SSH fingerprints on the instance configuration page are wrong when using Docker-Omnibus
Summary
When deploying GitLab CE Omnibus in a Docker container, the instance configuration page (/help/instance_configuration) displays erroneous fingerprints.
Steps to reproduce
- Deploy GitLab Omnibus following the documentation at: https://docs.gitlab.com/omnibus/docker/
- Access the instance configuration page at: https://<instance>/help/instance_configuration
- Access the instance through SSH: ssh -v git@instance
- Compare the fingerprints
What is the current bug behavior?
SSH fingerprints exposed by GitLab on the instance configuration page do not match the actual host SSH keys.
What is the expected correct behavior?
The fingerprints should match, for users to be able to verify their SSH connection is not currently being intercepted.
Possible fixes
As described in the Docker image page and in GitLab CE documentation, the Omnibus image stores persistent configuration, including host SSH keys, in /etc/gitlab, which is mounted from the host. GitLab sshd then loads these when started by runsv.
However, the instance configuration model has the path for host SSH keys hardcoded to /etc/ssh, which is fine for a local deployment but will not suit a Docker deployment: https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/app/models/instance_configuration.rb#L7
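One way to confirm the mismatch from inside the container, as an added example that is not part of the original report or GitLab's own code: it computes the SHA256 and MD5 fingerprints of the public host keys in two directories and lists the files whose fingerprints differ. The ssh_host_*_key.pub file naming, the function names and the constructed sample keys are assumptions.

```python
import base64, hashlib, struct, tempfile
from pathlib import Path

def fingerprints(pub_line):
    """Return the SHA256 and MD5 fingerprints of one OpenSSH public key line."""
    blob = base64.b64decode(pub_line.split()[1])  # second field is the key blob
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def host_key_fingerprints(directory):
    """Map each ssh_host_*_key.pub file name (assumed naming) to its SHA256 fingerprint."""
    return {p.name: fingerprints(p.read_text())["sha256"]
            for p in sorted(Path(directory).glob("ssh_host_*_key.pub"))}

def compare(displayed_dir, served_dir):
    """List key files whose fingerprint differs, or exists on one side only."""
    shown = host_key_fingerprints(displayed_dir)
    served = host_key_fingerprints(served_dir)
    return sorted(n for n in shown.keys() | served.keys()
                  if shown.get(n) != served.get(n))

def constructed_pub_line(seed):
    """Build a well-formed ssh-ed25519 line from constructed, non-secret bytes."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-ed25519") + field(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

def demo():
    """Simulate /etc/ssh and /etc/gitlab holding different host keys."""
    with tempfile.TemporaryDirectory() as root:
        etc_ssh, etc_gitlab = Path(root, "etc/ssh"), Path(root, "etc/gitlab")
        for directory, seed in ((etc_ssh, 1), (etc_gitlab, 2)):
            directory.mkdir(parents=True)
            key_file = directory / "ssh_host_ed25519_key.pub"
            key_file.write_text(constructed_pub_line(seed) + "\n")
        return compare(etc_ssh, etc_gitlab)

if __name__ == "__main__":
    # On a real container: compare("/etc/ssh", "/etc/gitlab")
    print("mismatched host keys:", demo())
```

The SHA256 value has the same form as the fingerprint `ssh -v` reports for the server host key, so it can be checked against both the page and the live connection.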