Merge branch 'support_ecdsa-sk_and_ed25519-sk_ssh_keys' into 'master'

Support "ecdsa-sk" and "ed25519-sk" SSH keys See merge request gitlab-org/gitlab!78934

Merge branch 'support_ecdsa-sk_and_ed25519-sk_ssh_keys' into 'master'
Support "ecdsa-sk" and "ed25519-sk" SSH keys See merge request gitlab-org/gitlab!78934
47ab3dd0 · Alex Pooley · 1bf766cd · 782a634c · 47ab3dd0 · 47ab3dd0
Commit 47ab3dd0 authored Feb 04, 2022 by Alex Pooley
21 changed files
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -234,7 +234,9 @@ module ApplicationSettingsHelper
      :outbound_local_requests_allowlist_raw,
      :dsa_key_restriction,
      :ecdsa_key_restriction,
+      :ecdsa_sk_key_restriction,
      :ed25519_key_restriction,
+      :ed25519_sk_key_restriction,
      :eks_integration_enabled,
      :eks_account_id,
      :eks_access_key_id,

--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -69,7 +69,9 @@ module ApplicationSettingImplementation
        domain_allowlist: Settings.gitlab['domain_allowlist'],
        dsa_key_restriction: 0,
        ecdsa_key_restriction: 0,
+        ecdsa_sk_key_restriction: 0,
        ed25519_key_restriction: 0,
+        ed25519_sk_key_restriction: 0,
        eks_access_key_id: nil,
        eks_account_id: nil,
        eks_integration_enabled: false,

--- a/db/migrate/20220128093756_add_ecdsa_sk_and_ed25519_sk_key_restrictions_to_application_settings.rb
+++ b/db/migrate/20220128093756_add_ecdsa_sk_and_ed25519_sk_key_restrictions_to_application_settings.rb
+# frozen_string_literal: true
+class AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings < Gitlab::Database::Migration[1.0]
+  enable_lock_retries!
+  def change
+    add_column :application_settings, :ecdsa_sk_key_restriction, :integer, default: 0, null: false
+    add_column :application_settings, :ed25519_sk_key_restriction, :integer, default: 0, null: false
+  end
+end
--- a/db/schema_migrations/20220128093756
+++ b/db/schema_migrations/20220128093756
+787b1be4b69ef0eeb049ee6a3d7126dc75094b79fba18f469fffe78b16fce6a3
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -10617,6 +10617,8 @@ CREATE TABLE application_settings (
    runner_token_expiration_interval integer,
    group_runner_token_expiration_interval integer,
    project_runner_token_expiration_interval integer,
+    ecdsa_sk_key_restriction integer DEFAULT 0 NOT NULL,
+    ed25519_sk_key_restriction integer DEFAULT 0 NOT NULL,
    CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
    CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
    CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -65,6 +65,8 @@ Example response:
  "dsa_key_restriction": 0,
  "ecdsa_key_restriction": 0,
  "ed25519_key_restriction": 0,
+  "ecdsa_sk_key_restriction": 0,
+  "ed25519_sk_key_restriction": 0,
  "first_day_of_week": 0,
  "enforce_terms": true,
  "terms": "Hello world!",
@@ -166,6 +168,8 @@ Example response:
  "dsa_key_restriction": 0,
  "ecdsa_key_restriction": 0,
  "ed25519_key_restriction": 0,
+  "ecdsa_sk_key_restriction": 0,
+  "ed25519_sk_key_restriction": 0,
  "first_day_of_week": 0,
  "enforce_terms": true,
  "terms": "Hello world!",
@@ -268,7 +272,9 @@ listed in the descriptions of the relevant settings.
 | `domain_allowlist`                       | array of strings | no                                   | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
 | `dsa_key_restriction`                    | integer          | no                                   | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
 | `ecdsa_key_restriction`                  | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
+| `ecdsa_sk_key_restriction`               | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. |
 | `ed25519_key_restriction`                | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
+| `ed25519_sk_key_restriction`             | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ED25519_SK key. Default is `0` (no restriction). `-1` disables ED25519_SK keys. |
 | `eks_access_key_id`                      | string           | no                                   | AWS IAM access key ID. |
 | `eks_account_id`                         | string           | no                                   | Amazon account ID. |
 | `eks_integration_enabled`                | boolean          | no                                   | Enable integration with Amazon EKS. |

--- a/doc/push_rules/push_rules.md
+++ b/doc/push_rules/push_rules.md
@@ -172,7 +172,7 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
  - `id_dsa`
  - `.id_dsa`
- Private ed25519 SSH keys:
+- Private ED25519 SSH keys:
  - `/ssh/id_ed25519`
  - `/.ssh/personal_ed25519`
@@ -188,6 +188,22 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
  - `id_ecdsa`
  - `.id_ecdsa`
+- Private ECDSA_SK SSH keys (GitLab 14.8 and later):
+  - `/ssh/id_ecdsa_sk`
+  - `/.ssh/personal_ecdsa_sk`
+  - `/config/server_ecdsa_sk`
+  - `id_ecdsa_sk`
+  - `.id_ecdsa_sk`
+- Private ED25519_SK SSH keys (GitLab 14.8 and later):
+  - `/ssh/id_ed25519_sk`
+  - `/.ssh/personal_ed25519_sk`
+  - `/config/server_ed25519_sk`
+  - `id_ed25519_sk`
+  - `.id_ed25519_sk`
 - Any files ending with these suffixes:
  - `*.pem`

--- a/doc/security/ssh_keys_restrictions.md
+++ b/doc/security/ssh_keys_restrictions.md
@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key
 strength, either to satisfy internal security policy or for regulatory
 compliance.
-Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
+Similarly, certain standards groups recommend using RSA, ECDSA, ED25519,
-the older DSA, and administrators may need to limit the allowed SSH key
+ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to
-algorithms.
+limit the allowed SSH key algorithms.
 GitLab allows you to restrict the allowed SSH key technology as well as specify
 the minimum key length for each technology:
@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the
 - DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
 - ECDSA SSH keys are allowed.
 - ED25519 SSH keys are allowed.
+- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
+- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
 <!-- ## Troubleshooting

--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again.
 WARNING:
 This feature might not be available to you. Check the **version history** note above for details.
-Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP)
+Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using
-verification can be done via a GitLab Shell command:
+[ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead.
+The one-time password (OTP) verification can be done using a command:
 ```shell
 ssh git@<hostname> 2fa_verify

--- a/doc/ssh/index.md
+++ b/doc/ssh/index.md
@@ -28,6 +28,8 @@ To view the version of SSH installed on your system, run `ssh -V`.
 To communicate with GitLab, you can use the following SSH key types:
 - [ED25519](#ed25519-ssh-keys)
+- [ED25519_SK](#ed25519_sk-ssh-keys) (Available in GitLab 14.8 and later.)
+- [ECDSA_SK](#ecdsa_sk-ssh-keys) (Available in GitLab 14.8 and later.)
 - [RSA](#rsa-ssh-keys)
 - DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.)
 - ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.)
@@ -42,6 +44,20 @@ suggests that [ED25519](https://ed25519.cr.yp.to/) keys are more secure and perf
 OpenSSH 6.5 introduced ED25519 SSH keys in 2014 and they should be available on most
 operating systems.
+### ED25519_SK SSH keys
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
+To use ED25519_SK SSH keys on GitLab, your local client and GitLab server
+must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
+### ECDSA_SK SSH keys
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
+To use ECDSA_SK SSH keys on GitLab, your local client and GitLab server
+must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
 ### RSA SSH keys
 Available documentation suggests that ED25519 is more secure than RSA.
@@ -64,6 +80,8 @@ Before you create a key pair, see if a key pair already exists.
   | Algorithm | Public key | Private key |
   | --------- | ---------- | ----------- |
   |  ED25519 (preferred)  | `id_ed25519.pub` | `id_ed25519` |
+   |  ED25519_SK | `id_ed25519_sk.pub` | `id_ed25519_sk` |
+   |  ECDSA_SK | `id_ecdsa_sk.pub` | `id_ecdsa_sk` |
   |  RSA (at least 2048-bit key size)     | `id_rsa.pub` | `id_rsa` |
   |  DSA (deprecated)      | `id_dsa.pub` | `id_dsa` |
   |  ECDSA    | `id_ecdsa.pub` | `id_ecdsa` |
@@ -177,6 +195,67 @@ OpenSSH format.
   ssh-keygen -o -t rsa -b 4096 -C "<comment>"
   ```
+## Generate an SSH key pair for a FIDO/U2F hardware security key
+To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later.
+1. Insert a hardware security key into your computer.
+1. Open a terminal.
+1. Type `ssh-keygen -t` followed by the key type and an optional comment.
+   This comment is included in the `.pub` file that's created.
+   You may want to use an email address for the comment.
+   For example, for ED25519_SK:
+   ```shell
+   ssh-keygen -t ed25519-sk -C "<comment>"
+   ```
+   For ECDSA_SK:
+   ```shell
+   ssh-keygen -t ecdsa-sk -C "<comment>"
+   ```
+   If your security key supports FIDO2 resident keys, you can enable this when
+   creating your SSH key:
+   ```shell
+   ssh-keygen -t ed25519-sk -O resident -C "<comment>"
+   ```
+   `-O resident` indicates that the key should be stored on the FIDO authenticator itself.
+   Resident key is easier to import to a new computer because it can be loaded directly
+   from the security key by [`ssh-add -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-add.1#K)
+   or  [`ssh-keygen -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-keygen#K).
+1. Select Enter. Output similar to the following is displayed:
+   ```plaintext
+   Generating public/private ed25519-sk key pair.
+   You may need to touch your authenticator to authorize key generation.
+   ```
+1. Touch the button on the hardware security key.
+1. Accept the suggested filename and directory:
+   ```plaintext
+   Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
+   ```
+1. Specify a [passphrase](https://www.ssh.com/academy/ssh/passphrase):
+   ```plaintext
+   Enter passphrase (empty for no passphrase):
+   Enter same passphrase again:
+   ```
+1. A confirmation is displayed, including information about where your files are stored.
+A public and private key are generated.
+[Add the public SSH key to your GitLab account](#add-an-ssh-key-to-your-gitlab-account).
 ## Add an SSH key to your GitLab account
 To use SSH with GitLab, copy your public key to your GitLab account.
@@ -210,7 +289,8 @@ To use SSH with GitLab, copy your public key to your GitLab account.
 1. On the left sidebar, select **SSH Keys**.
 1. In the **Key** box, paste the contents of your public key.
   If you manually copied the key, make sure you copy the entire key,
-   which starts with `ssh-ed25519` or `ssh-rsa`, and may end with a comment.
+   which starts with `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`,
+   `ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, or `sk-ssh-ed25519@openssh.com`, and may end with a comment.
 1. In the **Title** box, type a description, like `Work Laptop` or
   `Home Workstation`.
 1. Optional. In the **Expires at** box, select an expiration date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36243) in GitLab 12.9.)
@@ -318,7 +398,8 @@ on the files make them readable to you but not accessible to others.
 ## Configure two-factor authentication (2FA)
 You can set up two-factor authentication (2FA) for
-[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations).
+[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations). We recommend using
+[ED25519_SK](#ed25519_sk-ssh-keys) or [ECDSA_SK](#ecdsa_sk-ssh-keys) SSH keys.
 ## Use EGit on Eclipse

--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -280,7 +280,7 @@ NOTE:
 SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
 other related settings.
-## Configure defaults for RSA, DSA, ECDSA, ED25519 SSH keys
+## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
 These options specify the permitted types and lengths for SSH keys.

--- a/ee/lib/gitlab/checks/files_denylist.yml
+++ b/ee/lib/gitlab/checks/files_denylist.yml
@@ -7,13 +7,15 @@
 - aws\/credentials$
-# RSA DSA ECSDA and ED25519 SSH keys
+# RSA, DSA, ECSDA, ED25519, ECDSA_SK, ED25519_SK SSH keys
- (ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa)
+- (ssh|config)\/(personal|server)_(rsa|dsa|ed25519|ecdsa|ecdsa_sk|ed25519_sk)
 - id_rsa$
 - id_dsa$
 - id_ed25519$
 - id_ecdsa$
+- id_ecdsa_sk$
+- id_ed25519_sk$
 # privatekey.pem and secret.key

--- a/lib/gitlab/ssh_public_key.rb
+++ b/lib/gitlab/ssh_public_key.rb
@@ -10,7 +10,9 @@ module Gitlab
      Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w(ssh-rsa)),
      Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w(ssh-dss)),
      Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)),
-      Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519))
+      Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)),
+      Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w(sk-ecdsa-sha2-nistp256@openssh.com)),
+      Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
    ].freeze
    def self.technology(name)
@@ -98,6 +100,10 @@ module Gitlab
        key.openssl.group.order.num_bits
      when :ed25519
        256
+      when :ecdsa_sk
+        256
+      when :ed25519_sk
+        256
      end
    end

--- a/spec/factories/keys.rb
+++ b/spec/factories/keys.rb
@@ -148,5 +148,24 @@ FactoryBot.define do
        KEY
      end
    end
+    factory :ecdsa_sk_key_256 do
+      key do
+        <<~KEY.delete("\n")
+          sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyN
+          TZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDZ+f5tSRhlB7EN39f93SscTN5PUv
+          bD3UQsNrlE1ZdbwPMMRul2zlPiUvwAvnJitW0jlD/vwZOW2YN+q+iZ5c0MAAAAEc3NoOg== dummy@gitlab.com
+        KEY
+      end
+    end
+    factory :ed25519_sk_key_256 do
+      key do
+        <<~KEY.delete("\n")
+          sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tA
+          AAAIEX/dQ0v4127bEo8eeG1EV0ApO2lWbSnN6RWusn/NjqIAAAABHNzaDo= dummy@gitlab.com
+        KEY
+      end
+    end
  end
 end
--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -85,6 +85,8 @@ RSpec.describe 'Admin updates settings' do
          select 'Are allowed', from: 'DSA SSH keys'
          select 'Must be at least 384 bits', from: 'ECDSA SSH keys'
          select 'Are forbidden', from: 'ED25519 SSH keys'
+          select 'Are forbidden', from: 'ECDSA_SK SSH keys'
+          select 'Are forbidden', from: 'ED25519_SK SSH keys'
          click_on 'Save changes'
        end
@@ -95,6 +97,8 @@ RSpec.describe 'Admin updates settings' do
        expect(find_field('DSA SSH keys').value).to eq('0')
        expect(find_field('ECDSA SSH keys').value).to eq('384')
        expect(find_field('ED25519 SSH keys').value).to eq(forbidden)
+        expect(find_field('ECDSA_SK SSH keys').value).to eq(forbidden)
+        expect(find_field('ED25519_SK SSH keys').value).to eq(forbidden)
      end
      it 'change Account and Limit Settings' do

--- a/spec/features/profiles/keys_spec.rb
+++ b/spec/features/profiles/keys_spec.rb
@@ -49,7 +49,12 @@ RSpec.describe 'Profile > SSH Keys' do
    context 'when only DSA and ECDSA keys are allowed' do
      before do
        forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
-        stub_application_setting(rsa_key_restriction: forbidden, ed25519_key_restriction: forbidden)
+        stub_application_setting(
+          rsa_key_restriction: forbidden,
+          ed25519_key_restriction: forbidden,
+          ecdsa_sk_key_restriction: forbidden,
+          ed25519_sk_key_restriction: forbidden
+        )
      end
      it 'shows a validation error' do

--- a/spec/helpers/ssh_keys_helper_spec.rb
+++ b/spec/helpers/ssh_keys_helper_spec.rb
@@ -17,9 +17,9 @@ RSpec.describe SshKeysHelper do
    end
    it 'returns only allowed algorithms' do
-      expect(ssh_key_allowed_algorithms).to match('ed25519')
+      expect(ssh_key_allowed_algorithms).to match('rsa')
-      stub_application_setting(ed25519_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
+      stub_application_setting(rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
-      expect(ssh_key_allowed_algorithms).not_to match('ed25519')
+      expect(ssh_key_allowed_algorithms).not_to match('rsa')
    end
  end
 end
--- a/spec/lib/gitlab/ssh_public_key_spec.rb
+++ b/spec/lib/gitlab/ssh_public_key_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
    end
    where(:name) do
-      [:rsa, :dsa, :ecdsa, :ed25519]
+      [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
    end
    with_them do
@@ -24,7 +24,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
  describe '.supported_types' do
    it 'returns array with the names of supported technologies' do
      expect(described_class.supported_types).to eq(
-        [:rsa, :dsa, :ecdsa, :ed25519]
+        [:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
      )
    end
  end
@@ -35,7 +35,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa, [1024, 2048, 3072, 4096]],
        [:dsa, [1024, 2048, 3072]],
        [:ecdsa, [256, 384, 521]],
-        [:ed25519, [256]]
+        [:ed25519, [256]],
+        [:ecdsa_sk, [256]],
+        [:ed25519_sk, [256]]
      ]
    end
@@ -53,6 +55,8 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        ssh-dss
        ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
        ssh-ed25519
+        sk-ecdsa-sha2-nistp256@openssh.com
+        sk-ssh-ed25519@openssh.com
        )
      )
    end
@@ -64,7 +68,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa, %w(ssh-rsa)],
        [:dsa, %w(ssh-dss)],
        [:ecdsa, %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)],
-        [:ed25519, %w(ssh-ed25519)]
+        [:ed25519, %w(ssh-ed25519)],
+        [:ecdsa_sk, %w(sk-ecdsa-sha2-nistp256@openssh.com)],
+        [:ed25519_sk, %w(sk-ssh-ed25519@openssh.com)]
      ]
    end
@@ -122,7 +128,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
           rsa_key_8192
           dsa_key_2048
           ecdsa_key_256
-           ed25519_key_256)
+           ed25519_key_256
+           ecdsa_sk_key_256
+           ed25519_sk_key_256)
      end
      with_them do
@@ -201,7 +209,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa_key_2048, :rsa],
        [:dsa_key_2048, :dsa],
        [:ecdsa_key_256, :ecdsa],
-        [:ed25519_key_256, :ed25519]
+        [:ed25519_key_256, :ed25519],
+        [:ecdsa_sk_key_256, :ecdsa_sk],
+        [:ed25519_sk_key_256, :ed25519_sk]
      ]
    end
@@ -231,7 +241,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa_key_8192, 8192],
        [:dsa_key_2048, 2048],
        [:ecdsa_key_256, 256],
-        [:ed25519_key_256, 256]
+        [:ed25519_key_256, 256],
+        [:ecdsa_sk_key_256, 256],
+        [:ed25519_sk_key_256, 256]
      ]
    end
@@ -261,7 +273,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa_key_8192, 'fb:53:7f:e9:2f:f7:17:aa:c8:32:52:06:8e:05:e2:82'],
        [:dsa_key_2048, 'c8:85:1e:df:44:0f:20:00:3c:66:57:2b:21:10:5a:27'],
        [:ecdsa_key_256, '67:a3:a9:7d:b8:e1:15:d4:80:40:21:34:bb:ed:97:38'],
-        [:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73']
+        [:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73'],
+        [:ecdsa_sk_key_256, '56:b9:bc:99:3d:2f:cf:63:6b:70:d8:f9:40:7e:09:4c'],
+        [:ed25519_sk_key_256, 'f9:a0:64:0b:4b:72:72:0e:62:92:d7:04:14:74:1c:c9']
      ]
    end
@@ -289,7 +303,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
        [:rsa_key_8192, 'SHA256:CtHFQAS+9Hb8z4vrv4gVQPsHjNN0WIZhWODaB1mQLs4'],
        [:dsa_key_2048, 'SHA256:+a3DQ7cU5GM+gaYOfmc0VWNnykHQSuth3VRcCpWuYNI'],
        [:ecdsa_key_256, 'SHA256:C+I5k3D+IGeM6k5iBR1ZsphqTKV+7uvL/XZ5hcrTr7g'],
-        [:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0']
+        [:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0'],
+        [:ecdsa_sk_key_256, 'SHA256:N0sNKBgWKK8usPuPegtgzHQQA9vQ/dRhAEhwFDAnLA4'],
+        [:ed25519_sk_key_256, 'SHA256:U8IKRkIHed6vFMTflwweA3HhIf2DWgZ8EFTm9fgwOUk']
      ]
    end

--- a/spec/models/key_spec.rb
+++ b/spec/models/key_spec.rb
@@ -20,6 +20,8 @@ RSpec.describe Key, :mailer do
    it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
    it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
    it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
+    it { is_expected.to allow_value(attributes_for(:ecdsa_sk_key_256)[:key]).for(:key) }
+    it { is_expected.to allow_value(attributes_for(:ed25519_sk_key_256)[:key]).for(:key) }
    it { is_expected.not_to allow_value('foo-bar').for(:key) }
    context 'key format' do
@@ -187,10 +189,12 @@ RSpec.describe Key, :mailer do
      forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
      [
-        [:rsa_key_2048,    0, true],
+        [:rsa_key_2048,       0, true],
-        [:dsa_key_2048,    0, true],
+        [:dsa_key_2048,       0, true],
-        [:ecdsa_key_256,   0, true],
+        [:ecdsa_key_256,      0, true],
-        [:ed25519_key_256, 0, true],
+        [:ed25519_key_256,    0, true],
+        [:ecdsa_sk_key_256,   0, true],
+        [:ed25519_sk_key_256, 0, true],
        [:rsa_key_2048, 1024, true],
        [:rsa_key_2048, 2048, true],
@@ -206,10 +210,18 @@ RSpec.describe Key, :mailer do
        [:ed25519_key_256, 256, true],
        [:ed25519_key_256, 384, false],
-        [:rsa_key_2048,    forbidden, false],
+        [:ecdsa_sk_key_256, 256, true],
-        [:dsa_key_2048,    forbidden, false],
+        [:ecdsa_sk_key_256, 384, false],
-        [:ecdsa_key_256,   forbidden, false],
-        [:ed25519_key_256, forbidden, false]
+        [:ed25519_sk_key_256, 256, true],
+        [:ed25519_sk_key_256, 384, false],
+        [:rsa_key_2048,       forbidden, false],
+        [:dsa_key_2048,       forbidden, false],
+        [:ecdsa_key_256,      forbidden, false],
+        [:ed25519_key_256,    forbidden, false],
+        [:ecdsa_sk_key_256,   forbidden, false],
+        [:ed25519_sk_key_256, forbidden, false]
      ]
    end

--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -32,6 +32,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
      expect(json_response['dsa_key_restriction']).to eq(0)
      expect(json_response['ecdsa_key_restriction']).to eq(0)
      expect(json_response['ed25519_key_restriction']).to eq(0)
+      expect(json_response['ecdsa_sk_key_restriction']).to eq(0)
+      expect(json_response['ed25519_sk_key_restriction']).to eq(0)
      expect(json_response['performance_bar_allowed_group_id']).to be_nil
      expect(json_response['allow_local_requests_from_hooks_and_services']).to be(false)
      expect(json_response['allow_local_requests_from_web_hooks_and_services']).to be(false)
@@ -111,6 +113,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
            dsa_key_restriction: 2048,
            ecdsa_key_restriction: 384,
            ed25519_key_restriction: 256,
+            ecdsa_sk_key_restriction: 256,
+            ed25519_sk_key_restriction: 256,
            enforce_terms: true,
            terms: 'Hello world!',
            performance_bar_allowed_group_path: group.full_path,
@@ -163,6 +167,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
        expect(json_response['dsa_key_restriction']).to eq(2048)
        expect(json_response['ecdsa_key_restriction']).to eq(384)
        expect(json_response['ed25519_key_restriction']).to eq(256)
+        expect(json_response['ecdsa_sk_key_restriction']).to eq(256)
+        expect(json_response['ed25519_sk_key_restriction']).to eq(256)
        expect(json_response['enforce_terms']).to be(true)
        expect(json_response['terms']).to eq('Hello world!')
        expect(json_response['performance_bar_allowed_group_id']).to eq(group.id)

--- a/spec/views/profiles/keys/_key.html.haml_spec.rb
+++ b/spec/views/profiles/keys/_key.html.haml_spec.rb
@@ -90,8 +90,8 @@ RSpec.describe 'profiles/keys/_key.html.haml' do
      using RSpec::Parameterized::TableSyntax
      where(:valid, :expiry, :result) do
-        false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
+        false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
-        false | 2.days.ago      | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
+        false | 2.days.ago      | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
        true  | 2.days.ago      | 'Key usable beyond expiration date.'
        true  | 2.days.from_now | ''
      end