Merge branch 'support_ecdsa-sk_and_ed25519-sk_ssh_keys' into 'master'

Support "ecdsa-sk" and "ed25519-sk" SSH keys

See merge request gitlab-org/gitlab!78934

app/helpers/application_settings_helper.rb

@@ -234,7 +234,9 @@ module ApplicationSettingsHelper
       :outbound_local_requests_allowlist_raw,
       :dsa_key_restriction,
       :ecdsa_key_restriction,
+      :ecdsa_sk_key_restriction,
       :ed25519_key_restriction,
+      :ed25519_sk_key_restriction,
       :eks_integration_enabled,
       :eks_account_id,
       :eks_access_key_id,

app/models/application_setting_implementation.rb

@@ -69,7 +69,9 @@ module ApplicationSettingImplementation
         domain_allowlist: Settings.gitlab['domain_allowlist'],
         dsa_key_restriction: 0,
         ecdsa_key_restriction: 0,
+        ecdsa_sk_key_restriction: 0,
         ed25519_key_restriction: 0,
+        ed25519_sk_key_restriction: 0,
         eks_access_key_id: nil,
         eks_account_id: nil,
         eks_integration_enabled: false,

db/migrate/20220128093756_add_ecdsa_sk_and_ed25519_sk_key_restrictions_to_application_settings.rb

+# frozen_string_literal: true
+
+class AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings < Gitlab::Database::Migration[1.0]
+  enable_lock_retries!
+
+  def change
+    add_column :application_settings, :ecdsa_sk_key_restriction, :integer, default: 0, null: false
+    add_column :application_settings, :ed25519_sk_key_restriction, :integer, default: 0, null: false
+  end
+end

db/schema_migrations/20220128093756

+787b1be4b69ef0eeb049ee6a3d7126dc75094b79fba18f469fffe78b16fce6a3
\ No newline at end of file

db/structure.sql

@@ -10617,6 +10617,8 @@ CREATE TABLE application_settings (
     runner_token_expiration_interval integer,
     group_runner_token_expiration_interval integer,
     project_runner_token_expiration_interval integer,
+    ecdsa_sk_key_restriction integer DEFAULT 0 NOT NULL,
+    ed25519_sk_key_restriction integer DEFAULT 0 NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
     CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),

doc/api/settings.md

@@ -65,6 +65,8 @@ Example response:
   "dsa_key_restriction": 0,
   "ecdsa_key_restriction": 0,
   "ed25519_key_restriction": 0,
+  "ecdsa_sk_key_restriction": 0,
+  "ed25519_sk_key_restriction": 0,
   "first_day_of_week": 0,
   "enforce_terms": true,
   "terms": "Hello world!",
@@ -166,6 +168,8 @@ Example response:
   "dsa_key_restriction": 0,
   "ecdsa_key_restriction": 0,
   "ed25519_key_restriction": 0,
+  "ecdsa_sk_key_restriction": 0,
+  "ed25519_sk_key_restriction": 0,
   "first_day_of_week": 0,
   "enforce_terms": true,
   "terms": "Hello world!",
@@ -268,7 +272,9 @@ listed in the descriptions of the relevant settings.
 | `domain_allowlist`                       | array of strings | no                                   | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
 | `dsa_key_restriction`                    | integer          | no                                   | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
 | `ecdsa_key_restriction`                  | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
+| `ecdsa_sk_key_restriction`               | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. |
 | `ed25519_key_restriction`                | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
+| `ed25519_sk_key_restriction`             | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ED25519_SK key. Default is `0` (no restriction). `-1` disables ED25519_SK keys. |
 | `eks_access_key_id`                      | string           | no                                   | AWS IAM access key ID. |
 | `eks_account_id`                         | string           | no                                   | Amazon account ID. |
 | `eks_integration_enabled`                | boolean          | no                                   | Enable integration with Amazon EKS. |

doc/push_rules/push_rules.md

@@ -172,7 +172,7 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
   - `id_dsa`
   - `.id_dsa`
 
-- Private ed25519 SSH keys:
+- Private ED25519 SSH keys:
 
   - `/ssh/id_ed25519`
   - `/.ssh/personal_ed25519`
@@ -188,6 +188,22 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
   - `id_ecdsa`
   - `.id_ecdsa`
 
+- Private ECDSA_SK SSH keys (GitLab 14.8 and later):
+
+  - `/ssh/id_ecdsa_sk`
+  - `/.ssh/personal_ecdsa_sk`
+  - `/config/server_ecdsa_sk`
+  - `id_ecdsa_sk`
+  - `.id_ecdsa_sk`
+
+- Private ED25519_SK SSH keys (GitLab 14.8 and later):
+
+  - `/ssh/id_ed25519_sk`
+  - `/.ssh/personal_ed25519_sk`
+  - `/config/server_ed25519_sk`
+  - `id_ed25519_sk`
+  - `.id_ed25519_sk`
+
 - Any files ending with these suffixes:
 
   - `*.pem`

doc/security/ssh_keys_restrictions.md

@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key
 strength, either to satisfy internal security policy or for regulatory
 compliance.
 
-Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
-the older DSA, and administrators may need to limit the allowed SSH key
-algorithms.
+Similarly, certain standards groups recommend using RSA, ECDSA, ED25519,
+ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to
+limit the allowed SSH key algorithms.
 
 GitLab allows you to restrict the allowed SSH key technology as well as specify
 the minimum key length for each technology:
@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the
 - DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
 - ECDSA SSH keys are allowed.
 - ED25519 SSH keys are allowed.
+- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
+- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
 
 <!-- ## Troubleshooting
 

doc/security/two_factor_authentication.md

@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again.
 WARNING:
 This feature might not be available to you. Check the **version history** note above for details.
 
-Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP)
-verification can be done via a GitLab Shell command:
+Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using
+[ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead.
+
+The one-time password (OTP) verification can be done using a command:
 
 ```shell
 ssh git@<hostname> 2fa_verify

doc/ssh/index.md

@@ -28,6 +28,8 @@ To view the version of SSH installed on your system, run `ssh -V`.
 To communicate with GitLab, you can use the following SSH key types:
 
 - [ED25519](#ed25519-ssh-keys)
+- [ED25519_SK](#ed25519_sk-ssh-keys) (Available in GitLab 14.8 and later.)
+- [ECDSA_SK](#ecdsa_sk-ssh-keys) (Available in GitLab 14.8 and later.)
 - [RSA](#rsa-ssh-keys)
 - DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.)
 - ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.)
@@ -42,6 +44,20 @@ suggests that [ED25519](https://ed25519.cr.yp.to/) keys are more secure and perf
 OpenSSH 6.5 introduced ED25519 SSH keys in 2014 and they should be available on most
 operating systems.
 
+### ED25519_SK SSH keys
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
+
+To use ED25519_SK SSH keys on GitLab, your local client and GitLab server
+must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
+
+### ECDSA_SK SSH keys
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
+
+To use ECDSA_SK SSH keys on GitLab, your local client and GitLab server
+must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
+
 ### RSA SSH keys
 
 Available documentation suggests that ED25519 is more secure than RSA.
@@ -64,6 +80,8 @@ Before you create a key pair, see if a key pair already exists.
    | Algorithm | Public key | Private key |
    | --------- | ---------- | ----------- |
    |  ED25519 (preferred)  | `id_ed25519.pub` | `id_ed25519` |
+   |  ED25519_SK | `id_ed25519_sk.pub` | `id_ed25519_sk` |
+   |  ECDSA_SK | `id_ecdsa_sk.pub` | `id_ecdsa_sk` |
    |  RSA (at least 2048-bit key size)     | `id_rsa.pub` | `id_rsa` |
    |  DSA (deprecated)      | `id_dsa.pub` | `id_dsa` |
    |  ECDSA    | `id_ecdsa.pub` | `id_ecdsa` |
@@ -177,6 +195,67 @@ OpenSSH format.
    ssh-keygen -o -t rsa -b 4096 -C "<comment>"
    ```
 
+## Generate an SSH key pair for a FIDO/U2F hardware security key
+
+To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later.
+
+1. Insert a hardware security key into your computer.
+1. Open a terminal.
+1. Type `ssh-keygen -t` followed by the key type and an optional comment.
+   This comment is included in the `.pub` file that's created.
+   You may want to use an email address for the comment.
+
+   For example, for ED25519_SK:
+
+   ```shell
+   ssh-keygen -t ed25519-sk -C "<comment>"
+   ```
+
+   For ECDSA_SK:
+
+   ```shell
+   ssh-keygen -t ecdsa-sk -C "<comment>"
+   ```
+
+   If your security key supports FIDO2 resident keys, you can enable this when
+   creating your SSH key:
+
+   ```shell
+   ssh-keygen -t ed25519-sk -O resident -C "<comment>"
+   ```
+
+   `-O resident` indicates that the key should be stored on the FIDO authenticator itself.
+   Resident key is easier to import to a new computer because it can be loaded directly
+   from the security key by [`ssh-add -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-add.1#K)
+   or  [`ssh-keygen -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-keygen#K).
+
+1. Select Enter. Output similar to the following is displayed:
+
+   ```plaintext
+   Generating public/private ed25519-sk key pair.
+   You may need to touch your authenticator to authorize key generation.
+   ```
+
+1. Touch the button on the hardware security key.
+
+1. Accept the suggested filename and directory:
+
+   ```plaintext
+   Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
+   ```
+
+1. Specify a [passphrase](https://www.ssh.com/academy/ssh/passphrase):
+
+   ```plaintext
+   Enter passphrase (empty for no passphrase):
+   Enter same passphrase again:
+   ```
+
+1. A confirmation is displayed, including information about where your files are stored.
+
+A public and private key are generated.
+[Add the public SSH key to your GitLab account](#add-an-ssh-key-to-your-gitlab-account).
+
 ## Add an SSH key to your GitLab account
 
 To use SSH with GitLab, copy your public key to your GitLab account.
@@ -210,7 +289,8 @@ To use SSH with GitLab, copy your public key to your GitLab account.
 1. On the left sidebar, select **SSH Keys**.
 1. In the **Key** box, paste the contents of your public key.
    If you manually copied the key, make sure you copy the entire key,
-   which starts with `ssh-ed25519` or `ssh-rsa`, and may end with a comment.
+   which starts with `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`,
+   `ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, or `sk-ssh-ed25519@openssh.com`, and may end with a comment.
 1. In the **Title** box, type a description, like `Work Laptop` or
    `Home Workstation`.
 1. Optional. In the **Expires at** box, select an expiration date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36243) in GitLab 12.9.)
@@ -318,7 +398,8 @@ on the files make them readable to you but not accessible to others.
 ## Configure two-factor authentication (2FA)
 
 You can set up two-factor authentication (2FA) for
-[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations).
+[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations). We recommend using
+[ED25519_SK](#ed25519_sk-ssh-keys) or [ECDSA_SK](#ecdsa_sk-ssh-keys) SSH keys.
 
 ## Use EGit on Eclipse
 

doc/user/admin_area/settings/visibility_and_access_controls.md

@@ -280,7 +280,7 @@ NOTE:
 SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
 other related settings.
 
-## Configure defaults for RSA, DSA, ECDSA, ED25519 SSH keys
+## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
 
 These options specify the permitted types and lengths for SSH keys.
 

ee/lib/gitlab/checks/files_denylist.yml

@@ -7,13 +7,15 @@
 
 - aws\/credentials$
 
-# RSA DSA ECSDA and ED25519 SSH keys
+# RSA, DSA, ECSDA, ED25519, ECDSA_SK, ED25519_SK SSH keys
 
-- (ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa)
+- (ssh|config)\/(personal|server)_(rsa|dsa|ed25519|ecdsa|ecdsa_sk|ed25519_sk)
 - id_rsa$
 - id_dsa$
 - id_ed25519$
 - id_ecdsa$
+- id_ecdsa_sk$
+- id_ed25519_sk$
 
 # privatekey.pem and secret.key
 

lib/gitlab/ssh_public_key.rb

@@ -10,7 +10,9 @@ module Gitlab
       Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w(ssh-rsa)),
       Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w(ssh-dss)),
       Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)),
-      Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519))
+      Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)),
+      Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w(sk-ecdsa-sha2-nistp256@openssh.com)),
+      Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
     ].freeze
 
     def self.technology(name)
@@ -98,6 +100,10 @@ module Gitlab
         key.openssl.group.order.num_bits
       when :ed25519
         256
+      when :ecdsa_sk
+        256
+      when :ed25519_sk
+        256
       end
     end
 

spec/factories/keys.rb

@@ -148,5 +148,24 @@ FactoryBot.define do
         KEY
       end
     end
+
+    factory :ecdsa_sk_key_256 do
+      key do
+        <<~KEY.delete("\n")
+          sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyN
+          TZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDZ+f5tSRhlB7EN39f93SscTN5PUv
+          bD3UQsNrlE1ZdbwPMMRul2zlPiUvwAvnJitW0jlD/vwZOW2YN+q+iZ5c0MAAAAEc3NoOg== dummy@gitlab.com
+        KEY
+      end
+    end
+
+    factory :ed25519_sk_key_256 do
+      key do
+        <<~KEY.delete("\n")
+          sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tA
+          AAAIEX/dQ0v4127bEo8eeG1EV0ApO2lWbSnN6RWusn/NjqIAAAABHNzaDo= dummy@gitlab.com
+        KEY
+      end
+    end
   end
 end

spec/features/admin/admin_settings_spec.rb

@@ -85,6 +85,8 @@ RSpec.describe 'Admin updates settings' do
           select 'Are allowed', from: 'DSA SSH keys'
           select 'Must be at least 384 bits', from: 'ECDSA SSH keys'
           select 'Are forbidden', from: 'ED25519 SSH keys'
+          select 'Are forbidden', from: 'ECDSA_SK SSH keys'
+          select 'Are forbidden', from: 'ED25519_SK SSH keys'
           click_on 'Save changes'
         end
 
@@ -95,6 +97,8 @@ RSpec.describe 'Admin updates settings' do
         expect(find_field('DSA SSH keys').value).to eq('0')
         expect(find_field('ECDSA SSH keys').value).to eq('384')
         expect(find_field('ED25519 SSH keys').value).to eq(forbidden)
+        expect(find_field('ECDSA_SK SSH keys').value).to eq(forbidden)
+        expect(find_field('ED25519_SK SSH keys').value).to eq(forbidden)
       end
 
       it 'change Account and Limit Settings' do

spec/features/profiles/keys_spec.rb

@@ -49,7 +49,12 @@ RSpec.describe 'Profile > SSH Keys' do
     context 'when only DSA and ECDSA keys are allowed' do
       before do
         forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
-        stub_application_setting(rsa_key_restriction: forbidden, ed25519_key_restriction: forbidden)
+        stub_application_setting(
+          rsa_key_restriction: forbidden,
+          ed25519_key_restriction: forbidden,
+          ecdsa_sk_key_restriction: forbidden,
+          ed25519_sk_key_restriction: forbidden
+        )
       end
 
       it 'shows a validation error' do

spec/helpers/ssh_keys_helper_spec.rb

@@ -17,9 +17,9 @@ RSpec.describe SshKeysHelper do
     end
 
     it 'returns only allowed algorithms' do
-      expect(ssh_key_allowed_algorithms).to match('ed25519')
-      stub_application_setting(ed25519_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
-      expect(ssh_key_allowed_algorithms).not_to match('ed25519')
+      expect(ssh_key_allowed_algorithms).to match('rsa')
+      stub_application_setting(rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
+      expect(ssh_key_allowed_algorithms).not_to match('rsa')
     end
   end
 end

spec/lib/gitlab/ssh_public_key_spec.rb

@@ -12,7 +12,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
     end
 
     where(:name) do
-      [:rsa, :dsa, :ecdsa, :ed25519]
+      [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
     end
 
     with_them do
@@ -24,7 +24,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
   describe '.supported_types' do
     it 'returns array with the names of supported technologies' do
       expect(described_class.supported_types).to eq(
-        [:rsa, :dsa, :ecdsa, :ed25519]
+        [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
       )
     end
   end
@@ -35,7 +35,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa, [1024, 2048, 3072, 4096]],
         [:dsa, [1024, 2048, 3072]],
         [:ecdsa, [256, 384, 521]],
-        [:ed25519, [256]]
+        [:ed25519, [256]],
+        [:ecdsa_sk, [256]],
+        [:ed25519_sk, [256]]
       ]
     end
 
@@ -53,6 +55,8 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         ssh-dss
         ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
         ssh-ed25519
+        sk-ecdsa-sha2-nistp256@openssh.com
+        sk-ssh-ed25519@openssh.com
         )
       )
     end
@@ -64,7 +68,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa, %w(ssh-rsa)],
         [:dsa, %w(ssh-dss)],
         [:ecdsa, %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)],
-        [:ed25519, %w(ssh-ed25519)]
+        [:ed25519, %w(ssh-ed25519)],
+        [:ecdsa_sk, %w(sk-ecdsa-sha2-nistp256@openssh.com)],
+        [:ed25519_sk, %w(sk-ssh-ed25519@openssh.com)]
       ]
     end
 
@@ -122,7 +128,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
            rsa_key_8192
            dsa_key_2048
            ecdsa_key_256
-           ed25519_key_256)
+           ed25519_key_256
+           ecdsa_sk_key_256
+           ed25519_sk_key_256)
       end
 
       with_them do
@@ -201,7 +209,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa_key_2048, :rsa],
         [:dsa_key_2048, :dsa],
         [:ecdsa_key_256, :ecdsa],
-        [:ed25519_key_256, :ed25519]
+        [:ed25519_key_256, :ed25519],
+        [:ecdsa_sk_key_256, :ecdsa_sk],
+        [:ed25519_sk_key_256, :ed25519_sk]
       ]
     end
 
@@ -231,7 +241,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa_key_8192, 8192],
         [:dsa_key_2048, 2048],
         [:ecdsa_key_256, 256],
-        [:ed25519_key_256, 256]
+        [:ed25519_key_256, 256],
+        [:ecdsa_sk_key_256, 256],
+        [:ed25519_sk_key_256, 256]
       ]
     end
 
@@ -261,7 +273,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa_key_8192, 'fb:53:7f:e9:2f:f7:17:aa:c8:32:52:06:8e:05:e2:82'],
         [:dsa_key_2048, 'c8:85:1e:df:44:0f:20:00:3c:66:57:2b:21:10:5a:27'],
         [:ecdsa_key_256, '67:a3:a9:7d:b8:e1:15:d4:80:40:21:34:bb:ed:97:38'],
-        [:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73']
+        [:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73'],
+        [:ecdsa_sk_key_256, '56:b9:bc:99:3d:2f:cf:63:6b:70:d8:f9:40:7e:09:4c'],
+        [:ed25519_sk_key_256, 'f9:a0:64:0b:4b:72:72:0e:62:92:d7:04:14:74:1c:c9']
       ]
     end
 
@@ -289,7 +303,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
         [:rsa_key_8192, 'SHA256:CtHFQAS+9Hb8z4vrv4gVQPsHjNN0WIZhWODaB1mQLs4'],
         [:dsa_key_2048, 'SHA256:+a3DQ7cU5GM+gaYOfmc0VWNnykHQSuth3VRcCpWuYNI'],
         [:ecdsa_key_256, 'SHA256:C+I5k3D+IGeM6k5iBR1ZsphqTKV+7uvL/XZ5hcrTr7g'],
-        [:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0']
+        [:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0'],
+        [:ecdsa_sk_key_256, 'SHA256:N0sNKBgWKK8usPuPegtgzHQQA9vQ/dRhAEhwFDAnLA4'],
+        [:ed25519_sk_key_256, 'SHA256:U8IKRkIHed6vFMTflwweA3HhIf2DWgZ8EFTm9fgwOUk']
       ]
     end
 

spec/models/key_spec.rb

@@ -20,6 +20,8 @@ RSpec.describe Key, :mailer do
     it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
     it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
     it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
+    it { is_expected.to allow_value(attributes_for(:ecdsa_sk_key_256)[:key]).for(:key) }
+    it { is_expected.to allow_value(attributes_for(:ed25519_sk_key_256)[:key]).for(:key) }
     it { is_expected.not_to allow_value('foo-bar').for(:key) }
 
     context 'key format' do
@@ -187,10 +189,12 @@ RSpec.describe Key, :mailer do
       forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
 
       [
-        [:rsa_key_2048,    0, true],
-        [:dsa_key_2048,    0, true],
-        [:ecdsa_key_256,   0, true],
-        [:ed25519_key_256, 0, true],
+        [:rsa_key_2048,       0, true],
+        [:dsa_key_2048,       0, true],
+        [:ecdsa_key_256,      0, true],
+        [:ed25519_key_256,    0, true],
+        [:ecdsa_sk_key_256,   0, true],
+        [:ed25519_sk_key_256, 0, true],
 
         [:rsa_key_2048, 1024, true],
         [:rsa_key_2048, 2048, true],
@@ -206,10 +210,18 @@ RSpec.describe Key, :mailer do
         [:ed25519_key_256, 256, true],
         [:ed25519_key_256, 384, false],
 
-        [:rsa_key_2048,    forbidden, false],
-        [:dsa_key_2048,    forbidden, false],
-        [:ecdsa_key_256,   forbidden, false],
-        [:ed25519_key_256, forbidden, false]
+        [:ecdsa_sk_key_256, 256, true],
+        [:ecdsa_sk_key_256, 384, false],
+
+        [:ed25519_sk_key_256, 256, true],
+        [:ed25519_sk_key_256, 384, false],
+
+        [:rsa_key_2048,       forbidden, false],
+        [:dsa_key_2048,       forbidden, false],
+        [:ecdsa_key_256,      forbidden, false],
+        [:ed25519_key_256,    forbidden, false],
+        [:ecdsa_sk_key_256,   forbidden, false],
+        [:ed25519_sk_key_256, forbidden, false]
       ]
     end
 

spec/requests/api/settings_spec.rb

@@ -32,6 +32,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
       expect(json_response['dsa_key_restriction']).to eq(0)
       expect(json_response['ecdsa_key_restriction']).to eq(0)
       expect(json_response['ed25519_key_restriction']).to eq(0)
+      expect(json_response['ecdsa_sk_key_restriction']).to eq(0)
+      expect(json_response['ed25519_sk_key_restriction']).to eq(0)
       expect(json_response['performance_bar_allowed_group_id']).to be_nil
       expect(json_response['allow_local_requests_from_hooks_and_services']).to be(false)
       expect(json_response['allow_local_requests_from_web_hooks_and_services']).to be(false)
@@ -111,6 +113,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
             dsa_key_restriction: 2048,
             ecdsa_key_restriction: 384,
             ed25519_key_restriction: 256,
+            ecdsa_sk_key_restriction: 256,
+            ed25519_sk_key_restriction: 256,
             enforce_terms: true,
             terms: 'Hello world!',
             performance_bar_allowed_group_path: group.full_path,
@@ -163,6 +167,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
         expect(json_response['dsa_key_restriction']).to eq(2048)
         expect(json_response['ecdsa_key_restriction']).to eq(384)
         expect(json_response['ed25519_key_restriction']).to eq(256)
+        expect(json_response['ecdsa_sk_key_restriction']).to eq(256)
+        expect(json_response['ed25519_sk_key_restriction']).to eq(256)
         expect(json_response['enforce_terms']).to be(true)
         expect(json_response['terms']).to eq('Hello world!')
         expect(json_response['performance_bar_allowed_group_id']).to eq(group.id)

spec/views/profiles/keys/_key.html.haml_spec.rb

@@ -90,8 +90,8 @@ RSpec.describe 'profiles/keys/_key.html.haml' do
       using RSpec::Parameterized::TableSyntax
 
       where(:valid, :expiry, :result) do
-        false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
-        false | 2.days.ago      | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
+        false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
+        false | 2.days.ago      | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
         true  | 2.days.ago      | 'Key usable beyond expiration date.'
         true  | 2.days.from_now | ''
       end