SSH certificate management
A contributor is working very hard on SSH certificate-based authentication for GitLab. This is present in these two MRs:
Obviously, GDK doesn't have support yet. Once the feature is merged to master, we should look into adding support to GDK so that we can reliably work on this feature in the future.
We'll probably want to extend this documentation: https://gitlab.com/gitlab-org/gitlab-development-kit/blob/master/doc/howto/ssh.md
I was mostly following the documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication
Some (but not all) of the setup can be automated.
On my personal installation, I've done the following:
openssh/sshd_config
Changed to look like:
Match User lupine
# Rule out pubkey-based authentication so only certificates are accepted. We don't have to do this.
# (sshd_config has no trailing comments, so annotations go on their own lines.)
AuthorizedKeysFile /dev/null
TrustedUserCAKeys /home/lupine/dev/gitlab.com/gitlab-org/gitlab-development-kit/openssh/ca_key.pub
AuthorizedPrincipalsCommandUser lupine
# Permissions problems, see below
AuthorizedPrincipalsCommand /opt/gitlab-shell-authorized-principals-check %i sshUsers
openssh/ca_key[.pub]
Generated like:
ssh-keygen -t rsa -f ./ca_key
This is just an ordinary RSA key with public and private parts.
The public part is referenced by TrustedUserCAKeys in sshd_config, and used to verify signatures on user keys.
The private part is used to sign public user keys, generating a certificate (which is just a public key + a signature).
~/.ssh/id_ed25519-cert.pem
This is a certificate that is generated by signing the ~/.ssh/id_ed25519.pub public key of the user with the openssh/ca_key private key of the server.
The file is created with a command like this:
ssh-keygen -s openssh/ca_key -I <username> -n sshUsers ~/.ssh/id_ed25519.pub
The <username> is the GitLab username you want the key to be valid for. In GDK, this will typically be root.
You could use id_rsa or so on instead of id_ed25519, it's all the same.
/opt/gitlab-shell-authorized-principals-check
sshd has some peculiar permissions requirements for the executable pointed to by AuthorizedPrincipalsCommand. Unfortunately, this means we can't just point at gitlab-shell/bin/gitlab-shell-authorized-principals-check in GDK.
Instead, I created a small wrapper script in /opt, owned by root:root with 755 permissions. The contents are just:
#!/bin/sh
exec /home/lupine/dev/gitlab.com/gitlab-org/gitlab-development-kit/gitlab-shell/bin/gitlab-shell-authorized-principals-check "$@"
This is the bit that I don't think can be automated.
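As an added example (not code from this issue, from GDK or from gitlab-shell), the following Python builds a user certificate in the wire layout that ssh-keygen -s produces (the ssh-ed25519-cert-v01@openssh.com format from OpenSSH's PROTOCOL.certkeys), parses it back to show that it really is the user's public key plus a CA signature with key ID, principals and validity window attached, and then applies the principal and validity decision sshd makes once AuthorizedPrincipalsCommand has returned the principals for the key ID it was given as %i. The key blobs, the signature and the key-ID-to-principals table standing in for gitlab-shell-authorized-principals-check are constructed placeholders; verifying the signature against TrustedUserCAKeys is sshd's job and is not implemented here.

```python
# Added example: OpenSSH user certificate wire layout (PROTOCOL.certkeys),
# a parser for it, and the principal/validity check sshd performs after
# AuthorizedPrincipalsCommand has answered. Keys and signature are placeholders.
import struct
import time

CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
FOREVER = 0xFFFFFFFFFFFFFFFF  # ssh-keygen's default "valid before" when no -V is given


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


class _Reader:
    """Sequential reader for the wire types used inside a certificate."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        start = self.pos + 4
        if start + n > len(self.buf):
            raise ValueError("truncated string field")
        self.pos = start + n
        return self.buf[start:self.pos]

    def uint32(self) -> int:
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return n

    def uint64(self) -> int:
        (n,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return n


def build_user_cert(user_pubkey, key_id, principals, ca_pubkey, signature,
                    valid_after=0, valid_before=FOREVER, serial=0, nonce=b"\x00" * 32):
    """Serialise a user certificate in the field order ssh-keygen -s uses."""
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    signed_part = (
        _string(CERT_ALGO) + _string(nonce) + _string(user_pubkey)
        + struct.pack(">Q", serial) + struct.pack(">I", CERT_TYPE_USER)
        + _string(key_id.encode()) + _string(principals_blob)     # -I and -n
        + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
        + _string(b"") + _string(b"")   # critical options, extensions: none
        + _string(b"")                  # reserved
        + _string(ca_pubkey)            # signature key: the CA public key
    )
    return signed_part + _string(signature)  # the CA signs everything before this


def parse_cert(blob):
    """Decode the certificate; 'signed_data' is the region the CA signature covers."""
    r = _Reader(blob)
    cert = {"algo": r.string(), "nonce": r.string(), "pubkey": r.string(),
            "serial": r.uint64(), "type": r.uint32(), "key_id": r.string().decode()}
    pr = _Reader(r.string())
    principals = []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"] = r.uint64()
    cert["valid_before"] = r.uint64()
    cert["critical_options"] = r.string()
    cert["extensions"] = r.string()
    r.string()  # reserved
    cert["signature_key"] = r.string()
    cert["signed_data"] = blob[:r.pos]
    cert["signature"] = r.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    return cert


def principal_accepted(cert, allowed_principals, now=None):
    """sshd's decision once AuthorizedPrincipalsCommand has listed the principals
    allowed for the certificate's key ID (%i): a user cert, inside its validity
    window, naming at least one allowed principal. Signature verification
    against TrustedUserCAKeys happens before this and is not modelled here."""
    now = int(time.time()) if now is None else now
    if cert["type"] != CERT_TYPE_USER:
        return False
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    return any(p in allowed_principals for p in cert["principals"])


# Constructed stand-ins: not real keys and not a real signature.
USER_PUBKEY = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
CA_PUBKEY = _string(b"ssh-ed25519") + _string(b"\x22" * 32)
FAKE_SIGNATURE = _string(b"ssh-ed25519") + _string(b"\x33" * 64)

# Constructed stand-in for gitlab-shell-authorized-principals-check: key ID -> principals.
PRINCIPALS_BY_KEY_ID = {"root": ["sshUsers"]}


def demo():
    # Equivalent of: ssh-keygen -s openssh/ca_key -I root -n sshUsers ~/.ssh/id_ed25519.pub
    blob = build_user_cert(USER_PUBKEY, "root", ["sshUsers"], CA_PUBKEY, FAKE_SIGNATURE)
    cert = parse_cert(blob)
    allowed = PRINCIPALS_BY_KEY_ID.get(cert["key_id"], [])
    return cert, principal_accepted(cert, allowed, now=1_700_000_000)


if __name__ == "__main__":
    cert, ok = demo()
    print(cert["key_id"], cert["principals"], cert["valid_before"] == FOREVER, ok)
```

Two things worth noticing when running it: with no -V on the ssh-keygen command line the certificate is valid forever (valid_before is all ones), so a certificate issued for a GDK user never expires unless you set a validity interval; and the principal check is a set intersection, so a certificate carrying a principal that the principals command does not list for that key ID is rejected even though its signature is good.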