Auth via SSH certificates
## Summary On GitLab.com customers obtain their own top-level group (later organization). In comparison to self-managed, they have to manage organization-wide settings at this level. Currently, the provided Git access control options on SaaS (SSH, HTTPS) rely on credentials (access tokens, SSH keys) setup in the user profile. As the user profile is out of control of the organization, there is no way for a customer to assess whether the key is kept confidential or whether the expiry date is meeting policies. Also, there’s very little that can be done for damage control in case the keys are leaked as well as a customer cannot enforce MFA on Git access flows. Customers may have processes in place, where developers on a daily basis can, via MFA, request a temporary SSH certificate which gives them access to internal systems. To enable the same way of working on SaaS, we would need a way to share public Certificate Authority (CA) files with GitLab.com SaaS for the purpose of Git access control. ## Motivation - Enable users to share public Certificate Authority (CA) files with GitLab.com SaaS for the purpose of Git access control. - Fill the product gap between GitLab and competitive products that already support authentication via SSH certificates. ## Architecture It's a joint effort of ~"group::source code" and ~"group::authentication and authorization" because ~"group::source code" is responsible for [Gitlab Shell](https://gitlab.com/gitlab-org/gitlab-shell) project and ~"group::authentication and authorization" owns Authentication topic Blueprint: https://docs.gitlab.com/ee/architecture/blueprints/ssh_certificates/ ```mermaid sequenceDiagram User->>+GitLab Shell: Auth using SSH Certificate GitLab Shell->>+GitLab Rails: /authorized_certs?key=fingerprint-of-signing-key&user_identity=username-or-primary-email GitLab Rails-->>-GitLab Shell: responds with the namespace that configures the CA and the username of the user GitLab Shell-->>User: Authenticated successfully User->>+GitLab Shell: Git command to a specific project GitLab Shell->>+GitLab Rails: /allowed [namespace=namespace] GitLab Rails-->>-GitLab Shell: responds that the user is allowed to access a project in this namespace GitLab Shell-->>User: success ```
epic