Automate fetching SSH fingerprints of keys to ban
The following discussions from !87541 (merged) should be addressed:
- @splattael started a discussion: (+2 comments) Question (non-blocking)
  Do we have a way of updating those banned SSH key fingerprints automatically via a script?
  🤔 I've seen @bwill's script in !87541 (comment 947857329) and thought to turn this into a rake task which generates a YAML.
  @kyrie.31415926535 @bwill Thoughts? We could easily follow up on this (hence "non-blocking") 💪
- @splattael started a discussion: Suggestion (non-blocking)
  Note that we are using the same keys twice: here and in the spec below.
  I was wondering if we could extract them into a "shared context" for now.
  Later, if we decide to automate/streamline the download of banned keys and saving them into YAML, we could use this very YAML as a single source of truth and avoid duplication.
  WDYT?
Implementation Guide
- Create a new configuration file at `config/security/banned_ssh_keys.yml` which contains a list of the banned SSH key fingerprints
- Update `app/models/key.rb` so that it reads the list of banned key fingerprints from this YAML file
- Add a new rake task in `lib/gitlab/tasks/security/` which is able to download keys from a remote source and then add the fingerprints to the YAML file. This task could:
  - receive a git repository URI
  - clone it
  - load the key fingerprints from the YAML file as a Set
  - recursively search the git repository for public keys
  - calculate the fingerprint of each key found and add it to the set
  - write the set back to the YAML file
  - delete the git repository
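The steps above, worked through as plain Ruby so the logic can be run and checked outside of Rails. This is an added example, not GitLab's code and not the script referenced in !87541; the module name `BannedSshKeys`, the `demo` helper, the placeholder YAML entry and the sample key material are all constructed here. It assumes fingerprints are stored in the same `SHA256:<base64 without padding>` form that `ssh-keygen -lf` prints (whether the real YAML uses that exact form is an assumption), and that the task clones with `git clone --depth 1` into a temporary directory that is removed when the block exits:

```ruby
# Added example (not GitLab's own code): the clone / scan / merge / clean-up flow
# from the implementation guide, plus the lookup the Key model would perform.
require 'base64'
require 'digest'
require 'fileutils'
require 'find'
require 'set'
require 'tmpdir'
require 'yaml'

module BannedSshKeys
  # A line that looks like an OpenSSH public key: "<type> <base64 blob> [comment]".
  KEY_LINE = %r{\A(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)}

  # Fingerprint in the "SHA256:<base64, no padding>" form printed by `ssh-keygen -lf`:
  # SHA-256 over the decoded key blob. Returns nil for lines that are not keys.
  def self.fingerprint(public_key_line)
    return nil unless (m = KEY_LINE.match(public_key_line.strip))

    blob = Base64.strict_decode64(m[2])
    'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
  rescue ArgumentError
    nil # blob was not valid base64 (or binary junk): ignore the line
  end

  # Recursively scan a checked-out repository and collect fingerprints of every
  # public key found in any file (the .git directory itself is skipped).
  def self.fingerprints_in(dir)
    found = Set.new
    Find.find(dir) do |path|
      Find.prune if File.basename(path) == '.git'
      next unless File.file?(path)

      File.foreach(path, mode: 'rb') do |line|
        fp = fingerprint(line)
        found << fp if fp
      end
    end
    found
  end

  # Load the YAML list as a Set (empty if the file does not exist yet).
  def self.load_list(yaml_path)
    return Set.new unless File.exist?(yaml_path)

    Set.new(Array(YAML.safe_load(File.read(yaml_path))))
  end

  # Merge new fingerprints into the list and write it back sorted, so diffs stay readable.
  def self.update_list!(yaml_path, new_fingerprints)
    merged = load_list(yaml_path) | new_fingerprints
    File.write(yaml_path, merged.to_a.sort.to_yaml)
    merged
  end

  # The rake task body: clone, scan, merge; the temp dir (the clone) is deleted on exit.
  def self.import_from_git(repo_uri, yaml_path)
    Dir.mktmpdir('banned-keys') do |tmp|
      system('git', 'clone', '--depth', '1', repo_uri, tmp, exception: true)
      update_list!(yaml_path, fingerprints_in(tmp))
    end
  end

  # What the check in app/models/key.rb would reduce to.
  def self.banned?(fingerprint, yaml_path)
    load_list(yaml_path).include?(fingerprint)
  end

  # Constructed sample: a syntactically valid ssh-ed25519 public key whose 32 bytes
  # of key material are just 0x01 repeated. Not a real key; for demonstration only.
  def self.sample_key_line
    blob = [11, 'ssh-ed25519', 32, "\x01" * 32].pack('Na*Na*')
    "ssh-ed25519 #{Base64.strict_encode64(blob)} constructed@example"
  end

  # Stand-alone run of the whole flow against a constructed local "repository",
  # so it works without git or network. Returns [sorted YAML list, sample fingerprint].
  def self.demo
    Dir.mktmpdir('banned-keys-demo') do |tmp|
      repo = File.join(tmp, 'repo')
      FileUtils.mkdir_p(File.join(repo, 'keys'))
      File.write(File.join(repo, 'keys', 'leaked.pub'), sample_key_line + "\n")
      File.write(File.join(repo, 'README'), "not a key\n")

      yaml = File.join(tmp, 'banned_ssh_keys.yml')
      File.write(yaml, ['SHA256:PLACEHOLDER_EXISTING_ENTRY'].to_yaml) # constructed seed entry
      update_list!(yaml, fingerprints_in(repo))
      [load_list(yaml).to_a.sort, fingerprint(sample_key_line)]
    end
  end
end

puts BannedSshKeys.demo.inspect if $PROGRAM_NAME == __FILE__
```

Because the list is loaded into a Set, re-running the import against the same source is idempotent, and keeping the YAML sorted means a review of the merge request that updates it shows only the newly banned fingerprints.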