Add settings for minimum key strength and allowed key type

This is an amalgamation of:

* Cory Hinshaw: Initial implementation !5552
* Rémy Coutable: Updates !9350
* Nick Thomas: Resolve conflicts and add ED25519 support !13712

4 files changed, 36 insertions, 2 deletions

diff --git a/doc/api/settings.md b/doc/api/settings.md
index 94a9f8265fb..a43e13e6217 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -48,7 +48,12 @@ Example response:
    "plantuml_enabled": false,
    "plantuml_url": null,
    "terminal_max_session_time": 0,
-   "polling_interval_multiplier": 1.0
+   "polling_interval_multiplier": 1.0,
+   "minimum_rsa_bits": 1024,
+   "minimum_dsa_bits": 1024,
+   "minimum_ecdsa_bits": 256,
+   "minimum_ed25519_bits": 256,
+   "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"]
 }
 ```
 
@@ -88,6 +93,11 @@ PUT /application/settings
 | `plantuml_url` | string | yes (if `plantuml_enabled` is `true`) |  The PlantUML instance URL for integration. |
 | `terminal_max_session_time` | integer | no | Maximum time for web terminal websocket connection (in seconds). Set to 0 for unlimited time. |
 | `polling_interval_multiplier` | decimal | no | Interval multiplier used by endpoints that perform polling. Set to 0 to disable polling. |
+| `minimum_rsa_bits` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `1024`.
+| `minimum_dsa_bits` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `1024`.
+| `minimum_ecdsa_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `256`.
+| `minimum_ed25519_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `256`.
+| `allowed_key_types` | array of strings | no | Array of SSH key types accepted by the application. Allowed values are: `rsa`, `dsa`, `ecdsa`, and `ed25519`. Default is `["rsa", "dsa", "ecdsa", "ed25519"]`.
 
 ```bash
 curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/application/settings?signup_enabled=false&default_project_visibility=internal
@@ -125,6 +135,11 @@ Example response:
   "plantuml_enabled": false,
   "plantuml_url": null,
   "terminal_max_session_time": 0,
-  "polling_interval_multiplier": 1.0
+  "polling_interval_multiplier": 1.0,
+  "minimum_rsa_bits": 1024,
+  "minimum_dsa_bits": 1024,
+  "minimum_ecdsa_bits": 256,
+  "minimum_ed25519_bits": 256,
+  "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"]
 }
 ```
diff --git a/doc/security/README.md b/doc/security/README.md
index 38706e48ec5..1f54948d113 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -1,6 +1,7 @@
 # Security
 
 - [Password length limits](password_length_limits.md)
+- [Restrict allowed SSH key technologies and minimum length](ssh_keys_restrictions.md)
 - [Rack attack](rack_attack.md)
 - [Webhooks and insecure internal web services](webhooks.md)
 - [Information exclusivity](information_exclusivity.md)
diff --git a/doc/security/img/ssh_keys_restrictions_settings.png b/doc/security/img/ssh_keys_restrictions_settings.png
new file mode 100644
index 00000000000..b62bfc2f7e0
--- /dev/null
+++ b/doc/security/img/ssh_keys_restrictions_settings.png
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md
new file mode 100644
index 00000000000..32ca7dacab3
--- /dev/null
+++ b/doc/security/ssh_keys_restrictions.md
@@ -0,0 +1,18 @@
+# Restrict allowed SSH key technologies and minimum length
+
+`ssh-keygen` allows users to create RSA keys with as few as 768 bits, which
+falls well below recommendations from certain standards groups (such as the US
+NIST). Some organizations deploying Gitlab will need to enforce minimum key
+strength, either to satisfy internal security policy or for regulatory
+compliance.
+
+Similarly, certain standards groups recommend using RSA or ECDSA over the older
+DSA and administrators may need to limit the allowed SSH key algorithms.
+
+GitLab allows you to restrict the allowed SSH key technology as well as specify
+the minimum key length for each technology.
+
+In the Admin area under **Settings** (`/admin/application_settings`), look for
+the "Visibility and Access Controls" area:
+
+![SSH keys restriction admin settings](img/ssh_keys_restrictions_settings.png)