Commit 043b8415 authored by charlie ablett's avatar charlie ablett

Merge branch '320970-enforce-ssh-key-expiration-by-default' into 'master'

Enforce SSH key expiration by default

See merge request gitlab-org/gitlab!62432
parents 583b94e6 f023457f
%p %p
= _('Hi %{username}!') % { username: sanitize_name(@user.name) } = _('Hi %{username}!') % { username: sanitize_name(@user.name) }
%p %p
= _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:') = _('SSH keys with the following fingerprints have expired and can no longer be used:')
%table %table
%tbody %tbody
- @fingerprints.each do |fingerprint| - @fingerprints.each do |fingerprint|
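Review bot: The new sentence says without condition that expired keys "can no longer be used", yet the documentation changed in this same commit keeps an admin checkbox that re-enables expired keys, so the mail is wrong on any instance where **Enforce SSH key expiration** is unchecked. The same applies to the plain-text variant of this mail and to both "scheduled to expire soon" templates. Either pick the sentence from the current setting (presumably readable through `Gitlab::CurrentSettings`; the accessor is not visible on this page) or use wording that holds in both states, such as `_('SSH keys with the following fingerprints have expired:')`. The `each` block continues outside the lines shown.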
......
<%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %> <%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>
<%= _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:') %> <%= _('SSH keys with the following fingerprints have expired and can no longer be used:') %>
<% @fingerprints.each do |fingerprint| %> <% @fingerprints.each do |fingerprint| %>
- <%= fingerprint %> - <%= fingerprint %>
......
<%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %> <%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>
<%= _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:') %> <%= _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:') %>
<% @fingerprints.each do |fingerprint| %> <% @fingerprints.each do |fingerprint| %>
- <%= fingerprint %> - <%= fingerprint %>
......
%p %p
= _('Hi %{username}!') % { username: sanitize_name(@user.name) } = _('Hi %{username}!') % { username: sanitize_name(@user.name) }
%p %p
= _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:') = _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:')
%table %table
%tbody %tbody
- @fingerprints.each do |fingerprint| - @fingerprints.each do |fingerprint|
......
# frozen_string_literal: true
class DefaultEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
def change
change_column_default(:application_settings, :enforce_ssh_key_expiration, from: false, to: true)
end
end
# frozen_string_literal: true
class EnableEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
class ApplicationSetting < ActiveRecord::Base
self.table_name = 'application_settings'
end
def up
ApplicationSetting.reset_column_information
ApplicationSetting.where.not(enforce_ssh_key_expiration: false).each do |application_setting|
application_setting.update!(enforce_ssh_key_expiration: true)
end
end
end
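Review bot: The filter in `up`, `where.not(enforce_ssh_key_expiration: false)`, matches only rows that are already true, because the schema on this page declares the column `boolean ... NOT NULL`; the `update!` inside the loop therefore changes nothing. An upgraded instance whose row still holds the old default `false` keeps accepting expired SSH keys, while the mail templates and documentation in this commit now tell users such keys cannot be used. If existing instances are meant to be switched over, the filter should be `ApplicationSetting.where(enforce_ssh_key_expiration: false)`, ideally as a single `update_all(enforce_ssh_key_expiration: true)`. If existing admin choices are meant to be kept, the migration can go, with a comment next to the default change stating that upgraded instances stay unenforced until an admin opts in. In either case an explicit `def down` containing only `# no-op` would make the one-way data change visible.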
e569b99998d9c670af17ec747e37726671601ba06fa97da83373649adb3aab31
\ No newline at end of file
38dcfcd162a3b49a9b16b45b2f9818275807bf419880729b5c552bccb0d4dc9e
\ No newline at end of file
...@@ -9488,7 +9488,7 @@ CREATE TABLE application_settings ( ...@@ -9488,7 +9488,7 @@ CREATE TABLE application_settings (
rate_limiting_response_text text, rate_limiting_response_text text,
invisible_captcha_enabled boolean DEFAULT false NOT NULL, invisible_captcha_enabled boolean DEFAULT false NOT NULL,
container_registry_cleanup_tags_service_max_list_size integer DEFAULT 200 NOT NULL, container_registry_cleanup_tags_service_max_list_size integer DEFAULT 200 NOT NULL,
enforce_ssh_key_expiration boolean DEFAULT false NOT NULL, enforce_ssh_key_expiration boolean DEFAULT true NOT NULL,
git_two_factor_session_expiry integer DEFAULT 15 NOT NULL, git_two_factor_session_expiry integer DEFAULT 15 NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL, keep_latest_artifact boolean DEFAULT true NOT NULL,
notes_create_limit integer DEFAULT 300 NOT NULL, notes_create_limit integer DEFAULT 300 NOT NULL,
...@@ -38,7 +38,7 @@ When you [add files to a repository](../../project/repository/web_editor.md#crea ...@@ -38,7 +38,7 @@ When you [add files to a repository](../../project/repository/web_editor.md#crea
through the web UI, the maximum **attachment** size is the limiting factor, through the web UI, the maximum **attachment** size is the limiting factor,
because the [web server](../../../development/architecture.md#components) because the [web server](../../../development/architecture.md#components)
must receive the file before GitLab can generate the commit. must receive the file before GitLab can generate the commit.
Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository. Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository.
## Max import size ## Max import size
...@@ -189,22 +189,18 @@ Once a lifetime for personal access tokens is set, GitLab: ...@@ -189,22 +189,18 @@ Once a lifetime for personal access tokens is set, GitLab:
## Enforce SSH key expiration **(ULTIMATE SELF)** ## Enforce SSH key expiration **(ULTIMATE SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/320970) in GitLab 14.0.
By default, expired SSH keys **can still be used**. By default, expired SSH keys **are not usable**.
WARNING: To allow the use of expired SSH keys:
Allowing use of expired SSH keys by default is deprecated and scheduled to change in GitLab 14.0.
To prevent the use of expired SSH keys:
1. Navigate to **Admin Area > Settings > General**. 1. Navigate to **Admin Area > Settings > General**.
1. Expand the **Account and limit** section. 1. Expand the **Account and limit** section.
1. Select the **Enforce SSH key expiration** checkbox. 1. Uncheck the **Enforce SSH key expiration** checkbox.
Enforcing SSH key expiration immediately disables all expired SSH keys.
For more information, see the following issue on [SSH key expiration](https://gitlab.com/gitlab-org/gitlab/-/issues/320970). Disabling SSH key expiration immediately enables all expired SSH keys.
## Do not enforce Personal Access Token expiration **(ULTIMATE SELF)** ## Do not enforce Personal Access Token expiration **(ULTIMATE SELF)**
......
...@@ -28342,6 +28342,12 @@ msgstr "" ...@@ -28342,6 +28342,12 @@ msgstr ""
msgid "SSH keys allow you to establish a secure connection between your computer and GitLab." msgid "SSH keys allow you to establish a secure connection between your computer and GitLab."
msgstr "" msgstr ""
msgid "SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:"
msgstr ""
msgid "SSH keys with the following fingerprints have expired and can no longer be used:"
msgstr ""
msgid "SSH public key" msgid "SSH public key"
msgstr "" msgstr ""
...@@ -37638,12 +37644,6 @@ msgstr "" ...@@ -37638,12 +37644,6 @@ msgstr ""
msgid "Your SSH keys (%{count})" msgid "Your SSH keys (%{count})"
msgstr "" msgstr ""
msgid "Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:"
msgstr ""
msgid "Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:"
msgstr ""
msgid "Your To-Do List" msgid "Your To-Do List"
msgstr "" msgstr ""
......
...@@ -264,7 +264,7 @@ RSpec.describe Emails::Profile do ...@@ -264,7 +264,7 @@ RSpec.describe Emails::Profile do
include_examples 'valid use case' include_examples 'valid use case'
it_behaves_like 'has the correct subject', /Your SSH key has expired/ it_behaves_like 'has the correct subject', /Your SSH key has expired/
it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints have expired/ it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints have expired/
end end
context 'when invalid' do context 'when invalid' do
...@@ -291,7 +291,7 @@ RSpec.describe Emails::Profile do ...@@ -291,7 +291,7 @@ RSpec.describe Emails::Profile do
include_examples 'valid use case' include_examples 'valid use case'
it_behaves_like 'has the correct subject', /Your SSH key is expiring soon/ it_behaves_like 'has the correct subject', /Your SSH key is expiring soon/
it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints are scheduled to expire soon/ it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints are scheduled to expire soon/
end end
context 'when invalid' do context 'when invalid' do
......