Diffstat (limited to 'lib/gitlab/ssh_public_key.rb')
-rw-r--r-- | lib/gitlab/ssh_public_key.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/lib/gitlab/ssh_public_key.rb b/lib/gitlab/ssh_public_key.rb
index 78682a89655..e9c8e816f18 100644
--- a/lib/gitlab/ssh_public_key.rb
+++ b/lib/gitlab/ssh_public_key.rb
@@ -15,6 +15,29 @@ module Gitlab
 Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
 ].freeze
+ BANNED_SSH_KEY_FINGERPRINTS = [
+ # https://github.com/rapid7/ssh-badkeys/tree/master/authorized
+ # banned ssh rsa keys
+ "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
+ "SHA256:uy5wXyEgbRCGsk23+J6f85om7G55Cu3UIPwC7oMZhNQ",
+ "SHA256:9prMbqhS4QteoFQ1ZRJDqSBLWoHXPyKB0iWR05Ghro4",
+ "SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA",
+
+ # banned ssh dsa keys
+ "SHA256:/JLp6z6uGE3BPcs70RQob6QOdEWQ6nDC0xY7ejPOCc0",
+ "SHA256:whDP3xjKBEettbDuecxtGsfWBST+78gb6McdB9P7jCU",
+ "SHA256:MEc4HfsOlMqJ3/9QMTmrKn5Xj/yfnMITMW8EwfUfTww",
+ "SHA256:aPoYT2nPIfhqv6BIlbCCpbDjirBxaDFOtPfZ2K20uWw",
+ "SHA256:VtjqZ5fiaeoZ3mXOYi49Lk9aO31iT4pahKFP9JPiQPc",
+
+ # other banned ssh keys
+ # https://github.com/BenBE/kompromat/commit/c8d9a05ea155a1ed609c617d4516f0ac978e8559
+ "SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM",
+
+ # https://www.ctrlu.net/vuln/0006.html
+ "SHA256:2ewGtK7Dc8XpnfNKShczdc8HSgoEGpoX+MiJkfH2p5I"
+ ].to_set.freeze
+
 def self.technologies
 if Gitlab::FIPS.enabled?
 Gitlab::FIPS::SSH_KEY_TECHNOLOGIES
@@ -115,6 +138,10 @@ module Gitlab
 end
 end
+ def banned?
+ BANNED_SSH_KEY_FINGERPRINTS.include?(fingerprint_sha256)
+ end
+
 private
 def technology |
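Review bot: The entry listed under the kompromat reference, `"SHA256:Z+q4XhSwWY7q0BIDVPR1v/S306FjGBsid7tLq/8kIxM"`, is byte-identical to the first entry in the "banned ssh rsa keys" group, so either the kompromat commit's fingerprint was copied wrongly (and one key this change meant to ban is not banned) or the second entry is a redundant repeat; `to_set` hides the duplicate at runtime, so this should be checked against the cited commit rather than left to the set. The list also implicitly fixes a canonical format — `SHA256:` prefix, unpadded base64 — and `banned?` in the second hunk compares `fingerprint_sha256` against it as an exact string, so any format drift in the fingerprint helper silently turns every ban into a no-op; a spec that feeds one of these keys through `banned?` would pin the format, and a comment above the constant such as `# Entries must be exact SHA256 fingerprints as produced by #fingerprint_sha256 (unpadded base64, "SHA256:" prefix).` would tell the next editor. Whether `Set` needs an explicit `require "set"` here depends on the Ruby version in use (it is only autoloaded from 3.2) — presumably ActiveSupport already loads it, but that is not visible in this hunk. The enclosing class begins above the hunk.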
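Review bot: `banned?` is a new public predicate with a security meaning and carries no documentation; a short comment above it, e.g. `# True when this key's SHA256 fingerprint is in BANNED_SSH_KEY_FINGERPRINTS (publicly known compromised or leaked keys).`, would state the contract callers rely on. Nothing in the hunk shows what `fingerprint_sha256` returns for a key that failed to parse — if it is `nil`, `include?(nil)` is simply false and an unparsable key is reported as not banned, so callers presumably need a separate validity check before trusting a `false` here; worth confirming against the rest of the class, which starts outside this hunk.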