Diffstat (limited to 'lib/gitlab/ssh_public_key.rb')
-rw-r--r--lib/gitlab/ssh_public_key.rb27
1 files changed, 27 insertions, 0 deletions
diff --git a/lib/gitlab/ssh_public_key.rb b/lib/gitlab/ssh_public_key.rb
index 78682a89655..e9c8e816f18 100644
--- a/lib/gitlab/ssh_public_key.rb
+++ b/lib/gitlab/ssh_public_key.rb
@@ -15,6 +15,29 @@ module Gitlab
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
].freeze
+ BANNED_SSH_KEY_FINGERPRINTS = [
+ # https://github.com/rapid7/ssh-badkeys/tree/master/authorized
+ # banned ssh rsa keys
+ "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
+ "SHA256:uy5wXyEgbRCGsk23+J6f85om7G55Cu3UIPwC7oMZhNQ",
+ "SHA256:9prMbqhS4QteoFQ1ZRJDqSBLWoHXPyKB0iWR05Ghro4",
+ "SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA",
+
+ # banned ssh dsa keys
+ "SHA256:/JLp6z6uGE3BPcs70RQob6QOdEWQ6nDC0xY7ejPOCc0",
+ "SHA256:whDP3xjKBEettbDuecxtGsfWBST+78gb6McdB9P7jCU",
+ "SHA256:MEc4HfsOlMqJ3/9QMTmrKn5Xj/yfnMITMW8EwfUfTww",
+ "SHA256:aPoYT2nPIfhqv6BIlbCCpbDjirBxaDFOtPfZ2K20uWw",
+ "SHA256:VtjqZ5fiaeoZ3mXOYi49Lk9aO31iT4pahKFP9JPiQPc",
+
+ # other banned ssh keys
+ # https://github.com/BenBE/kompromat/commit/c8d9a05ea155a1ed609c617d4516f0ac978e8559
+ "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
+
+ # https://www.ctrlu.net/vuln/0006.html
+ "SHA256:2ewGtK7Dc8XpnfNKShczdc8HSgoEGpoX+MiJkfH2p5I"
+ ].to_set.freeze
+
def self.technologies
if Gitlab::FIPS.enabled?
Gitlab::FIPS::SSH_KEY_TECHNOLOGIES
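Review bot: `SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM` appears twice in BANNED_SSH_KEY_FINGERPRINTS, as the first rsa entry and again under the kompromat comment; `to_set` collapses the duplicate so the lookup is unaffected, but the second occurrence should either be dropped or carry a comment such as `# same key as the first rsa entry above, also listed in kompromat` so a later cleanup does not delete one copy believing the ban is gone. The whole ban also depends on these strings matching exactly what `fingerprint_sha256` returns (the `SHA256:` prefix and unpadded base64), which is not visible in this hunk; because a format mismatch fails silently as `banned?` returning false, a spec that builds a key whose fingerprint is in this set and asserts `banned?` would pin that contract. A short comment on the constant stating the expected format, e.g. `# OpenSSH-style fingerprints ("SHA256:" + unpadded base64); entries must match fingerprint_sha256 exactly`, would help whoever adds the next entry.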
@@ -115,6 +138,10 @@ module Gitlab
end
end
+ def banned?
+ BANNED_SSH_KEY_FINGERPRINTS.include?(fingerprint_sha256)
+ end
+
private
def technology