Fix make install copying the wrong binaries
See merge request gitlab-org/gitlab-shell!664
While testing
https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1062, we
found `make install` was not copying the right binaries, such as
`gitlab-shell-authorized-keys-check`.
This might have originally been written with a single binary in mind
(https://gitlab.com/gitlab-org/gitlab-shell/-/issues/207).
Changelog: fixed
Release v14.7.4
See merge request gitlab-org/gitlab-shell!663
- Update crypto module to fix RSA keys with old gpg-agent
gitlab-sshd: Update crypto module to fix RSA keys with old gpg-agent
See merge request gitlab-org/gitlab-shell!662
When we put gitlab-sshd in production, we noticed a number of clients
using RSA keys would fail to login. The server would report:
```
ssh: signature "ssh-rsa" not compatible with selected algorithm "rsa-sha2-512"
```
This is reproducible on Ubuntu 18.04, which ships gpg-agent v2.2.4 and
OpenSSH v7.6. That version of gpg-agent does not support
`rsa-sha2-256` or `rsa-sha2-512`, but OpenSSH does. As a result,
OpenSSH specifies `rsa-sha2-512` as the public key algorithm to use in
the user authentication request message, but gpg-agent includes an
`ssh-rsa` signature. OpenSSH servers tolerate this discrepancy, but
the Go implementation fails because it expects a strict match.
This commit pulls in
https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/9 to fix
the problem.
Relates to:
1. https://github.com/golang/go/issues/53391
2. https://gitlab.com/gitlab-org/gitlab-shell/-/issues/587
Changelog: fixed
Set BUNDLE_FROZEN to true
Closes #562
See merge request gitlab-org/gitlab-shell!659
To follow rubygems' security advisory
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79:
Upgrade Gemfile.lock to use bundler to v2.3.15
See merge request gitlab-org/gitlab-shell!658
This is just to minimize the versions of bundler used for development.
The GDK runs `support/bundle-install` in this directory to obtain the
version of bundler needed.
This relates to https://gitlab.com/gitlab-org/gitlab/-/issues/364373.
Release v14.7.3
See merge request gitlab-org/gitlab-shell!657
- Ignore "not our ref" errors from gitlab-sshd error metrics
Ignore "not our ref" errors from gitlab-sshd error metrics
See merge request gitlab-org/gitlab-shell!656
If a client requests a ref that cannot be found in the repository,
previously gitlab-sshd would record it as part of its service level
indicator metric. This is really an application error between the
client and the Git repository, so we exclude it from our metrics.
Relates to
https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15848
Changelog: fixed
Release 14.7.2
See merge request gitlab-org/gitlab-shell!655
- Exclude disallowed command from error rate
Exclude disallowed command from error rate
See merge request gitlab-org/gitlab-shell!654
Release 14.7.1
See merge request gitlab-org/gitlab-shell!652
- Log gitlab-sshd session level indicator errors !650
- Improve establish session duration metrics !651
Calculate session start after the connection is established
See merge request gitlab-org/gitlab-shell!653
Improve establish session duration metrics
See merge request gitlab-org/gitlab-shell!651
Before, we took into account the time a user takes to authenticate.
Now it only measures the time between a connection being established and
a command starting to be executed.
It can still be controlled by a user, but it's something we can
measure and restrict if necessary.
Log gitlab-sshd session level indicator errors
See merge request gitlab-org/gitlab-shell!650
In production, we saw gitlab-sshd error metrics rise, but it was not
clear why. We now log a message every time we encounter a session
error that affects the service level indicator counter.
Document gitlab-shell on GitLab SaaS
See merge request gitlab-org/gitlab-shell!625
Release v14.7.0
See merge request gitlab-org/gitlab-shell!648
- Abort long-running unauthenticated SSH connections !647
- Close the connection when context is canceled !646
Abort long-running unauthenticated SSH connections
See merge request gitlab-org/gitlab-shell!647
The config option is basically a copy of the LoginGraceTime OpenSSH
option.
If an SSH connection is hanging unauthenticated, after some period
of time, the connection gets canceled. The value is configurable;
the server waits for 60 seconds by default.
Close the connection when context is canceled
See merge request gitlab-org/gitlab-shell!646
When the graceful shutdown timeout expires, the global context is
canceled. All the operations dependent on it are canceled as well.
Unfortunately, some of the operations don't respect the context.
For example, SSH connection initialization.
In this case, we need to manually close the connection.
One of the options is to wait for ctx.Done() and close the connection
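
An added example, not gitlab-shell's own code, of the pattern the two commit messages above describe: a pre-authentication step that ignores contexts is interrupted by closing the connection when the context ends, whether through a LoginGraceTime-style timeout or a shutdown cancellation. The names `readBanner`, `handshakeWithContext` and `serveWithGrace` are hypothetical, and an in-memory `net.Pipe` stands in for a client socket.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// readBanner stands in for a handshake step that takes no context and blocks on the socket.
func readBanner(conn net.Conn) (string, error) {
	return bufio.NewReader(conn).ReadString('\n')
}

// handshakeWithContext closes conn when ctx is done, which makes the pending Read return.
func handshakeWithContext(ctx context.Context, conn net.Conn) (string, error) {
	stop, exited := make(chan struct{}), make(chan struct{})
	go func() {
		defer close(exited)
		select {
		case <-ctx.Done():
			conn.Close() // the only way to interrupt the blocked Read
		case <-stop:
		}
	}()
	banner, err := readBanner(conn)
	close(stop)
	<-exited // watcher has exited, so a later cancel cannot close a conn still in use
	if err != nil && ctx.Err() != nil {
		return "", fmt.Errorf("handshake aborted: %w", ctx.Err())
	}
	return banner, err
}

// serveWithGrace bounds the unauthenticated phase; cancelling parent aborts it as well.
func serveWithGrace(parent context.Context, conn net.Conn, grace time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(parent, grace)
	defer cancel()
	return handshakeWithContext(ctx, conn)
}

func main() {
	server, client := net.Pipe() // constructed in-memory peer that never speaks
	defer client.Close()
	_, err := serveWithGrace(context.Background(), server, 50*time.Millisecond)
	fmt.Println(err, errors.Is(err, context.DeadlineExceeded))
}
```

Waiting for the watcher goroutine to exit before returning keeps the grace timer from closing a connection that already completed the step.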
Release v14.6.1
See merge request gitlab-org/gitlab-shell!645
- Return support for diffie-hellman-group14-sha1 !644
Return support for diffie-hellman-group14-sha1
See merge request gitlab-org/gitlab-shell!644
It seems that a lot of users rely on this, so let's return it and
deprecate it later to make the migration less disruptive.
Release 14.6.0
See merge request gitlab-org/gitlab-shell!643
- Exclude Gitaly unavailable error from error rate !641
- Downgrade auth EOF messages from warning to debug !641
- Display consistently in gitlab-sshd and gitlab-shell !641
- Downgrade host key mismatch messages from warning to debug !639
- Introduce a GitLab-SSHD server version during handshake !640
- Narrow supported kex algorithms !638
Exclude Gitaly unavailable error from error rate
See merge request gitlab-org/gitlab-shell!641
The errors happen when a client closes a connection on handshake.
They can be ignored to avoid noise.
When a user hits the repository rate limit, Gitaly returns an error
that the request can't be handled (Gitaly unavailable).
We should avoid this error to avoid exceeding the error rate.
- Use console package to format the errors in gitlab-sshd
- Suppress internal Gitaly errors in client output
Downgrade host key mismatch messages from warning to debug
See merge request gitlab-org/gitlab-shell!639
This message doesn't provide that much value, so let's just drop it.
In production, we often see SSH key scans requesting host key
algorithms that we don't support, such as `sk-ssh-ed25519@openssh.com`
or `sk-ecdsa-sha2-nistp256@openssh.com`.
These messages might be useful if someone forgets to configure a host
key that should be supported, but most of the time they are noise.
This commit downgrades these messages to DEBUG.
Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/581
Changelog: changed
Introduce a GitLab-SSHD server version during handshake
See merge request gitlab-org/gitlab-shell!640