From 0bad7a428e8ba0bbde3d9657eb31e6eef1eca9fa Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Sun, 12 Jun 2022 00:30:20 -0700
Subject: gitlab-sshd: Add support for signed user certificates
We add a `trusted_user_ca_keys` config setting that allows gitlab-sshd to trust any SSH certificate signed by the keys listed in this file. This is equivalent to the `TrustedUserCAKeys` OpenSSH setting. We assume the certificate identity is equivalent to the GitLab username.
---
 internal/sshd/session.go | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'internal/sshd/session.go')
diff --git a/internal/sshd/session.go b/internal/sshd/session.go
index 3394b2a..3d5fbad 100644
--- a/internal/sshd/session.go
+++ b/internal/sshd/session.go
@@ -28,6 +28,7 @@ type session struct {
 channel ssh.Channel
 gitlabKeyId string
 gitlabKrb5Principal string
+ gitlabUsername string
 remoteAddr string
 // State managed by the session
@@ -173,6 +174,8 @@ func (s *session) handleShell(ctx context.Context, req *ssh.Request) (uint32, er
 if s.gitlabKrb5Principal != "" {
 cmd, err = shellCmd.NewWithKrb5Principal(s.gitlabKrb5Principal, env, s.cfg, rw)
+ } else if s.gitlabUsername != "" {
+ cmd, err = shellCmd.NewWithUsername(s.gitlabUsername, env, s.cfg, rw)
 } else {
 cmd, err = shellCmd.NewWithKey(s.gitlabKeyId, env, s.cfg, rw)
 }
--
cgit v1.2.1
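Review bot: The new `else if s.gitlabUsername != ""` branch in handleShell runs the session as whatever name is stored in `gitlabUsername`, and neither the struct field in the first hunk nor the branch says where that value comes from or what must have been checked before it is set. Per the commit message it is the certificate identity, so any certificate signed by a key in `trusted_user_ca_keys` can act as the GitLab user it names; the code that populates the field is outside this file's diff, so whether it checks certificate type, validity period and principals before assigning it cannot be confirmed here. I would document the invariant on the field, e.g. `// gitlabUsername is the identity of a user certificate signed by a trusted CA; set only after the certificate has been verified`, and add a line above the chain stating the precedence (Kerberos principal, then certificate username, then key ID). handleShell's body starts and ends outside the hunk.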