Diffstat (limited to 'lib/gitlab/ssh_public_key.rb')
-rw-r--r-- | lib/gitlab/ssh_public_key.rb | 37 |
1 files changed, 13 insertions, 24 deletions
diff --git a/lib/gitlab/ssh_public_key.rb b/lib/gitlab/ssh_public_key.rb
index e9c8e816f18..707f7f3fc0a 100644
--- a/lib/gitlab/ssh_public_key.rb
+++ b/lib/gitlab/ssh_public_key.rb
@@ -2,6 +2,8 @@ module Gitlab
 class SSHPublicKey
+ include Gitlab::Utils::StrongMemoize
+
 Technology = Struct.new(:name, :key_class, :supported_sizes, :supported_algorithms)
 # See https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT for the list of
@@ -15,29 +17,6 @@ module Gitlab
 Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
 ].freeze
- BANNED_SSH_KEY_FINGERPRINTS = [
- # https://github.com/rapid7/ssh-badkeys/tree/master/authorized
- # banned ssh rsa keys
- "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
- "SHA256:uy5wXyEgbRCGsk23+J6f85om7G55Cu3UIPwC7oMZhNQ",
- "SHA256:9prMbqhS4QteoFQ1ZRJDqSBLWoHXPyKB0iWR05Ghro4",
- "SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA",
-
- # banned ssh dsa keys
- "SHA256:/JLp6z6uGE3BPcs70RQob6QOdEWQ6nDC0xY7ejPOCc0",
- "SHA256:whDP3xjKBEettbDuecxtGsfWBST+78gb6McdB9P7jCU",
- "SHA256:MEc4HfsOlMqJ3/9QMTmrKn5Xj/yfnMITMW8EwfUfTww",
- "SHA256:aPoYT2nPIfhqv6BIlbCCpbDjirBxaDFOtPfZ2K20uWw",
- "SHA256:VtjqZ5fiaeoZ3mXOYi49Lk9aO31iT4pahKFP9JPiQPc",
-
- # other banned ssh keys
- # https://github.com/BenBE/kompromat/commit/c8d9a05ea155a1ed609c617d4516f0ac978e8559
- "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
-
- # https://www.ctrlu.net/vuln/0006.html
- "SHA256:2ewGtK7Dc8XpnfNKShczdc8HSgoEGpoX+MiJkfH2p5I"
- ].to_set.freeze
-
 def self.technologies
 if Gitlab::FIPS.enabled?
 Gitlab::FIPS::SSH_KEY_TECHNOLOGIES
@@ -139,11 +118,21 @@ module Gitlab
 end
 def banned?
- BANNED_SSH_KEY_FINGERPRINTS.include?(fingerprint_sha256)
+ return false unless valid?
+
+ banned_ssh_keys.fetch(type.to_s, []).include?(fingerprint_sha256)
 end
 private
+ def banned_ssh_keys
+ path = Rails.root.join('config/security/banned_ssh_keys.yml')
+ config = YAML.load_file(path) if File.exist?(path)
+
+ config || {}
+ end
+ strong_memoize_attr :banned_ssh_keys
+
 def technology
 @technology ||= self.class.technology_for_key(key) || raise_unsupported_key_type_error |
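Review bot: `banned_ssh_keys` is memoized with `strong_memoize_attr` on the instance, so if that helper caches per object (its placement under `private` next to `@technology ||=` suggests it does) the YAML file is re-read and re-parsed for every `SSHPublicKey` that calls `banned?`, whereas the removed `BANNED_SSH_KEY_FINGERPRINTS` constant paid that cost once; a class-level cache keyed on the path would restore that. The method also has no comment stating the file shape the lookup relies on; I would add `# Hash of key type (e.g. "rsa", as produced by type.to_s) => Array of "SHA256:..." fingerprints, loaded from config/security/banned_ssh_keys.yml; a missing or empty file yields {}.` Because lookup is now by `type.to_s`, a fingerprint the old list banned regardless of algorithm (the former "other banned ssh keys" group) must be listed under every type key it should block, and a top-level YAML value that is not a Hash would raise on `fetch` rather than fail closed. The file is repository-controlled, but `config = YAML.safe_load_file(path) if File.exist?(path)` keeps the loader from instantiating arbitrary Ruby objects independent of the installed Psych version. The `technology` method at the end of the hunk continues outside it.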