Commit f023457f authored by Tan Le's avatar Tan Le

Enforce SSH key expiration by default

This change sets the default value of `enforce_ssh_key_expiration` on
the `application_settings` table to be `true`. We also update existing
settings to be `true`. Users will no longer be able to use expired SSH
keys to authenticate to GitLab.

Changelog: changed
parent c1ac8fd2
%p
= _('Hi %{username}!') % { username: sanitize_name(@user.name) }
%p
= _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:')
= _('SSH keys with the following fingerprints have expired and can no longer be used:')
%table
%tbody
- @fingerprints.each do |fingerprint|
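Review bot: The new body text says unconditionally that expired keys can no longer be used, but the documentation changed in this same commit still lets an administrator uncheck **Enforce SSH key expiration**, after which expired keys keep working. As far as the visible lines show, neither this template nor the plain-text and "expiring soon" variants below consult the `enforce_ssh_key_expiration` application setting before choosing the wording. On an instance with enforcement turned off, the notification would therefore tell the user a credential is dead when it is still accepted. Consider having the mailer pick the sentence from the setting's current value, or using wording that holds in both states. The rest of each template is collapsed on this page, so this is based only on the lines shown.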
......
<%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>
<%= _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:') %>
<%= _('SSH keys with the following fingerprints have expired and can no longer be used:') %>
<% @fingerprints.each do |fingerprint| %>
- <%= fingerprint %>
......
<%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>
<%= _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:') %>
<%= _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:') %>
<% @fingerprints.each do |fingerprint| %>
- <%= fingerprint %>
......
%p
= _('Hi %{username}!') % { username: sanitize_name(@user.name) }
%p
= _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:')
= _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:')
%table
%tbody
- @fingerprints.each do |fingerprint|
......
# frozen_string_literal: true
class DefaultEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
def change
change_column_default(:application_settings, :enforce_ssh_key_expiration, from: false, to: true)
end
end
# frozen_string_literal: true
class EnableEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
class ApplicationSetting < ActiveRecord::Base
self.table_name = 'application_settings'
end
def up
ApplicationSetting.reset_column_information
ApplicationSetting.where.not(enforce_ssh_key_expiration: false).each do |application_setting|
application_setting.update!(enforce_ssh_key_expiration: true)
end
end
end
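Review bot: The scope in `up` selects the wrong rows: `where.not(enforce_ssh_key_expiration: false)` matches only settings that are already `true` (the schema dump further down shows the column as `NOT NULL`), so the `update!` inside the loop changes nothing. Instances that currently have enforcement off would stay off after upgrading, which contradicts the commit description's "We also update existing settings to be `true`" and leaves expired SSH keys usable there. If the intent is to switch existing installations over, the filter should be `ApplicationSetting.where(enforce_ssh_key_expiration: false)`. The migration also defines `up` without a `down`; an explicit no-op `down` with a comment that the previous per-instance value is not restored would make the rollback behaviour deliberate. A migration spec that seeds a row with `false` and asserts it ends up `true` would pin the intended behaviour.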
e569b99998d9c670af17ec747e37726671601ba06fa97da83373649adb3aab31
\ No newline at end of file
38dcfcd162a3b49a9b16b45b2f9818275807bf419880729b5c552bccb0d4dc9e
\ No newline at end of file
......@@ -9488,7 +9488,7 @@ CREATE TABLE application_settings (
rate_limiting_response_text text,
invisible_captcha_enabled boolean DEFAULT false NOT NULL,
container_registry_cleanup_tags_service_max_list_size integer DEFAULT 200 NOT NULL,
enforce_ssh_key_expiration boolean DEFAULT false NOT NULL,
enforce_ssh_key_expiration boolean DEFAULT true NOT NULL,
git_two_factor_session_expiry integer DEFAULT 15 NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
notes_create_limit integer DEFAULT 300 NOT NULL,
......@@ -38,7 +38,7 @@ When you [add files to a repository](../../project/repository/web_editor.md#crea
through the web UI, the maximum **attachment** size is the limiting factor,
because the [web server](../../../development/architecture.md#components)
must receive the file before GitLab can generate the commit.
Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository.
Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository.
## Max import size
......@@ -189,22 +189,18 @@ Once a lifetime for personal access tokens is set, GitLab:
## Enforce SSH key expiration **(ULTIMATE SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/320970) in GitLab 14.0.
By default, expired SSH keys **can still be used**.
By default, expired SSH keys **are not usable**.
WARNING:
Allowing use of expired SSH keys by default is deprecated and scheduled to change in GitLab 14.0.
To prevent the use of expired SSH keys:
To allow the use of expired SSH keys:
1. Navigate to **Admin Area > Settings > General**.
1. Expand the **Account and limit** section.
1. Select the **Enforce SSH key expiration** checkbox.
Enforcing SSH key expiration immediately disables all expired SSH keys.
1. Uncheck the **Enforce SSH key expiration** checkbox.
For more information, see the following issue on [SSH key expiration](https://gitlab.com/gitlab-org/gitlab/-/issues/320970).
Disabling SSH key expiration immediately enables all expired SSH keys.
## Do not enforce Personal Access Token expiration **(ULTIMATE SELF)**
......
......@@ -28357,6 +28357,12 @@ msgstr ""
msgid "SSH keys allow you to establish a secure connection between your computer and GitLab."
msgstr ""
msgid "SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:"
msgstr ""
msgid "SSH keys with the following fingerprints have expired and can no longer be used:"
msgstr ""
msgid "SSH public key"
msgstr ""
......@@ -37647,12 +37653,6 @@ msgstr ""
msgid "Your SSH keys (%{count})"
msgstr ""
msgid "Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:"
msgstr ""
msgid "Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:"
msgstr ""
msgid "Your To-Do List"
msgstr ""
......
......@@ -264,7 +264,7 @@ RSpec.describe Emails::Profile do
include_examples 'valid use case'
it_behaves_like 'has the correct subject', /Your SSH key has expired/
it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints have expired/
it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints have expired/
end
context 'when invalid' do
......@@ -291,7 +291,7 @@ RSpec.describe Emails::Profile do
include_examples 'valid use case'
it_behaves_like 'has the correct subject', /Your SSH key is expiring soon/
it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints are scheduled to expire soon/
it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints are scheduled to expire soon/
end
context 'when invalid' do
......