gitlab user SSH password instead of deny message
Created by: samrocketman
When a user SSHs to GitLab and hasn't set up a shared key, they get a password prompt. They should instead be given a deny error message. I have created a gist which effectively resolves this issue. I think it would be useful to include this in the setup instructions, as optional at least.
Encountered in IRC conversation with @spuder...
15:39 < spuder> Can anyone tell me what they see when a user without a ssh key attempts to push to a project? I'm seeing that the user is prompted to enter [email protected]'s password. I would expect them to see an error, not a prompt.
15:41 < sag47> spuder: If the user is trying to use SSH that makes sense.
15:41 < sag47> spuder: They wouldn't see an error because that's not the default behavior of SSH
15:42 < sag47> spuder: If you look in /var/log/auth (ubuntu) or /var/log/secure (RHEL) then you'll see they *might* have attempted public key auth and since there was no key found it fell back to password auth.
15:42 < sag47> spuder: That behavior is not going to change because it's out of GitLab's control.
15:42 < sag47> spuder: Or are you referring to pushing over SSH?
15:42 < sag47> spuder: I mean HTTP haha.
15:43 < spuder> in my test, I push to a repo over ssh.
15:43 < sag47> spuder: Then you'll get that behavior as intended by SSH.
15:44 < sag47> spuder: If you ssh -v you'll see SSH provides multiple forms of auth (pkauth, password, etc). And if one fails it falls back to another. In your case it will fall back to password auth.
15:44 < spuder> Ok thanks. Sounds like I'll have to train the users that they will need to add an ssh key from every machine they want to push from.
15:44 < sag47> spuder: If you don't want to see that then disable password auth over SSH and only allow keys.
15:44 < sag47> spuder: That will give you the error you desire.
15:45 < sag47> spuder: They can also use the same key from multiple systems.
15:45 < spuder> won't I have to disable password auth from the users workstation?
15:45 < sag47> spuder: It's a server side configuration. /etc/ssh/sshd_config.
15:45 < sag47> spuder: See man sshd_config
15:45 < spuder> excellent, thanks!
15:46 < sag47> spuder: PasswordAuthentication is what you want to look up in the man page.
15:46 < sag47> spuder: But be sure you have keys set up.
15:46 < spuder> ha, yes, that could be bad.
15:47 < sag47> spuder: Depending on the version of SSH you have you can use groups to specify which networks are allowed to use a password.
15:48 < sag47> spuder: What's your host OS?
15:49 < sag47> spuder: See Match in sshd_config man page.
15:50 < sag47> spuder: You can match users, user groups, hosts, networks, and define different SSHD configuration settings for each of them.
15:50 < sag47> spuder: e.g. you can disable password auth for just the git user.
15:51 < sag47> spuder: e.g. https://gist.github.com/sag47/7255904
15:54 < spuder> Using Ubuntu 12.04
15:54 < spuder> Thanks sag47
15:55 < sag47> spuder: Okay then you can use what I pasted in that gist. append it to the bottom of your sshd_config.
15:55 < sag47> spuder: I just read the man page on my workstation (Ubu 12) and it's supported by sshd.
15:59 < spuder> worked great, I added the output to the gist https://gist.github.com/sag47/7255904
16:00 < sag47> spuder: Looks right.
16:01 < sag47> spuder: You can add a message using the Banner option. Though I think that adds a message even for successful auth.
16:02 < spuder> Good idea. Since I'm the only person who should ever ssh into the server, I think a motd would be a good idea. Will save me from having to train the users.
16:02 < sag47> spuder: You can still use the Banner message in the Match directive I believe.
16:03 < sag47> spuder: Yeah after reading the man page it does...
16:09 < sag47> spuder: https://gist.github.com/sag47/7255904 commented back on your gist
16:09 < spuder> sag47, works great, thanks
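The approach worked out in the conversation above (a `Match` block that turns off password authentication for just the git account and attaches a `Banner`), written out here as an added example. This is not the content of the linked gist and not GitLab's own documentation; the account name `git` and the banner file path are assumptions for the example.

```sshd_config
# Added example (not the linked gist): append at the END of /etc/ssh/sshd_config.
# A Match block stays in effect until the next Match or end of file, so any
# directive placed after it would also be scoped to the matched user.
#
# Global defaults are untouched: admin accounts keep whatever password policy
# they have today, so locking yourself out is not a risk here. Only the
# account GitLab serves repositories through is restricted (name assumed: git).

Match User git
    # No password logins for the git account. A client with no accepted key
    # now gets "Permission denied (publickey)" instead of a password prompt.
    PasswordAuthentication no
    # Keyboard-interactive (PAM) auth would still produce a password prompt on
    # many distributions, so refuse it for this account as well.
    KbdInteractiveAuthentication no
    # Keys stay allowed; this is the only method left for git.
    PubkeyAuthentication yes
    # Text sent to the client before authentication (it is shown on successful
    # logins too, as noted above). Path assumed for the example.
    Banner /etc/ssh/banner-git.txt
```

Before reloading, check the file parses (`sudo sshd -t`, which prints nothing on success) and confirm the effective settings for the matched account with `sudo sshd -T -C user=git,host=CLIENT_HOSTNAME,addr=CLIENT_IP | grep -i -e passwordauthentication -e banner` (the host and address are placeholders; `-C` evaluates the Match block as if that client were connecting). Keep an existing admin session open while the daemon is reloaded, and only then test from a workstation without a registered key to see the banner followed by the denial.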