gitlab-sshd: Add support for signed user certificatessh-ssh-certificates

We add a `trusted_user_ca_keys` config setting that allows gitlab-sshd to trust any SSH certificate signed by the keys listed in this file. This is equivalent to the `TrustedUserCAKeys` OpenSSH setting. We assume the certificate identity is equivalent to the GitLab username.
author: Stan Hu <stanhu@gmail.com> 2022-06-12 00:30:20 -0700
committer: Stan Hu <stanhu@gmail.com> 2023-03-08 10:19:38 -0800
commit: 0bad7a428e8ba0bbde3d9657eb31e6eef1eca9fa (patch)
tree: 0b0bc29324f382ce540ae9c0a2e3522e0ef665af /cmd/gitlab-shell/command
parent: 1461d9ed1283f6dda015e3c26189b70c95d022c2 (diff)
download: gitlab-shell-sh-ssh-certificates.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/cmd/gitlab-shell/command/command.go b/cmd/gitlab-shell/command/command.go
index b2a0266..260e517 100644
--- a/cmd/gitlab-shell/command/command.go
+++ b/cmd/gitlab-shell/command/command.go
@@ -58,6 +58,20 @@ func NewWithKrb5Principal(gitlabKrb5Principal string, env sshenv.Env, config *co
 	return nil, disallowedcommand.Error
 }
 
+func NewWithUsername(gitlabUsername string, env sshenv.Env, config *config.Config, readWriter *readwriter.ReadWriter) (command.Command, error) {
+	args, err := Parse(nil, env)
+	if err != nil {
+		return nil, err
+	}
+
+	args.GitlabUsername = gitlabUsername
+	if cmd := Build(args, config, readWriter); cmd != nil {
+		return cmd, nil
+	}
+
+	return nil, disallowedcommand.Error
+}
+
 func Parse(arguments []string, env sshenv.Env) (*commandargs.Shell, error) {
 	args := &commandargs.Shell{Arguments: arguments, Env: env}
author	Stan Hu <stanhu@gmail.com>	2022-06-12 00:30:20 -0700
committer	Stan Hu <stanhu@gmail.com>	2023-03-08 10:19:38 -0800
commit	0bad7a428e8ba0bbde3d9657eb31e6eef1eca9fa (patch)
tree	0b0bc29324f382ce540ae9c0a2e3522e0ef665af /cmd/gitlab-shell/command
parent	1461d9ed1283f6dda015e3c26189b70c95d022c2 (diff)
download	gitlab-shell-sh-ssh-certificates.tar.gz