Skip to content
Snippets Groups Projects
New issue look: Off

Support for git ssh access via certificates instead of keys

    • Closed (moved) Issue created by Cindy Pallares 🦉 @cindy

    From customer:

    We’ve recently switched over most elements in our infrastructure to use 2fa provisioned short lived ssl certs for ssh access and it would be great if gitlab also supported that. It would also allow configuring 1 CA for all users, or a group of users, or I assume each user could also add the CA at their own level but it would end up being replicated among a lot of people. The username of the person trying to get access can be determined by the principal on the provided login certificate.

    From https://gitlab.slack.com/archives/C248YCNCW/p1491355846437334 (internal slack conversation):

    It may be possible to configure the existing SSH daemon to use a CA to verify certificates by modifying the servers sshd_config

    https://gitlab.zendesk.com/agent/tickets/79431 (internal link for GitLab)

    Designs

    Child items ...

    • Activity

    • Cindy Pallares 🦉
      Cindy Pallares 🦉 @cindy ·
      Author Contributor

      /cc @briann This customer configured SSHD with TrustedUserCAKeys, but is unable to clone and instead is directed towards an SSH shell as the git user. Thoughts?

    • Brian Neel
      Brian Neel @briann ·
      Maintainer

      @cpallares Their guess as to why it's failing in the ticket is correct. When using TrustedUserCAKeys the CA key is installed either in /etc/ssh to allow all users to authenticate, or in ~/.ssh/authorized_keys to allow a specific user to authenticate. Because GitLab uses ~git/.authorized_keys with a key-<num> option assigned to each key and specific SSHD options to run gitlab-shell this will no longer work. Once the server sees the CA key it authenticates the user based on the principal included in the certificate and drops them into a shell.

      Even if they added the appropriate SSHD options for running gitlab-shell to the CA entry in the ~git/.authorized_keys file, GitLab would have no way to distinguish between users as they would all use the same key entry.

      There would need to be a way to map the user's certificate to a GitLab user for this to work, and that's normally done by mapping the public key to a key number. With the TrustedUserCAKeys setting the SSHD server doesn't look for the public key itself, only the CA key.

      Edited by Brian Neel
    • username-removed-1424505 mentioned in commit e00a7fab

      mentioned in commit e00a7fab

    • Nick Thomas mentioned in commit 79405774

      mentioned in commit 79405774

    • username-removed-1424505 mentioned in commit test-nick/gitlab-ce@5d9f362f

      mentioned in commit test-nick/gitlab-ce@5d9f362f

    • Felipe Artur moved to gitlab#10807

      moved to gitlab#10807

    • Felipe Artur
      Felipe Artur @felipe_artur ·
      Maintainer

      Hey! :wave:

      GitLab is moving all development for both GitLab Community Edition and Enterprise Edition into a single codebase. The current gitlab-ce repository will become a read-only mirror, without any proprietary code. All development is moved to the current gitlab-ee repository, which we will rename to just gitlab in the coming weeks. As part of this migration, issues will be moved to the current gitlab-ee project.

      If you have any questions about all of this, please ask them in our dedicated FAQ issue.

      https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

      You can also find more information here:

      Frequently Asked Questions

      For an up to date list of questions and answers, please take a look at https://gitlab.com/gitlab-org/gitlab-ee/issues/13855

      What will we do with the repository names?

      https://gitlab.com/gitlab-org/gitlab-ee/ will become https://gitlab.com/gitlab-org/gitlab, and https://gitlab.com/gitlab-org/gitlab-ce will become https://gitlab.com/gitlab-org/gitlab-foss.

      Why rename gitlab-ce to gitlab-foss?

      Using "gitlab" and "gitlab-ce" would be confusing, so we decided to rename gitlab-ce to gitlab-foss to make the purpose of this FOSS repository more clear

      I created a merge requests for CE, and this got closed. What do I need to do?

      You will need to create a merge request at https://gitlab.com/gitlab-org/gitlab-ee/. This link will eventually redirect to https://gitlab.com/gitlab-org/gitlab.

      How does the licensing work in this new setup?

      Everything in the ee/ directory is proprietary. Everything else is free and open source software. If your merge request does not change anything in the ee/ directory, the process of contributing changes is the same as when using the gitlab-ce repository.

      Will you accept merge requests on the gitlab-ce/gitlab-foss project after it has been renamed?

      No. Merge requests submitted to this project will be closed automatically.

      Will I still be able to view old issues and merge requests in gitlab-ce/gitlab-foss?

      Yes.

      How will this affect users of GitLab CE using Omnibus?

      No changes will be necessary, as the packages built remain the same.

      How will this affect users of GitLab CE that build from source?

      Once the project has been renamed, you will need to change your Git remotes to use this new URL. GitLab will take care of redirecting Git operations so there is no hard deadline, but we recommend doing this as soon as the projects have been renamed.

      Where can I see a timeline of the remaining steps?

      https://gitlab.com/gitlab-org/gitlab-ee/issues/13304

      Will community contributions submitted to the new "gitlab" repository be available in the new gitlab-foss repository?

      Yes, these changes will be synced to gitlab-foss automatically, several times per day.

    • Felipe Artur locked this issue

      locked this issue

    • Nikola Milojevic mentioned in merge request !14785

      mentioned in merge request !14785

    Please register or sign in to reply