WIP

go.mod

 module gitlab.com/gitlab-org/gitlab-shell/v14
 
-go 1.20
+go 1.21.3
+
+toolchain go1.21.6
 
 require (
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/hashicorp/go-retryablehttp v0.7.5
@@ -40,7 +43,6 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/client9/reopen v1.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -99,3 +101,5 @@ require (
 )
 
 exclude github.com/prometheus/client_golang v1.12.1
+
+replace github.com/openshift/gssapi => /Users/ash/src/gitlab/go-gssapi

internal/sshd/connection.go

@@ -132,7 +132,7 @@ func (c *connection) handleRequests(ctx context.Context, sconn *ssh.ServerConn,
 			// Prevent a panic in a single session from taking out the whole server
 			defer func() {
 				if err := recover(); err != nil {
-					ctxlog.WithField("recovered_error", err).Error("panic handling session")
+					ctxlog.WithField("recovered_error2", err).Error("panic handling session")
 				}
 			}()
 

internal/sshd/gssapi.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"sync"
 
+	"github.com/davecgh/go-spew/spew"
 	"github.com/openshift/gssapi"
 
 	"gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
@@ -49,35 +50,29 @@ type OSGSSAPIServer struct {
 func (_ *OSGSSAPIServer) str2name(str string) (*gssapi.Name, error) {
 	strBuffer, err := lib.MakeBufferString(str)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("3: %v", err)
 	}
 	defer strBuffer.Release()
 
 	return strBuffer.Name(lib.GSS_C_NO_OID)
 }
 
-func (server *OSGSSAPIServer) AcceptSecContext(
-	token []byte,
-) (
-	outputToken []byte,
-	srcName string,
-	needContinue bool,
-	err error,
-) {
-	server.mutex.Lock()
-	defer server.mutex.Unlock()
-
+func (server *OSGSSAPIServer) AcceptSecContext(token []byte) (outputToken []byte, srcName string, needContinue bool, err error) {
 	tokenBuffer, err := lib.MakeBufferBytes(token)
 	if err != nil {
+		spew.Dump("3")
 		return
 	}
 	defer tokenBuffer.Release()
 
 	var spn *gssapi.CredId = lib.GSS_C_NO_CREDENTIAL
+
 	if server.ServicePrincipalName != "" {
 		var name *gssapi.Name
+
 		name, err = server.str2name(server.ServicePrincipalName)
 		if err != nil {
+			spew.Dump("4")
 			return
 		}
 		defer name.Release()
@@ -85,8 +80,10 @@ func (server *OSGSSAPIServer) AcceptSecContext(
 		var actualMech *gssapi.OIDSet
 		spn, actualMech, _, err = lib.AcquireCred(name, 0, lib.GSS_C_NO_OID_SET, gssapi.GSS_C_ACCEPT)
 		if err != nil {
+			spew.Dump("5")
 			return
 		}
+
 		defer spn.Release()
 		defer actualMech.Release()
 	}
@@ -97,12 +94,16 @@ func (server *OSGSSAPIServer) AcceptSecContext(
 		tokenBuffer,
 		nil,
 	)
+
 	if err == gssapi.ErrContinueNeeded {
 		needContinue = true
 		err = nil
 	} else if err != nil {
+		spew.Dump("6")
+		spew.Dump(err)
 		return
 	}
+
 	defer outputTokenBuffer.Release()
 	defer srcNameName.Release()
 
@@ -112,44 +113,37 @@ func (server *OSGSSAPIServer) AcceptSecContext(
 	return outputToken, srcNameName.String(), needContinue, err
 }
 
-func (server *OSGSSAPIServer) VerifyMIC(
-	micField []byte,
-	micToken []byte,
-) error {
-	server.mutex.Lock()
-	defer server.mutex.Unlock()
-
+func (server *OSGSSAPIServer) VerifyMIC(micField []byte, micToken []byte) error {
 	if server.contextId == nil {
 		return fmt.Errorf("gssapi: uninitialized contextId")
 	}
 
 	micFieldBuffer, err := lib.MakeBufferBytes(micField)
 	if err != nil {
-		return err
+		return fmt.Errorf("2: %v", err)
 	}
 	defer micFieldBuffer.Release()
+
 	micTokenBuffer, err := lib.MakeBufferBytes(micToken)
 	if err != nil {
-		return err
+		return fmt.Errorf("1: %v", err)
 	}
 	defer micTokenBuffer.Release()
 
 	_, err = server.contextId.VerifyMIC(micFieldBuffer, micTokenBuffer)
-	return err
 
+	return err
 }
 
 func (server *OSGSSAPIServer) DeleteSecContext() error {
-	server.mutex.Lock()
-	defer server.mutex.Unlock()
-
 	if server.contextId == nil {
-		return nil
+		return fmt.Errorf("gssapi: uninitialized contextId")
 	}
 
 	err := server.contextId.DeleteSecContext()
 	if err == nil {
 		server.contextId = nil
 	}
+
 	return err
 }

internal/sshd/server_config.go

@@ -210,6 +210,7 @@ func (s *serverConfig) handleUserCertificate(ctx context.Context, user string, c
 
 func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 	var gssapiWithMICConfig *ssh.GSSAPIWithMICConfig
+
 	if s.cfg.Server.GSSAPI.Enabled {
 		gssapiWithMICConfig = &ssh.GSSAPIWithMICConfig{
 			AllowLogin: func(conn ssh.ConnMetadata, srcName string) (*ssh.Permissions, error) {
@@ -244,6 +245,7 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 
 			return s.handleUserKey(ctx, conn.User(), key)
 		},
+
 		GSSAPIWithMICConfig: gssapiWithMICConfig,
 		ServerVersion:       "SSH-2.0-GitLab-SSHD",
 	}

internal/sshd/sshd.go

@@ -183,13 +183,13 @@ func (s *Server) handleConn(ctx context.Context, nconn net.Conn) {
 	ctxlog := log.WithContextFields(ctx, log.Fields{"remote_addr": remoteAddr})
 
 	// Prevent a panic in a single connection from taking out the whole server
-	defer func() {
-		if err := recover(); err != nil {
-			ctxlog.WithField("recovered_error", err).Error("panic handling session")
+	// defer func() {
+	// 	if err := recover(); err != nil {
+	// 		ctxlog.WithField("recovered_error1", err).Error("panic handling session")
 
-			metrics.SliSshdSessionsErrorsTotal.Inc()
-		}
-	}()
+	// 		metrics.SliSshdSessionsErrorsTotal.Inc()
+	// 	}
+	// }()
 
 	started := time.Now()
 	conn := newConnection(s.Config, nconn)