  • #250480
Created Sep 16, 2020 by Aishwarya Subramanian (@aishbuilds, Contributor)

Optional enforcement of SSH key expiration

Release notes

Problem to solve

The SSH key expiration introduced in #36243 (closed) is never enforced, implying the key is always active even after the expiration.

Similar to Optional PAT enforcement, this issue aims to allow an administrator to configure whether key expiration should be enforced or not.

To be in line with current implementation, the default behavior can be to not enforce the expiry.

This might especially be useful for organizations that prefer a hard enforcement for token rotations.

Intended users

  • Cameron (Compliance Manager)
  • Sidney (Systems Administrator)

Proposal

Add a checkbox in the Admin Dashboard (Settings -> General -> Account and limit)

  • Enforce SSH key expiration

When enabled, the keys will become unusable after expiration.

Implementation details

backend - 2

  • Add migration to create a new column enforce_ssh_key_expiration in application_settings
  • Changes to ee/app/helpers/ee/application_settings_helper.rb to include the above column to the list of visible attributes
  • When SSH key expiration is enforced:
    • Return forbidden error when key has expired

frontend - 1

  • Add checkbox in Admin dashboard

Note: The optional PAT expiration MR can be handy for implementing most of the changes.

Documentation

Add documentation to Account and Limit Settings page.

Edited Nov 17, 2020 by Dan Jensen
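
The enforcement decision proposed in this issue, sketched as an added example (not GitLab's code and not part of the original issue): with the setting off an expired key still authenticates, with it on the request is rejected as forbidden, and a pre-flight helper lists which keys would stop working if an administrator enabled the checkbox. Every name except `enforce_ssh_key_expiration` is hypothetical, and the rule that a key is expired once `expires_at` is in the past is an assumption.

```ruby
# Added illustration; not GitLab's implementation. All names except
# enforce_ssh_key_expiration are hypothetical.
require 'time'

SshKey = Struct.new(:title, :expires_at) do
  # Assumption: a key with no expires_at never expires; otherwise it is
  # expired once expires_at is in the past.
  def expired?(now)
    !expires_at.nil? && expires_at < now
  end
end

# Mirrors the proposed application_settings column; unset means not enforced.
Settings = Struct.new(:enforce_ssh_key_expiration) do
  def enforce?
    enforce_ssh_key_expiration == true
  end
end

# Returns [:ok, nil] or [:forbidden, reason] for one SSH authentication attempt.
def check_ssh_key(key, settings, now)
  return [:ok, nil] unless key.expired?(now)
  return [:ok, nil] unless settings.enforce?

  [:forbidden, "SSH key '#{key.title}' expired on #{key.expires_at.utc.iso8601}"]
end

# Pre-flight for administrators: which keys would start failing if the
# checkbox were enabled right now?
def keys_blocked_by_enforcement(keys, now)
  enforced = Settings.new(true)
  keys.select { |k| check_ssh_key(k, enforced, now).first == :forbidden }
end

# Constructed sample data.
NOW = Time.utc(2020, 11, 17, 12, 0, 0)
SAMPLE_KEYS = [
  SshKey.new('laptop', nil),
  SshKey.new('ci-runner', Time.utc(2020, 10, 1)),
  SshKey.new('workstation', Time.utc(2021, 1, 1))
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_KEYS.each do |k|
    [Settings.new(false), Settings.new(true)].each do |s|
      puts "#{k.title} enforce=#{s.enforce?} -> #{check_ssh_key(k, s, NOW).inspect}"
    end
  end
  puts "would be blocked: #{keys_blocked_by_enforcement(SAMPLE_KEYS, NOW).map(&:title)}"
end
```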