Enable Git protocol v2 for SSH by default for Omnibus Docker images
Support for Git protocol v2 was added by https://gitlab.com/gitlab-org/gitlab-ce/issues/46555 and will work for Git HTTP clients that request v2 by default, but not for Git over SSH.
Since this is controlled in sshd_config, we cannot set this safely on Omnibus installations but we can for our Docker images. We should enable this by default for our Omnibus-based GitLab images.
Further details
In order to enable v2 for SSH in production, we need to set the following in sshd_config:
AcceptEnv GIT_PROTOCOL
This could have security considerations, such as https://serverfault.com/questions/427522/why-is-acceptenv-considered-insecure. And from the sshd_config man page:
Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables.
A few facts about the Git protocol v2:
- It's opt-in only, so clients (GitLab users) that support it (using Git v2.18.0 onwards) need to explicitly pass a configuration to enable it (e.g. git config --global protocol.version=2)
- Not all Git commands are on v2, some will still execute v1
- GIT_PROTOCOL is only evaluated for us if the string contains version=2, everything else is ignored and won't be passed to git, defaulting to v1.
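As an added example (not code from this issue or from GitLab itself), a POSIX sh filter that mirrors the evaluation rule above: assuming sshd forwards the client's variable via AcceptEnv GIT_PROTOCOL, the value is reduced to the single token version=2 or discarded entirely, so nothing else a client puts into that variable reaches git. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not GitLab code. Mirrors the rule "only evaluated if the
# string contains version=2, everything else is ignored".
#
# sshd_config: forward only this one variable, never a wildcard.
#   AcceptEnv GIT_PROTOCOL        <- narrow, what the issue proposes
#   AcceptEnv *                   <- avoid: forwards arbitrary client env

# git_protocol_filter RAW
# RAW is the colon-separated key=value list git sends in GIT_PROTOCOL.
# Prints "version=2" when that exact token is present, otherwise nothing
# (git then falls back to protocol v1).
git_protocol_filter() {
    raw=$1
    result=""
    rest="$raw:"                       # trailing ':' so the last token is seen
    while [ -n "$rest" ]; do
        token=${rest%%:*}              # text before the first ':'
        rest=${rest#*:}                # drop it and the ':'
        case "$token" in
            version=2) result="version=2" ;;
            *) ;;                      # version=20, foo=bar, etc. are ignored
        esac
    done
    printf '%s' "$result"
}

# Example wrapper a git-shell style command could use: the sanitised value
# is the only thing exported to the git subprocess.
run_git_with_filtered_protocol() {
    filtered=$(git_protocol_filter "${GIT_PROTOCOL:-}")
    if [ -n "$filtered" ]; then
        GIT_PROTOCOL=$filtered exec git "$@"
    else
        unset GIT_PROTOCOL
        exec git "$@"
    fi
}
```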
Proposal
Since this is controlled in sshd_config, we cannot set this safely on Omnibus installations but we can for our Docker images. We should enable this by default for our Omnibus-based GitLab images.
Links / references
- Git Protocol v2: https://github.com/git/git/blob/master/Documentation/technical/protocol-v2.txt
- Man page for SSHD: https://linux.die.net/man/5/sshd_config