gitlab-sshd returns "ERROR: Unknown command" when authorizing with SSH cert.

Steps to reproduce

  1. Create and upload an SSH certificate:
    1. ssh-keygen -f CA -t ed25519
    2. curl -X POST -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "https://gitlab.com/api/v4/groups/70922686/ssh_certificates" -d '{ "id": $group_id, "title": "test", "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeoDqZpXiPIHnk0HlHjpbRPAuJ/+U5Rnx0nmLIHHcXO" }'
  2. Sign a user key for an Enterprise user of the group:
    1. ssh-keygen -s CA -I "user@example.org" -V +1d user-key.pub
  3. Attempt authentication with the key: ssh -o "IdentitiesOnly=yes" -F /dev/null -i user-key git@gitlab.com -T

What is the expected correct behavior?

command/discover/discover.go returns "Welcome to GitLab, @user" or at least "Welcome to GitLab, anonymous".

What is the current bug behavior?

We end up in the err != nil condition of handleShells: https://gitlab.com/gitlab-org/gitlab-shell/-/blob/c28c003baa80cb025c610352ee10536452ed065c/internal/sshd/session.go#L191

❯ ssh -o "IdentitiesOnly=yes" -F /dev/null -i user-key git@gitlab.com -T
remote:
remote: ========================================================================
remote:
remote: ERROR: Unknown command:

remote:
remote: ========================================================================
remote:
Edited by Niklas Janz
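
A local sanity check for steps 1.1 and 2.1, added here as an example (not part of the original issue and not gitlab-shell code): it creates throwaway keys, signs one, and uses ssh-keygen -L to confirm the certificate carries the expected Key ID and was signed by the CA whose public key is uploaded. The function names and the temporary directory are assumptions made for the example; nothing in it contacts gitlab.com.

```shell
#!/bin/sh
# Constructed local check: all keys are throwaway and live in a temp directory.
set -eu

# make_cert DIR KEY_ID: repeat steps 1.1 and 2.1 inside DIR.
make_cert() {
    dir=$1; key_id=$2
    ssh-keygen -q -t ed25519 -N '' -C 'test CA' -f "$dir/CA"
    ssh-keygen -q -t ed25519 -N '' -C 'test user' -f "$dir/user-key"
    # Writes "$dir/user-key-cert.pub", which ssh offers alongside "-i user-key".
    ssh-keygen -q -s "$dir/CA" -I "$key_id" -V +1d "$dir/user-key.pub"
}

# cert_field CERT LABEL: print the value of one "Label: value" line of ssh-keygen -L.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1
}

# cert_signed_by CERT CA_PUB: succeed only if the certificate's "Signing CA"
# fingerprint is the fingerprint of CA_PUB (the key uploaded in step 1.2).
cert_signed_by() {
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    signer=$(cert_field "$1" 'Signing CA')
    case "$signer" in
        *"$ca_fp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run: a well-formed certificate here points the failure at the server side.
tmp=$(mktemp -d)
make_cert "$tmp" 'user@example.org'
echo "Key ID:     $(cert_field "$tmp/user-key-cert.pub" 'Key ID')"
echo "Valid:      $(cert_field "$tmp/user-key-cert.pub" 'Valid')"
echo "Principals: $(cert_field "$tmp/user-key-cert.pub" 'Principals')"
if cert_signed_by "$tmp/user-key-cert.pub" "$tmp/CA.pub"; then
    echo "Signing CA matches CA.pub"
else
    echo "Signing CA does NOT match CA.pub"
fi
rm -rf "$tmp"
```

To check the real files from the steps above, call cert_field and cert_signed_by on user-key-cert.pub and CA.pub instead of running the demo section.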