Commits · 0d69e6d744de7368e378f396369e0b9568a76da1 · Igor Drozdov / Gitlab Shell

May 23, 2022

Abort long-running unauthenticated SSH connections · 0d69e6d7

Igor Drozdov authored 2 years ago

The config option is basically a copy of LoginGraceTime OpenSSH
option.

If an SSH connection is hanging unauthenticated, after some period
of time, the connection gets canceled. The value is configurable,
the server waits for 60 seconds by default.

0d69e6d7

Merge branch 'id-login-grace-time' into 'main' · c40ad688

Stan Hu authored 2 years ago

Close the connection when context is canceled

See merge request gitlab-org/gitlab-shell!646

c40ad688

Close the connection when context is canceled · 0110b9ea

Igor Drozdov authored 2 years ago

When graceful shutdown timeout expires, the global context is
canceled. All the operations dependent on it are canceled as well.

Unfortunately, some of the operations doesn't respect the context.
For example, SSH connection initialization.

In this case, we need to manually close the connection.
One of the options is to wait for ctx.Done() and close the connection

0110b9ea

Move connection init into connection.go · 6e74b993
Igor Drozdov authored 2 years ago

6e74b993
Merge branch 'id-release-14-6-1' into 'main' · 4d2459f3
Igor Drozdov authored 2 years ago
```
Release v14.6.1

See merge request gitlab-org/gitlab-shell!645
```
View commits for tag v14.6.1 v14.6.1

4d2459f3
Release v14.6.1 · 5afa7e44
Igor Drozdov authored 2 years ago
```
- Return support for diffie-hellman-group14-sha1 !644
```
5afa7e44
Merge branch 'id-revert-narrowing-kex-algos' into 'main' · 3909c673
Igor Drozdov authored 2 years ago
```
Return support for diffie-hellman-group14-sha1

See merge request gitlab-org/gitlab-shell!644
```
3909c673

Return support for diffie-hellman-group14-sha1 · 0bef85e7

Igor Drozdov authored 2 years ago

It seems that a lot of users rely on this, let's return it and
deprecated later to make the migration less disruptive

0bef85e7

May 21, 2022

Merge branch 'id-release-14-6-0' into 'main' · 1da03256
Igor Drozdov authored 2 years ago
```
Release 14.6.0

See merge request gitlab-org/gitlab-shell!643
```
View commits for tag v14.6.0 v14.6.0

1da03256

Release 14.6.0 · 4b19adff

Igor Drozdov authored 2 years ago

- Exclude Gitaly unavailable error from error rate !641
- Downgrade auth EOF messages from warning to debug !641
- Display constistently in gitlab-sshd and gitlab-shell !641
- Downgrade host key mismatch messages from warning to debug !639
- Introduce a GitLab-SSHD server version during handshake !640
- Narrow supported kex algorithms !638

4b19adff

Merge branch 'id-ignore-gitaly-unavailable-errors' into 'main' · 8dd15baa
Stan Hu authored 2 years ago
```
Exclude Gitaly unavailable error from error rate

See merge request gitlab-org/gitlab-shell!641
```
8dd15baa

Downgrade auth EOF messages from warning to debug · 44b3869e

Igor Drozdov authored 2 years ago

The errors happen when a client closes a connection on handshake
They can be ignored to avoid noise

44b3869e

Exclude Gitaly unavailable error from error rate · accaf432

Igor Drozdov authored 2 years ago

When a user hits repository rate limit, Gitaly returns an error
that the request can't be handled (Gitaly unavailable)

We should avoid this error to avoid exceeding the error rate

accaf432

Display constistently in gitlab-sshd and gitlab-shell · 7c7f110b

Igor Drozdov authored 2 years ago

- Use console package to format the errors in gitlab-sshd
- Suppress internal Gitaly errors in client output

7c7f110b

Merge branch 'sh-downgrade-host-key-errors' into 'main' · 569ae36d

Igor Drozdov authored 2 years ago

Downgrade host key mismatch messages from warning to debug

See merge request gitlab-org/gitlab-shell!639

569ae36d

Merge branch 'T4cC0re-main-patch-11870' into 'main' · 0605bc42

Igor Drozdov authored 2 years ago

Introduce a GitLab-SSHD server version during handshake

See merge request gitlab-org/gitlab-shell!640

0605bc42

Introduce a GitLab-SSHD server version during handshake · 09dd5bcb
Hendrik Meyer authored 2 years ago and Igor Drozdov committed 2 years ago

09dd5bcb

May 20, 2022

Downgrade handleConn start message to debug · 58760393
Stan Hu authored 2 years ago
```
This message doesn't provide that much value, so let's just drop it.
```
Unverified

58760393

Downgrade host key mismatch messages from warning to debug · 6a49468e

Stan Hu authored 2 years ago

In production, we often see SSH key scans requesting host key
algorithms that we don't support, such as `sk-ssh-ed25519@openssh.com`
or `sk-ecdsa-sha2-nistp256@openssh.com`.

These messages might be useful if someone forgets to configure a host
key that should be supported, but most of the time they are noise.

This commit downgrades these messages to DEBUG.

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/581

Changelog: changed

Unverified

6a49468e

Merge branch 'id-set-supported-kex-algos' into 'main' · 1f89ece0
Stan Hu authored 2 years ago
```
Narrow supported kex algorithms

See merge request gitlab-org/gitlab-shell!638
```
1f89ece0

Narrow supported kex algorithms · 6a76b027

Igor Drozdov authored 2 years ago

We don't support diffie-hellman-group14-sha1 via OpenSSH currently
Let's avoid introducing it in gitlab-sshd because it's using
weak hashing algorithm

6a76b027

May 19, 2022

Merge branch 'sh-release-14.5.0' into 'main' · 216446d8
Stan Hu authored 2 years ago
```
Release 14.5.0

See merge request gitlab-org/gitlab-shell!636
```
View commits for tag v14.5.0 v14.5.0

216446d8
Release 14.5.0 · 9c4efdbb
Stan Hu authored 2 years ago
```
- Make ProxyHeaderTimeout configurable !635
```
Unverified

9c4efdbb
Merge branch 'id-fix-proxy-header-timeout' into 'main' · e1822506
Stan Hu authored 2 years ago
```
Make ProxyHeaderTimeout configurable

See merge request gitlab-org/gitlab-shell!635
```
e1822506

Make ProxyHeaderTimeout configurable · 5b94726b

Igor Drozdov authored 2 years ago

Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576

ProxyHeaderTimeout must be small to avoid DoS risk

Let's make the value configurable and 500ms by default

5b94726b

Allow specifying formatted durations in config · cbce19da

Igor Drozdov authored 2 years ago

- If an integer is specified, we assume that these are seconds
- A duration of format "500ms", "10s", "1m", etc... accepted

cbce19da

May 18, 2022

Merge branch 'id-release-14-4-0' into 'main' · bfa6fe4d
Igor Drozdov authored 2 years ago
```
Release 14.4.0

See merge request gitlab-org/gitlab-shell!634
```
View commits for tag v14.4.0 v14.4.0

bfa6fe4d

Release 14.4.0 · f09d67ed

Igor Drozdov authored 2 years ago

- Allow configuring SSH server algorithms !633
- Update gitlab-org/golang-crypto module version !632

f09d67ed

Merge branch 'id-configure-algorithms' into 'main' · 643f0ab4
Stan Hu authored 2 years ago
```
Allow configuring SSH server algorithms

See merge request gitlab-org/gitlab-shell!633
```
643f0ab4

Allow configuring SSH server algorithms · 76916bfc

Igor Drozdov authored 2 years ago

MACs, Ciphers and KEX algorithms now can be configured
If the values are empty, reasonable defaults are used

76916bfc

Merge branch 'sh-update-crypto-ver' into 'main' · 483ff50f
Igor Drozdov authored 2 years ago
```
Update gitlab-org/golang-crypto module version

See merge request gitlab-org/gitlab-shell!632
```
483ff50f

Update gitlab-org/golang-crypto module version · 5761224d

Stan Hu authored 2 years ago

This update pulls in:

1. https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/3,
   which syncs the module with upstream master and supports the new
   `curve25519-sha256@libssh.org` kex name.

2. https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/4,
   which adds:

   * MACs: hmac-sha2-512-etm@openssh.com, hmac-sha2-512
   * Cipher: aes256-gcm@openssh.com

Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/575

Unverified

5761224d

Merge branch 'id-release-14-3-1' into 'main' · f8c0303a
Igor Drozdov authored 2 years ago
```
Release v14.3.1

See merge request gitlab-org/gitlab-shell!631
```
View commits for tag v14.3.1 v14.3.1

f8c0303a
Release v14.3.1 · 753f850f
Igor Drozdov authored 2 years ago
```
- Exclude API errors from error rate !630
```
753f850f
Merge branch 'id-ignore-api-errors' into 'main' · 1dd65e8c
Stan Hu authored 2 years ago
```
Exclude API errors from error rate

See merge request gitlab-org/gitlab-shell!630
```
1dd65e8c

Exclude API errors from error rate · c232dc9a

Igor Drozdov authored 2 years ago

When API isn't responsible or the resource is not accessible
(returns 404 or 403), then we shouldn't consider it as an error
on gitlab-sshd side

c232dc9a

Merge branch 'ds-store' into 'main' · 41942bbb
Igor Drozdov authored 2 years ago
```
Git ignore .DS_Store

See merge request gitlab-org/gitlab-shell!629
```
41942bbb
Git ignore .DS_Store · f24584f8
Sean Carroll authored 2 years ago

f24584f8

May 17, 2022
- Merge branch '571-dependency-update-docker_version-20-10-15' into 'main' · b2b17381
  Igor Drozdov authored 2 years ago
  
  Resolve "Dependency update DOCKER_VERSION: 20.10.15" Closes #571 See merge request gitlab-org/gitlab-shell!628
  b2b17381
- Resolve "Dependency update DOCKER_VERSION: 20.10.15" · 73142c48
  Costel Maxim authored 2 years ago and Igor Drozdov committed 2 years ago
  
  73142c48