Fix SSH mirrors not working in FIPS mode

Stan Hu requested to merge sh-sha256-mirror-ssh-key into master

What does this MR do and why?

Previously on a FIPS system, adding a project mirror via SSH would fail because the ssh_data gem attempted to generate the MD5 hash (https://github.com/github/ssh_data/blob/1c4cacb58fe1cadef31639f5f892c5738cc51be6/lib/ssh_data/public_key/base.rb#L19) of the server's public keys. To fix this, we return the SHA256 hash in the controller and make the frontend prefer this when it is available.

Relates to #364562 (closed)

Screenshots or screen recordings

Before (FIPS system)

image

Before (non-FIPS system)

image

After

image

How to set up and validate locally

  1. Go to a project -> Settings -> Repository.
  2. Under Mirroring Repositories, enter ssh://git@gitlab.com/gitlab-org/gitlab-test.git or any SSH URL.
  3. Click on Detect host keys.

On a FIPS system, this fails with the screenshot above.

On a standard or a FIPS system, we see the SHA256 hashes.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
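
The fingerprint behaviour this MR describes, as an added example that is not code from the MR or from the ssh_data gem: it computes both fingerprint forms from an OpenSSH public key line and prefers SHA256, treating MD5 as optional because it is refused under FIPS. The method names, hash keys and sample key are hypothetical and constructed for illustration.

```ruby
require "openssl"

# Constructed sample: a syntactically valid ssh-ed25519 key line built from
# fixed bytes (not a real server's host key).
SAMPLE_BLOB = [11].pack("N") + "ssh-ed25519" + [32].pack("N") + ("\x2a".b * 32)
SAMPLE_LINE = "ssh-ed25519 #{[SAMPLE_BLOB].pack('m0')} constructed@example"

# Decode the base64 wire blob and check that the algorithm name embedded in
# the blob matches the text prefix, so a mislabelled key is rejected.
def decode_key_blob(line)
  type, b64, = line.split(" ", 3)
  raise ArgumentError, "malformed key line" if type.nil? || b64.nil?
  blob = b64.unpack1("m0") # strict base64; raises ArgumentError on bad input
  len = blob.unpack1("N")
  raise ArgumentError, "truncated key blob" if len.nil? || blob.bytesize < 4 + len
  raise ArgumentError, "key type mismatch" unless blob.byteslice(4, len) == type
  blob
end

# OpenSSH-style SHA256 fingerprint: unpadded base64 of the digest of the blob.
def sha256_fingerprint(line)
  digest = OpenSSL::Digest.new("SHA256").digest(decode_key_blob(line))
  "SHA256:" + [digest].pack("m0").delete("=")
end

# Legacy colon-separated MD5 fingerprint. Returns nil when OpenSSL refuses
# MD5, as it does in FIPS mode (assumption: the exception class raised
# depends on the OpenSSL build, so both are rescued).
def md5_fingerprint(line)
  blob = decode_key_blob(line)
  OpenSSL::Digest.new("MD5").hexdigest(blob).scan(/../).join(":")
rescue OpenSSL::OpenSSLError, RuntimeError
  nil
end

# Hypothetical response shape: always include SHA256, MD5 only if available.
def host_key_fingerprints(line)
  { fingerprint: md5_fingerprint(line), fingerprint_sha256: sha256_fingerprint(line) }
end

# Display rule from the MR description: prefer SHA256 when it is available.
def display_fingerprint(fingerprints)
  fingerprints[:fingerprint_sha256] || fingerprints[:fingerprint]
end

puts display_fingerprint(host_key_fingerprints(SAMPLE_LINE))
```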
