
Prevent users from adding known, weak keys

nobody requested to merge jgao1025/gitlab:24614 into master

What does this MR do and why?

Part of #24614 (closed)

This MR takes the list of bad SSH public keys from https://github.com/rapid7/ssh-badkeys/tree/master/authorized. The keys are put into a keys.txt file, and the following script converts them to SHA256 fingerprints:

# run from the GitLab checkout so the Rails environment (and Gitlab::SSHPublicKey) is loaded
require_relative 'config/environment'

# one OpenSSH public key per line
keys = IO.readlines('keys.txt', chomp: true)

keys.each do |key|
  pub = Gitlab::SSHPublicKey.new(key)
  puts pub.fingerprint_sha256 # "SHA256:..." form, as printed by ssh-keygen -lf
end

When a user tries to add an SSH public key on their profile page at /-/profile/keys, an additional validation check confirms whether the public key is on the bad public key list.
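As an added example (not code from this MR and not GitLab's own Gitlab::SSHPublicKey or Key model), the following self-contained Ruby sketch shows the same mechanism end to end: parse an OpenSSH public-key line, derive the SHA256 fingerprint in the form ssh-keygen -lf prints, build the banned set from a list of key lines the way the keys.txt conversion above does, and reject a submitted key whose fingerprint is in that set. The BannedKeyCheck module, synthetic_ed25519_line and the sample key lines are hypothetical and constructed for this example; the sample blobs are wire-format-valid but are not real keys.

```ruby
require 'base64'
require 'digest'
require 'set'

# Hypothetical stand-in for the validation the MR adds: everything in this
# module is example code, not GitLab's Gitlab::SSHPublicKey or Key model.
module BannedKeyCheck
  KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519
                 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

  # Parse one OpenSSH public-key line ("<type> <base64 blob> [comment]").
  # Returns [type, blob] or nil for anything malformed.
  def self.parse(line)
    parts = line.to_s.strip.split(/\s+/, 3)
    return nil if parts.size < 2

    type, b64 = parts
    return nil unless KEY_TYPES.include?(type)

    blob = Base64.strict_decode64(b64)
    return nil if blob.bytesize < 4

    # The blob begins with a length-prefixed copy of the key type; insist that it
    # matches the label so a relabelled blob cannot dodge a fingerprint lookup.
    len = blob.byteslice(0, 4).unpack1('N')
    return nil unless blob.byteslice(4, len) == type

    [type, blob]
  rescue ArgumentError # strict_decode64 on non-base64 input
    nil
  end

  # SHA256 fingerprint in the form `ssh-keygen -lf` prints: "SHA256:" plus the
  # unpadded base64 of the SHA-256 digest of the raw key blob.
  def self.fingerprint_sha256(line)
    parsed = parse(line)
    return nil unless parsed

    'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(parsed[1])).delete('=')
  end

  # In-process equivalent of the keys.txt conversion: every parseable line
  # becomes one fingerprint in the banned set.
  def self.banned_fingerprints(key_lines)
    key_lines.filter_map { |l| fingerprint_sha256(l) }.to_set
  end

  # Outcome a form validation would act on: :invalid, :banned or :ok.
  def self.validate(line, banned)
    fp = fingerprint_sha256(line)
    return :invalid if fp.nil?

    banned.include?(fp) ? :banned : :ok
  end
end

# Constructed sample input: synthetic ssh-ed25519 blobs built from a repeated
# byte. They are wire-format-valid for fingerprinting but are NOT real keys.
def synthetic_ed25519_line(fill_byte, comment)
  pub = [fill_byte].pack('C') * 32
  blob = [11].pack('N') + 'ssh-ed25519' + [32].pack('N') + pub
  "ssh-ed25519 #{Base64.strict_encode64(blob)} #{comment}"
end

BANNED_LIST = [
  synthetic_ed25519_line(0x01, 'leaked-appliance-key'),
  synthetic_ed25519_line(0x02, 'vendor-test-key')
].freeze
BANNED = BannedKeyCheck.banned_fingerprints(BANNED_LIST)

if __FILE__ == $PROGRAM_NAME
  [
    synthetic_ed25519_line(0x01, 'same blob, new comment'), # still banned
    synthetic_ed25519_line(0x03, 'user@laptop'),            # accepted
    'ssh-ed25519 not-base64!!'                              # malformed
  ].each { |line| puts "#{BannedKeyCheck.validate(line, BANNED)}  #{line[0, 40]}" }
end
```

Matching on the fingerprint of the decoded blob, rather than on the raw text line, is what makes the check robust: a banned key with a changed comment, extra whitespace or a relabelled type string still hashes to the same fingerprint (or is rejected as malformed), so it cannot be smuggled past a plain string comparison against the list.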

Screenshots or screen recordings

(screenshot: banned_key)

How to set up and validate locally

Run spec tests locally

cd gitlab-development-kit/gitlab
bin/rspec spec/lib/gitlab/ssh_public_key_spec.rb
bin/rspec spec/models/key_spec.rb

Test in web interface

Test whether the feature works for a user

  1. enable the feature for the root user in the Rails console
[13] pry(main)> rootuser =  User.find_by_username('root')
=> #<User id:1 @root>
[14] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
[15] pry(main)> Feature.enable(:ssh_banned_key, rootuser)
=> true
  2. go to http://localhost:3000/-/profile/keys and upload the bad keys one by one to check that each key is rejected; the result should look like the screenshot above.

  3. test a good SSH key; it is added normally.

  4. disable the feature and test again.

bin/rails console

[18] pry(main)> Feature.disable(:ssh_banned_key, rootuser)
=> true
[19] pry(main)> Feature.enabled?(:ssh_banned_key, rootuser)
=> false
  5. go to http://localhost:3000/-/profile/keys and upload the bad keys one by one to check that the banned keys can now be uploaded successfully.

Test whether the feature works for a user while it is enabled for another user

  1. impersonate the user lashawnda

  2. enable the feature for that user in the Rails console

[9] pry(main)> user = User.find_by_username('lashawnda')
=> #<User id:9 @lashawnda>
=> true
[11] pry(main)> Feature.enabled?(:ssh_banned_key, user)
=> true
  3. go to http://localhost:3000/-/profile/keys and upload the bad keys one by one to check that each key is rejected; the result should look like the screenshot.

  4. go back to the root user, go to http://localhost:3000/-/profile/keys, and try to upload a bad SSH key. The banned key should be accepted for the root user while :ssh_banned_key is enabled only for the user lashawnda.

Test whether deploy keys are checked for a project

  1. impersonate lashawnda

  2. enable the feature for lashawnda only.

[15] pry(main)> Feature.enable(:ssh_banned_key, user)
=> true
[16] pry(main)> Feature.enabled?(:ssh_banned_key,user)
=> true
  3. try to upload a bad SSH key as a deploy key for each project where lashawnda can add one. Only gnuwget/Wget2 and lashawnda/gitlab-shell allow lashawnda to upload a key, so go to http://localhost:3000/gnuwget/Wget2/-/settings/repository#js-deploy-keys-settings and add a bad SSH key.

  4. the upload is rejected, with the error message shown below.

(screenshot: Screen_Shot_2022-06-05_at_9.45.37_pm)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Peter Leitzen
