Remove comment from SSH public key on https://gitlab-installation/username.keys

Summary

Since GitLab v6.6.0 one can retrieve the public SSH keys of a user via HTTP:

- Retrieving user ssh keys publically(github style): http://__HOST__/__USERNAME__.keys

github.com serves the pubkey completely without a comment. I think GitLab should emulate this behaviour.

Also this is afaik personally identifiable information. This way you can connect a cryptographically secure value to a name/person. This should always be up to the user!

Steps to reproduce

Options:

curl https://gitlab.com/__USERNAME__.keys 
curl https://github.com/__USERNAME__.keys
wget https://gitlab.com/__USERNAME__.keys 
wget https://github.com/__USERNAME__.keys

or open one of the URLs in your browser.

Nice to have

Give the option to the user to change this behaviour in the settings either globally or on a 'per key' basis.

Example:

  • Do you wish to publish your SSH public keys via http://HOST/USERNAME.keys?
    • [Y|n]

Yes seems to be the usual (expected?) behaviour. (Though for a long time I did not know that this feature existed. I can see that it might be very useful but still informed consent would be nice where possible.)

  • Do you want to add your full name to the key comment?
    • [y|N]

No should be the default behaviour.

PS: Could someone please give me an RTFM (including a link to the relevant documentation) because having looked at https://docs.gitlab.com/ce/ssh/README.html I cannot find a section in the documentation that mentions this feature. :-)

References:

  • http://www.linuxcertif.com/man/5/authorized_keys/#AUTHORIZED_KEYS_FILE_FORMAT_14h
Edited Mar 12, 2019 by Mark Fletcher
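
Added example (not part of the original issue, and not GitLab's or GitHub's code): a Python sketch of the behaviour requested above. It splits each line served at /USERNAME.keys into key type, base64 blob and comment, emits only the first two, and collects the comments that would otherwise be published. The sample key is constructed (all-zero key bytes) and the function names are hypothetical.

```python
import base64
import struct

def _ed25519_blob_b64():
    # Constructed sample: SSH wire format "string keytype, string key", 32 zero bytes.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(blob).decode()

SAMPLE_B64 = _ed25519_blob_b64()
# Constructed stand-in for the body served at /USERNAME.keys
SAMPLE = (
    f"ssh-ed25519 {SAMPLE_B64} Jane Doe (constructed)\n"
    f"ssh-ed25519 {SAMPLE_B64}\n"
)

def split_pubkey(line):
    """Return (keytype, blob_b64, comment) for one public-key line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 2)  # the comment may itself contain spaces
    if len(fields) < 2:
        return None
    keytype, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type; require a
    # match so a comment word is never mistaken for key material.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, blob_b64, fields[2] if len(fields) == 3 else ""

def strip_comments(keys_text):
    """Return (comment-free key text, list of comments that were exposed)."""
    clean, exposed = [], []
    for line in keys_text.splitlines():
        parsed = split_pubkey(line)
        if parsed is None:
            continue
        keytype, blob_b64, comment = parsed
        clean.append(f"{keytype} {blob_b64}\n")
        if comment:
            exposed.append(comment)
    return "".join(clean), exposed

if __name__ == "__main__":
    text, comments = strip_comments(SAMPLE)
    print(text, end="")
    print("comments that were published:", comments)
```
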