Supporting SSH CAs for access to EMU user namespace repositories #933
Labels
enterprise administration
Feature: Enterprise server administration
Enterprise
Product SKU: GitHub Enterprise
ga
Feature phase: Generally available
GHES 3.14
GHES 3.14
shipped
Shipped
Comments
github-product-roadmap
added
enterprise administration
|
🚢 This has shipped: https://github.blog/changelog/2024-03-29-ssh-ca-support-for-enterprise-owned-user-accounts/ Leaving open to track for GHES release! |
|
This shipped with GHES 3.14: https://docs.github.com/en/[email protected]/admin/release-notes |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Summary
SSH CAs allow administrators to mint SSH keys that function as a user's credentials, with additional restrictions such as time-bounding the access. These keys are only good against the enterprise's data.
Traditionally, "the enterprise's data" is just repos that belong to orgs that belong to the enterprise. We wouldn't want an admin able to mint a key that can access a user's personal repos.
But in EMUs, the user account is an enterprise resource, and both admins and users expect that when they have a key that's good for the Foo Enterprise as user Bar, it's good for everything in the enteprise, including user Bar's user namespace repos.
With this change, those keys are now good for user namespace repos. This will be a default change, without the option to opt-out of the change in scoping.
The text was updated successfully, but these errors were encountered: