Diffstat (limited to 'lib/gitlab/ssh_public_key.rb')
-rw-r--r--lib/gitlab/ssh_public_key.rb37
1 files changed, 13 insertions, 24 deletions
diff --git a/lib/gitlab/ssh_public_key.rb b/lib/gitlab/ssh_public_key.rb
index e9c8e816f18..707f7f3fc0a 100644
--- a/lib/gitlab/ssh_public_key.rb
+++ b/lib/gitlab/ssh_public_key.rb
@@ -2,6 +2,8 @@
module Gitlab
class SSHPublicKey
+ include Gitlab::Utils::StrongMemoize
+
Technology = Struct.new(:name, :key_class, :supported_sizes, :supported_algorithms)
# See https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT for the list of
@@ -15,29 +17,6 @@ module Gitlab
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
].freeze
- BANNED_SSH_KEY_FINGERPRINTS = [
- # https://github.com/rapid7/ssh-badkeys/tree/master/authorized
- # banned ssh rsa keys
- "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
- "SHA256:uy5wXyEgbRCGsk23+J6f85om7G55Cu3UIPwC7oMZhNQ",
- "SHA256:9prMbqhS4QteoFQ1ZRJDqSBLWoHXPyKB0iWR05Ghro4",
- "SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA",
-
- # banned ssh dsa keys
- "SHA256:/JLp6z6uGE3BPcs70RQob6QOdEWQ6nDC0xY7ejPOCc0",
- "SHA256:whDP3xjKBEettbDuecxtGsfWBST+78gb6McdB9P7jCU",
- "SHA256:MEc4HfsOlMqJ3/9QMTmrKn5Xj/yfnMITMW8EwfUfTww",
- "SHA256:aPoYT2nPIfhqv6BIlbCCpbDjirBxaDFOtPfZ2K20uWw",
- "SHA256:VtjqZ5fiaeoZ3mXOYi49Lk9aO31iT4pahKFP9JPiQPc",
-
- # other banned ssh keys
- # https://github.com/BenBE/kompromat/commit/c8d9a05ea155a1ed609c617d4516f0ac978e8559
- "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
-
- # https://www.ctrlu.net/vuln/0006.html
- "SHA256:2ewGtK7Dc8XpnfNKShczdc8HSgoEGpoX+MiJkfH2p5I"
- ].to_set.freeze
-
def self.technologies
if Gitlab::FIPS.enabled?
Gitlab::FIPS::SSH_KEY_TECHNOLOGIES
@@ -139,11 +118,21 @@ module Gitlab
end
def banned?
- BANNED_SSH_KEY_FINGERPRINTS.include?(fingerprint_sha256)
+ return false unless valid?
+
+ banned_ssh_keys.fetch(type.to_s, []).include?(fingerprint_sha256)
end
private
+ def banned_ssh_keys
+ path = Rails.root.join('config/security/banned_ssh_keys.yml')
+ config = YAML.load_file(path) if File.exist?(path)
+
+ config || {}
+ end
+ strong_memoize_attr :banned_ssh_keys
+
def technology
@technology ||=
self.class.technology_for_key(key) || raise_unsupported_key_type_error
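Review bot: `banned_ssh_keys` reads the file with `YAML.load_file`, which on older Psych versions deserializes arbitrary Ruby objects; a file holding lists of fingerprint strings needs nothing beyond `YAML.safe_load_file(path)`, and the narrower loader also documents that only plain data is expected there. The method also assumes the document root is a Hash: `config || {}` guards only against an empty or missing file, so a document whose root is a list would raise NoMethodError on `fetch` inside `banned?`, and `config.is_a?(Hash) ? config : {}` (or raising with the path in the message) would make that contract explicit. Because `strong_memoize_attr` memoizes per instance, the file is read and parsed again for every SSHPublicKey object; whether a class-level cache is warranted depends on call sites outside this hunk. A short comment above the method saying that the YAML hash keys must match `type.to_s` would help, since `banned?` silently treats a missing key as "nothing banned" for that key type.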