Enable Git v2 over SSH on GitLab.com
Now that https://gitlab.com/gitlab-org/gitlab-ce/issues/46555 will land in production soon (in the next RC), it will work for Git HTTP clients that request v2, but not for Git over SSH.
In order to enable v2 in production, we'll need to set the following in `sshd_config`:

```
AcceptEnv GIT_PROTOCOL
```
Now, this could have security considerations, such as https://serverfault.com/questions/427522/why-is-acceptenv-considered-insecure

And from the `sshd_config` man page:

> Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables.

So I think we need a security evaluation before enabling this, although given that it's restricted to `GIT_PROTOCOL` I didn't see a big concern in this particular situation (pinging @kathyw so this can be evaluated by Security).
Also, it could be that we could enable this directly in Omnibus (or add a setting for it) - @marin, would this be possible? I've only found https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/docker/assets/sshd_config, which is Docker related.
A few facts about the Git protocol v2:
- It's opt-in only, so clients (GitLab users) that support it (using Git v2.18.0 onwards) need to explicitly pass a configuration to enable it.
- Not all Git commands are on v2; some will still execute v1.
- `GIT_PROTOCOL` is only evaluated for us if the string contains `version=2`; everything else is ignored and won't be passed to `git`, defaulting to v1.
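As an added illustration (not code from GitLab or from this issue), the snippet below does two things the discussion above implies a reviewer would want to check: it audits an `sshd_config` text for `AcceptEnv` entries that go beyond the single `GIT_PROTOCOL` variable (wildcards or extra variables widen what a client can push into the session environment, which is what the man page warning is about), and it models the server-side rule that only a `version=2` token in `GIT_PROTOCOL` selects v2 while anything else falls back to v1. The config fragments are constructed samples, and the colon-separated `key=value` token format assumed for `GIT_PROTOCOL` follows Git's protocol documentation rather than anything GitLab-specific.

```python
from typing import List, Optional

# Constructed sample sshd_config fragments (not GitLab.com's real config).
SAMPLE_SSHD_CONFIG_NARROW = """
# forward only the one variable git needs for protocol selection
AcceptEnv GIT_PROTOCOL
"""

SAMPLE_SSHD_CONFIG_BROAD = """
AcceptEnv LANG LC_*
AcceptEnv *
AcceptEnv GIT_PROTOCOL
"""


def audit_accept_env(config_text: str, allowed=("GIT_PROTOCOL",)) -> List[str]:
    """Return every AcceptEnv pattern that is not an exact allow-listed name.

    Wildcards (* or ?) and variables outside the allow-list let a client set
    more of the session environment than the v2 feature requires.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "acceptenv":
            continue
        for pattern in parts[1:]:
            if any(ch in pattern for ch in "*?") or pattern not in allowed:
                findings.append(pattern)
    return findings


def negotiated_git_version(git_protocol_env: Optional[str]) -> int:
    """Model the rule from the issue: only 'version=2' selects v2, else v1.

    Assumption: GIT_PROTOCOL is a colon-separated list of key=value tokens,
    e.g. 'version=2:foo=bar', as in Git's protocol documentation.
    """
    if not git_protocol_env:
        return 1
    for token in git_protocol_env.split(":"):
        key, _, value = token.partition("=")
        if key.strip() == "version" and value.strip() == "2":
            return 2
    return 1
```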
@jramsay this means that without us enabling this SSH config, people using Git v2 wouldn't be able to use v2 over SSH (they will use v1 instead), but could use v2 over HTTP on GitLab.com. In the docs we could point users to how to enable it for on-premises installations, unless we decide to configure this in Omnibus directly.
Git Protocol v2: https://github.com/git/git/blob/master/Documentation/technical/protocol-v2.txt
Man page for SSHD: https://linux.die.net/man/5/sshd_config