diff options
author | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-06-14 15:54:38 +0200 |
---|---|---|
committer | Ævar Arnfjörð Bjarmason <avarab@gmail.com> | 2018-07-26 12:35:55 +0200 |
commit | 2e8b67027067761034f36dadb3c2208ce66d2552 (patch) | |
tree | 1f35c43611dcd0041d3f30fe7a86eac507912b75 /bin | |
parent | dc67cf1a62529bf7aecc8e350994ac40d5f4a068 (diff) | |
download | gitlab-shell-2e8b67027067761034f36dadb3c2208ce66d2552.tar.gz |
Add support for SSH certificate authentication
This along with the code submitted to gitlab-ce in the
gitlab-org/gitlab-ce! MR implements SSH certificate
authentication. See the docs added to gitlab-ce for why and how to
enable this. This, along with that MR, closes
gitlab-org/gitlab-ce#3457
Implementation notes:
- Because it's easy to do, and because an earlier nascent version of
this would pass user-ID to gitlab-shell, that's now supported, even
though the SSH certificate authentication uses username-USERNAME.
- The astute reader will notice that not all the API calls in
gitlab-ce's lib/api/internal.rb support a "username" argument, some
only support "user_id".
There's a few reasons for this:
a) For this to be efficient, I am bending over backwards to avoid
extra API calls when using SSH certificates.
Therefore the /allowed API call will now return a "user id" to
us if we're allowed to proceed further. This is then fed to
existing APIs that would only be called after a successful
call to /allowed.
b) Not all of the git-shell codepaths go through
/internal/allowed, or ever deal with a repository, e.g. the
argument-less "Welcome to GitLab", and
/internal/2fa_recovery_codes. These need to use
/internal/discover to figure out details about the user, so
support looking that up by username.
c) Once we have the "user id", the GL_ID gets passed down to
e.g. user-authored hooks. I don't want to have those all break
by having to handle a third GL_ID mode of "username" in
addition to the current "key id" and "user id".
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/gitlab-shell | 6 | ||||
-rwxr-xr-x | bin/gitlab-shell-authorized-principals-check | 36 |
2 files changed, 39 insertions, 3 deletions
diff --git a/bin/gitlab-shell b/bin/gitlab-shell index 6ef572f..1016570 100755 --- a/bin/gitlab-shell +++ b/bin/gitlab-shell @@ -5,19 +5,19 @@ unless ENV['SSH_CONNECTION'] exit end -key_id = /key-[0-9]+/.match(ARGV.join).to_s original_cmd = ENV.delete('SSH_ORIGINAL_COMMAND') require_relative '../lib/gitlab_init' # # -# GitLab shell, invoked from ~/.ssh/authorized_keys +# GitLab shell, invoked from ~/.ssh/authorized_keys or from an +# AuthorizedPrincipalsCommand in the key-less SSH CERT mode. # # require File.join(ROOT_PATH, 'lib', 'gitlab_shell') -if GitlabShell.new(key_id).exec(original_cmd) +if GitlabShell.new(ARGV.join).exec(original_cmd) exit 0 else exit 1 diff --git a/bin/gitlab-shell-authorized-principals-check b/bin/gitlab-shell-authorized-principals-check new file mode 100755 index 0000000..aa6d427 --- /dev/null +++ b/bin/gitlab-shell-authorized-principals-check @@ -0,0 +1,36 @@ +#!/usr/bin/env ruby + +# +# GitLab shell authorized principals helper. Emits the same sort of +# command="..." line as gitlab-shell-authorized-principals-check, with +# the right options. +# +# Ex. +# bin/gitlab-shell-authorized-keys-check <key-id> <principal1> [<principal2>...] +# +# Returns one line per principal passed in, e.g.: +# command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL} +# [command="/bin/gitlab-shell username-{KEY_ID}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {PRINCIPAL2}] +# +# Expects to be called by the SSH daemon, via configuration like: +# AuthorizedPrincipalsCommandUser root +# AuthorizedPrincipalsCommand /bin/gitlab-shell-authorized-principals-check git %i sshUsers + +abort "# Wrong number of arguments. #{ARGV.size}. Usage: +# gitlab-shell-authorized-principals-check <key-id> <principal1> [<principal2>...]" unless ARGV.size >= 2 + +key_id = ARGV[0] +abort '# No key_id provided' if key_id.nil? || key_id == '' + +principals = ARGV[1..-1] +principals.each { |principal| + abort '# An invalid principal was provided' if principal.nil? || principal == '' +} + +require_relative '../lib/gitlab_init' +require_relative '../lib/gitlab_net' +require_relative '../lib/gitlab_keys' + +principals.each { |principal| + puts GitlabKeys.principal_line("username-#{key_id}", principal.dup) +} |