Merge branch 'sh-geo-ssh-support' into 'master'

Add instructions for setting up a custom version of OpenSSH for Geo See merge request !2191

Merge branch 'sh-geo-ssh-support' into 'master'
Add instructions for setting up a custom version of OpenSSH for Geo See merge request !2191
69d3138b · Achilleas Pipinellis · ee4b5fc6 · cea79c88 · 69d3138b · 69d3138b
Commit 69d3138b authored Jun 21, 2017 by Achilleas Pipinellis
Showing with 111 additions and 0 deletions

doc/administration/operations/speed_up_ssh.md doc/administration/operations/speed_up_ssh.md +90 -0

doc/gitlab-geo/README.md doc/gitlab-geo/README.md +1 -0

doc/gitlab-geo/ssh.md doc/gitlab-geo/ssh.md +20 -0

No files found.
--- a/doc/administration/operations/speed_up_ssh.md
+++ b/doc/administration/operations/speed_up_ssh.md
@@ -67,3 +67,93 @@ This is a brief overview. Please refer to the above instructions for more contex
 1. Remove the `AuthorizedKeysCommand` lines from `/etc/ssh/sshd_config`
 1. Reload sshd: `sudo service sshd reload`
 1. Remove the `/opt/gitlab-shell/authorized_keys` file
+
+## Compiling a custom version of OpenSSH for CentOS
+
+Building a custom version of OpenSSH is not necessary for Ubuntu 16.04 users,
+since Ubuntu 16.04 ships with OpenSSH 7.2.
+
+However, CentOS users must build their own OpenSSH package to enable SSH
+lookups via the database. The following instructions can be used to build
+OpenSSH 7.5 for CentOS 6 and 7:
+
+1. First, download the package and install the required packages:
+
+    ```
+    sudo su -
+    cd /tmp
+    curl -O https://mirrors.evowise.com/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
+    tar xzvf openssh-7.5p1.tar.gz
+    yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
+    ```
+
+3. Prepare the build by copying files to the right place:
+
+    ```
+    mkdir -p /root/rpmbuild/{SOURCES,SPECS}
+    cp ./openssh-7.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
+    cp openssh-7.5p1.tar.gz /root/rpmbuild/SOURCES/
+    cd /root/rpmbuild/SPECS
+    ```
+
+3. Next, set the spec settings properly:
+
+    ```
+    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
+    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
+    sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
+    ```
+
+3. Build the RPMs:
+
+    ```
+    rpmbuild -bb openssh.spec
+    ```
+
+4. Ensure the RPMs were built:
+
+    ```
+    ls -al /root/rpmbuild/RPMS/x86_64/
+    ```
+
+    You should see something as the following:
+
+    ```
+    total 1324
+    drwxr-xr-x. 2 root root   4096 Jun 20 19:37 .
+    drwxr-xr-x. 3 root root     19 Jun 20 19:37 ..
+    -rw-r--r--. 1 root root 470828 Jun 20 19:37 openssh-7.5p1-1.x86_64.rpm
+    -rw-r--r--. 1 root root 490716 Jun 20 19:37 openssh-clients-7.5p1-1.x86_64.rpm
+    -rw-r--r--. 1 root root  17020 Jun 20 19:37 openssh-debuginfo-7.5p1-1.x86_64.rpm
+    -rw-r--r--. 1 root root 367516 Jun 20 19:37 openssh-server-7.5p1-1.x86_64.rpm
+    ```
+
+5. Install the packages. OpenSSH packages will replace the `/etc/pamd.sshd`
+   with its own version, which may prevent users from logging in, so be sure
+   that the file is backed up and restored after installation:
+
+    ```
+    timestamp=$(date +%s)
+    cp /etc/pam.d/sshd pam-ssh-conf-$timestamp
+    rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
+    yes | cp pam-ssh-conf-$timestamp /etc/pam.d/sshd
+    ```
+
+6. Verify the installed version. In another window, attempt to login to the server:
+
+    ```
+    ssh -v <your-centos-machine>
+    ```
+
+    You should see a line that reads: "debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5"
+
+    If not, you may need to restart sshd (e.g. `systemctl restart sshd.service`).
+
+7.  *IMPORTANT!* Open a new SSH session to your server before exiting to make
+    sure everything is working! If you need to downgrade, simple install the
+    older package:
+
+    ```
+    # Only run this if you run into a problem logging in
+    yum downgrade openssh-server openssh openssh-clients
+    ```
--- a/doc/gitlab-geo/README.md
+++ b/doc/gitlab-geo/README.md
@@ -79,6 +79,7 @@ If you installed GitLab using the Omnibus packages (highly recommended):
 1. [Upload the GitLab License](../user/admin_area/license.md) to the **primary** Geo Node to unlock GitLab Geo.
 1. [Setup the database replication](database.md)  (`primary (read-write) <-> secondary (read-only)` topology).
 1. [Configure GitLab](configuration.md) to set the primary and secondary nodes.
+1. [Configure SSH authorizations to use the database](ssh.md)
 1. Optional: [Configure a secondary LDAP server](../administration/auth/ldap.md) for the secondary. See [notes on LDAP](#ldap).
 1. [Follow the after setup steps](after_setup.md).


--- a/doc/gitlab-geo/ssh.md
+++ b/doc/gitlab-geo/ssh.md
+# GitLab Geo SSH access
+
+By default, GitLab manages an `authorized_keys` file, which contains all the
+public SSH keys for users allowed to access GitLab. However, to maintain a
+single source of truth, Geo needs to be configured to peform SSH fingerprint
+lookups via database lookup. This approach is also much faster than scanning a
+file.
+
+Note this feature is only available on operating systems that support OpenSSH
+6.9 and above. For CentOS 6 and 7, see the [instructions on building custom
+version of OpenSSH for your server]
+(../administration/operations/speed_up_ssh.html#compiling-a-custom-version-of-openssh-for-centos).
+
+For both primary AND secondary nodes, follow the instructions on [configuring
+SSH authorization via database
+lookups](../administration/operations/speed_up_ssh.html).
+
+Note that the 'Write to "authorized keys" file' checkbox only needs
+to be selected on the primary node since it will be reflected automatically
+in the secondary if database replication is working.