Commit 596f2704 authored by Douwe Maan

Merge branch 'improve-ssh-lookup-docs' into 'master'

Improve SSH database key lookup documentation

Closes #41399

See merge request gitlab-org/gitlab-ce!16048
parents 4b87aa68 c73eb55d
...@@ -25,34 +25,12 @@ GitLab Shell provides a way to authorize SSH users via a fast, indexed lookup ...@@ -25,34 +25,12 @@ GitLab Shell provides a way to authorize SSH users via a fast, indexed lookup
to the GitLab database. GitLab Shell uses the fingerprint of the SSH key to to the GitLab database. GitLab Shell uses the fingerprint of the SSH key to
check whether the user is authorized to access GitLab. check whether the user is authorized to access GitLab.
Create the directory `/opt/gitlab-shell` first: Add the following to your `sshd_config` file. This is usuaully located at
`/etc/ssh/sshd_config`, but it will be `/assets/sshd_config` if you're using
```bash Omnibus Docker:
sudo mkdir -p /opt/gitlab-shell
```
Create this file at `/opt/gitlab-shell/authorized_keys`:
```
#!/bin/bash
if [[ "$1" == "git" ]]; then
/opt/gitlab/embedded/service/gitlab-shell/bin/authorized_keys $2
fi
```
Set appropriate ownership and permissions:
```
sudo chown root:git /opt/gitlab-shell/authorized_keys
sudo chmod 0650 /opt/gitlab-shell/authorized_keys
```
Add the following to `/etc/ssh/sshd_config` or to `/assets/sshd_config` if you
are using Omnibus Docker:
``` ```
AuthorizedKeysCommand /opt/gitlab-shell/authorized_keys %u %k AuthorizedKeysCommand /opt/embedded/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
AuthorizedKeysCommandUser git AuthorizedKeysCommandUser git
``` ```
...@@ -70,7 +48,7 @@ Confirm that SSH is working by removing your user's SSH key in the UI, adding a ...@@ -70,7 +48,7 @@ Confirm that SSH is working by removing your user's SSH key in the UI, adding a
new one, and attempting to pull a repo. new one, and attempting to pull a repo.
> **Warning:** Do not disable writes until SSH is confirmed to be working > **Warning:** Do not disable writes until SSH is confirmed to be working
perfectly because the file will quickly become out-of-date. perfectly, because the file will quickly become out-of-date.
In the case of lookup failures (which are not uncommon), the `authorized_keys` In the case of lookup failures (which are not uncommon), the `authorized_keys`
file will still be scanned. So git SSH performance will still be slow for many file will still be scanned. So git SSH performance will still be slow for many
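Review bot: In the warning, "the file will quickly become out-of-date" has no clear antecedent within the warning itself; the `authorized_keys` file is only named in the following paragraph. Since this line is being touched anyway, consider "because the `authorized_keys` file will quickly become out-of-date" so the warning reads correctly on its own. The comma fix itself is fine.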
......