Support "ecdsa-sk" and "ed25519-sk" SSH keys (!78934) · Merge requests · GitLab.org / GitLab

Merged Bogdan Denkovych requested to merge support_ecdsa-sk_and_ed25519-sk_ssh_keys into master Jan 21, 2022

What does this MR do and why?

This MR provides support "ecdsa-sk" and "ed25519-sk" SSH keys.

In !77374 (merged), !77403 (merged), !77996 (merged), !77424 (merged), and !78532 (merged) we have done the work that facilitates support "ecdsa-sk" and "ed25519-sk" SSH keys.

By adding support "ecdsa-sk" and "ed25519-sk" SSH keys, we provide a new, more secure, and easy-to-use way to strongly authenticate with Git while preventing unintended and potentially malicious access. For instance, if a user's private key file on their computer is stolen, it would be useless without the user's security key.

Read:

OpenSSH 8.2 release notes: https://www.openssh.com/releasenotes.html#8.2
OpenSSH's support for U2F/FIDO security keys: https://github.com/openssh/openssh-portable/blob/8a0848cdd3b25c049332cd56034186b7853ae754/PROTOCOL.u2f
https://cloud.google.com/compute/docs/tutorials/ssh-with-sk
https://www.yubico.com/blog/github-now-supports-ssh-security-keys/
https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/

Changelog: added

Screenshots or screen recordings

Demo: Using "ecdsa-sk" and "ed25519-sk" SSH keys - https://www.youtube.com/watch?v=DtmZEVguN7g

Database changes

AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings migration is reversible:

bogdanvlviv@lenovo:~/gitlab-development-kit/gitlab$ bin/rails db:migrate
== 20220128093756 AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings: migrating
-- add_column(:application_settings, :ecdsa_sk_key_restriction, :integer, {:default=>0, :null=>false})
   -> 0.0020s
-- add_column(:application_settings, :ed25519_sk_key_restriction, :integer, {:default=>0, :null=>false})
   -> 0.0016s
== 20220128093756 AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings: migrated (0.0037s)

bogdanvlviv@lenovo:~/gitlab-development-kit/gitlab$ bin/rails db:rollback
== 20220128093756 AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings: reverting
-- remove_column(:application_settings, :ed25519_sk_key_restriction, :integer, {:default=>0, :null=>false})
   -> 0.0018s
-- remove_column(:application_settings, :ecdsa_sk_key_restriction, :integer, {:default=>0, :null=>false})
   -> 0.0013s
== 20220128093756 AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings: reverted (0.0044s)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Feb 02, 2022 by Bogdan Denkovych