Closed
Description
Context
Local companion dynamically creates SSH keys for users to grant SSH access, the copy/paste SSH method for Gitpod uses an access code from within the workspace, and you can even manually inject your SSH public key using dotfiles. Whilst both of these approaches work, it would be better to allow users to upload their own SSH public keys to Gitpod to access their workspace using a more conventional SSH approach. We may also want to consider re-using existing public keys from GitHub, or other providers, for instance.
Value
- Improved security (as not using a token)
- A simpler UX for SSH'ing into workspaces
- A more familiar SSH pattern (matches with user expectations)
In Scope
- Uploading custom keys
Out of scope
- Pulling SSH keys from 3rd party providers
Related Issues
- [SSH Gateway] remove private key requirement when ownerToken is provide #10704
- [ws-proxy, ws-manager] support user upload ssh public key #10617
- Support ssh public keys configuration #10573
- https://github.com/gitpod-io/website/issues/2371
- https://github.com/gitpod-io/website/issues/2375
- db-sync fails to sync SSHPublicKeys #11265
Public FAQ
Will we allow users to add SSH keys manually?
Yes.
Will we keep the current owner token SSH solution in place?
Yes, as there is value in the quick copy/paste, however SSH key upload should be recommended.
Will importing SSH keys from GitHub be the primary way to add SSH keys?
Unlikely. Uploading custom keys would be the simplest implementation, which we could then extend with ways to fetch existing keys as a future update or refinement. We will start by setting up the Gitpod infrastructure for using SSH keys, and then look at ways to import/re-use existing keys from other providers.
Can we fetch SSH keys from all other providers (GitHub, BitBucket, GitLab)?
- GitHub has an API
- GitLab has an API
- BitBucket needs to be investigated
Can you use an SSH Key from one provider to connect to workspaces for repositories in other providers?
Needs investigation.
Internal FAQ
What happens if SSH keys get removed from a provider, can we detect that?
Needs investigation
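The in-scope item above, uploading custom keys, means the service has to check what a user pastes before storing it. The following Go code is an added example, not Gitpod's implementation: it accepts a single public key line, checks that the algorithm encoded inside the key blob matches the declared one, and returns the SHA256 fingerprint. The function names, the allow-list of algorithms and the sample key are assumptions made for illustration.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: ssh-ed25519 blob with an all-zero 32-byte key (placeholder, not a usable key).
var SampleKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + strings.Repeat("A", 40) + " constructed@example"

// Assumed allow-list; the issue does not say which algorithms are accepted.
var allowed = map[string]bool{"ssh-ed25519": true, "ssh-rsa": true, "ecdsa-sha2-nistp256": true}

// readString pops one length-prefixed field (RFC 4251 "string") from b.
func readString(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated or overlong field in key blob")
	}
	n := int(binary.BigEndian.Uint32(b))
	return b[4 : 4+n], b[4+n:], nil
}

// ValidateUploadedKey checks one "<algorithm> <base64> [comment]" line and returns its SHA256 fingerprint.
func ValidateUploadedKey(line string) (keyType, fingerprint string, err error) {
	line = strings.TrimSpace(line)
	f := strings.Fields(line)
	if strings.ContainsAny(line, "\r\n") || len(f) < 2 || !allowed[f[0]] { // also rejects PEM blocks, option prefixes
		return "", "", errors.New("want one line: <allowed-algorithm> <base64> [comment]")
	}
	blob, decErr := base64.StdEncoding.DecodeString(f[1])
	name, rest, err := readString(blob)
	if decErr != nil || err != nil || string(name) != f[0] {
		return "", "", errors.New("bad base64, or algorithm inside blob differs from declared one")
	}
	for len(rest) > 0 { // every remaining byte must belong to a well-formed field
		if _, rest, err = readString(rest); err != nil {
			return "", "", err
		}
	}
	sum := sha256.Sum256(blob)
	return f[0], "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

func main() {
	t, fp, err := ValidateUploadedKey(SampleKey)
	fmt.Println(t, fp, err)
}
```

Storing the fingerprint next to the key gives users a value they can compare against the output of `ssh-keygen -l` on their own machine.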