delta/gitlab/gitlab-shell.git/config.yml.example, branch main gitlab.com: gitlab-org/gitlab-shell.git Add support for the gssapi-with-mic auth method 2023-01-23T07:54:09+00:00 Marin Hannache git@mareo.fr 2023-01-23T07:54:09+00:00 51ea0f50f52d5d1dade02aadff3c163a0a792779 






Add configuration example for proxy_allowed
2022-11-23T19:25:30+00:00

James Fargher
jfargher@gitlab.com

2022-11-07T20:28:32+00:00

95e4909e47906f516b5c9ea2b786574fec2a8f65












gitlab-sshd: Add support for configuring host certificates
2022-06-26T07:11:42+00:00

Stan Hu
stanhu@gmail.com

2022-06-11T21:42:25+00:00

4919ec7a1ef3bcf7a8b2da1a5369c9135845f55e

This adds support for specifying host certificates via the
`host_cert_files` option and advertises the signed key to the
client. This acts similarly to OpenSSH's `HostCertificate` parameter:
gitlab-sshd attempts to match a host key to its certificate, and then
substitutes the matching host key with a certificate signed by a
trusted certificate authority's key.

This is the first requirement to supporting SSH certificates. This
will enable the client to trust the server if both trust a common
certificate authority. The `TrustedUserCAKeys` option will need to be
supported later for the server to trust all user keys signed by this
certificate authority.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/495





This adds support for specifying host certificates via the
`host_cert_files` option and advertises the signed key to the
client. This acts similarly to OpenSSH's `HostCertificate` parameter:
gitlab-sshd attempts to match a host key to its certificate, and then
substitutes the matching host key with a certificate signed by a
trusted certificate authority's key.

This is the first requirement to supporting SSH certificates. This
will enable the client to trust the server if both trust a common
certificate authority. The `TrustedUserCAKeys` option will need to be
supported later for the server to trust all user keys signed by this
certificate authority.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/495







Abort long-running unauthenticated SSH connections
2022-05-23T17:07:12+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-23T15:09:54+00:00

0d69e6d744de7368e378f396369e0b9568a76da1

The config option is basically a copy of LoginGraceTime OpenSSH
option.

If an SSH connection is hanging unauthenticated, after some period
of time, the connection gets canceled. The value is configurable,
the server waits for 60 seconds by default.





The config option is basically a copy of LoginGraceTime OpenSSH
option.

If an SSH connection is hanging unauthenticated, after some period
of time, the connection gets canceled. The value is configurable,
the server waits for 60 seconds by default.







Return support for diffie-hellman-group14-sha1
2022-05-23T08:30:34+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-23T08:30:31+00:00

0bef85e70d854465de034866650345dd551f17e8

It seems that a lot of users rely on this, let's return it and
deprecated later to make the migration less disruptive





It seems that a lot of users rely on this, let's return it and
deprecated later to make the migration less disruptive







Narrow supported kex algorithms
2022-05-20T16:51:32+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-20T16:51:19+00:00

6a76b027fd18b218f6c935762e24c8e1c5cd6c0d

We don't support diffie-hellman-group14-sha1 via OpenSSH currently
Let's avoid introducing it in gitlab-sshd because it's using
weak hashing algorithm





We don't support diffie-hellman-group14-sha1 via OpenSSH currently
Let's avoid introducing it in gitlab-sshd because it's using
weak hashing algorithm







Make ProxyHeaderTimeout configurable
2022-05-19T14:53:08+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-19T09:10:14+00:00

5b94726b822b52ffe256820df1a24307b2e2072f

Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576

ProxyHeaderTimeout must be small to avoid DoS risk

Let's make the value configurable and 500ms by default





Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576

ProxyHeaderTimeout must be small to avoid DoS risk

Let's make the value configurable and 500ms by default







Allow configuring SSH server algorithms
2022-05-18T21:54:33+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-18T21:49:36+00:00

76916bfca0815e1150c89f2afec469e2cdd27639

MACs, Ciphers and KEX algorithms now can be configured
If the values are empty, reasonable defaults are used





MACs, Ciphers and KEX algorithms now can be configured
If the values are empty, reasonable defaults are used







Implement ClientKeepAlive option
2022-05-12T05:53:48+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-11T16:25:57+00:00

a16dcb3e6ca3361ba23fabb369dc6566e693ba9d

Git clients sometimes open a connection and leave it idling,
like when compressing objects.
Settings like timeout client in HAProxy might cause these
idle connections to be terminated.

Let's send the keepalive message in order to prevent a client
from closing





Git clients sometimes open a connection and leave it idling,
like when compressing objects.
Settings like timeout client in HAProxy might cause these
idle connections to be terminated.

Let's send the keepalive message in order to prevent a client
from closing







Make PROXY policy configurable
2022-05-10T19:23:53+00:00

Igor Drozdov
idrozdov@gitlab.com

2022-05-10T19:16:22+00:00

709c5dd75a7c1a2a0f3296d76ddc654191841213

It would give us more flexibility when we decide to enable
PROXY protocol





It would give us more flexibility when we decide to enable
PROXY protocol