Optional enforcement of SSH key expiration

Release notes

Problem to solve

The SSH key expiration introduced in #36243 (closed) is never enforced, so a key remains active even after its expiration date.

Similar to Optional PAT enforcement, this issue aims to allow an administrator to configure whether key expiration should be enforced or not.

To be in line with the current implementation, the default behavior can be to not enforce the expiry.

This may be especially useful for organizations that prefer hard enforcement of token rotation.

Intended users

Proposal

Add a checkbox in the Admin Dashboard (Settings -> General -> Account and limit)

  • Enforce SSH key expiration

When enabled, keys will become unusable after expiration.
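
The sketch below is an added example, not GitLab code: it models the proposed behavior, including the non-enforcing default, and lists which keys would stop working if the checkbox were enabled. Only the name enforce_ssh_key_expiration comes from this issue; the structs, method names, and the rule that a key is expired once the current time reaches expires_at are assumptions.

```ruby
# Hypothetical stand-ins for illustration. Only the setting name
# enforce_ssh_key_expiration comes from the proposal.
Settings = Struct.new(:enforce_ssh_key_expiration)
SshKey   = Struct.new(:title, :expires_at)

# Proposed default: expiry is recorded but not enforced.
DEFAULT_SETTINGS = Settings.new(false)

# Decide whether a key may authenticate at time `now`.
# Assumption: a key counts as expired once now >= expires_at.
def key_decision(key, settings = DEFAULT_SETTINGS, now: Time.now.utc)
  return :allow if key.expires_at.nil?   # key was created without an expiry date
  return :allow if now < key.expires_at  # still within its lifetime
  settings.enforce_ssh_key_expiration ? :deny_expired : :allow_expired_unenforced
end

# Keys that would stop working if enforcement were enabled at `now`.
# Worth reviewing before an administrator switches the setting on.
def keys_blocked_if_enforced(keys, now: Time.now.utc)
  enforced = Settings.new(true)
  keys.select { |k| key_decision(k, enforced, now: now) == :deny_expired }
end

# Constructed sample data.
NOW  = Time.utc(2021, 1, 15, 12, 0, 0)
KEYS = [
  SshKey.new("laptop",     nil),
  SshKey.new("ci-runner",  Time.utc(2021, 6, 1)),
  SshKey.new("old-laptop", Time.utc(2020, 12, 31)),
  SshKey.new("boundary",   NOW)
].freeze

if __FILE__ == $PROGRAM_NAME
  [DEFAULT_SETTINGS, Settings.new(true)].each do |settings|
    puts "enforce_ssh_key_expiration=#{settings.enforce_ssh_key_expiration}"
    KEYS.each { |k| puts "  #{k.title}: #{key_decision(k, settings, now: NOW)}" }
  end
  blocked = keys_blocked_if_enforced(KEYS, now: NOW).map(&:title)
  puts "would stop working under enforcement: #{blocked.join(', ')}"
end
```

The :allow_expired_unenforced result marks the case this issue describes, an expired key that is still accepted, so it can be logged or counted separately from ordinary successful authentications.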

Implementation details

backend - 2

  • Add migration to create a new column enforce_ssh_key_expiration in application_settings
  • Change ee/app/helpers/ee/application_settings_helper.rb to add the above column to the list of visible attributes
  • When SSH key expiration is enforced:

frontend - 1

  • Add checkbox in Admin dashboard

Note: The optional PAT expiration MR can be handy for implementing most of the changes.

Documentation

Add documentation to Account and Limit Settings page.

Edited by Dan Jensen