ssh-audit

please add support to audit gitlab-sshd

Open perkelix opened this issue 7 months ago • 3 comments

Gitlab offers its own optional SSH daemon written in Go:

https://gitlab.com/gitlab-org/gitlab-shell/-/tree/main/internal/sshd

A basic test against ssh.gitlab.freedesktop.org shows that it supports a number of outdated algorithms.

It might be a good idea to implement a server profile for this.

perkelix avatar May 21 '25 12:05 perkelix

The custom policy support would be perfect for this scenario. Considering how few people run their own Gitlab server, it wouldn't make sense for me to support it long-term. (Supporting a platform takes much more effort than implementing the policy the first time...).

jtesta avatar Aug 30 '25 19:08 jtesta

There are, however, tons of GitLab users who need to adjust their client config to weed out questionable algorithms and yet still have a few supported ones left.

perkelix avatar Aug 31 '25 03:08 perkelix

A Gitlab user on, say, Ubuntu 24, could use the Ubuntu 24-specific client hardening guide, which would help them in all outgoing connections (Gitlab included).

That said, if anyone from the community wanted to create a guide for the wiki (https://github.com/jtesta/ssh-audit/wiki/SSH-Hardening-Guides-Index), I'd certainly point users to it!

jtesta avatar Aug 31 '25 19:08 jtesta