SSH keys on Docker gitlab-ce

The announcement for GitLab 13.10 has a deprecation notice for using authorized_keys for ssh keys:

The first mechanism (integration via authorized keys) is vulnerable to both race conditions and out-of-order execution issues, making it hard to scale. Because of this it will be removed in GitLab 14.0. Refer to issue #212227 for details.

Docs for fast SSH key lookup (Fast lookup of authorized SSH keys in the database | GitLab) say that

For Omnibus Docker, AuthorizedKeysCommand is set up by default in GitLab 11.11 and later.

When I poke into my GitLab container at its SSH config files, I do not see AuthorizedKeysCommand. However, I also cannot find any reference in /var/opt/gitlab/.ssh/authorized_keys to my actual SSH keys, suggesting that it is in fact using fast lookup instead of the system authorized_keys file.

My configuration in Admin Area > Network > Performance optimization has enabled Write to "authorized_keys" file. My understanding of that is that it is a backup for deployment keys, not that that file will be used for all authentication.

Since the authorized_keys file will reach deprecation in GitLab-14 (two months away?), I’m looking ahead. How do I know if removal of support for that file will break me? I can always uncheck the "write to authorized_keys", but I don't expect that that would have immediate effects.


Solution 1:

OP's linked documentation (quoting here the CE version, which is identical) says:

Add the following to your sshd_config file. This is usually located at /etc/ssh/sshd_config, but it will be /assets/sshd_config if you’re using Omnibus Docker:

Match User git    # Apply the AuthorizedKeysCommands to the git user only
  AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
  AuthorizedKeysCommandUser git
Match all    # End match, settings apply to all users again

Because the configuration file is in an uncommon place, it might not have been found.

The documentation then says, as OP already wrote:

ⓘ For Omnibus Docker, AuthorizedKeysCommand is set up by default in GitLab 11.11 and later.

So Omnibus Docker is already configured to use GitLab's dedicated command alongside the authorized_keys file. There's nothing to prepare for version 14 in the Omnibus Docker version; it's already ready for the change (that's most likely not the case for the standard Omnibus version), in which there shouldn't be an authorized_keys file anymore and the command gitlab-shell-authorized-keys-check will take over completely.

To double-check it's already using the new authentication method, one can follow the test suggested in the documentation:

Confirm that SSH is working by commenting out your user’s key in the authorized_keys file (start the line with a # to comment it), and attempting to pull a repository.

A successful pull would mean that GitLab was able to find the key in the database, since it is not present in the file anymore.
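The two checks above (is the Match User git block with AuthorizedKeysCommand present, and does a pull still work once the key is commented out of authorized_keys) can be scripted. The following is an added example written for this page; it is not code from the question, the answer or GitLab itself. It parses an sshd_config the way the answer's snippet is laid out, comments out a key line in an authorized_keys file while keeping a .bak copy, and counts the remaining active keys. The sample config and key files are constructed inline; the key blob is fake. The container paths mentioned in the comments (/assets/sshd_config, /var/opt/gitlab/.ssh/authorized_keys) are the ones given in the answer.

```shell
#!/bin/sh
# Added example (not from the original post, the answer, or GitLab's docs).
#   fast_lookup_configured FILE  - exit 0 if FILE has a "Match User git" block
#                                  whose AuthorizedKeysCommand points at
#                                  gitlab-shell-authorized-keys-check, else 1
#   comment_out_key FILE NEEDLE  - comment out authorized_keys lines containing
#                                  NEEDLE (the docs' pull test); keeps FILE.bak
#   active_keys FILE             - number of uncommented, non-blank lines
# On a real Omnibus Docker container you would point these at
# /assets/sshd_config and /var/opt/gitlab/.ssh/authorized_keys (paths from the
# answer above); the files below are constructed for the demo.

fast_lookup_configured() {
  awk '
    # A "Match" line starts a new block. We are in the git block only after
    # "Match User git"; "Match all" (or any other Match) ends it.
    tolower($1) == "match" { in_git = (tolower($2) == "user" && $3 == "git"); next }
    # A commented-out directive has "#..." as $1, so it never matches here.
    in_git && tolower($1) == "authorizedkeyscommand" &&
      $2 ~ /gitlab-shell-authorized-keys-check/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

comment_out_key() {
  file=$1
  needle=$2
  cp "$file" "$file.bak"
  # Literal match via index(), so base64 key material containing "/" or "+"
  # needs no escaping. Lines that are already comments are left alone.
  awk -v needle="$needle" '
    index($0, needle) > 0 && $0 !~ /^[[:space:]]*#/ { print "#" $0; next }
    { print }
  ' "$file.bak" > "$file"
}

active_keys() {
  awk '!/^[[:space:]]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# --- constructed sample files -----------------------------------------------
SAMPLE_DIR=$(mktemp -d)

# What the answer says /assets/sshd_config carries in the Omnibus Docker image.
cat > "$SAMPLE_DIR/assets_sshd_config" <<'EOF'
Port 22
PasswordAuthentication no
Match User git    # Apply the AuthorizedKeysCommands to the git user only
  AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
  AuthorizedKeysCommandUser git
Match all    # End match, settings apply to all users again
EOF

# A stock config where the directive exists only as a commented-out default:
# looking at a file like this is how one concludes "I do not see
# AuthorizedKeysCommand".
cat > "$SAMPLE_DIR/etc_sshd_config" <<'EOF'
Port 22
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
EOF

# One gitlab-shell style entry; the key blob is fake, constructed for the demo.
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# Managed by gitlab-shell
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL/abc+def user@example
EOF

for f in assets_sshd_config etc_sshd_config; do
  if fast_lookup_configured "$SAMPLE_DIR/$f"; then
    echo "$f: AuthorizedKeysCommand for git present (fast lookup)"
  else
    echo "$f: no AuthorizedKeysCommand for git"
  fi
done

comment_out_key "$SAMPLE_DIR/authorized_keys" "AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL/abc+def"
echo "active keys after commenting out: $(active_keys "$SAMPLE_DIR/authorized_keys")"
# At this point, on the real container, run "git pull" over SSH: success means
# gitlab-shell-authorized-keys-check served the key from the database, since
# the file no longer contains it. Restore with: mv FILE.bak FILE
```

On a live container the effective configuration can also be printed with sshd's test mode, for example `docker exec <container> sshd -T -C user=git -f /assets/sshd_config | grep -i authorizedkeyscommand` (this assumes sshd is on PATH inside the container; `-C user=git` is needed so that the Match User git block is evaluated).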