Aard

Reputation: 49

How is GitLab/GitHub authentication separated from an ordinary SSH-session?

I read the question How does the GitHub authentication work? and https://unix.stackexchange.com/questions/315615/is-ssh-public-key-associated-with-a-user, which is exactly what I am wondering. I am still missing a better answer.

When I test my SSH key pair I connect to user [email protected]. My stored public key has a fingerprint in base64. When the SSH client (me) wants to connect to the server (my GitLab/GitHub account server) it sends its ID (fingerprint), the server checks its .ssh/authorized_keys and loops through the fingerprints for the correct public key to encrypt the challenge.

On GitHub/GitLab there are several thousand users; they all use the same username ("git") to initiate a web (SaaS) session. So how is this separated on the server? I don't get root access on GitLab/GitHub, of course. I only get access to my account through the generic user session [email protected]. But how is this implemented?

When I use SSH in other situations I have a specific username which I use: [my-username]@router.com

E.g., if I were to set up my own GitLab on a local NAS/server, how can I create an account ([email protected]) whose access rights are limited to the fingerprints of the different users' SSH key pairs?

User: ID:001
User: ID:002
User: ID:003

Somehow I need to limit the access for ID:001 when he/she initiates an SSH session with my server on the account "User".

Upvotes: 1

Views: 109

Answers (2)

bk2204

Reputation: 76509

I can't speak for GitLab, but for GitHub, there is a dedicated service that terminates these connections, contacts the authentication service with the key in question, and then receives the response about whether the user is allowed to access that repo, and if so, contacts the servers storing the data.

GitHub has more than 65 million users, many users have multiple SSH keys, and there are also deploy keys for servers, so using the command directive with an OpenSSH authorized_keys file would be extremely slow, since it would involve parsing and reading probably gigabytes of data each time a connection was made.

If you need this yourself for a small set of users, the command directive in authorized_keys is a viable approach. If you need something more scalable, you can create a custom server with something like libssh and perform authentication yourself, either in that process, or in a separate process.

Upvotes: 1

Aard

Reputation: 49

I found this question+answer: https://security.stackexchange.com/questions/34216/how-to-secure-ssh-such-that-multiple-users-can-log-in-to-one-account, which highlights that you can put restrictions in authorized_keys. I don't know if that provides a precise answer to my question, but it looks like it.

command="/usr/local/bin/restricted-app",from="192.0.2.0/24",no-agent-forwarding,no-port-forwarding,no-x11-forwarding ssh-rsa AAAA… [email protected]

I guess there are several thousand of those lines in .ssh/authorized_keys on GitLab's/GitHub's servers, where every single line points to access for only that GitLab/GitHub account.

Please comment if you don't agree.

Upvotes: 0
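As an added example (not code from either answer, nor from GitLab or GitHub), here is the small-scale "one OS account, many keys" pattern that bk2204's answer recommends and that the authorized_keys line above illustrates, carried through to a working access decision. The user identity is carried by the forced command, not by the login name, so sshd ignores whatever command the client asked for and hands it to the wrapper in SSH_ORIGINAL_COMMAND; the client therefore cannot pick another user's ID. The key table, the ACL, the wrapper name /usr/local/bin/git-gate and the repository root /srv/git are all constructed or hypothetical.

```shell
#!/bin/sh
# Added example: per-key identity and authorisation for a single shared "git"
# account. Nothing here is GitLab's or GitHub's code; keys and ACL are fake.

# Constructed key table: "<user-id> <key-type> <base64-key>" (fake keys)
KEY_TABLE='001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForUser001xxxxxxxxxxxxxxxxxxxxxxx
002 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForUser002xxxxxxxxxxxxxxxxxxxxxxx
003 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForUser003xxxxxxxxxxxxxxxxxxxxxxx'

# Constructed ACL: "<user-id> <repo> <mode>", mode r (clone/fetch) or rw (push)
ACL='001 alice/project rw
002 alice/project r
003 bob/tools rw'

# Emit one authorized_keys line per key. The forced command pins the user id;
# the remaining options disable everything that is not the git transport.
build_authorized_keys() {
    printf '%s\n' "$KEY_TABLE" | while read -r uid ktype kblob; do
        printf 'command="/usr/local/bin/git-gate %s",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding %s %s user-%s\n' \
            "$uid" "$ktype" "$kblob" "$uid"
    done
}

# Decision the wrapper makes. $1 = user id from the forced command,
# $2 = what the client actually requested (SSH_ORIGINAL_COMMAND).
# Prints "<verb> <repo>" and returns 0 when allowed, returns 1 otherwise.
authorize() {
    uid=$1
    orig=$2
    case "$orig" in
        git-upload-pack\ *)  verb=git-upload-pack;  need=r  ;;
        git-receive-pack\ *) verb=git-receive-pack; need=rw ;;
        *) return 1 ;;   # anything but the two git transport verbs is refused
    esac
    # Strip the verb, the quotes git adds, a leading slash and the .git suffix.
    repo=${orig#* }
    repo=${repo#\'}; repo=${repo%\'}
    repo=${repo#/};  repo=${repo%.git}
    # Refuse path traversal and empty names before touching the ACL.
    case "$repo" in
        *..*|*/|/*|"") return 1 ;;
    esac
    mode=$(printf '%s\n' "$ACL" | awk -v u="$uid" -v r="$repo" '$1==u && $2==r {print $3}')
    case "$need:$mode" in
        r:r|r:rw|rw:rw) printf '%s %s\n' "$verb" "$repo"; return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point the forced command would run on the server (not invoked here):
# decide, then hand the sanitised request to git-shell, which only executes
# the git transport verbs. /srv/git is a hypothetical repository root.
gate_main() {
    decision=$(authorize "$1" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "access denied" >&2
        exit 1
    }
    set -- $decision
    exec git-shell -c "$1 '/srv/git/$2.git'"
}

# Demo: the generated authorized_keys content and two decisions.
build_authorized_keys
if authorize 001 "git-receive-pack 'alice/project.git'"; then echo "001 push: allowed"; else echo "001 push: denied"; fi
if authorize 002 "git-receive-pack 'alice/project.git'"; then echo "002 push: allowed"; else echo "002 push: denied"; fi
```

The from= option in the line quoted above can be added to each generated line to additionally pin a key to a source network; newer OpenSSH also offers the single option restrict, which turns off all forwarding, pty and rc execution at once and is a safer default than listing the no-* options by hand.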
