Commit e1654e44 authored by Dan Jensen, committed by Evan Read

Deprecate option to disable SSH expiration

This announces the deprecation of the option to disable enforcement
of expiration on SSH keys at the administrator level.
parent 8bb6656b
- name: "Optional enforcement of SSH expiration" # The name of the feature to be deprecated
announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone: "15.0" # The milestone when this feature is planned to be removed
removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
breaking_change: true # If this deprecation is a breaking change, set this value to true
reporter: djensen # GitLab username of the person reporting the deprecation
body: | # Do not modify this line, instead modify the lines below.
The feature to disable enforcement of SSH expiration is unusual from a security perspective.
We have become concerned that this unusual feature could create unexpected behavior for users.
Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/351963" # (optional) This is a link to the deprecation issue in GitLab
documentation_url: "https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#allow-expired-ssh-keys-to-be-used-deprecated" # (optional) This is a link to the current documentation page
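Review bot: The `body` text explains why the option is being removed but not what changes for an instance that has it turned on, even though `breaking_change` is `true`. State the resulting behaviour (with the option gone, expiration is presumably always enforced and expired SSH keys stop working) and what administrators who currently allow expired keys should do before upgrading to 15.0, such as having users renew or replace those keys.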
...@@ -219,7 +219,7 @@ To use SSH with GitLab, copy your public key to your GitLab account. ...@@ -219,7 +219,7 @@ To use SSH with GitLab, copy your public key to your GitLab account.
you from using the key. Administrators can view expiration dates and use them for you from using the key. Administrators can view expiration dates and use them for
guidance when [deleting keys](../user/admin_area/credentials_inventory.md#delete-a-users-ssh-key). guidance when [deleting keys](../user/admin_area/credentials_inventory.md#delete-a-users-ssh-key).
- GitLab 14.0 and later, the expiration date is enforced. Administrators can - GitLab 14.0 and later, the expiration date is enforced. Administrators can
[allow expired keys to be used](../user/admin_area/settings/account_and_limit_settings.md#allow-expired-ssh-keys-to-be-used). [allow expired keys to be used](../user/admin_area/settings/account_and_limit_settings.md#allow-expired-ssh-keys-to-be-used-deprecated).
- GitLab checks all SSH keys at 02:00 AM UTC every day. It emails an expiration notice for all SSH keys that expire on the current date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.) - GitLab checks all SSH keys at 02:00 AM UTC every day. It emails an expiration notice for all SSH keys that expire on the current date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.)
- GitLab checks all SSH keys at 01:00 AM UTC every day. It emails an expiration notice for all SSH keys that are scheduled to expire seven days from now. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.) - GitLab checks all SSH keys at 01:00 AM UTC every day. It emails an expiration notice for all SSH keys that are scheduled to expire seven days from now. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.)
1. Select **Add key**. 1. Select **Add key**.
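Review bot: In the "GitLab 14.0 and later" bullet only the link anchor changes, so the sentence still presents "allow expired keys to be used" as a current administrator option with no sign that it is deprecated. Consider adding "(deprecated in GitLab 14.8)" to that sentence so readers of the SSH page see the status without following the link.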
......
...@@ -767,6 +767,20 @@ Unexpected behavior in a security feature is inherently dangerous, so we have de ...@@ -767,6 +767,20 @@ Unexpected behavior in a security feature is inherently dangerous, so we have de
**Planned removal milestone: 15.0 (2022-05-22)** **Planned removal milestone: 15.0 (2022-05-22)**
### Optional enforcement of SSH expiration
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The feature to disable enforcement of SSH expiration is unusual from a security perspective.
We have become concerned that this unusual feature could create unexpected behavior for users.
Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
**Planned removal milestone: 15.0 (2022-05-22)**
### Querying Usage Trends via the `instanceStatisticsMeasurements` GraphQL node ### Querying Usage Trends via the `instanceStatisticsMeasurements` GraphQL node
WARNING: WARNING:
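Review bot: The added "Optional enforcement of SSH expiration" section links neither to the setting it deprecates nor to the deprecation issue, although the YAML entry records both in `documentation_url` and `issue_url`. The warning asks readers to "review the details carefully", so the section should point them at the settings page and at issue 351963, where those details are.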
......
...@@ -234,10 +234,14 @@ Once a lifetime for SSH keys is set, GitLab: ...@@ -234,10 +234,14 @@ Once a lifetime for SSH keys is set, GitLab:
NOTE: NOTE:
When a user's SSH key becomes invalid they can delete and re-add the same key again. When a user's SSH key becomes invalid they can delete and re-add the same key again.
## Allow expired SSH keys to be used **(ULTIMATE SELF)** ## Allow expired SSH keys to be used (DEPRECATED) **(ULTIMATE SELF)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/320970) in GitLab 14.0. > - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/320970) in GitLab 14.0.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351963) in GitLab 14.8.
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351963) in GitLab 14.8.
By default, expired SSH keys **are not usable**. By default, expired SSH keys **are not usable**.
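Review bot: The new WARNING under the renamed heading says the feature was deprecated in 14.8 but omits the planned removal in 15.0 and that the removal is a breaking change, both of which the deprecation entry states. Add the removal milestone here, since this is the page an administrator reads when changing the setting. Renaming the heading also changes its anchor, so check for other inbound links to `#allow-expired-ssh-keys-to-be-used` beyond the one updated in this commit.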
......