Commit 6fea2cb7 authored by Evan Read

Add deprecation notice to SSH key info

parent a2d53b3f
...@@ -33,7 +33,7 @@ The following is an example of the Credentials inventory page: ...@@ -33,7 +33,7 @@ The following is an example of the Credentials inventory page:
If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table: If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table:
| Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#optional-non-enforcement-of-personal-access-token-expiration) | Show Revoke button? | Comments | | Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#do-not-enforce-personal-access-token-expiration) | Show Revoke button? | Comments |
|-------------|------------------------|--------------------|----------------------------------------------------------------------------| |-------------|------------------------|--------------------|----------------------------------------------------------------------------|
| Active | Yes | Yes | Allows administrators to revoke the PAT, such as for a compromised account | | Active | Yes | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
| Active | No | Yes | Allows administrators to revoke the PAT, such as for a compromised account | | Active | No | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
......
...@@ -50,7 +50,7 @@ You can set a global prefix for all generated Personal Access Tokens. ...@@ -50,7 +50,7 @@ You can set a global prefix for all generated Personal Access Tokens.
A prefix can help you identify PATs visually, as well as with automation tools. A prefix can help you identify PATs visually, as well as with automation tools.
### Setting a prefix ### Set a prefix
Only a GitLab administrator can set the prefix, which is a global setting applied Only a GitLab administrator can set the prefix, which is a global setting applied
to any PAT generated in the system by any user: to any PAT generated in the system by any user:
...@@ -148,7 +148,7 @@ To set a limit on how long these sessions are valid: ...@@ -148,7 +148,7 @@ To set a limit on how long these sessions are valid:
1. Fill in the **Session duration for Git operations when 2FA is enabled (minutes)** field. 1. Fill in the **Session duration for Git operations when 2FA is enabled (minutes)** field.
1. Click **Save changes**. 1. Click **Save changes**.
## Limiting lifetime of personal access tokens **(ULTIMATE SELF)** ## Limit the lifetime of personal access tokens **(ULTIMATE SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab Ultimate 12.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab Ultimate 12.6.
...@@ -160,7 +160,7 @@ Personal access tokens are the only tokens needed for programmatic access to Git ...@@ -160,7 +160,7 @@ Personal access tokens are the only tokens needed for programmatic access to Git
However, organizations with security requirements may want to enforce more protection by However, organizations with security requirements may want to enforce more protection by
requiring the regular rotation of these tokens. requiring the regular rotation of these tokens.
### Setting a lifetime ### Set a lifetime
Only a GitLab administrator can set a lifetime. Leaving it empty means Only a GitLab administrator can set a lifetime. Leaving it empty means
there are no restrictions. there are no restrictions.
...@@ -180,12 +180,16 @@ Once a lifetime for personal access tokens is set, GitLab: ...@@ -180,12 +180,16 @@ Once a lifetime for personal access tokens is set, GitLab:
allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
or remove it, before revocation takes place. or remove it, before revocation takes place.
## Optional enforcement of SSH key expiration **(ULTIMATE SELF)** ## Enforce SSH key expiration **(ULTIMATE SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
By default, expired SSH keys **can still be used**. By default, expired SSH keys **can still be used**.
You can prevent the use of expired SSH keys with the following steps:
WARNING:
Allowing use of expired SSH keys by default is deprecated and scheduled to change in GitLab 14.0.
To prevent the use of expired SSH keys:
1. Navigate to **Admin Area > Settings > General**. 1. Navigate to **Admin Area > Settings > General**.
1. Expand the **Account and limit** section. 1. Expand the **Account and limit** section.
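Review bot: The new WARNING under "Enforce SSH key expiration" says the default is "scheduled to change in GitLab 14.0" but does not say what the behaviour becomes or what an administrator should do before upgrading. Please state the 14.0 default explicitly in the warning. If the issue linked at the end of this section (issues/320970) tracks the change, link it from the warning as well, so readers who stop at the notice can find it. The line directly above still reads "By default, expired SSH keys **can still be used**", so the two statements should be worded so that they stay correct together once the default flips.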
...@@ -195,7 +199,7 @@ Enforcing SSH key expiration immediately disables all expired SSH keys. ...@@ -195,7 +199,7 @@ Enforcing SSH key expiration immediately disables all expired SSH keys.
For more information, see the following issue on [SSH key expiration](https://gitlab.com/gitlab-org/gitlab/-/issues/320970). For more information, see the following issue on [SSH key expiration](https://gitlab.com/gitlab-org/gitlab/-/issues/320970).
## Optional non-enforcement of Personal Access Token expiration **(ULTIMATE SELF)** ## Do not enforce Personal Access Token expiration **(ULTIMATE SELF)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab Ultimate 13.1. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab Ultimate 13.1.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9.
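Review bot: The renamed heading "Do not enforce Personal Access Token expiration" reads as an instruction to switch enforcement off, and it is now the target of link text that says the opposite ("Token expiration enforced?" in the Credentials inventory table and "enforce personal access token expiration" in the user docs). A neutral title that names the setting, as the SSH section does with "Enforce SSH key expiration", would avoid implying that disabling expiration is the recommended state. The heading also keeps "Personal Access Token" capitalised while "Limit the lifetime of personal access tokens" in the same file is lower case; pick one.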
...@@ -209,7 +213,7 @@ To do this: ...@@ -209,7 +213,7 @@ To do this:
1. Expand the **Account and limit** section. 1. Expand the **Account and limit** section.
1. Uncheck the **Enforce personal access token expiration** checkbox. 1. Uncheck the **Enforce personal access token expiration** checkbox.
## Disabling user profile name changes **(PREMIUM SELF)** ## Disable user profile name changes **(PREMIUM SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24605) in GitLab 12.7. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24605) in GitLab 12.7.
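Review bot: Renaming "Disabling user profile name changes" to "Disable user profile name changes" changes the generated anchor, and the same applies to "Set a prefix", "Set a lifetime" and "Enforce SSH key expiration" earlier in this file, but the visible hunks only update inbound links for the two personal access token sections. Please search the docs and any in-product help links for the old anchors (for example #disabling-user-profile-name-changes and #optional-enforcement-of-ssh-key-expiration) and update them in this commit. The commit message mentions only the SSH deprecation notice, so it would also help to note the heading renames there.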
......
...@@ -104,9 +104,11 @@ This expiration date is not a requirement, and can be set to any arbitrary date. ...@@ -104,9 +104,11 @@ This expiration date is not a requirement, and can be set to any arbitrary date.
Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens. Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
### Setting a limit ### Set a limit
Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens) on the lifetime of personal access tokens apply. Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field
is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens)
on the lifetime of personal access tokens apply.
To set a limit on how long personal access tokens are valid for users in a group managed account: To set a limit on how long personal access tokens are valid for users in a group managed account:
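Review bot: The rewrapped sentence under "Set a limit" still ends "the instance-level restriction ... on the lifetime of personal access tokens apply"; the subject is singular, so this should be "applies". Since the line is being touched anyway, it is worth fixing here. The surrounding text also alternates between "group-managed account" and "group managed account"; use the hyphenated form in both places.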
......
...@@ -79,8 +79,10 @@ Personal access tokens expire on the date you define, at midnight UTC. ...@@ -79,8 +79,10 @@ Personal access tokens expire on the date you define, at midnight UTC.
- GitLab runs a check at 01:00 AM UTC every day to identify personal access tokens that expire in the next seven days. The owners of these tokens are notified by email. - GitLab runs a check at 01:00 AM UTC every day to identify personal access tokens that expire in the next seven days. The owners of these tokens are notified by email.
- GitLab runs a check at 02:00 AM UTC every day to identify personal access tokens that expire on the current date. The owners of these tokens are notified by email. - GitLab runs a check at 02:00 AM UTC every day to identify personal access tokens that expire on the current date. The owners of these tokens are notified by email.
- In GitLab Ultimate, administrators can [limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens). - In GitLab Ultimate, administrators can
- In GitLab Ultimate, administrators can choose whether or not to [enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#optional-non-enforcement-of-personal-access-token-expiration). [limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens).
- In GitLab Ultimate, administrators can choose whether or not to
[enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#do-not-enforce-personal-access-token-expiration).
## Create a personal access token programmatically **(FREE SELF)** ## Create a personal access token programmatically **(FREE SELF)**
......