Enforce SSH key expiration by default
Facts
- Personal Access Tokens (PATs) have an optional expiration date. This expiration is enforced by default.
- SSH keys have an optional expiration date. This expiration is NOT enforced by default.
Problem to solve
There are 2 problems with opposite expiration enforcement for PATs and SSK keys:
- UX: We don't want similar features behaving differently, and currently the only difference between PATs and SSH keys is whether expiration is enforced by default (see differences below).
- Security: More complexity in code and documentation tends to create more security problems.
Proposal
- SSH key expiration should be enforced by default, the same as PAT expiration, starting in 14.0 (because breaking changes should be included in major releases).
- Users with soon-expiring SSH keys should:
- See a warning in the UI, the same as PAT expiration warnings.
- Receive a notification email, the same as PAT notification emails.
- The documentation should be updated:
- "The expiration date is informational only, and does not prevent you from using the key."
Technical implementation
- Add db migration to change default value for
enforce_ssh_key_expirationfromfalsetotrue - Updating default value will not change the value for existing instances. For existing database instances, add a data migration to update the column
enforce_ssh_key_expirationtotrue
Differences between PATs and SSS keys
^ courtesy of @asubramanian1 in #299598 (comment 513436846)
Related feature history
| Feature | PAT | SSH |
|---|---|---|
| Expiration date (Core) | e5cf527f without enforcement (enforcement by default added later) | #36243 (closed) without enforcement |
| Lifetime (Ultimate) | #3649 (closed) | #1007 |
| Enforcement (Ultimate) | #214723 (closed) allows enforcement to be disabled | #320970 will allow enforcement to be enabled |