authorStan Hu <stanhu@gmail.com>2022-06-12 00:30:20 -0700
committerStan Hu <stanhu@gmail.com>2023-03-08 10:19:38 -0800
commit0bad7a428e8ba0bbde3d9657eb31e6eef1eca9fa (patch)
tree0b0bc29324f382ce540ae9c0a2e3522e0ef665af /internal/sshd/session.go
parent1461d9ed1283f6dda015e3c26189b70c95d022c2 (diff)
gitlab-sshd: Add support for signed user certificatessh-ssh-certificates
We add a `trusted_user_ca_keys` config setting that allows gitlab-sshd to trust any SSH certificate signed by the keys listed in this file. This is equivalent to the `TrustedUserCAKeys` OpenSSH setting. We assume the certificate identity is equivalent to the GitLab username.
Diffstat (limited to 'internal/sshd/session.go')
-rw-r--r--internal/sshd/session.go3
1 files changed, 3 insertions, 0 deletions
diff --git a/internal/sshd/session.go b/internal/sshd/session.go
index 3394b2a..3d5fbad 100644
--- a/internal/sshd/session.go
+++ b/internal/sshd/session.go
@@ -28,6 +28,7 @@ type session struct {
channel ssh.Channel
gitlabKeyId string
gitlabKrb5Principal string
+ gitlabUsername string
remoteAddr string
// State managed by the session
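Review bot: The new `gitlabUsername` field carries no comment on where its value comes from, although per the commit description it is the certificate identity taken as the GitLab username. Because that string alone decides which account the session runs as, I would state its provenance on the field, for example `// gitlabUsername is the identity of a user certificate signed by a trusted CA; expected to be empty for key and Kerberos logins.` The code that assigns the field is not part of this file's diff, so the "expected to be empty" part should be confirmed against the auth callback. The struct definition starts and ends outside the hunk.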
@@ -173,6 +174,8 @@ func (s *session) handleShell(ctx context.Context, req *ssh.Request) (uint32, er
if s.gitlabKrb5Principal != "" {
cmd, err = shellCmd.NewWithKrb5Principal(s.gitlabKrb5Principal, env, s.cfg, rw)
+ } else if s.gitlabUsername != "" {
+ cmd, err = shellCmd.NewWithUsername(s.gitlabUsername, env, s.cfg, rw)
} else {
cmd, err = shellCmd.NewWithKey(s.gitlabKeyId, env, s.cfg, rw)
}
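Review bot: The account the shell command runs as is picked by whichever session field is non-empty, in the order Kerberos principal, certificate username, key ID, and nothing at this branch chain says that only one of them may be set. If an authentication path ever populated two of these fields, the session would silently run as the first match, and with all three empty it still falls through to `NewWithKey` with an empty key ID. The assignment of `gitlabUsername` is outside this file's diff, so the invariant cannot be confirmed here; I would record it above the chain with `// Exactly one of gitlabKrb5Principal, gitlabUsername or gitlabKeyId is set during authentication; the order below is only a tie-break.` With three cases a bare `switch` would also read more clearly than the `else if` ladder. handleShell starts and ends outside the hunk.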