docker-gitlab
support gitlab's AuthorizedKeysCommand
https://gitlab.com/help/administration/operations/fast_ssh_key_lookup
Changes should be limited to adding the following to /etc/ssh/sshd_config:
AuthorizedKeysCommand /home/git/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
AuthorizedKeysCommandUser git
On the most basic level, setting this with GITLAB_SSH_AUTHDB=true would enable the above change, nothing more. The user would be responsible for any migration. (It should be noted that this does nothing to the current authorized_keys file, so it is an additive configuration, not destructive.)
Some users may want an easy script for migrating keys out of the database back into a keys file, but I don't think it's critical: (1) this change is really only needed by large sites; (2) making the change only adds capability, it does not restrict future capability; and (3) undoing it should be a little difficult, as it is a little internal-sensitive (https://gitlab.com/help/administration/raketasks/maintenance.md#rebuild-authorized_keys-file) and requires clearing the redis cache, etc. So automating it should not be required.
Hey @r2evans,
I didn't find any hints that this feature is included in the Community Edition and also in the self-hosted version (libre)? So I guess it's an ee feature.
https://docs.gitlab.com/ce/administration/operations/fast_ssh_key_lookup.html, added to CE in 10.4.
This issue has been automatically marked as stale because it has not had any activity for the last 60 days. It will be closed if no further activity occurs during the next 7 days. Thank you for your contributions.
Hi, could we reopen this issue?
Current gitlab doc: https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html#setting-up-fast-lookup-via-gitlab-shell
- I think the docker file should append this to the /etc/ssh/sshd_config file:
Match User git # Apply the AuthorizedKeysCommands to the git user only
AuthorizedKeysCommand /home/git/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
AuthorizedKeysCommandUser git
Match all # End match, settings apply to all users again
As explained in the doc, we should add a wrapper script (/home/root/gitlab-shell-authorized-keys-check-wrapper or any other relevant location) calling /home/git/gitlab-shell/bin/gitlab-shell-authorized-keys-check to handle file permissions properly.
- And then update the value of "Use authorized_keys file to authenticate SSH keys". Using the UI, it is possible to do it by unchecking the checkbox at this URL: https://gitlab.example.com/admin/application_settings/network (Performance optimization section). The best would be to do it programmatically, but it does not seem to be explained how to do it...
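
One way a container startup script could apply the Match block proposed above, as an added example that is not part of this thread or of docker-gitlab's own code. The function name and return codes are hypothetical, and GITLAB_SSH_AUTHDB is the switch proposed in this issue, not an existing option.

```shell
#!/bin/sh
# Added example: append the Match block from this thread to sshd_config
# exactly once, and only when the proposed GITLAB_SSH_AUTHDB switch is "true".

# Path taken from the thread.
KEYS_CHECK=/home/git/gitlab-shell/bin/gitlab-shell-authorized-keys-check

# enable_fast_ssh_lookup <sshd_config path>   (hypothetical helper)
# Returns 0 if the block was appended,
#         1 if the feature is disabled,
#         2 if an active AuthorizedKeysCommand directive is already present.
enable_fast_ssh_lookup() {
  conf=$1
  [ "${GITLAB_SSH_AUTHDB:-false}" = "true" ] || return 1

  # Look only at active directives: commented-out lines do not count, and the
  # trailing character class keeps AuthorizedKeysCommandUser from matching.
  # This makes repeated container starts leave a single block in the file.
  if grep -Eiq '^[[:space:]]*AuthorizedKeysCommand[[:space:]=]' "$conf"; then
    return 2
  fi

  # A Match block applies until the next Match line or end of file, so the
  # block goes at the end and is closed with "Match all". Scoping it to the
  # git user keeps the lookup command from running for other accounts.
  cat >> "$conf" <<EOF

Match User git
  AuthorizedKeysCommand $KEYS_CHECK git %u %k
  AuthorizedKeysCommandUser git
Match all
EOF
  return 0
}
```

The existing authorized_keys file is left untouched, which matches the additive behaviour described in the first post.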