summaryrefslogtreecommitdiff
path: root/doc/security
diff options
context:
space:
mode:
authorNick Thomas <nick@gitlab.com>2017-08-21 11:30:03 +0100
committerNick Thomas <nick@gitlab.com>2017-08-30 20:50:44 +0100
commitb0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01 (patch)
tree0d76c74fb6260de1e3c9694a8501491b2eb486ef /doc/security
parent81f08d30e641dc1a6666022ab1f5d36dbcdced7e (diff)
downloadgitlab-ce-b0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01.tar.gz
Add settings for minimum key strength and allowed key type
This is an amalgamation of: * Cory Hinshaw: Initial implementation !5552 * Rémy Coutable: Updates !9350 * Nick Thomas: Resolve conflicts and add ED25519 support !13712
Diffstat (limited to 'doc/security')
-rw-r--r--doc/security/README.md1
-rw-r--r--doc/security/img/ssh_keys_restrictions_settings.pngbin0 -> 41803 bytes
-rw-r--r--doc/security/ssh_keys_restrictions.md18
3 files changed, 19 insertions, 0 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index 38706e48ec5..1f54948d113 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -1,6 +1,7 @@
# Security
- [Password length limits](password_length_limits.md)
+- [Restrict allowed SSH key technologies and minimum length](ssh_keys_restrictions.md)
- [Rack attack](rack_attack.md)
- [Webhooks and insecure internal web services](webhooks.md)
- [Information exclusivity](information_exclusivity.md)
diff --git a/doc/security/img/ssh_keys_restrictions_settings.png b/doc/security/img/ssh_keys_restrictions_settings.png
new file mode 100644
index 00000000000..b62bfc2f7e0
--- /dev/null
+++ b/doc/security/img/ssh_keys_restrictions_settings.png
Binary files differ
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md
new file mode 100644
index 00000000000..32ca7dacab3
--- /dev/null
+++ b/doc/security/ssh_keys_restrictions.md
@@ -0,0 +1,18 @@
+# Restrict allowed SSH key technologies and minimum length
+
+`ssh-keygen` allows users to create RSA keys with as few as 768 bits, which
+falls well below recommendations from certain standards groups (such as the US
+NIST). Some organizations deploying Gitlab will need to enforce minimum key
+strength, either to satisfy internal security policy or for regulatory
+compliance.
+
+Similarly, certain standards groups recommend using RSA or ECDSA over the older
+DSA and administrators may need to limit the allowed SSH key algorithms.
+
+GitLab allows you to restrict the allowed SSH key technology as well as specify
+the minimum key length for each technology.
+
+In the Admin area under **Settings** (`/admin/application_settings`), look for
+the "Visibility and Access Controls" area:
+
+![SSH keys restriction admin settings](img/ssh_keys_restrictions_settings.png)