From b0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Mon, 21 Aug 2017 11:30:03 +0100 Subject: Add settings for minimum key strength and allowed key type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is an amalgamation of: * Cory Hinshaw: Initial implementation !5552 * Rémy Coutable: Updates !9350 * Nick Thomas: Resolve conflicts and add ED25519 support !13712 --- doc/security/README.md | 1 + doc/security/img/ssh_keys_restrictions_settings.png | Bin 0 -> 41803 bytes doc/security/ssh_keys_restrictions.md | 18 ++++++++++++++++++ 3 files changed, 19 insertions(+) create mode 100644 doc/security/img/ssh_keys_restrictions_settings.png create mode 100644 doc/security/ssh_keys_restrictions.md (limited to 'doc/security') diff --git a/doc/security/README.md b/doc/security/README.md index 38706e48ec5..1f54948d113 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -1,6 +1,7 @@ # Security - [Password length limits](password_length_limits.md) +- [Restrict allowed SSH key technologies and minimum length](ssh_keys_restrictions.md) - [Rack attack](rack_attack.md) - [Webhooks and insecure internal web services](webhooks.md) - [Information exclusivity](information_exclusivity.md) diff --git a/doc/security/img/ssh_keys_restrictions_settings.png b/doc/security/img/ssh_keys_restrictions_settings.png new file mode 100644 index 00000000000..b62bfc2f7e0 Binary files /dev/null and b/doc/security/img/ssh_keys_restrictions_settings.png differ diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md new file mode 100644 index 00000000000..32ca7dacab3 --- /dev/null +++ b/doc/security/ssh_keys_restrictions.md @@ -0,0 +1,18 @@ +# Restrict allowed SSH key technologies and minimum length + +`ssh-keygen` allows users to create RSA keys with as few as 768 bits, which +falls well below recommendations from certain standards groups (such as the US +NIST). Some organizations deploying Gitlab will need to enforce minimum key +strength, either to satisfy internal security policy or for regulatory +compliance. + +Similarly, certain standards groups recommend using RSA or ECDSA over the older +DSA and administrators may need to limit the allowed SSH key algorithms. + +GitLab allows you to restrict the allowed SSH key technology as well as specify +the minimum key length for each technology. + +In the Admin area under **Settings** (`/admin/application_settings`), look for +the "Visibility and Access Controls" area: + +![SSH keys restriction admin settings](img/ssh_keys_restrictions_settings.png) -- cgit v1.2.1 From 6847060266792471c9c14518a5106e0f622cd6c5 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Fri, 25 Aug 2017 14:08:48 +0100 Subject: Rework the permissions model for SSH key restrictions `allowed_key_types` is removed and the `minimum__bits` fields are renamed to `_key_restriction`. A special sentinel value (`-1`) signifies that the key type is disabled. This also feeds through to the UI - checkboxes per key type are out, inline selection of "forbidden" and "allowed" (i.e., no restrictions) are in. As with the previous model, unknown key types are disallowed, even if the underlying ssh daemon happens to support them. The defaults have also been changed from the lowest known bit size to "no restriction". So if someone does happen to have a 768-bit RSA key, it will continue to work on upgrade, at least until the administrator restricts them. --- doc/security/img/ssh_keys_restrictions_settings.png | Bin 41803 -> 13698 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'doc/security') diff --git a/doc/security/img/ssh_keys_restrictions_settings.png b/doc/security/img/ssh_keys_restrictions_settings.png index b62bfc2f7e0..7b8bbb05bce 100644 Binary files a/doc/security/img/ssh_keys_restrictions_settings.png and b/doc/security/img/ssh_keys_restrictions_settings.png differ -- cgit v1.2.1 From b84ca08e351fc9238bef4e6b4bf74158d25d4f1d Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Mon, 28 Aug 2017 21:33:35 +0100 Subject: Address review comments --- doc/security/README.md | 2 +- doc/security/ssh_keys_restrictions.md | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'doc/security') diff --git a/doc/security/README.md b/doc/security/README.md index 1f54948d113..0fea6be8b55 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -1,7 +1,7 @@ # Security - [Password length limits](password_length_limits.md) -- [Restrict allowed SSH key technologies and minimum length](ssh_keys_restrictions.md) +- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) - [Rack attack](rack_attack.md) - [Webhooks and insecure internal web services](webhooks.md) - [Information exclusivity](information_exclusivity.md) diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md index 32ca7dacab3..213fa5bfef5 100644 --- a/doc/security/ssh_keys_restrictions.md +++ b/doc/security/ssh_keys_restrictions.md @@ -2,12 +2,13 @@ `ssh-keygen` allows users to create RSA keys with as few as 768 bits, which falls well below recommendations from certain standards groups (such as the US -NIST). Some organizations deploying Gitlab will need to enforce minimum key +NIST). Some organizations deploying GitLab will need to enforce minimum key strength, either to satisfy internal security policy or for regulatory compliance. -Similarly, certain standards groups recommend using RSA or ECDSA over the older -DSA and administrators may need to limit the allowed SSH key algorithms. +Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over +the older DSA, and administrators may need to limit the allowed SSH key +algorithms. GitLab allows you to restrict the allowed SSH key technology as well as specify the minimum key length for each technology. -- cgit v1.2.1 From 29b40db58944a32db6cf1ae9906653a2e5f4be9d Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Wed, 30 Aug 2017 21:20:00 +0100 Subject: More review comments --- doc/security/img/ssh_keys_restrictions_settings.png | Bin 13698 -> 68496 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'doc/security') diff --git a/doc/security/img/ssh_keys_restrictions_settings.png b/doc/security/img/ssh_keys_restrictions_settings.png index 7b8bbb05bce..2e918fd4b3f 100644 Binary files a/doc/security/img/ssh_keys_restrictions_settings.png and b/doc/security/img/ssh_keys_restrictions_settings.png differ -- cgit v1.2.1