Improve establish session duration metrics
See merge request gitlab-org/gitlab-shell!651
Before, we took into account the time a user takes to authenticate.
Now it only measures the time between a connection being established and
a command starting to be executed.
It can still be controlled by a user, but it's something we can
measure and restrict if necessary.
Log gitlab-sshd session level indicator errors
See merge request gitlab-org/gitlab-shell!650
In production, we saw gitlab-sshd error metrics rise, but it was not
clear why. We now log a message every time we encounter a session
error that affects the service level indicator counter.
Document gitlab-shell on GitLab SaaS
See merge request gitlab-org/gitlab-shell!625
Release v14.7.0
See merge request gitlab-org/gitlab-shell!648
- Abort long-running unauthenticated SSH connections !647
- Close the connection when context is canceled !646
Abort long-running unauthenticated SSH connections
See merge request gitlab-org/gitlab-shell!647
The config option is basically a copy of the LoginGraceTime OpenSSH
option.
If an SSH connection is hanging unauthenticated, after some period
of time, the connection gets canceled. The value is configurable;
the server waits for 60 seconds by default.
Close the connection when context is canceled
See merge request gitlab-org/gitlab-shell!646
When the graceful shutdown timeout expires, the global context is
canceled. All the operations dependent on it are canceled as well.
Unfortunately, some of the operations don't respect the context.
For example, SSH connection initialization.
In this case, we need to manually close the connection.
One of the options is to wait for ctx.Done() and close the connection
Release v14.6.1
See merge request gitlab-org/gitlab-shell!645
- Return support for diffie-hellman-group14-sha1 !644
Return support for diffie-hellman-group14-sha1
See merge request gitlab-org/gitlab-shell!644
It seems that a lot of users rely on this, so let's return it and
deprecate it later to make the migration less disruptive
Release 14.6.0
See merge request gitlab-org/gitlab-shell!643
- Exclude Gitaly unavailable error from error rate !641
- Downgrade auth EOF messages from warning to debug !641
- Display consistently in gitlab-sshd and gitlab-shell !641
- Downgrade host key mismatch messages from warning to debug !639
- Introduce a GitLab-SSHD server version during handshake !640
- Narrow supported kex algorithms !638
Exclude Gitaly unavailable error from error rate
See merge request gitlab-org/gitlab-shell!641
The errors happen when a client closes a connection on handshake
They can be ignored to avoid noise
When a user hits repository rate limit, Gitaly returns an error
that the request can't be handled (Gitaly unavailable)
We should avoid this error to avoid exceeding the error rate
- Use console package to format the errors in gitlab-sshd
- Suppress internal Gitaly errors in client output
Downgrade host key mismatch messages from warning to debug
See merge request gitlab-org/gitlab-shell!639
This message doesn't provide that much value, so let's just drop it.
In production, we often see SSH key scans requesting host key
algorithms that we don't support, such as `sk-ssh-ed25519@openssh.com`
or `sk-ecdsa-sha2-nistp256@openssh.com`.
These messages might be useful if someone forgets to configure a host
key that should be supported, but most of the time they are noise.
This commit downgrades these messages to DEBUG.
Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/581
Changelog: changed
Introduce a GitLab-SSHD server version during handshake
See merge request gitlab-org/gitlab-shell!640
Narrow supported kex algorithms
See merge request gitlab-org/gitlab-shell!638
We don't support diffie-hellman-group14-sha1 via OpenSSH currently
Let's avoid introducing it in gitlab-sshd because it's using
a weak hashing algorithm
Release 14.5.0
See merge request gitlab-org/gitlab-shell!636
- Make ProxyHeaderTimeout configurable !635
Make ProxyHeaderTimeout configurable
See merge request gitlab-org/gitlab-shell!635
Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576
ProxyHeaderTimeout must be small to avoid DoS risk
Let's make the value configurable and 500ms by default
- If an integer is specified, we assume that these are seconds
- A duration of the format "500ms", "10s", "1m", etc. is accepted
Release 14.4.0
See merge request gitlab-org/gitlab-shell!634
- Allow configuring SSH server algorithms !633
- Update gitlab-org/golang-crypto module version !632
Allow configuring SSH server algorithms
See merge request gitlab-org/gitlab-shell!633
MACs, Ciphers and KEX algorithms now can be configured
If the values are empty, reasonable defaults are used
Update gitlab-org/golang-crypto module version
See merge request gitlab-org/gitlab-shell!632
This update pulls in:
1. https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/3,
which syncs the module with upstream master and supports the new
`curve25519-sha256@libssh.org` kex name.
2. https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/4,
which adds:
* MACs: hmac-sha2-512-etm@openssh.com, hmac-sha2-512
* Cipher: aes256-gcm@openssh.com
Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/575
Release v14.3.1
See merge request gitlab-org/gitlab-shell!631
- Exclude API errors from error rate !630
Exclude API errors from error rate
See merge request gitlab-org/gitlab-shell!630
When API isn't responsible or the resource is not accessible
(returns 404 or 403), then we shouldn't consider it as an error
on gitlab-sshd side
Git ignore .DS_Store
See merge request gitlab-org/gitlab-shell!629
Resolve "Dependency update DOCKER_VERSION: 20.10.15"
Closes #571
See merge request gitlab-org/gitlab-shell!628