Add support for security key/FIDO2-based ssh keys
Problem to solve
OpenSSH supports using a FIDO2-based security key to store the private key of an SSH key pair. I would like to use this feature, as I use such a security token for 2FA already (on GitLab as well), but these keys have a new key type which is not currently supported by the GitLab UI for adding SSH keys.
Developers, anyone else pushing/pulling git repositories
Storing the SSH private key on a security key is a convenient way of securing your SSH access. It allows the secure use of a single SSH key even when switching between computers, since the private key doesn't have to be copied to every machine, or multiple private keys created for the machines. These security keys are also used for secure phishing-resistant 2FA on GitLab already, so a user could use their token for both 2FA and SSH.
An example of such a public key:
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBHYsEOLfc3STGIU5I3vi8xIDewxg72BnkHozNfXxc+2CL1e9Mkr3Kn8jMS+ZxF2q5kY8oT6x3G+omFZPc51aszcAAAAEc3NoOg== comment
The current UI doesn't consider this a proper SSH public key.
This feature has been supported since OpenSSH 8.2. Implementation might need an update of the OpenSSH server software and changes to the SSH key handling.
Links / references
OpenSSH 8.2 release notes: http://www.openssh.com/txt/release-8.2
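What a key validator has to accept for the key type above, as an added example that is not part of the original issue and is not GitLab or OpenSSH code. It parses the public key from the issue and checks its fields; the function names are hypothetical, the field layout follows OpenSSH's PROTOCOL.u2f, and the `sk-ssh-ed25519@openssh.com` branch goes beyond the one key shown here.

```python
import base64
import hashlib
import struct

# Public key from the issue above. The first field is written out as OpenSSH
# emits it; the same string is the first length-prefixed field of the blob.
EXAMPLE_KEY = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABB"
    "BHYsEOLfc3STGIU5I3vi8xIDewxg72BnkHozNfXxc+2CL1e9Mkr3Kn8jMS+ZxF2q5kY8oT6x"
    "3G+omFZPc51aszcAAAAEc3NoOg== comment"
)

def read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_sk_public_key(line):
    """Validate one authorized_keys-style line holding an sk-* key."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = read_string(blob, 0)
    if ktype.decode("ascii", "replace") != parts[0]:
        raise ValueError("type prefix does not match type inside blob")
    if parts[0] == "sk-ecdsa-sha2-nistp256@openssh.com":
        curve, off = read_string(blob, off)
        pub, off = read_string(blob, off)
        # Uncompressed P-256 point: 0x04 || X || Y (curve membership not checked here).
        ok = curve == b"nistp256" and len(pub) == 65 and pub[0] == 4
    elif parts[0] == "sk-ssh-ed25519@openssh.com":
        pub, off = read_string(blob, off)
        ok = len(pub) == 32
    else:
        raise ValueError("not a security-key (sk-*) key type")
    app, off = read_string(blob, off)  # FIDO application string, "ssh:" by default
    if not ok or off != len(blob):
        raise ValueError("malformed key material or trailing bytes")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": parts[0], "application": app.decode(), "fingerprint": fp}
```

Compared with a plain `ecdsa-sha2-nistp256` key, the blob carries one extra trailing string (the application), which is why a validator that knows only the older types rejects it.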