like screenshot.

  2. go back to root user, and go to http://localhost:3000/-/profile/keys, then try to upload a bad ssh key. The banned ssh key should be accepted by the root user while the feature of :ssh_banned_key is enabled for the suer lashawnda.

Test if deploy key is working for a project

  1. impersonate as lashawnda

  2. enable feature for lashawnda only.

[15] pry(main)> Feature.enable(:ssh_banned_key, user)
=> true
[16] pry(main)> Feature.enabled?(:ssh_banned_key,user)
=> true
  1. try to upload a bad ssh key as a deploy key for every project that lashawnda can upload. Find out that only gnuwget/Wget2, and lashawnda/gitlab-shell can allow lashawnda upload a key, then go to http://localhost:3000/gnuwget/Wget2/-/settings/repository#js-deploy-keys-settings and add a bad ssh key.

  2. it rejects to upload the key. The error message is like below.

Screen_Shot_2022-06-05_at_9.45.37_pm

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Peter Leitzen

Merge request reports

Loading