Enforce SSH key expiration by default
- Personal Access Tokens (PATs) have an optional expiration date. This expiration is enforced by default.
- SSH keys have an optional expiration date. This expiration is NOT enforced by default.
Problem to solve
There are 2 problems with opposite expiration enforcement for PATs and SSH keys:
- UX: We don't want similar features behaving differently, and currently the only difference between PATs and SSH keys is whether expiration is enforced by default (see differences below).
- Security: More complexity in code and documentation tends to create more security problems.
- SSH key expiration should be enforced by default, the same as PAT expiration, starting in 14.0 (because breaking changes should be included in major releases).
- Users with soon-expiring SSH keys should:
- The documentation should be updated:
- "The expiration date is informational only, and does not prevent you from using the key."
- Add db migration to change default value for
- Updating default value will not change the value for existing instances. For existing database instances, add a data migration to update the column
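To gauge the impact of flipping the default, an instance administrator can check which existing keys would stop authenticating once expiration is enforced. The following is an added example, not GitLab's code: the record fields (`id`, `title`, `expires_at`), the helper names, the 7-day warning window and the sample data are all assumptions constructed for illustration.

```ruby
require "time"

# Constructed sample records; field names are assumptions, not GitLab's schema.
SAMPLE_KEYS = [
  { id: 1, title: "laptop",     expires_at: "2021-03-01T00:00:00Z" },
  { id: 2, title: "ci-runner",  expires_at: "2021-06-10T00:00:00Z" },
  { id: 3, title: "yubikey",    expires_at: nil },
  { id: 4, title: "old-server", expires_at: "2020-12-31T23:59:59Z" }
].freeze

# A key with no expiration date never expires. Treating the exact expiry
# instant as already expired is an assumption of this example.
def expired?(key, now)
  exp = key[:expires_at]
  !exp.nil? && Time.iso8601(exp) <= now
end

# enforce: false models the informational-only behaviour (the date is shown
# but the key still works); enforce: true models enforced expiration.
def usable?(key, now:, enforce:)
  !(enforce && expired?(key, now))
end

# Sort key ids by what changing the default does to them.
def audit(keys, now:, warn_days: 7)
  horizon = now + warn_days * 86_400
  report = { breaks_on_enforcement: [], expiring_soon: [], unaffected: [] }
  keys.each do |key|
    if usable?(key, now: now, enforce: false) && !usable?(key, now: now, enforce: true)
      report[:breaks_on_enforcement] << key[:id] # works today, rejected once enforced
    elsif key[:expires_at] && Time.iso8601(key[:expires_at]) <= horizon
      report[:expiring_soon] << key[:id]         # owner should rotate before expiry
    else
      report[:unaffected] << key[:id]
    end
  end
  report
end

NOW = Time.iso8601("2021-06-05T00:00:00Z") # fixed clock so the result is reproducible
p audit(SAMPLE_KEYS, now: NOW)
```

Keys in `breaks_on_enforcement` are the ones whose owners see a behaviour change at upgrade time, since an expired key that was still accepted is a credential that outlived its intended lifetime.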
Differences between PATs and SSH keys
Related feature history
| | PATs | SSH keys |
|---|---|---|
| Expiration date (Core) | e5cf527f without enforcement (enforcement by default added later) | #36243 (closed) without enforcement |
| Lifetime (Ultimate) | #3649 (closed) | #1007 |
| Enforcement (Ultimate) | #214723 (closed) allows enforcement to be disabled | #320970 will allow enforcement to be enabled |