Ssh keys on docker gitlab-ce

ssh ssh-keys gitlab

The announcement for GitLab 13.10 has a deprecation notice for using authorized_keys for ssh keys:

The first mechanism (integration via authorized keys ) is vulnerable to both race conditions and out-of-order execution issues, making it hard to scale. Because of this it will be removed in GitLab 14.0. Refer to issue #212227 for details.

Docs for fast ssh key lookup (Fast lookup of authorized SSH keys in the database | GitLab) say that

For Omnibus Docker, AuthorizedKeysCommand is setup by default in GitLab 11.11 and later.

When I poke into my gitlab container at its ssh config files, I do not see AuthorizedKeysCommand. However, I also cannot find any reference in /var/opt/gitlab/.ssh/authorized_keys of my actual SSH keys, suggesting that it is in fact using fast lookup instead of the system authorized_keys file.

My configuration in Admin Area > Network > Performance optimization has enabled Write to "authorized_keys" file. My understanding of that is that it is a backup for deployment keys, not that that file will be used for all authentication.

Since the authorized_keys file will reach deprecation in GitLab-14 (two months away?), I’m looking ahead. How do I know if removal of support for that file will break me? I can always uncheck the "write to authorized_keys", but I don't expect that that would have immediate effects.


Solution 1:

OP's linked documentation (giving here the ce version which is identical) tells:

Add the following to your sshd_config file. This is usually located at /etc/ssh/sshd_config, but it will be /assets/sshd_config if you’re using Omnibus Docker:

Match User git    # Apply the AuthorizedKeysCommands to the git user only
  AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
  AuthorizedKeysCommandUser git
Match all    # End match, settings apply to all users again

Because the configuration file is in an uncommon place, it might not have been found.

The documentation then tells, as OP already wrote:

ⓘ For Omnibus Docker, AuthorizedKeysCommand is setup by default in GitLab 11.11 and later.

So Omnibus Docker is already configured to use GitLab's dedicated command in complement to the authorized_keys file. There's nothing to prepare for version 14 in the Omnibus Docker version, it's already ready for the change (that's most likely not the case for the standard Omnibus version) where there shouldn't be an authorized_keys file anymore and the command gitlab-shell-authorized-keys-check will completely take over.

To double-check it's already using the new authentication method, one can follow the test suggested in the documentation:

Confirm that SSH is working by commenting out your user’s key in the authorized_keys file (start the line with a # to comment it), and attempting to pull a repository.

A successful pull would mean that GitLab was able to find the key in the database, since it is not present in the file anymore.

Related

Is the IR camera on modern high end laptops used for anything else other than facial recognition?
Getting "fatal: repository not found" when "git clone" a URL
Virus/Spyware: C2/Generic-B detected in C:\Windows\System32\svchost.exe [duplicate]
How to test an *ancient* power supply?
Starting Windows without explorer.exe
How to turn off the Toggle Keys indicator on Windows 10?
Need help removing onscreen caps lock indicator (Windows 10)
How can I disable Mail.app when I click on an email address on mac?
how to execute command in console of program (i.e. various databases) through shell/bash script
Excel: Count number of duplicates in row for unique records
How to keep non-breaking space in cross-references
Multiple concurrent desktop environments linux