delta/gitlab/gitlab-shell.git/internal/command/commandargs/shell.go, branch id-accept-single-session gitlab.com: gitlab-org/gitlab-shell.git Relax key and username matching for sshd 2021-11-11T00:48:26+00:00 Stan Hu stanhu@gmail.com 2021-11-10T20:31:58+00:00 672013e702cb44c3bc1b46807703295448dc0afc Due to the way sshd works, gitlab-shell could be called with a single string in the form: ``` /path/to/gitlab-shell -c key-id ``` However, due to the tightening of the regular expressions in fcff692b this string no longer matches, so logins would fail with: ``` Failed to get username: who='' is invalid ``` This can be reproduced by changing the user's shell to point to gitlab-shell. For example: ``` usermod git -s /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell ``` While setting gitlab-shell as the user's shell isn't officially supported, gitlab-shell still should be able to cope with the key being specified as the last argument. We now split the argument list and use the last value. Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/530 
Due to the way sshd works, gitlab-shell could be called with a single
string in the form:

```
/path/to/gitlab-shell -c key-id
```

However, due to the tightening of the regular expressions in fcff692b
this string no longer matches, so logins would fail with:

```
Failed to get username: who='' is invalid
```

This can be reproduced by changing the user's shell to point to
gitlab-shell. For example:

```
usermod git -s /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
```

While setting gitlab-shell as the user's shell isn't officially
supported, gitlab-shell still should be able to cope with the key being
specified as the last argument. We now split the argument list and use
the last value.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/530
Don't swallow an error parsing SSH_ORIGINAL_COMMAND 2021-09-27T19:25:10+00:00 Nick Thomas nick@gitlab.com 2021-09-27T18:28:06+00:00 5564ea9ca23217687a6e6c091f3b4fc11e375a2f 






Modify regex to prevent partial matches
2021-06-29T13:18:11+00:00

Robert May
rmay@gitlab.com

2021-06-28T15:18:00+00:00

fcff692b596270483fba4496d3fb7d971367f9d8












chore: Refactor env introspection to rely on command initialization
2021-03-15T20:47:11+00:00

Lucas Charles
me@lucascharles.me

2021-02-17T21:49:46+00:00

d539068dc372e46d10adee89e9b96b59156a2bb6

Refactors introspection of execution environment to rely on
per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`)

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496





Refactors introspection of execution environment to rely on
per-connection state (`gitlab-shell`) or per request (`gitlab-sshd`)

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/496







RFC: Simple built-in SSH server
2021-01-18T18:36:25+00:00

Lorenz Brun
lorenz@dolansoft.org

2021-01-18T18:36:25+00:00

2a410f31b633ec5a994ecf1ff39dc8ffb9c6f828












Add 2fa_verify command
2020-12-10T14:23:44+00:00

Imre Farkas
ifarkas@gitlab.com

2020-12-01T13:46:27+00:00

1293a33014c9cfc82b0bc1b9525987476b2aa857












Add support obtaining personal access tokens via SSH
2020-08-17T15:16:06+00:00

Taylan Develioglu
taylan.develioglu@booking.com

2020-07-06T12:09:55+00:00

b8d66d7923150402f54f13d793d3051efab3a832

Implements the feature requested in gitlab-org/gitlab#19672

This requires the internal api counterpart in gitlab-org/gitlab!36302 to
be merged first.

It can be used as follows:
```
censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token
remote:
remote: ========================================================================
remote:
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote:
remote: ========================================================================
remote:

censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30
Token:   aAY1G3YPeemECgUvxuXY
Scopes:  read_api,read_repository
Expires: 2020-08-07
```





Implements the feature requested in gitlab-org/gitlab#19672

This requires the internal api counterpart in gitlab-org/gitlab!36302 to
be merged first.

It can be used as follows:
```
censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token
remote:
remote: ========================================================================
remote:
remote: Usage: personal_access_token <name> <scope1[,scope2,...]> [ttl_days]
remote:
remote: ========================================================================
remote:

censored@censored-VirtualBox:~/git/gitlab$ ssh git@gitlab-2004 personal_access_token newtoken read_api,read_repository 30
Token:   aAY1G3YPeemECgUvxuXY
Scopes:  read_api,read_repository
Expires: 2020-08-07
```







commands: pass through GIT_PROTOCOL envvar provided by clients
2020-02-28T08:32:41+00:00

Patrick Steinhardt
psteinhardt@gitlab.com

2020-02-28T07:55:14+00:00

cab69fadc13b530f21f910c1d23d146758c365cb

Both git-upload-pack and git-receive-pack services inspect the
GIT_PROTOCOL environment transferred via SSH in order to decide which
protocols are supported by a given client. Currently, we don't use the
environment variable at all, though, but instead forward the GitProtocol
field of the access verification response.

Improve this by passing on the GIT_PROTOCOL environment variable
provided by the client as-is.





Both git-upload-pack and git-receive-pack services inspect the
GIT_PROTOCOL environment transferred via SSH in order to decide which
protocols are supported by a given client. Currently, we don't use the
environment variable at all, though, but instead forward the GitProtocol
field of the access verification response.

Improve this by passing on the GIT_PROTOCOL environment variable
provided by the client as-is.







Move go code up one level
2019-10-18T10:47:25+00:00

Nick Thomas
nick@gitlab.com

2019-10-17T11:04:52+00:00

83d11f4deeb20b852a0af3433190a0f7250a0027