Enforce auth via SSH certificates for Git access
What does this MR do and why?
Blueprint: https://docs.gitlab.com/ee/architecture/blueprints/ssh_certificates/
- Implement an option to enforce using SSH certificates only for authentication and forbid personal SSH keys and access tokens
Related:
- Enforce authentication via SSH certificates for... (#421917 - closed)
- Extend internal endpoints to process SSH certif... (!131435 - merged)
Steps
Very similar to Extend internal endpoints to process SSH certif... (!131435 - merged)
- Check out this branch
- Run `gdk start`
- Enable `enforce_ssh_certificates` feature flag
- Go to Gitlab Shell project (`cd gitlab-shell`)
- Apply this diff ssh-certificates.diff
- Check out `main`, stop the running `sshd` server: `gdk stop sshd`
- `export FF_GITLAB_SHELL_SSH_CERTIFICATES=1` to enable the Gitlab Shell feature flag
- `make && bin/gitlab-sshd -config-dir=.` to compile and run sshd server
- Try to `git clone` a project from the group: should be successful
- Go to the Group Settings > General > Permissions and group features
- Select `Only SSH Certificates`
- Try to `git clone` a project from the group: should not be successful
- Generate an SSH certificate using these ssh-keygen steps
- Add CA.pub to a group using `rails c` or REST get, post and delete endpoints for SSH Cer... (!130866 - merged)
- And use the certificate to `git clone`
- Try to `git clone` a project from the group: should be successful
- Go to the Group Settings > General > Permissions and group features
- Select `Only SSH`
- Try to `git clone` a project from the group: should not be successful
Edited by Igor Drozdov
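The certificate step above links to ssh-keygen instructions that are not reproduced on this page. As an added example (not part of the MR or of GitLab's own code), this script creates a throwaway CA, signs a user key, and checks the resulting certificate before `CA.pub` is added to the group; the file names, the `alice` identity and the one-day validity are assumptions.

```shell
#!/bin/sh
# Added example: file names, identity and validity are assumptions, not from the MR.
set -eu

# make_cert DIR IDENTITY VALIDITY
# Creates a throwaway CA and a user key pair in DIR, then signs the user key.
make_cert() {
  mkdir -p "$1"
  # CA key pair: CA.pub is the file that gets registered on the group.
  ssh-keygen -q -t ed25519 -N '' -C 'test CA (constructed)' -f "$1/CA"
  # User key pair: only user.pub is handed to the CA for signing.
  ssh-keygen -q -t ed25519 -N '' -C 'test user (constructed)' -f "$1/user"
  # -I sets the certificate key ID, -V bounds its validity window.
  # Output is written next to the public key as user-cert.pub.
  ssh-keygen -q -s "$1/CA" -I "$2" -V "$3" "$1/user.pub"
}

# cert_field CERT FIELD
# Prints one field ("Type", "Key ID", "Valid", "Signing CA") of `ssh-keygen -L`.
cert_field() {
  ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# ca_fingerprint CA_PUB
# Prints the SHA256 fingerprint of a CA public key.
ca_fingerprint() {
  ssh-keygen -l -f "$1" | awk '{print $2}'
}

# cert_signed_by CERT CA_PUB
# Succeeds only if the certificate was signed by the given CA key.
cert_signed_by() {
  [ "$(cert_field "$1" 'Signing CA' | awk '{print $2}')" = "$(ca_fingerprint "$2")" ]
}

# Demo: ./script.sh alice
if [ "$#" -ge 1 ]; then
  dir=$(mktemp -d)
  make_cert "$dir" "$1" +1d
  echo "type:   $(cert_field "$dir/user-cert.pub" Type)"
  echo "key id: $(cert_field "$dir/user-cert.pub" 'Key ID')"
  echo "valid:  $(cert_field "$dir/user-cert.pub" Valid)"
  cert_signed_by "$dir/user-cert.pub" "$dir/CA.pub" && echo "signed by $dir/CA.pub"
fi
```

When cloning, ssh picks up `user-cert.pub` automatically if it sits beside the `user` private key passed with `-i`.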