roadmap icon indicating copy to clipboard operation
roadmap copied to clipboard
verified publisher icon github

Supporting SSH CAs for access to EMU user namespace repositories

Open github-product-roadmap opened this issue 1 year ago • 1 comments

Summary

SSH CAs allow administrators to mint SSH keys that function as a user's credentials, with additional restrictions such as time-bounding the access. These keys are only good against the enterprise's data.

Traditionally, "the enterprise's data" is just repos that belong to orgs that belong to the enterprise. We wouldn't want an admin able to mint a key that can access a user's personal repos. But in EMUs, the user account is an enterprise resource, and both admins and users expect that when they have a key that's good for the Foo Enterprise as user Bar, it's good for everything in the enteprise, including user Bar's user namespace repos.

With this change, those keys are now good for user namespace repos. This will be a default change, without the option to opt-out of the change in scoping.

github-product-roadmap avatar Feb 28 '24 20:02 github-product-roadmap

🚢 This has shipped: https://github.blog/changelog/2024-03-29-ssh-ca-support-for-enterprise-owned-user-accounts/

Leaving open to track for GHES release!

ankneis avatar Apr 18 '24 19:04 ankneis

This shipped with GHES 3.14: https://docs.github.com/en/[email protected]/admin/release-notes

ankneis avatar Sep 18 '24 18:09 ankneis