GitHub Enterprise Server 3.6 release candidate (github#28905)

Author: mattpollard

Diff for: -

@@ -1,22 +1,50 @@
 ---
 title: Managing accessibility settings
-intro: 'You can disable character key shortcuts on {% data variables.product.prodname_dotcom %} in your accessibility settings.'
+shortTitle: Manage accessibility settings
+intro: "{% data variables.product.product_name %}'s user interface can adapt to your vision, hearing, motor, cognitive, or learning needs."
 versions:
   feature: keyboard-shortcut-accessibility-setting
 redirect_from:
   - /account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/managing-accessibility-settings
+type: how_to
+miniTocMaxHeadingLevel: 3
 ---
 
 ## About accessibility settings
 
-{% data variables.product.product_name %} includes a variety of keyboard shortcuts so that you can perform actions across the site without using your mouse to navigate. While shortcuts are useful to save time, they can sometimes make {% data variables.product.prodname_dotcom %} harder to use and less accessible.
+To accommodate your vision, hearing, motor, cognitive, or learning needs, you can customize the user interface for {% data variables.product.product_location %}.
 
-All keyboard shortcuts are enabled by default on {% data variables.product.product_name %}, but you can choose to disable character key shortcuts in your accessibility settings. This setting does not affect keyboard shortcuts provided by your web browser or {% data variables.product.prodname_dotcom %} shortcuts that use a modifier key such as <kbd>Control</kbd> or <kbd>Command</kbd>.
+## Managing accessibility settings
 
-## Managing character key shortcuts
+You can decide whether you want to use some or all keyboard shortcuts on {% ifversion fpt or ghec %}{% data variables.product.product_location %}{% elsif ghes or ghae %}the website for {% data variables.product.product_location %}{% endif %}, and you can control the display of animated images.
+
+### Managing keyboard shortcuts
+
+You can perform actions across the {% data variables.product.product_name %} website without using your mouse by using your keyboard instead. Keyboard shortcuts can be useful to save time for some people, but may interfere with accessibility if you don't intend to use the shortcuts.
+
+By default, all keyboard shortcuts are enabled on {% data variables.product.product_name %}. For more information, see "[Keyboard shortcuts](/get-started/using-github/keyboard-shortcuts)."
 
 {% data reusables.user-settings.access_settings %}
 {% data reusables.user-settings.accessibility_settings %}
-1. Select or deselect the **Enable character key shortcuts** checkbox.
-   ![Screenshot of the 'Enable character key shortcuts' checkbox](/assets/images/help/settings/disable-character-key-shortcuts.png)
-2. Click **Save**.
+1. Under "Keyboard shortcuts", manage settings for your keyboard shortcuts.
+
+   - Optionally, to disable or enable shortcut keys that don't use modifiers keys like <kbd>Control</kbd> or <kbd>Command</kbd>, under "General", deselect **Character keys**. If you disable character keys, you may still be able to trigger shortcuts for your web browser, and you can still trigger shortcuts for {% data variables.product.product_name %} that use a modifier key.
+   {%- ifversion command-palette %}
+   - Optionally, to customize the keyboard shortcuts for triggering the command palette, under "Command palette", use the drop-down menus to choose a keyboard shortcut. For more information, see "[{% data variables.product.company_short %} Command Palette](/get-started/using-github/github-command-palette)."
+   {%- endif %}
+
+{% ifversion motion-management %}
+
+### Managing motion
+
+You can control how {% data variables.product.product_name %} displays animated images.
+
+By default, {% data variables.product.product_name %} syncs with your system-level preference for reduced motion. For more information, see the documentation or settings for your operating system.
+
+{% data reusables.user-settings.access_settings %}
+{% data reusables.user-settings.accessibility_settings %}
+1. Under "Motion", manage settings for motion.
+
+   - Optionally, to control how {% data variables.product.product_name %} displays animaged images, under "Autoplay animated images", select **Sync with system**, **Enabled**, or **Disabled**.
+
+{% endif %}

Diff for: assets/images/enterprise/configuration/enforce-tls-for-smtp-checkbox.png

@@ -185,7 +185,7 @@ on:
   deployment_status
 ```
 
-{% ifversion fpt or ghec %}
+{% ifversion discussions %}
 ### `discussion`
 
 | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |

Diff for: assets/images/enterprise/site-admin-settings/comment-authors-profile-name-drop-down.png

@@ -10,8 +10,6 @@ topics:
 shortTitle: Server Statistics
 ---
 
-{% data reusables.server-statistics.release-phase %}
-
 ## About {% data variables.product.prodname_server_statistics %}
 
 {% data variables.product.prodname_server_statistics %} collects aggregate usage data from {% data variables.product.product_location %}, which you can use to better anticipate the needs of your organization, understand how your team works, and show the value you get from {% data variables.product.prodname_ghe_server %}. 

Diff for: assets/images/enterprise/site-admin-settings/enforce-for-all-repositories-option.png

@@ -737,6 +737,20 @@ This utility rewrites the imported repository. This gives you a chance to rename
 git-import-rewrite
 ```
 
+{% ifversion ghes > 3.3 %}
+
+## Security
+
+### ghe-find-insecure-git-operations
+
+This utility searches your instance's logs and identifies Git operations over SSH that use insecure algorithms or hash functions, including DSA, RSA-SHA-1, HMAC-SHA-1, and CBC ciphers. You can use the output to support each client's transition to a more secure SSH connection. For more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2022-06-28-improving-git-protocol-security-on-github-enterprise-server){% ifversion ghes < 3.6 %}.{% elsif ghes > 3.5 %} and "[Configuring SSH connections to your instance](/admin/configuration/configuring-your-enterprise/configuring-ssh-connections-to-your-instance)."{% endif %}
+
+```shell
+ghe-find-insecure-git-operations
+```
+
+{% endif %}
+
 ## Support
 
 ### ghe-diagnostics

Diff for: assets/images/help/commits/commit-form-with-signoff-enabled.png

@@ -85,6 +85,18 @@ settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-all
 ![Save settings button](/assets/images/enterprise/management-console/save-settings.png)
 {% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
 
+{% ifversion require-tls-for-smtp %}
+## Enforcing TLS for SMTP connections
+
+You can enforce TLS encryption for all incoming SMTP connections, which can help satisfy an ISO-27017 certification requirement.
+
+{% data reusables.enterprise_site_admin_settings.email-settings %}
+1. Under "Authentication," select **Enforce TLS auth (recommended)**.
+
+   ![Screenshot of the "Enforce TLS auth (recommended)" checkbox](/assets/images/enterprise/configuration/enforce-tls-for-smtp-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+{% endif %}
+
 ## Configuring DNS and firewall settings to allow incoming emails
 
 If you want to allow email replies to notifications, you must configure your DNS settings.

Diff for: assets/images/help/discussions/edit-category-details.png

@@ -0,0 +1,47 @@
+---
+title: Configuring host keys for your instance
+shortTitle: Configure host keys
+intro: 'You can increase the security of {% data variables.product.product_location %} by configuring the algorithms that your instance uses to generate and advertise host keys for incoming SSH connections.'
+permissions: "Site administrators can configure the host keys for a {% data variables.product.product_name %} instance."
+versions:
+  ghes: '>= 3.6'
+type: how_to
+topics:
+  - Authentication
+  - Enterprise
+  - Infrastructure
+  - Networking
+  - Security
+  - SSH
+---
+
+## About host keys for your instance
+
+Servers that accept SSH connections advertise one or more cryptographic host keys to securely identify the server to SSH clients. To confirm the server's identity during the initialization of a connection, clients store and verify the host key. For more information, see [SSH Host Key - What, Why, How](https://ssh.com/academy/ssh/host-key) on the SSH Academy website.
+
+{% data reusables.enterprise.about-ssh-ports %}
+
+By default, {% data variables.product.product_location %} generates and advertises host keys with OpenSSH-style host key rotation. To increase the security of SSH in your environment, you can enable additional algorithms for the generation of host keys.
+
+{% note %}
+
+**Note**: If you enable additional host key algorithms, clients that do not use OpenSSH for SSH connections may experience warnings during connection, or fail to connect entirely. Some SSH implementations can ignore unsupported algorithms and fall back to a different algorithm. If the client does not support fallback, the connection will fail. For example, the SSH library for Go does not support fallback to a different algorithm.
+
+{% endnote %}
+
+## Managing an Ed25519 host key
+
+To improve security for clients that connect to {% data variables.product.product_location %}, you can enable the generation and advertisement of an Ed25519 host key. Ed25519 is immune to some attacks that target older signature algorithms, without sacrificing speed. Older SSH clients may not support Ed25519. By default, {% data variables.product.product_name %} instances do not generate or advertise an Ed25519 host key. For more information, see [the Ed25519 website](https://ed25519.cr.yp.to).
+
+{% data reusables.enterprise_installation.ssh-into-instance %}
+1. To enable generation and advertisement of the Ed25519 host key, enter the following command.
+
+   ```shell
+   ghe-config app.babeld.host-key-ed25519 true
+   ```
+1. Optionally, enter the following command to disable generation and advertisement of the Ed25519 host key.
+
+   ```shell
+   ghe-config app.babeld.host-key-ed25519 false
+   ```
+{% data reusables.enterprise.apply-configuration %}

Diff for: assets/images/help/discussions/edit-existing-category-details.png

@@ -0,0 +1,52 @@
+---
+title: Configuring SSH connections to your instance
+shortTitle: Configure SSH connections
+intro: 'You can increase the security of {% data variables.product.product_location %} by configuring the SSH algorithms that clients can use to establish a connection.'
+permissions: "Site administrators can configure SSH connections to a {% data variables.product.product_name %} instance."
+versions:
+  ghes: '>= 3.6'
+type: how_to
+topics:
+  - Authentication
+  - Enterprise
+  - Infrastructure
+  - Networking
+  - Security
+  - SSH
+---
+
+## About SSH connections to your instance
+
+{% data reusables.enterprise.about-ssh-ports %}
+
+To accommodate the SSH clients in your environment, you can configure the types of connections that {% data variables.product.product_location %} will accept.
+
+## Configuring SSH connections with RSA keys
+
+When users perform Git operations on {% data variables.product.product_location %} via SSH over port 22, the client can authenticate with an RSA key. The client may sign the attempt using the SHA-1 hash function. In this context, the SHA-1 hash function is no longer secure. For more information, see [SHA-1](https://en.wikipedia.org/wiki/SHA-1) on Wikipedia.
+
+By default{% ifversion ghes < 3.7 %} on {% data variables.product.product_name %} 3.6 and later{% endif %}, SSH connections that satisfy **both** of the following conditions will fail.
+
+{% data reusables.ssh.rsa-sha-1-connection-failure-criteria %}
+
+You can adjust the cutoff date. If the user uploaded the RSA key before the cutoff date, the client can continue to connect successfuly using SHA-1 as long as the key remains valid. Alternatively, you can reject all SSH connections authenticated with an RSA key if the client signs the connection using the SHA-1 hash function.
+
+Regardless of the setting you choose for your instance, clients can continue to connect using any RSA key signed with a SHA-2 hash function.
+
+If you use an SSH certificate authority, connections will fail if the certificate's `valid_after` date is after the cutoff date. For more information, see "[About SSH certificate authorities](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)."
+
+For more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2022-06-28-improving-git-protocol-security-on-github-enterprise-server).
+
+{% data reusables.enterprise_installation.ssh-into-instance %}
+1. Audit your instance's logs for connections that use unsecure algorithms or hash functions using the `ghe-find-insecure-git-operations` utility. For more information, see "[Command-line utilities](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-find-insecure-git-operations)."
+1. To configure a cutoff date after which {% data variables.product.product_location %} will deny connections from clients that use an RSA key uploaded after the date if the connection is signed by the SHA-1 hash function, enter the following command. Replace _**RFC-3399-UTC-TIMESTAMP**_ with a valid RFC 3399 UTC timestamp. For example, the default value, August 1, 2022, would be represented as `2022-08-01T00:00:00Z`. For more information, see [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) on the IETF website.
+
+   <pre>
+   $ ghe-config app.gitauth.rsa-sha1 <em>RFC-3339-UTC-TIMESTAMP</em>
+   </pre>
+1. Alternatively, to completely disable SSH connections using RSA keys that are signed with the SHA-1 hash function, enter the following command.
+
+   ```shell
+   ghe-config app.gitauth.rsa-sha1 false
+   ```
+{% data reusables.enterprise.apply-configuration %}

Diff for: assets/images/help/organizations/require-signoffs.png

@@ -25,6 +25,7 @@ children:
   - /site-admin-dashboard
   - /enabling-private-mode
   - /managing-github-mobile-for-your-enterprise
+  - /configuring-ssh-connections-to-your-instance
   - /configuring-email-for-notifications
   - /verifying-or-approving-a-domain-for-your-enterprise
   - /configuring-rate-limits
@@ -34,6 +35,7 @@ children:
   - /command-line-utilities
   - /restricting-network-traffic-to-your-enterprise
   - /configuring-github-pages-for-your-enterprise
+  - /configuring-host-keys-for-your-instance
   - /configuring-the-referrer-policy-for-your-enterprise
   - /configuring-custom-footers
   - /configuring-web-commit-signing

Diff for: assets/images/help/repository/require-signoffs.png

@@ -40,7 +40,7 @@ Then,{% else %}First,{% endif %} decide whether you'll allow third-party actions
 Consider combining OpenID Connect (OIDC) with reusable workflows to enforce consistent deployments across your repository, organization, or enterprise. You can do this by defining trust conditions on cloud roles based on reusable workflows. For more information, see "[Using OpenID Connect with reusable workflows](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows)."
 {% endif %}
 
-You can access information about activity related to {% data variables.product.prodname_actions %} in the audit logs for your enterprise. If your business needs require retaining audit logs for longer than six months, plan how you'll export and store this data outside of {% data variables.product.prodname_dotcom %}. For more information, see {% ifversion ghec %}"[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)" and "[Exporting audit log activity for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)."{% else %}"[Log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity/log-forwarding)."{% endif %}
+You can access information about activity related to {% data variables.product.prodname_actions %} in the audit logs for your enterprise. If your business needs require retaining this information longer than audit log data is retained, plan how you'll export and store this data outside of {% data variables.product.prodname_dotcom %}. For more information, see {% ifversion ghec %}"[Exporting audit log activity for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)" and "[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)."{% else %}{% ifversion audit-log-streaming %}"[Streaming the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)" and {% endif %}"[Log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity/log-forwarding)."{% endif %}
 
 ![Audit log entries](/assets/images/help/repository/audit-log-entries.png)
 

Diff for: assets/images/help/security/advisory-database-dependabot-alerts-filters.png

@@ -52,6 +52,8 @@ includeGuides:
   - /admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise
   - /admin/configuration/configuring-your-enterprise/managing-github-mobile-for-your-enterprise
   - /admin/configuration/connecting-your-enterprise-account-to-github-enterprise-cloud
+  - /admin/configuration/configuring-your-enterprise/configuring-ssh-connections-to-your-instance
+  - /admin/configuration/configuring-your-enterprise/configuring-host-keys-for-your-instance
   - /admin/configuration/enabling-and-scheduling-maintenance-mode
   - /admin/configuration/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise
   - /admin/configuration/enabling-private-mode

Diff for: assets/images/help/security/suggest-improvements-to-advisory-on-github-com.png

@@ -10,8 +10,6 @@ topics:
   - Enterprise
 ---
 
-{% data reusables.server-statistics.release-phase %}
-
 ## About the benefits of {% data variables.product.prodname_server_statistics %}
 
 {% data variables.product.prodname_server_statistics %} can help you anticipate the needs of your organization, understand how your team works, and show the value you get from {% data variables.product.prodname_ghe_server %}.

Diff for: content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-accessibility-settings.md

@@ -8,8 +8,6 @@ redirect_from:
   - /early-access/github/analyze-how-your-team-works-with-server-statistics/exploring-server-statistics
 ---
 
-{% data reusables.server-statistics.release-phase %}
-
 You can download up to the last 365 days of {% data variables.product.prodname_server_statistics %} data in a CSV or JSON file. This data, which includes aggregate metrics on repositories, issues, and pull requests, can help you anticipate the needs of your organization, understand how your team works, and show the value you get from {% data variables.product.prodname_ghe_server %}. 
 
 Before you can download this data, you must enable {% data variables.product.prodname_server_statistics %}. For more information, see "[Enabling {% data variables.product.prodname_server_statistics %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-server-statistics-for-your-enterprise)." 

Diff for: content/actions/using-workflows/events-that-trigger-workflows.md

@@ -8,8 +8,6 @@ redirect_from:
   - /early-access/github/analyze-how-your-team-works-with-server-statistics/requesting-server-statistics-using-the-rest-api
 ---
 
-{% data reusables.server-statistics.release-phase %}
-
 You can request up to 365 days of metrics in a single {% data variables.product.prodname_server_statistics %} REST API request. This data, which includes aggregate metrics on repositories, issues, and pull requests, can help you anticipate the needs of your organization, understand how your team works, and show the value you get from {% data variables.product.prodname_ghe_server %}. For a list of the metrics collected, see "[{% data variables.product.prodname_server_statistics %} data collected](/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics#server-statistics-data-collected)."
 
 Before you can use the {% data variables.product.prodname_server_statistics %} REST API, you must enable {% data variables.product.prodname_server_statistics %}. For more information, see "[Enabling {% data variables.product.prodname_server_statistics %} for your enterprise](/admin/configuration/configuring-github-connect/enabling-server-statistics-for-your-enterprise)."