From a7b3560714b4d9cc4ab32dffcd1f74a284b93580 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Fri, 18 Feb 2022 09:45:46 +0000 Subject: Add latest changes from gitlab-org/gitlab@14-8-stable-ee --- doc/security/asset_proxy.md | 2 +- doc/security/crime_vulnerability.md | 2 +- doc/security/index.md | 4 +++- doc/security/information_exclusivity.md | 2 +- doc/security/password_length_limits.md | 2 +- doc/security/password_storage.md | 2 +- ...passwords_for_integrated_authentication_methods.md | 2 +- ...project_import_decompressed_archive_size_limits.md | 2 +- doc/security/rate_limits.md | 15 ++++++++------- doc/security/reset_user_password.md | 2 +- doc/security/ssh_keys_restrictions.md | 10 ++++++---- doc/security/token_overview.md | 19 ++++++++++++++++--- doc/security/two_factor_authentication.md | 8 +++++--- doc/security/unlock_user.md | 2 +- doc/security/user_email_confirmation.md | 2 +- doc/security/user_file_uploads.md | 4 +++- doc/security/webhooks.md | 2 +- 17 files changed, 52 insertions(+), 30 deletions(-) (limited to 'doc/security') diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md index 45c1c71158a..e4849b1b658 100644 --- a/doc/security/asset_proxy.md +++ b/doc/security/asset_proxy.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 1abb0c9e918..8288f7f6a74 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md 
@@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/index.md b/doc/security/index.md index ab554e9135f..da3fa761f3f 100644 --- a/doc/security/index.md +++ b/doc/security/index.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments comments: false type: index @@ -30,3 +30,5 @@ type: index ## Securing your GitLab installation Consider access control features like [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) and [Authentication options](../topics/authentication/) to harden your GitLab instance and minimize the risk of unwanted user account creation. + +Self-hosting GitLab customers and administrators are responsible for the security of their underlying hosts, and for keeping GitLab itself up to date. It is important to [regularly patch GitLab](../policy/maintenance.md), patch your operating system and its software, and harden your hosts in accordance with vendor guidance. diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md index 07b5a688671..0d55881c147 100644 --- a/doc/security/information_exclusivity.md +++ b/doc/security/information_exclusivity.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: concepts --- 
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md index 1cfff358c9d..04c3a5c99e1 100644 --- a/doc/security/password_length_limits.md +++ b/doc/security/password_length_limits.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index 6b71933b1ae..b4c2e27c952 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md index 7281b310a30..d4eb16c07e7 100644 --- a/doc/security/passwords_for_integrated_authentication_methods.md +++ b/doc/security/passwords_for_integrated_authentication_methods.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md index 9727ba1c5f0..5082d917748 100644 --- a/doc/security/project_import_decompressed_archive_size_limits.md 
+++ b/doc/security/project_import_decompressed_archive_size_limits.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index 14fc526ca7e..a9b066631e7 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference, howto --- @@ -41,6 +41,7 @@ You can set these rate limits in the Admin Area of your instance: - [Git LFS rate limits](../user/admin_area/settings/git_lfs_rate_limits.md) - [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md) - [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md) +- [GitLab Pages rate limits](../administration/pages/index.md#rate-limits) You can set these rate limits using the Rails console: @@ -89,7 +90,7 @@ The **rate limit** is 5 requests per minute per user. ### Users sign up -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77835) in GitLab 14.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339151) in GitLab 14.7. There is a rate limit per IP address on the `/users/sign_up` endpoint. This is to mitigate attempts to misuse the endpoint. For example, to mass discover usernames or email addresses in use. 
@@ -98,19 +99,19 @@ The **rate limit** is 20 calls per minute per IP address. ### Update username -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77221) in GitLab 14.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339152) in GitLab 14.7. -There is a rate limit on the update username action. This is enforced to mitigate misuse of the feature. For example, to mass discover +There is a rate limit on how frequently a username can be changed. This is enforced to mitigate misuse of the feature. For example, to mass discover which usernames are in use. The **rate limit** is 10 calls per minute per signed-in user. ### Username exists -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77119) in GitLab 14.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/29040) in GitLab 14.7. -There is a rate limit for the internal endpoint `/users/:username/exists`, used by registration to perform a client-side validation for -uniqueness of the chosen username. This is to mitigate the risk of misuses, such as mass discovery of usernames in use. +There is a rate limit for the internal endpoint `/users/:username/exists`, used upon sign up to check if a chosen username has already been taken. +This is to mitigate the risk of misuses, such as mass discovery of usernames in use. The **rate limit** is 20 calls per minute per IP address. diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md index f67b1934dc5..1940c5be73a 100644 --- a/doc/security/reset_user_password.md +++ b/doc/security/reset_user_password.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: howto --- 
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md index a7d852e2754..2e4a737f9aa 100644 --- a/doc/security/ssh_keys_restrictions.md +++ b/doc/security/ssh_keys_restrictions.md @@ -1,7 +1,7 @@ --- type: reference, howto stage: Manage -group: Authentication & Authorization +group: Authentication and Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- @@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key strength, either to satisfy internal security policy or for regulatory compliance. -Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over -the older DSA, and administrators may need to limit the allowed SSH key -algorithms. +Similarly, certain standards groups recommend using RSA, ECDSA, ED25519, +ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to +limit the allowed SSH key algorithms. GitLab allows you to restrict the allowed SSH key technology as well as specify the minimum key length for each technology: @@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the - DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)). - ECDSA SSH keys are allowed. - ED25519 SSH keys are allowed. +- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later). +- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
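Review bot: In the `doc/security/index.md` hunk, the new paragraph opens with "Self-hosting GitLab customers", but the rest of these docs use "self-managed" for this audience (see "the GitLab.com and self-managed settings" in the `ssh_keys_restrictions.md` hunk below). Suggest "Self-managed GitLab customers and administrators are responsible for the security of their underlying hosts, ..." so the term matches the existing pages and the product glossary.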
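Review bot: In the `rate_limits.md` hunk for "Users sign up" (`@@ -89,7 +90,7 @@`), only the "Introduced" link changes, but the unchanged context that follows still carries the fragment "For example, to mass discover usernames or email addresses in use." Since this line is being touched anyway, suggest folding it into the preceding sentence: "This is to mitigate attempts to misuse the endpoint, for example to mass discover usernames or email addresses in use." The switch from a merge request link to an issue link is consistent with the other two "Introduced" notes in this file.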
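Review bot: In the `rate_limits.md` hunk covering "Update username" and "Username exists" (`@@ -98,19 +99,19 @@`), the rewritten "Username exists" paragraph still reads "to mitigate the risk of misuses, such as mass discovery"; "misuse" is uncountable here, so suggest "to mitigate the risk of misuse, such as mass discovery of usernames in use." The new wording "used upon sign up to check if a chosen username has already been taken" is clearer than the old "client-side validation" phrasing and is a good change.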
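Review bot: In the first `ssh_keys_restrictions.md` hunk (`@@ -13,9 +13,9 @@`), appending ECDSA_SK and ED25519_SK to "certain standards groups recommend using RSA, ECDSA, ED25519, ... over the older DSA" extends an unsourced recommendation to two key types that are a different thing: the `_SK` types are OpenSSH's FIDO security-key-backed variants of ECDSA and ED25519 (requiring OpenSSH 8.2 or later on the client), not algorithms a standards body has ranked against DSA. Suggest keeping the original sentence about RSA, ECDSA and ED25519 and adding a separate sentence, for example: "GitLab also accepts the ECDSA_SK and ED25519_SK key types, which bind the private key to a FIDO hardware authenticator."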
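Review bot: In the second `ssh_keys_restrictions.md` hunk (`@@ -45,6 +45,8 @@`), the two new default entries carry the version inline as "(GitLab 14.8 and later)", whereas the convention visible elsewhere in this patch is a blockquote note of the form "> [Introduced](link) in GitLab 14.8." under the relevant heading. Suggest adding such a note with the issue or merge request link for the `_SK` support, and keeping the list entries parallel with the existing ones ("ECDSA_SK SSH keys are allowed."). This hunk also only updates the defaults list; if the "minimum key length for each technology" list earlier on the page enumerates key types, it should gain the same two entries so the restriction settings and the documented defaults stay in sync.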