Add ability for admins to globally block users from uploading SSH keys that aren't deploy keys
### Problem to solve

When GitLab is used in a mode where no SSH keys are uploaded to it, but instead only SSH certificates are used (per my ongoing PR at https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19911), you don't want users to be able to manually upload SSH keys, because this can circumvent e.g. a 2FA policy on the issued certificate-signed keys.

### Proposal

There should be some setting in admin settings to disable uploading a key to the `keys` table whose `type` isn't `DeployKey`, with a corresponding UI change in user settings to either hide the SSH key tab, or explain to the user that they can't upload keys.

### What does success look like, and how can we measure that?

Users should get an error when trying to upload keys via the UI or API.

### Links / references