Skip to content

No longer accept fingerprints for /internal/authorized_keys

What does this MR do?

gitlab-shell-authorized-keys does a GET request against the internal API to learn whether a given SSH key is known to GitLab and, if so, what user it is attached to. This is used to validating SSH sessions.

For a very long time, gitlab-shell has sent only the full base64 encoded public key, from which we derive a fingerprint for looking up the key on the GitLab side. However, the API does have legacy support for gitlab-shell sending just the key fingerprint. It is not used in gitlab-shell.

We want to update GitLab so it derives the SHA256 fingerprint for the search, rather than the MD5 fingerpring. Doing this is made easier if we remove the fingerprint parameter and only accept key in the API endpoint.

This is safe to do, because fingerprint is unused, and does not break any compatibility guarantees since the internal API is not bound by the v4 REST API compatibility promise.

The documentation does not refer to the fingerprint parameter at all, and doing this in %14.0 should means that we don't have to think about zero-downtime compatibility either, although that should also be fine.

Here's the current docs: https://docs.gitlab.com/ee/development/internal_api.html#authorized-keys-check

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Related to #195668 (closed)

Edited by Nick Thomas

Merge request reports

Loading