Docs feedback: Configuring rolling SSH keys

The current SSH configuration help page at https://docs.gitlab.com/ee/user/ssh.html does not include tutorials on configuring GitLab instance-specific SSH keys, which will be useful to users, as some GitLab servers have enforced SSH key expiration by default.

The current documentation still encourages users to generate the new SSH keys under the default key pair names (e.g. id_rsa and id_ed25519), which may be confusing to some novice users, as they have used the same SSH key for GitLab and other services (e.g. local/intranet SSH connections) but are suddenly required to register another new key in order to continue using GitLab over SSH.

Accept the suggested filename and directory, unless you are generating a deploy key or want to save in a specific directory where you store other keys.

Performing the commands under the "default" instructions in the docs will override the users' default SSH key files, which potentially puts them at risk of losing their access to other services.

This is why I propose that the docs recommend users create an instance-specific SSH key pair by default, in which the users create a new key pair specific to the GitLab instance they are contributing to. The gist behind this is to avoid saving under the default file names and instead point to a custom file name (e.g. ~/.ssh/gitlab_com_rsa), to be configured specifically for GitLab, like this:

```
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): ~/.ssh/gitlab_com_ed25519
```

```
# GitLab.com
Host gitlab.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/gitlab_com_ed25519
```

Once the users are required to refresh their SSH keys for GitLab, they are redirected to create or overwrite the instance-specific key pair instead. Performing this at the first attempt also prevents the default SSH keys from being reused for GitLab, which, to some degree, adds another layer of security.

Edited by 🤖 GitLab Bot 🤖
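
The setup proposed in the issue above, sketched as a POSIX shell helper. This is an added example, not part of the original post or of GitLab's documentation. The function names and the `SSH_DIR` and `ROTATE` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from the GitLab docs.
# SSH_DIR (assumed name) lets the functions be pointed at a scratch directory.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# key_path HOST TYPE: print the instance-specific key file name,
# e.g. gitlab.com + ed25519 -> $SSH_DIR/gitlab_com_ed25519
key_path() {
  printf '%s/%s_%s\n' "$SSH_DIR" "$(printf '%s' "$1" | tr '.-' '__')" "$2"
}

# new_instance_key HOST [TYPE]: generate a key pair under the instance-specific
# name. The default id_* files are never touched, and an existing instance key
# is only replaced when ROTATE=1 (assumed switch for an expiry-driven refresh).
new_instance_key() {
  host=$1 type=${2:-ed25519}
  key=$(key_path "$host" "$type")
  if [ -e "$key" ] && [ "${ROTATE:-0}" != 1 ]; then
    echo "refusing to overwrite $key (set ROTATE=1 to rotate)" >&2
    return 1
  fi
  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  rm -f "$key" "$key.pub"
  # ssh-keygen prompts for a passphrase; -f avoids the default file name.
  ssh-keygen -q -t "$type" -f "$key" -C "$host $(date +%Y-%m-%d)"
}

# ensure_host_block HOST [TYPE]: append the Host block from the issue to the
# config file once; a second call finds the existing block and does nothing.
ensure_host_block() {
  host=$1 type=${2:-ed25519}
  cfg="$SSH_DIR/config"
  mkdir -p "$SSH_DIR"; touch "$cfg"; chmod 600 "$cfg"
  # Match the host as an exact pattern on any existing "Host" line.
  if awk -v h="$host" 'tolower($1) == "host" {
         for (i = 2; i <= NF; i++) if ($i == h) found = 1
       } END { exit !found }' "$cfg"; then
    return 0
  fi
  printf '\n# %s\nHost %s\n  PreferredAuthentications publickey\n  IdentityFile %s\n' \
    "$host" "$host" "$(key_path "$host" "$type")" >> "$cfg"
}
```

After sourcing the file, `new_instance_key gitlab.com && ensure_host_block gitlab.com` performs the first-time setup, and `ROTATE=1 new_instance_key gitlab.com` replaces only the GitLab key when it expires.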