Restrict creation of Personal Access Tokens with an SSH key
The ability to generate personal access tokens using an SSH key can pose multiple risks to an organization's security policies around multi-factor authentication:
- Users can bypass security policies that require a web login via multi-factor authentication every X days by creating a PAT with an SSH key (PAT creation over SSH is currently single-factor)
- Using an SSH key, users can create PATs that have wider scopes than what is possible with GitLab Shell (again allowing bypass of MFA policies that would be satisfied by users going through a web login to create the PAT)
- While not unique to PATs generated via SSH keys, users can create a PAT through a single-factor authentication method, then indefinitely rotate the PAT via the API.
To address these concerns, admins should be able to configure settings that:
- Enable/disable the ability to create PATs using an SSH key
- Require MFA for creating a PAT using an SSH key
- Configure which PAT scopes are allowable to generate using an SSH key
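The three proposed controls compose naturally into a single policy check that runs before a PAT is issued over SSH. The following Go block is an added illustration of that check, not code from GitLab or from gitlab-shell!1053; the `Settings` and `Request` types, field names and error values are assumptions for the example, and the scope names used in `main` are ordinary GitLab PAT scopes chosen as sample input. Requests that arrive through the web login are passed through unchanged, since that path is already covered by the existing MFA policy; SSH-key requests are refused when the feature is disabled, when MFA is required but not satisfied, or when any requested scope falls outside the allow-list.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Settings models the three admin-configurable controls proposed in the issue.
// Constructed for this example; not the real gitlab-shell configuration schema.
type Settings struct {
	AllowSSHKeyPATCreation bool     // enable/disable PAT creation via SSH key
	RequireMFAForSSHKeyPAT bool     // require a recent MFA step before issuing
	AllowedSSHKeyPATScopes []string // scopes permitted over SSH; empty = unrestricted
}

// Request describes one PAT-creation attempt (hypothetical shape).
type Request struct {
	ViaSSHKey       bool     // true when the request came in over SSH, not the web UI
	MFAVerified     bool     // true when the user has satisfied MFA for this session
	RequestedScopes []string // scopes the new token would carry
}

var (
	ErrDisabled    = errors.New("PAT creation via SSH key is disabled by the administrator")
	ErrMFARequired = errors.New("multi-factor authentication is required to create a PAT via SSH key")
)

// ScopeError reports which requested scopes are outside the SSH allow-list.
type ScopeError struct{ Disallowed []string }

func (e *ScopeError) Error() string {
	return "scopes not permitted for PATs created via SSH key: " + strings.Join(e.Disallowed, ", ")
}

// Evaluate returns nil when the request may proceed, or the first policy
// violation found, checked in order: feature enabled, MFA, then scopes.
func Evaluate(s Settings, r Request) error {
	if !r.ViaSSHKey {
		return nil // web-login path is governed by the existing MFA policy
	}
	if !s.AllowSSHKeyPATCreation {
		return ErrDisabled
	}
	if s.RequireMFAForSSHKeyPAT && !r.MFAVerified {
		return ErrMFARequired
	}
	if len(s.AllowedSSHKeyPATScopes) > 0 {
		allowed := make(map[string]bool, len(s.AllowedSSHKeyPATScopes))
		for _, sc := range s.AllowedSSHKeyPATScopes {
			allowed[sc] = true
		}
		var bad []string
		for _, sc := range r.RequestedScopes {
			if !allowed[sc] {
				bad = append(bad, sc)
			}
		}
		if len(bad) > 0 {
			sort.Strings(bad) // deterministic message for logs and tests
			return &ScopeError{Disallowed: bad}
		}
	}
	return nil
}

func main() {
	// Sample policy: SSH-created PATs allowed, but only with MFA and only repo scopes.
	s := Settings{
		AllowSSHKeyPATCreation: true,
		RequireMFAForSSHKeyPAT: true,
		AllowedSSHKeyPATScopes: []string{"read_repository", "write_repository"},
	}
	reqs := []Request{
		{ViaSSHKey: true, MFAVerified: false, RequestedScopes: []string{"read_repository"}},
		{ViaSSHKey: true, MFAVerified: true, RequestedScopes: []string{"api", "read_repository"}},
		{ViaSSHKey: true, MFAVerified: true, RequestedScopes: []string{"read_repository"}},
	}
	for _, r := range reqs {
		fmt.Printf("%+v -> %v\n", r, Evaluate(s, r))
	}
}
```

Checking the disabled switch first means an administrator who turns the feature off gets a single, unambiguous refusal regardless of the other settings; the scope check reports every disallowed scope at once so the user can see exactly what the SSH path will not grant and fall back to the web login for it.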
A proposed solution can be found in gitlab-shell!1053
Edited by Ross Cain