Add support for instance-level SSH certificates via configuration
What does this MR do and why?
Contributes to #841 (closed)
Problem
Self-managed GitLab instances using gitlab-sshd cannot configure instance-level SSH certificates without switching to OpenSSH. The existing group-level SSH certificates feature requires Rails/database integration and is scoped to namespaces.
Solution
Add a trusted_user_ca_keys configuration option to config.yml that accepts a list of CA public key file paths. Certificates signed by these CAs are trusted for authentication, with the certificate's KeyId used as the GitLab username. This provides the gitlab-sshd equivalent of OpenSSH's TrustedUserCAKeys directive.
Key changes:
- Add TrustedUserCAKeys field to ServerConfig
- Add parseTrustedUserCAKeys() to load CA public keys at startup
- Add isLocallyTrustedCA() to check certificate trust locally
- Modify handleUserCertificate() to check local CA trust before falling back to the Rails API for group-level certificates
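As an added example (not code from this MR or from gitlab-shell itself), the decision that isLocallyTrustedCA() and handleUserCertificate() make together, written standalone over the raw certificate blob with only Go's standard library so it can be run against a real id_ed25519-cert.pub: the signing CA must match one of the keys loaded from trusted_user_ca_keys, the signature must verify, the certificate must be a user certificate inside its validity window, and only then is the KeyId returned as the username. The function name, the map of decoded CA key blobs and the restriction to ed25519 are this example's own assumptions, not the MR's API.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
)

// UsernameFromCert makes the local trust decision for one OpenSSH certificate blob (field
// layout per PROTOCOL.certkeys): an ed25519 user certificate signed by a key in trustedCAs
// (decoded blobs of the trusted_user_ca_keys files) and valid at now (Unix seconds) yields its KeyId.
func UsernameFromCert(cert []byte, trustedCAs map[string]bool, now uint64) (string, error) {
	rest, ok := cert, true
	take := func(n uint64) (out []byte) { // next n raw bytes; ok turns false on truncation
		if ok = ok && uint64(len(rest)) >= n; ok {
			out, rest = rest[:n], rest[n:]
		}
		return out
	}
	num := func(size uint64) (v uint64) { // big-endian uint32 (size 4) or uint64 (size 8)
		for _, x := range take(size) {
			v = v<<8 | uint64(x)
		}
		return v
	}
	str := func() []byte { return take(num(4)) } // wire string: uint32 length, then bytes
	algo, _, _, _ := str(), str(), str(), num(8) // type name, nonce, user public key, serial
	isUser := num(4) == 1                        // certificate type: 1 = user, 2 = host
	keyID, _ := string(str()), str()             // KeyId, then valid principals (not used here)
	after, before := num(8), num(8)
	str(); str(); str() // critical options, extensions, reserved
	caBlob := str()
	signed := cert[:len(cert)-len(rest)] // the signature covers every field before it
	sigBlob := str()
	if !ok || len(rest) != 0 || !bytes.Equal(algo, []byte("ssh-ed25519-cert-v01@openssh.com")) ||
		!trustedCAs[string(caBlob)] {
		return "", errors.New("malformed or unsupported certificate, or CA not in trusted_user_ca_keys")
	}
	rest, ok = sigBlob, true // signature blob: string algorithm name, string raw signature
	_, sig := str(), str()
	rest = caBlob // CA key blob: string "ssh-ed25519", string 32-byte public key
	_, pk := str(), str()
	if !ok || len(pk) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pk), signed, sig) {
		return "", errors.New("certificate signature does not verify")
	}
	if !isUser || now < after || now >= before {
		return "", errors.New("not a user certificate, or outside its validity window")
	}
	return keyID, nil
}
```

To try it on real files, base64-decode the second field of the -cert.pub and of each CA .pub file listed in trusted_user_ca_keys.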
References
- Issue: #841 (closed)
- SSH certificates for groups - existing group-level feature
- User lookup via OpenSSH AuthorizedPrincipalsCommand - existing OpenSSH-based approach
How to set up and validate locally
- Switch to the 841-instance-level-ssh-certificates branch of gitlab-shell in GDK.
- Generate a CA key pair:
  ssh-keygen -t rsa -f /tmp/ca_key -N ""
- Add the CA public key to config.yml:
  sshd:
    trusted_user_ca_keys:
      - /tmp/ca_key.pub
- Execute make ; gdk restart sshd in the gitlab-shell folder.
- Sign a user certificate with the CA (using your GitLab username as KeyId):
  ssh-keygen -s /tmp/ca_key -I <gitlab-username> -V +1d ~/.ssh/id_rsa.pub
- Start gitlab-sshd and verify authentication works with the certificate:
  ssh -i ~/.ssh/id_rsa -o CertificateFile=~/.ssh/id_rsa-cert.pub -p 2222 git@gdk.test
- Run the tests:
  go test ./internal/sshd/... -v -run "TestParseTrustedUserCAKeys|TestIsLocallyTrustedCA|TestUserCertificateHandling_InstanceLevel|TestNewServerConfigLoadsTrustedCAKeys"