GitLab 15.1 feature verification - GitLab 15.1 and jihulab.com cannot prevent users from using a badkey

Summary

The GitLab 15.1 feature "Prevent users from using known insecure public keys" states that when a user adds a known-risky public key to their SSH Keys, a corresponding warning message is shown. During actual verification, however, neither jihulab.com nor a GitLab 15.1 self-managed instance warned about such a risky public key: there is no prompt at all, and the key can be added directly.

Steps to reproduce

On a GitLab 15.1 self-managed instance, add the badkey example below to a user's SSH keys; no warning is shown:

ssh-dss AAAAB3NzaC1kc3MAAACBAPna45Y0AhFHQRgMPwcjzGMaz4FsWNwgBP8tUzfvdgF6F6sME0IWXUjMH3fBgmkUwCI+vUWXi63Mrgt8kpAVcfqehvHQ+1GmZI4iytC1Hu+xDilcZob25YXmhfc8aunJTV5Ta1GuSoDCfyuhlnLG4OhlsG9X7i3gptONwEiV6X/RAAAAFQC/7qB0EmRbG0ETHjtJRYpsiqu32wAAAIEAybzINZr+4UHxFTS1fSMNf/wFDzgEjSkWWZOOptBz/7wUTSI6Joyk2PjExSmdCBA4p++eoR3A78BEHJUhsBo4EkstoL77pGHae6DcfFpkv3XNO95/FlPnQ7E1Nw0hpRdwoXaSjCsdE3JqmN7rN7HHgkGpNhb+o1d2T2khHKMNJJsAAACBAI5JLeGYzaUCwdPqjefOHTl2d2HkqAedtb+H/6wZjRoPTKVzXiulxAHgM33DH8IuKz6PTprvXsppCLkrDszx+NhFXRRMNv5OKJfo7rk7L30/ZxJqpPx6/BzJ8cCR3YBVIo5r6Q4smx2/HfaIJup3Z72/NUnYOi+l5dCRMtZhD2N0 root@targetcluster

When the feature was first verified, jihulab.com did not show this warning; by the time this issue was filed, jihulab.com already showed the warning message, which means the issue has already been fixed on jihulab.com.

Example Project

What is the current bug behavior?

When the example badkey above is added to a user's SSH Keys on a GitLab 15.1 self-managed instance, no warning message is shown and the key can be added directly.

What is the expected correct behavior?

Under normal behaviour, the following warning should be shown:

The form contains the following error:
Key type is forbidden. Must be RSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK
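As an added illustration of the check this report expects (example code written for this page, not GitLab's own implementation and not part of the original report): the script below parses an OpenSSH public key line, rejects key types outside the set named in the expected error message, and additionally compares the key's SHA256 fingerprint against a deny-list of known insecure keys. The deny-list mechanism, the exact `ALLOWED_KEY_TYPES` names and the `check_public_key` / `parse_public_key` helpers are assumptions for illustration; the report does not say how GitLab implements the feature. The only real key used is the ssh-dss badkey from the reproduction steps above, which the demo places on its own deny-list; the ssh-ed25519 line is constructed from fixed bytes and is not a real key.

```python
"""Pre-add checks for an OpenSSH public key line: an allowed key-type list
plus a deny-list of SHA256 fingerprints of known insecure keys (example only)."""
import base64
import hashlib
import struct

# Key types accepted by the error message quoted in the report
# (RSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK); ssh-dss is deliberately absent.
# The exact set of wire names is an assumption made for this example.
ALLOWED_KEY_TYPES = {
    "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519",
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}

FORBIDDEN_TYPE_MESSAGE = ("Key type is forbidden. Must be RSA, ECDSA, ED25519, "
                          "ECDSA_SK, or ED25519_SK")

# The ssh-dss badkey quoted in the report's reproduction steps.
BADKEY_FROM_REPORT = (
    "ssh-dss AAAAB3NzaC1kc3MAAACBAPna45Y0AhFHQRgMPwcjzGMaz4FsWNwgBP8tUzfvdgF6F6sME0IWXUjMH3fBgmkUwCI+vUWXi63Mrgt8kpAVcfqehvHQ+1GmZI4iytC1Hu+xDilcZob25YXmhfc8aunJTV5Ta1GuSoDCfyuhlnLG4OhlsG9X7i3gptONwEiV6X/RAAAAFQC/7qB0EmRbG0ETHjtJRYpsiqu32wAAAIEAybzINZr+4UHxFTS1fSMNf/wFDzgEjSkWWZOOptBz/7wUTSI6Joyk2PjExSmdCBA4p++eoR3A78BEHJUhsBo4EkstoL77pGHae6DcfFpkv3XNO95/FlPnQ7E1Nw0hpRdwoXaSjCsdE3JqmN7rN7HHgkGpNhb+o1d2T2khHKMNJJsAAACBAI5JLeGYzaUCwdPqjefOHTl2d2HkqAedtb+H/6wZjRoPTKVzXiulxAHgM33DH8IuKz6PTprvXsppCLkrDszx+NhFXRRMNv5OKJfo7rk7L30/ZxJqpPx6/BzJ8cCR3YBVIo5r6Q4smx2/HfaIJup3Z72/NUnYOi+l5dCRMtZhD2N0 root@targetcluster"
)


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line: str):
    """Return (key_type, sha256_fingerprint) for one authorized_keys-style line.

    Raises ValueError for anything that is not a well-formed OpenSSH public key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, body = parts[0], parts[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    # The first wire string inside the blob is the algorithm name; it must match
    # the declared type, otherwise the line was mis-pasted or tampered with.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        raise ValueError("truncated key blob")
    embedded_type = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded_type != declared_type:
        raise ValueError(f"declared type {declared_type!r} does not match "
                         f"embedded type {embedded_type!r}")
    # OpenSSH's SHA256 fingerprint: sha256 over the raw blob, base64 without '='.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return declared_type, fingerprint


def check_public_key(line: str, known_bad_fingerprints: set) -> list:
    """Return the rejection reasons for a key; an empty list means it may be added."""
    try:
        key_type, fingerprint = parse_public_key(line)
    except ValueError as exc:
        return [f"Key is invalid: {exc}"]
    errors = []
    if key_type not in ALLOWED_KEY_TYPES:
        errors.append(FORBIDDEN_TYPE_MESSAGE)
    if fingerprint in known_bad_fingerprints:
        errors.append(f"Key is a known insecure public key ({fingerprint})")
    return errors


def constructed_ed25519_line() -> str:
    """A syntactically valid ssh-ed25519 line whose 32 key bytes are the fixed
    sequence 0..31. It is constructed for this example and is NOT a real key pair."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    # Treat the report's badkey as a known insecure key by placing its own
    # fingerprint on the deny-list, then run both checks over three samples.
    deny = {parse_public_key(BADKEY_FROM_REPORT)[1]}
    for sample in (BADKEY_FROM_REPORT, constructed_ed25519_line(), "ssh-rsa not-base64!!"):
        print(sample.split()[0], "->", check_public_key(sample, deny) or "OK")
```

Note that the badkey in the report is an ssh-dss key, so the type allow-list alone already yields the exact error message quoted above; the fingerprint deny-list is the extra check that would also catch a known-compromised key of an otherwise permitted type. Comparing the declared type against the type embedded in the blob is what stops a mis-pasted or edited line from slipping past a check that only looks at the first word.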

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)
System information
System:
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.7
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	15.1.1-jh
Revision:	cca37804ea2
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	13.6
URL:		https://gitlab2.myhuihui.com
HTTP Clone URL:	https://gitlab2.myhuihui.com/some-group/some-project.git
SSH Clone URL:	git@gitlab2.myhuihui.com:some-group/some-project.git
Elasticsearch:	no
Geo:		yes
Geo node:	Primary
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: alicloud

GitLab Shell
Version:	14.7.4
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ...
GitLab Shell version >= 14.7.4 ? ... OK (14.7.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ...
Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
1/2 ... yes
1/3 ... yes
1/4 ... yes
2/5 ... yes
1/6 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 3
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)

Checking GitLab App ... Finished

Checking Geo ...

GitLab Geo is available ...
GitLab Geo is enabled ... yes
This machine's Geo node name matches a database record ... yes, found a primary node named "feature151"
HTTP/HTTPS repository cloning is enabled ... yes
Machine clock is synchronized ... yes
Git user has default SSH configuration? ... yes
OpenSSH configured to use AuthorizedKeysCommand ... skipped
  Reason:
  Cannot access OpenSSH configuration file
  Try fixing it:
  This is expected if you are using SELinux. You may want to check configuration manually
  For more information see:
  doc/administration/operations/fast_ssh_key_lookup.md
GitLab configured to disable writing to authorized_keys file ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking Geo ... Finished

Checking GitLab subtasks ... Finished

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes