Add support for security key/FIDO2-based ssh keys
Problem to solve
OpenSSH supports using a FIDO2-based security key to store the private key of an SSH key pair. I would like to use this feature, as I use such a security token for 2FA already (on GitLab as well), but these keys have a new key type which is not supported by the GitLab UI for adding SSH keys currently.
Intended users
Developers, anyone else pushing/pulling git repositories
Further details
Storing the SSH private key on a security key is a convenient way of securing your SSH access. It allows the secure use of a single SSH key even when switching between computers: the private key does not have to be copied to every machine, and no separate per-machine private keys need to be created. The same security keys are already used for phishing-resistant 2FA on GitLab, so a user could use one token for both 2FA and SSH.
An example of such a public key:
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBHYsEOLfc3STGIU5I3vi8xIDewxg72BnkHozNfXxc+2CL1e9Mkr3Kn8jMS+ZxF2q5kY8oT6x3G+omFZPc51aszcAAAAEc3NoOg== comment
The current UI rejects this as not being a valid SSH public key, because it does not recognise the sk-* key type prefix.
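To make concrete what "recognising" the new key type involves, the following is an added example (not GitLab's own code, and not part of the original issue): a small Ruby validator that accepts both the classic key types and the two FIDO2-backed types from OpenSSH 8.2, decodes the base64 blob, checks that the key type embedded in the blob agrees with the text prefix, and for the sk-* types walks the wire format described in OpenSSH's PROTOCOL.u2f (sk-ecdsa: type, curve name, EC point, application string; sk-ed25519: type, 32-byte public key, application string). The list of classic key types and all function names are assumptions chosen for this example; the ECDSA key it parses is the one quoted above.

```ruby
# Classic key types (assumption: a representative list for this example) and
# the two FIDO2-backed types introduced in OpenSSH 8.2.
CLASSIC_KEY_TYPES = %w[
  ssh-rsa
  ssh-ed25519
  ecdsa-sha2-nistp256
  ecdsa-sha2-nistp384
  ecdsa-sha2-nistp521
].freeze

SK_KEY_TYPES = %w[
  sk-ecdsa-sha2-nistp256@openssh.com
  sk-ssh-ed25519@openssh.com
].freeze

# The FIDO2 public key quoted in this issue.
PAGE_EXAMPLE_KEY = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBHYsEOLfc3STGIU5I3vi8xIDewxg72BnkHozNfXxc+2CL1e9Mkr3Kn8jMS+ZxF2q5kY8oT6x3G+omFZPc51aszcAAAAEc3NoOg== comment".freeze

class InvalidKeyError < StandardError; end

# Reads one SSH wire-format "string" (uint32 big-endian length, then bytes)
# starting at +offset+; returns the bytes and the offset just past them.
def read_ssh_string(blob, offset)
  raise InvalidKeyError, "truncated length field" if blob.bytesize < offset + 4
  len = blob.byteslice(offset, 4).unpack1("N")
  raise InvalidKeyError, "truncated string" if blob.bytesize < offset + 4 + len
  [blob.byteslice(offset + 4, len), offset + 4 + len]
end

# Encodes bytes as an SSH wire-format string (used to build test keys).
def ssh_string(bytes)
  [bytes.bytesize].pack("N") + bytes.b
end

# Validates one authorized_keys-style line and returns a hash describing it.
# Raises InvalidKeyError for anything that should be rejected by a key-adding UI.
def parse_public_key(line)
  type, b64, comment = line.strip.split(" ", 3)
  raise InvalidKeyError, "missing key data" if b64.nil?
  unless CLASSIC_KEY_TYPES.include?(type) || SK_KEY_TYPES.include?(type)
    raise InvalidKeyError, "unsupported key type: #{type}"
  end

  blob = begin
    b64.unpack1("m0") # strict base64: rejects bad characters and bad padding
  rescue ArgumentError
    raise InvalidKeyError, "key data is not valid base64"
  end

  # The blob itself starts with the key type; it must agree with the text prefix.
  inner_type, pos = read_ssh_string(blob, 0)
  raise InvalidKeyError, "key type prefix does not match key data" unless inner_type == type

  info = { type: type, comment: comment, fido2: SK_KEY_TYPES.include?(type) }

  case type
  when "sk-ecdsa-sha2-nistp256@openssh.com"
    curve, pos = read_ssh_string(blob, pos)
    point, pos = read_ssh_string(blob, pos)
    application, pos = read_ssh_string(blob, pos)
    raise InvalidKeyError, "unexpected curve #{curve}" unless curve == "nistp256"
    unless point.bytesize == 65 && point.getbyte(0) == 0x04
      raise InvalidKeyError, "EC point is not an uncompressed P-256 point"
    end
    info.merge!(curve: curve, application: application)
  when "sk-ssh-ed25519@openssh.com"
    pk, pos = read_ssh_string(blob, pos)
    application, pos = read_ssh_string(blob, pos)
    raise InvalidKeyError, "Ed25519 public key must be 32 bytes" unless pk.bytesize == 32
    info.merge!(application: application)
  end

  # For the sk-* types we parsed every field, so nothing may follow them.
  if info[:fido2] && pos != blob.bytesize
    raise InvalidKeyError, "trailing bytes after key data"
  end
  info
end

if __FILE__ == $PROGRAM_NAME
  p parse_public_key(PAGE_EXAMPLE_KEY)
end
```

The application string ("ssh:" here) is worth surfacing in a UI or audit log: it is the relying-party identifier the token signed for when the key was generated, which is how a reviewer can tell a FIDO2-backed key from a software key with the same curve.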
Proposal
OpenSSH has supported these keys since version 8.2. Implementing this may require updating the OpenSSH server software and changing the SSH key handling so that the new sk-* key types are accepted.
Permissions and Security
Documentation
Availability & Testing
Add an end-to-end test for Git operations with FIDO2-based SSH keys: gitlab-org/quality/testcases#2445 (closed)
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
OpenSSH 8.2 release notes: http://www.openssh.com/txt/release-8.2
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.