Commit 47ab3dd0 authored by Alex Pooley's avatar Alex Pooley

Merge branch 'support_ecdsa-sk_and_ed25519-sk_ssh_keys' into 'master'

Support "ecdsa-sk" and "ed25519-sk" SSH keys

See merge request gitlab-org/gitlab!78934
parents 1bf766cd 782a634c
...@@ -234,7 +234,9 @@ module ApplicationSettingsHelper ...@@ -234,7 +234,9 @@ module ApplicationSettingsHelper
:outbound_local_requests_allowlist_raw, :outbound_local_requests_allowlist_raw,
:dsa_key_restriction, :dsa_key_restriction,
:ecdsa_key_restriction, :ecdsa_key_restriction,
:ecdsa_sk_key_restriction,
:ed25519_key_restriction, :ed25519_key_restriction,
:ed25519_sk_key_restriction,
:eks_integration_enabled, :eks_integration_enabled,
:eks_account_id, :eks_account_id,
:eks_access_key_id, :eks_access_key_id,
......
...@@ -69,7 +69,9 @@ module ApplicationSettingImplementation ...@@ -69,7 +69,9 @@ module ApplicationSettingImplementation
domain_allowlist: Settings.gitlab['domain_allowlist'], domain_allowlist: Settings.gitlab['domain_allowlist'],
dsa_key_restriction: 0, dsa_key_restriction: 0,
ecdsa_key_restriction: 0, ecdsa_key_restriction: 0,
ecdsa_sk_key_restriction: 0,
ed25519_key_restriction: 0, ed25519_key_restriction: 0,
ed25519_sk_key_restriction: 0,
eks_access_key_id: nil, eks_access_key_id: nil,
eks_account_id: nil, eks_account_id: nil,
eks_integration_enabled: false, eks_integration_enabled: false,
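Review bot: The new `ecdsa_sk_key_restriction: 0` and `ed25519_sk_key_restriction: 0` defaults allow hardware-backed key types out of the box, which agrees with the documentation in this commit, but I don't see on this page the `ApplicationSetting` validation hunk that constrains the existing `*_key_restriction` attributes (presumably to a supported size or the forbidden value). If that validator is driven by a static list of attribute names, it needs the two new names too; otherwise the admin settings API could store an arbitrary integer in these columns. The defaults hash continues outside the hunk.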
......
# frozen_string_literal: true
class AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings < Gitlab::Database::Migration[1.0]
enable_lock_retries!
def change
add_column :application_settings, :ecdsa_sk_key_restriction, :integer, default: 0, null: false
add_column :application_settings, :ed25519_sk_key_restriction, :integer, default: 0, null: false
end
end
787b1be4b69ef0eeb049ee6a3d7126dc75094b79fba18f469fffe78b16fce6a3
\ No newline at end of file
...@@ -10617,6 +10617,8 @@ CREATE TABLE application_settings ( ...@@ -10617,6 +10617,8 @@ CREATE TABLE application_settings (
runner_token_expiration_interval integer, runner_token_expiration_interval integer,
group_runner_token_expiration_interval integer, group_runner_token_expiration_interval integer,
project_runner_token_expiration_interval integer, project_runner_token_expiration_interval integer,
ecdsa_sk_key_restriction integer DEFAULT 0 NOT NULL,
ed25519_sk_key_restriction integer DEFAULT 0 NOT NULL,
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)), CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
...@@ -65,6 +65,8 @@ Example response: ...@@ -65,6 +65,8 @@ Example response:
"dsa_key_restriction": 0, "dsa_key_restriction": 0,
"ecdsa_key_restriction": 0, "ecdsa_key_restriction": 0,
"ed25519_key_restriction": 0, "ed25519_key_restriction": 0,
"ecdsa_sk_key_restriction": 0,
"ed25519_sk_key_restriction": 0,
"first_day_of_week": 0, "first_day_of_week": 0,
"enforce_terms": true, "enforce_terms": true,
"terms": "Hello world!", "terms": "Hello world!",
...@@ -166,6 +168,8 @@ Example response: ...@@ -166,6 +168,8 @@ Example response:
"dsa_key_restriction": 0, "dsa_key_restriction": 0,
"ecdsa_key_restriction": 0, "ecdsa_key_restriction": 0,
"ed25519_key_restriction": 0, "ed25519_key_restriction": 0,
"ecdsa_sk_key_restriction": 0,
"ed25519_sk_key_restriction": 0,
"first_day_of_week": 0, "first_day_of_week": 0,
"enforce_terms": true, "enforce_terms": true,
"terms": "Hello world!", "terms": "Hello world!",
...@@ -268,7 +272,9 @@ listed in the descriptions of the relevant settings. ...@@ -268,7 +272,9 @@ listed in the descriptions of the relevant settings.
| `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
| `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. |
| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. | | `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
| `ed25519_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519_SK key. Default is `0` (no restriction). `-1` disables ED25519_SK keys. |
| `eks_access_key_id` | string | no | AWS IAM access key ID. | | `eks_access_key_id` | string | no | AWS IAM access key ID. |
| `eks_account_id` | string | no | Amazon account ID. | | `eks_account_id` | string | no | Amazon account ID. |
| `eks_integration_enabled` | boolean | no | Enable integration with Amazon EKS. | | `eks_integration_enabled` | boolean | no | Enable integration with Amazon EKS. |
......
...@@ -172,7 +172,7 @@ Files blocked by this rule are listed below. For a complete list of criteria, se ...@@ -172,7 +172,7 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
- `id_dsa` - `id_dsa`
- `.id_dsa` - `.id_dsa`
- Private ed25519 SSH keys: - Private ED25519 SSH keys:
- `/ssh/id_ed25519` - `/ssh/id_ed25519`
- `/.ssh/personal_ed25519` - `/.ssh/personal_ed25519`
...@@ -188,6 +188,22 @@ Files blocked by this rule are listed below. For a complete list of criteria, se ...@@ -188,6 +188,22 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
- `id_ecdsa` - `id_ecdsa`
- `.id_ecdsa` - `.id_ecdsa`
- Private ECDSA_SK SSH keys (GitLab 14.8 and later):
- `/ssh/id_ecdsa_sk`
- `/.ssh/personal_ecdsa_sk`
- `/config/server_ecdsa_sk`
- `id_ecdsa_sk`
- `.id_ecdsa_sk`
- Private ED25519_SK SSH keys (GitLab 14.8 and later):
- `/ssh/id_ed25519_sk`
- `/.ssh/personal_ed25519_sk`
- `/config/server_ed25519_sk`
- `id_ed25519_sk`
- `.id_ed25519_sk`
- Any files ending with these suffixes: - Any files ending with these suffixes:
- `*.pem` - `*.pem`
......
...@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key ...@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory strength, either to satisfy internal security policy or for regulatory
compliance. compliance.
Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over Similarly, certain standards groups recommend using RSA, ECDSA, ED25519,
the older DSA, and administrators may need to limit the allowed SSH key ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to
algorithms. limit the allowed SSH key algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology: the minimum key length for each technology:
...@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the ...@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the
- DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)). - DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
- ECDSA SSH keys are allowed. - ECDSA SSH keys are allowed.
- ED25519 SSH keys are allowed. - ED25519 SSH keys are allowed.
- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
<!-- ## Troubleshooting <!-- ## Troubleshooting
......
...@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again. ...@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again.
WARNING: WARNING:
This feature might not be available to you. Check the **version history** note above for details. This feature might not be available to you. Check the **version history** note above for details.
Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP) Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using
verification can be done via a GitLab Shell command: [ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead.
The one-time password (OTP) verification can be done using a command:
```shell ```shell
ssh git@<hostname> 2fa_verify ssh git@<hostname> 2fa_verify
......
...@@ -28,6 +28,8 @@ To view the version of SSH installed on your system, run `ssh -V`. ...@@ -28,6 +28,8 @@ To view the version of SSH installed on your system, run `ssh -V`.
To communicate with GitLab, you can use the following SSH key types: To communicate with GitLab, you can use the following SSH key types:
- [ED25519](#ed25519-ssh-keys) - [ED25519](#ed25519-ssh-keys)
- [ED25519_SK](#ed25519_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [ECDSA_SK](#ecdsa_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [RSA](#rsa-ssh-keys) - [RSA](#rsa-ssh-keys)
- DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.) - DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.)
- ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.) - ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.)
...@@ -42,6 +44,20 @@ suggests that [ED25519](https://ed25519.cr.yp.to/) keys are more secure and perf ...@@ -42,6 +44,20 @@ suggests that [ED25519](https://ed25519.cr.yp.to/) keys are more secure and perf
OpenSSH 6.5 introduced ED25519 SSH keys in 2014 and they should be available on most OpenSSH 6.5 introduced ED25519 SSH keys in 2014 and they should be available on most
operating systems. operating systems.
### ED25519_SK SSH keys
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ED25519_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
### ECDSA_SK SSH keys
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ECDSA_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
### RSA SSH keys ### RSA SSH keys
Available documentation suggests that ED25519 is more secure than RSA. Available documentation suggests that ED25519 is more secure than RSA.
...@@ -64,6 +80,8 @@ Before you create a key pair, see if a key pair already exists. ...@@ -64,6 +80,8 @@ Before you create a key pair, see if a key pair already exists.
| Algorithm | Public key | Private key | | Algorithm | Public key | Private key |
| --------- | ---------- | ----------- | | --------- | ---------- | ----------- |
| ED25519 (preferred) | `id_ed25519.pub` | `id_ed25519` | | ED25519 (preferred) | `id_ed25519.pub` | `id_ed25519` |
| ED25519_SK | `id_ed25519_sk.pub` | `id_ed25519_sk` |
| ECDSA_SK | `id_ecdsa_sk.pub` | `id_ecdsa_sk` |
| RSA (at least 2048-bit key size) | `id_rsa.pub` | `id_rsa` | | RSA (at least 2048-bit key size) | `id_rsa.pub` | `id_rsa` |
| DSA (deprecated) | `id_dsa.pub` | `id_dsa` | | DSA (deprecated) | `id_dsa.pub` | `id_dsa` |
| ECDSA | `id_ecdsa.pub` | `id_ecdsa` | | ECDSA | `id_ecdsa.pub` | `id_ecdsa` |
...@@ -177,6 +195,67 @@ OpenSSH format. ...@@ -177,6 +195,67 @@ OpenSSH format.
ssh-keygen -o -t rsa -b 4096 -C "<comment>" ssh-keygen -o -t rsa -b 4096 -C "<comment>"
``` ```
## Generate an SSH key pair for a FIDO/U2F hardware security key
To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later.
1. Insert a hardware security key into your computer.
1. Open a terminal.
1. Type `ssh-keygen -t` followed by the key type and an optional comment.
This comment is included in the `.pub` file that's created.
You may want to use an email address for the comment.
For example, for ED25519_SK:
```shell
ssh-keygen -t ed25519-sk -C "<comment>"
```
For ECDSA_SK:
```shell
ssh-keygen -t ecdsa-sk -C "<comment>"
```
If your security key supports FIDO2 resident keys, you can enable this when
creating your SSH key:
```shell
ssh-keygen -t ed25519-sk -O resident -C "<comment>"
```
`-O resident` indicates that the key should be stored on the FIDO authenticator itself.
Resident key is easier to import to a new computer because it can be loaded directly
from the security key by [`ssh-add -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-add.1#K)
or [`ssh-keygen -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-keygen#K).
1. Select Enter. Output similar to the following is displayed:
```plaintext
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
```
1. Touch the button on the hardware security key.
1. Accept the suggested filename and directory:
```plaintext
Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
```
1. Specify a [passphrase](https://www.ssh.com/academy/ssh/passphrase):
```plaintext
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```
1. A confirmation is displayed, including information about where your files are stored.
A public and private key are generated.
[Add the public SSH key to your GitLab account](#add-an-ssh-key-to-your-gitlab-account).
## Add an SSH key to your GitLab account ## Add an SSH key to your GitLab account
To use SSH with GitLab, copy your public key to your GitLab account. To use SSH with GitLab, copy your public key to your GitLab account.
...@@ -210,7 +289,8 @@ To use SSH with GitLab, copy your public key to your GitLab account. ...@@ -210,7 +289,8 @@ To use SSH with GitLab, copy your public key to your GitLab account.
1. On the left sidebar, select **SSH Keys**. 1. On the left sidebar, select **SSH Keys**.
1. In the **Key** box, paste the contents of your public key. 1. In the **Key** box, paste the contents of your public key.
If you manually copied the key, make sure you copy the entire key, If you manually copied the key, make sure you copy the entire key,
which starts with `ssh-ed25519` or `ssh-rsa`, and may end with a comment. which starts with `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`,
`ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, or `sk-ssh-ed25519@openssh.com`, and may end with a comment.
1. In the **Title** box, type a description, like `Work Laptop` or 1. In the **Title** box, type a description, like `Work Laptop` or
`Home Workstation`. `Home Workstation`.
1. Optional. In the **Expires at** box, select an expiration date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36243) in GitLab 12.9.) 1. Optional. In the **Expires at** box, select an expiration date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36243) in GitLab 12.9.)
...@@ -318,7 +398,8 @@ on the files make them readable to you but not accessible to others. ...@@ -318,7 +398,8 @@ on the files make them readable to you but not accessible to others.
## Configure two-factor authentication (2FA) ## Configure two-factor authentication (2FA)
You can set up two-factor authentication (2FA) for You can set up two-factor authentication (2FA) for
[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations). [Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations). We recommend using
[ED25519_SK](#ed25519_sk-ssh-keys) or [ECDSA_SK](#ecdsa_sk-ssh-keys) SSH keys.
## Use EGit on Eclipse ## Use EGit on Eclipse
......
...@@ -280,7 +280,7 @@ NOTE: ...@@ -280,7 +280,7 @@ NOTE:
SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
other related settings. other related settings.
## Configure defaults for RSA, DSA, ECDSA, ED25519 SSH keys ## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
These options specify the permitted types and lengths for SSH keys. These options specify the permitted types and lengths for SSH keys.
......
...@@ -7,13 +7,15 @@ ...@@ -7,13 +7,15 @@
- aws\/credentials$ - aws\/credentials$
# RSA DSA ECSDA and ED25519 SSH keys # RSA, DSA, ECSDA, ED25519, ECDSA_SK, ED25519_SK SSH keys
- (ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa) - (ssh|config)\/(personal|server)_(rsa|dsa|ed25519|ecdsa|ecdsa_sk|ed25519_sk)
- id_rsa$ - id_rsa$
- id_dsa$ - id_dsa$
- id_ed25519$ - id_ed25519$
- id_ecdsa$ - id_ecdsa$
- id_ecdsa_sk$
- id_ed25519_sk$
# privatekey.pem and secret.key # privatekey.pem and secret.key
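Review bot: The comment on the new side still carries the typo `ECSDA`; it should read `# RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys`. The `ecdsa_sk` and `ed25519_sk` alternatives in `(personal|server)_(rsa|dsa|ed25519|ecdsa|ecdsa_sk|ed25519_sk)` are redundant, because that pattern has no end anchor and `ecdsa`/`ed25519` already match those names as prefixes; harmless, but a reader may assume they are needed. Replacing `ed\d+` with `ed25519` also narrows the rule so that a `personal_ed<digits>` file other than ed25519 is no longer blocked; if that narrowing is intentional, a short comment saying so would stop someone from "fixing" it back.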
......
...@@ -10,7 +10,9 @@ module Gitlab ...@@ -10,7 +10,9 @@ module Gitlab
Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w(ssh-rsa)), Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w(ssh-rsa)),
Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w(ssh-dss)), Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w(ssh-dss)),
Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)), Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)),
Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)) Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)),
Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w(sk-ecdsa-sha2-nistp256@openssh.com)),
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
].freeze ].freeze
def self.technology(name) def self.technology(name)
...@@ -98,6 +100,10 @@ module Gitlab ...@@ -98,6 +100,10 @@ module Gitlab
key.openssl.group.order.num_bits key.openssl.group.order.num_bits
when :ed25519 when :ed25519
256 256
when :ecdsa_sk
256
when :ed25519_sk
256
end end
end end
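Review bot: The three `when` branches that return `256` (`:ed25519`, `:ecdsa_sk`, `:ed25519_sk`) can be a single `when :ed25519, :ecdsa_sk, :ed25519_sk then 256`. The hard-coded `256` for `:ecdsa_sk` is correct only because the sole registered sk-ECDSA type is `sk-ecdsa-sha2-nistp256@openssh.com` (the `Technology.new(:ecdsa_sk, ...)` line above); a comment such as `# only the nistp256 sk-ecdsa type is registered, so the curve size is fixed` would explain why this branch does not use `key.openssl.group.order.num_bits` like `:ecdsa`. Note also that for FIDO-backed keys the bit-length restriction is a weak discriminator since every supported size is 256; the meaningful admin control is the forbidden value. The enclosing method starts outside the hunk.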
......
...@@ -148,5 +148,24 @@ FactoryBot.define do ...@@ -148,5 +148,24 @@ FactoryBot.define do
KEY KEY
end end
end end
factory :ecdsa_sk_key_256 do
key do
<<~KEY.delete("\n")
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyN
TZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDZ+f5tSRhlB7EN39f93SscTN5PUv
bD3UQsNrlE1ZdbwPMMRul2zlPiUvwAvnJitW0jlD/vwZOW2YN+q+iZ5c0MAAAAEc3NoOg== dummy@gitlab.com
KEY
end
end
factory :ed25519_sk_key_256 do
key do
<<~KEY.delete("\n")
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tA
AAAIEX/dQ0v4127bEo8eeG1EV0ApO2lWbSnN6RWusn/NjqIAAAABHNzaDo= dummy@gitlab.com
KEY
end
end
end end
end end
...@@ -85,6 +85,8 @@ RSpec.describe 'Admin updates settings' do ...@@ -85,6 +85,8 @@ RSpec.describe 'Admin updates settings' do
select 'Are allowed', from: 'DSA SSH keys' select 'Are allowed', from: 'DSA SSH keys'
select 'Must be at least 384 bits', from: 'ECDSA SSH keys' select 'Must be at least 384 bits', from: 'ECDSA SSH keys'
select 'Are forbidden', from: 'ED25519 SSH keys' select 'Are forbidden', from: 'ED25519 SSH keys'
select 'Are forbidden', from: 'ECDSA_SK SSH keys'
select 'Are forbidden', from: 'ED25519_SK SSH keys'
click_on 'Save changes' click_on 'Save changes'
end end
...@@ -95,6 +97,8 @@ RSpec.describe 'Admin updates settings' do ...@@ -95,6 +97,8 @@ RSpec.describe 'Admin updates settings' do
expect(find_field('DSA SSH keys').value).to eq('0') expect(find_field('DSA SSH keys').value).to eq('0')
expect(find_field('ECDSA SSH keys').value).to eq('384') expect(find_field('ECDSA SSH keys').value).to eq('384')
expect(find_field('ED25519 SSH keys').value).to eq(forbidden) expect(find_field('ED25519 SSH keys').value).to eq(forbidden)
expect(find_field('ECDSA_SK SSH keys').value).to eq(forbidden)
expect(find_field('ED25519_SK SSH keys').value).to eq(forbidden)
end end
it 'change Account and Limit Settings' do it 'change Account and Limit Settings' do
......
...@@ -49,7 +49,12 @@ RSpec.describe 'Profile > SSH Keys' do ...@@ -49,7 +49,12 @@ RSpec.describe 'Profile > SSH Keys' do
context 'when only DSA and ECDSA keys are allowed' do context 'when only DSA and ECDSA keys are allowed' do
before do before do
forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
stub_application_setting(rsa_key_restriction: forbidden, ed25519_key_restriction: forbidden) stub_application_setting(
rsa_key_restriction: forbidden,
ed25519_key_restriction: forbidden,
ecdsa_sk_key_restriction: forbidden,
ed25519_sk_key_restriction: forbidden
)
end end
it 'shows a validation error' do it 'shows a validation error' do
......
...@@ -17,9 +17,9 @@ RSpec.describe SshKeysHelper do ...@@ -17,9 +17,9 @@ RSpec.describe SshKeysHelper do
end end
it 'returns only allowed algorithms' do it 'returns only allowed algorithms' do
expect(ssh_key_allowed_algorithms).to match('ed25519') expect(ssh_key_allowed_algorithms).to match('rsa')
stub_application_setting(ed25519_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE) stub_application_setting(rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
expect(ssh_key_allowed_algorithms).not_to match('ed25519') expect(ssh_key_allowed_algorithms).not_to match('rsa')
end end
end end
end end
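Review bot: The switch from `'ed25519'` to `'rsa'` in this example is not explained; presumably it is because `match('ed25519')` would also hit `ed25519_sk` once that type is in the allowed list, so `not_to match('ed25519')` could no longer pass. A one-line comment, `# 'rsa' is not a substring of any other algorithm name, unlike 'ed25519' (ed25519_sk)`, would record that, or the assertions could use a word-bounded pattern such as `match(/\brsa\b/)` so the test does not depend on substring coincidences.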
...@@ -12,7 +12,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -12,7 +12,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
end end
where(:name) do where(:name) do
[:rsa, :dsa, :ecdsa, :ed25519] [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
end end
with_them do with_them do
...@@ -24,7 +24,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -24,7 +24,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
describe '.supported_types' do describe '.supported_types' do
it 'returns array with the names of supported technologies' do it 'returns array with the names of supported technologies' do
expect(described_class.supported_types).to eq( expect(described_class.supported_types).to eq(
[:rsa, :dsa, :ecdsa, :ed25519] [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
) )
end end
end end
...@@ -35,7 +35,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -35,7 +35,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa, [1024, 2048, 3072, 4096]], [:rsa, [1024, 2048, 3072, 4096]],
[:dsa, [1024, 2048, 3072]], [:dsa, [1024, 2048, 3072]],
[:ecdsa, [256, 384, 521]], [:ecdsa, [256, 384, 521]],
[:ed25519, [256]] [:ed25519, [256]],
[:ecdsa_sk, [256]],
[:ed25519_sk, [256]]
] ]
end end
...@@ -53,6 +55,8 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -53,6 +55,8 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
ssh-dss ssh-dss
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-ed25519 ssh-ed25519
sk-ecdsa-sha2-nistp256@openssh.com
sk-ssh-ed25519@openssh.com
) )
) )
end end
...@@ -64,7 +68,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -64,7 +68,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa, %w(ssh-rsa)], [:rsa, %w(ssh-rsa)],
[:dsa, %w(ssh-dss)], [:dsa, %w(ssh-dss)],
[:ecdsa, %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)], [:ecdsa, %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)],
[:ed25519, %w(ssh-ed25519)] [:ed25519, %w(ssh-ed25519)],
[:ecdsa_sk, %w(sk-ecdsa-sha2-nistp256@openssh.com)],
[:ed25519_sk, %w(sk-ssh-ed25519@openssh.com)]
] ]
end end
...@@ -122,7 +128,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -122,7 +128,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
rsa_key_8192 rsa_key_8192
dsa_key_2048 dsa_key_2048
ecdsa_key_256 ecdsa_key_256
ed25519_key_256) ed25519_key_256
ecdsa_sk_key_256
ed25519_sk_key_256)
end end
with_them do with_them do
...@@ -201,7 +209,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -201,7 +209,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_2048, :rsa], [:rsa_key_2048, :rsa],
[:dsa_key_2048, :dsa], [:dsa_key_2048, :dsa],
[:ecdsa_key_256, :ecdsa], [:ecdsa_key_256, :ecdsa],
[:ed25519_key_256, :ed25519] [:ed25519_key_256, :ed25519],
[:ecdsa_sk_key_256, :ecdsa_sk],
[:ed25519_sk_key_256, :ed25519_sk]
] ]
end end
...@@ -231,7 +241,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -231,7 +241,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 8192], [:rsa_key_8192, 8192],
[:dsa_key_2048, 2048], [:dsa_key_2048, 2048],
[:ecdsa_key_256, 256], [:ecdsa_key_256, 256],
[:ed25519_key_256, 256] [:ed25519_key_256, 256],
[:ecdsa_sk_key_256, 256],
[:ed25519_sk_key_256, 256]
] ]
end end
...@@ -261,7 +273,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -261,7 +273,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 'fb:53:7f:e9:2f:f7:17:aa:c8:32:52:06:8e:05:e2:82'], [:rsa_key_8192, 'fb:53:7f:e9:2f:f7:17:aa:c8:32:52:06:8e:05:e2:82'],
[:dsa_key_2048, 'c8:85:1e:df:44:0f:20:00:3c:66:57:2b:21:10:5a:27'], [:dsa_key_2048, 'c8:85:1e:df:44:0f:20:00:3c:66:57:2b:21:10:5a:27'],
[:ecdsa_key_256, '67:a3:a9:7d:b8:e1:15:d4:80:40:21:34:bb:ed:97:38'], [:ecdsa_key_256, '67:a3:a9:7d:b8:e1:15:d4:80:40:21:34:bb:ed:97:38'],
[:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73'] [:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73'],
[:ecdsa_sk_key_256, '56:b9:bc:99:3d:2f:cf:63:6b:70:d8:f9:40:7e:09:4c'],
[:ed25519_sk_key_256, 'f9:a0:64:0b:4b:72:72:0e:62:92:d7:04:14:74:1c:c9']
] ]
end end
...@@ -289,7 +303,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do ...@@ -289,7 +303,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 'SHA256:CtHFQAS+9Hb8z4vrv4gVQPsHjNN0WIZhWODaB1mQLs4'], [:rsa_key_8192, 'SHA256:CtHFQAS+9Hb8z4vrv4gVQPsHjNN0WIZhWODaB1mQLs4'],
[:dsa_key_2048, 'SHA256:+a3DQ7cU5GM+gaYOfmc0VWNnykHQSuth3VRcCpWuYNI'], [:dsa_key_2048, 'SHA256:+a3DQ7cU5GM+gaYOfmc0VWNnykHQSuth3VRcCpWuYNI'],
[:ecdsa_key_256, 'SHA256:C+I5k3D+IGeM6k5iBR1ZsphqTKV+7uvL/XZ5hcrTr7g'], [:ecdsa_key_256, 'SHA256:C+I5k3D+IGeM6k5iBR1ZsphqTKV+7uvL/XZ5hcrTr7g'],
[:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0'] [:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0'],
[:ecdsa_sk_key_256, 'SHA256:N0sNKBgWKK8usPuPegtgzHQQA9vQ/dRhAEhwFDAnLA4'],
[:ed25519_sk_key_256, 'SHA256:U8IKRkIHed6vFMTflwweA3HhIf2DWgZ8EFTm9fgwOUk']
] ]
end end
......
...@@ -20,6 +20,8 @@ RSpec.describe Key, :mailer do ...@@ -20,6 +20,8 @@ RSpec.describe Key, :mailer do
it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) } it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) } it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) } it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ecdsa_sk_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ed25519_sk_key_256)[:key]).for(:key) }
it { is_expected.not_to allow_value('foo-bar').for(:key) } it { is_expected.not_to allow_value('foo-bar').for(:key) }
context 'key format' do context 'key format' do
...@@ -187,10 +189,12 @@ RSpec.describe Key, :mailer do ...@@ -187,10 +189,12 @@ RSpec.describe Key, :mailer do
forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
[ [
[:rsa_key_2048, 0, true], [:rsa_key_2048, 0, true],
[:dsa_key_2048, 0, true], [:dsa_key_2048, 0, true],
[:ecdsa_key_256, 0, true], [:ecdsa_key_256, 0, true],
[:ed25519_key_256, 0, true], [:ed25519_key_256, 0, true],
[:ecdsa_sk_key_256, 0, true],
[:ed25519_sk_key_256, 0, true],
[:rsa_key_2048, 1024, true], [:rsa_key_2048, 1024, true],
[:rsa_key_2048, 2048, true], [:rsa_key_2048, 2048, true],
...@@ -206,10 +210,18 @@ RSpec.describe Key, :mailer do ...@@ -206,10 +210,18 @@ RSpec.describe Key, :mailer do
[:ed25519_key_256, 256, true], [:ed25519_key_256, 256, true],
[:ed25519_key_256, 384, false], [:ed25519_key_256, 384, false],
[:rsa_key_2048, forbidden, false], [:ecdsa_sk_key_256, 256, true],
[:dsa_key_2048, forbidden, false], [:ecdsa_sk_key_256, 384, false],
[:ecdsa_key_256, forbidden, false],
[:ed25519_key_256, forbidden, false] [:ed25519_sk_key_256, 256, true],
[:ed25519_sk_key_256, 384, false],
[:rsa_key_2048, forbidden, false],
[:dsa_key_2048, forbidden, false],
[:ecdsa_key_256, forbidden, false],
[:ed25519_key_256, forbidden, false],
[:ecdsa_sk_key_256, forbidden, false],
[:ed25519_sk_key_256, forbidden, false]
] ]
end end
......
...@@ -32,6 +32,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do ...@@ -32,6 +32,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
expect(json_response['dsa_key_restriction']).to eq(0) expect(json_response['dsa_key_restriction']).to eq(0)
expect(json_response['ecdsa_key_restriction']).to eq(0) expect(json_response['ecdsa_key_restriction']).to eq(0)
expect(json_response['ed25519_key_restriction']).to eq(0) expect(json_response['ed25519_key_restriction']).to eq(0)
expect(json_response['ecdsa_sk_key_restriction']).to eq(0)
expect(json_response['ed25519_sk_key_restriction']).to eq(0)
expect(json_response['performance_bar_allowed_group_id']).to be_nil expect(json_response['performance_bar_allowed_group_id']).to be_nil
expect(json_response['allow_local_requests_from_hooks_and_services']).to be(false) expect(json_response['allow_local_requests_from_hooks_and_services']).to be(false)
expect(json_response['allow_local_requests_from_web_hooks_and_services']).to be(false) expect(json_response['allow_local_requests_from_web_hooks_and_services']).to be(false)
...@@ -111,6 +113,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do ...@@ -111,6 +113,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
dsa_key_restriction: 2048, dsa_key_restriction: 2048,
ecdsa_key_restriction: 384, ecdsa_key_restriction: 384,
ed25519_key_restriction: 256, ed25519_key_restriction: 256,
ecdsa_sk_key_restriction: 256,
ed25519_sk_key_restriction: 256,
enforce_terms: true, enforce_terms: true,
terms: 'Hello world!', terms: 'Hello world!',
performance_bar_allowed_group_path: group.full_path, performance_bar_allowed_group_path: group.full_path,
...@@ -163,6 +167,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do ...@@ -163,6 +167,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
expect(json_response['dsa_key_restriction']).to eq(2048) expect(json_response['dsa_key_restriction']).to eq(2048)
expect(json_response['ecdsa_key_restriction']).to eq(384) expect(json_response['ecdsa_key_restriction']).to eq(384)
expect(json_response['ed25519_key_restriction']).to eq(256) expect(json_response['ed25519_key_restriction']).to eq(256)
expect(json_response['ecdsa_sk_key_restriction']).to eq(256)
expect(json_response['ed25519_sk_key_restriction']).to eq(256)
expect(json_response['enforce_terms']).to be(true) expect(json_response['enforce_terms']).to be(true)
expect(json_response['terms']).to eq('Hello world!') expect(json_response['terms']).to eq('Hello world!')
expect(json_response['performance_bar_allowed_group_id']).to eq(group.id) expect(json_response['performance_bar_allowed_group_id']).to eq(group.id)
......
...@@ -90,8 +90,8 @@ RSpec.describe 'profiles/keys/_key.html.haml' do ...@@ -90,8 +90,8 @@ RSpec.describe 'profiles/keys/_key.html.haml' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:valid, :expiry, :result) do where(:valid, :expiry, :result) do
false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519' false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
false | 2.days.ago | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519' false | 2.days.ago | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
true | 2.days.ago | 'Key usable beyond expiration date.' true | 2.days.ago | 'Key usable beyond expiration date.'
true | 2.days.from_now | '' true | 2.days.from_now | ''
end end
......