Configure the container SSH algorithms for GitLab: /etc/ssh/sshd_config configuration not effective

Hi,

can you add more details about your question, and environment? Not sure I understand the output of the screenshot correctly, which command was used to create it?

Cheers,
Michael


Hi, I use the following command to run it:

sudo docker run --detach --cap-add SYS_TIME \
    --publish 443:443 --publish 80:80 --publish 2222:22 \
    --name gitlab1410_1 \
    --volume /home/z003w08h/gitlab231023_1/config:/etc/gitlab \
    --volume /home/z003w08h/gitlab231023_1/logs:/var/log/gitlab \
    --volume /home/z003w08h/gitlab231023_1/data:/var/opt/gitlab \
        gitlab/gitlab-ce:14.10.5-ce.0

Then I use nmap -sV -p 2222 --script ssh2-enum-algos (gitlab_host_ip). The following algorithms, found by our IT department's scan, need to be removed and cannot be used:

server_host_key_algorithms  : ssh-rsa
mac_algorithms: (10)  :  hmac-sha1-etm@openssh.com  hmac-sha1

I attempted various methods, but failed.

I modified /etc/ssh/sshd_config in the GitLab container, added the following content, and then restarted the SSH service, but the configuration did not take effect.

KexAlgorithms  diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers  chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs  hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms  -ssh-rsa

The configuration above takes effect on the server, but it does not take effect in the GitLab container.
I am looking forward to your answer very much.

Thanks. FYI, I took the liberty to edit your response to use code block formatting for better readability, following Community, first steps: Code, config, log block formatting in topics and replies (linked from the FAQ).

The SSH layer is provided by the container image operating system, not the GitLab application itself. You would need to inject a custom ssh_config for the server, like your topic title suggests. This needs to be done at build time, meaning to create your own custom image, with an override for /assets/sshd_config in the Dockerfile.

I found this feature proposal to make it configurable at runtime: Allow inclusion of user sshd configuration files in docker (#8124) · Issues · GitLab.org / omnibus-gitlab · GitLab Suggest commenting there, and upvoting.

An alternative option is to not expose SSH, and only use HTTPS for all Git operations. That eliminates the SSH TLS algorithm risk.
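One way to do the build-time override described above, plus a check over the nmap ssh2-enum-algos listing for the two algorithms the IT scan flagged, as an added example that is not code from this thread or from GitLab. The build directory, the image tag name and the sample scan lines are assumptions/constructed; the image version and the hardening lines are the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from GitLab): prepend hardened algorithm
# lines to /assets/sshd_config, the file the container's sshd reads, and check an
# nmap ssh2-enum-algos listing. Directory and tag names below are assumptions.
set -eu

# Algorithms the scan rejected; whole-token match so rsa-sha2-512 is not hit.
FORBIDDEN="ssh-rsa hmac-sha1 hmac-sha1-etm@openssh.com"

# Write a Docker build context into $1: the hardening fragment and a Dockerfile
# that PREPENDS it to the stock /assets/sshd_config. Prepending matters: sshd
# keeps the first value it sees for a keyword, and appending could land the
# lines inside a trailing Match block where these keywords are not allowed.
write_build_context() {
    mkdir -p "$1"
    cat > "$1/sshd_hardening.conf" <<'EOF'
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms -ssh-rsa
EOF
    cat > "$1/Dockerfile" <<'EOF'
FROM gitlab/gitlab-ce:16.1.0-ce.0
COPY sshd_hardening.conf /tmp/sshd_hardening.conf
RUN cat /tmp/sshd_hardening.conf /assets/sshd_config > /tmp/sshd_config.new \
 && mv /tmp/sshd_config.new /assets/sshd_config && rm /tmp/sshd_hardening.conf
EOF
}

# Print every forbidden algorithm found in ssh2-enum-algos output on stdin
# (nmap frames lines with "|", "|_" and spaces, which are stripped first);
# exit 1 if any was found, 0 if the scan is clean.
forbidden_algos() {
    awk -v list="$FORBIDDEN" '
        BEGIN { n = split(list, f, " "); for (i = 1; i <= n; i++) bad[f[i]] = 1 }
        { sub(/\r$/, ""); sub(/^[|_ ]+/, ""); sub(/ +$/, "") }
        ($0 in bad) { print; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Usage (run by hand, not when the script is sourced):
#   ./harden.sh build       # writes ./gitlab-sshd-hardened and builds the image
#   nmap -sV -p 2222 --script ssh2-enum-algos HOST | forbidden_algos
#   docker exec CONTAINER /usr/sbin/sshd -T -f /assets/sshd_config | grep -iE '^(ciphers|macs|kexalgorithms|hostkeyalgorithms)'
if [ "${1:-}" = "build" ]; then
    write_build_context ./gitlab-sshd-hardened
    docker build -t gitlab-ce-hardened ./gitlab-sshd-hardened
fi
```

Because the change lives in the image rather than in a file edited inside a running container, it survives container recreation; rebuild the image against each new GitLab tag you upgrade to.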

Hi, thanks for your reply. I am currently updating to the GitLab 16 version:

sudo docker run --detach --cap-add SYS_TIME \
    --publish 443:443 --publish 80:80 --publish 2222:2222 \
    --name gitlab1610_1 \
    --volume /home/z003w08h/gitlab1610/config:/etc/gitlab \
    --volume /home/z003w08h/gitlab1610/logs:/var/log/gitlab \
    --volume /home/z003w08h/gitlab1610/data:/var/opt/gitlab \
        gitlab/gitlab-ce:16.1.0-ce.0

I run the SSH service on port 2222 in the GitLab container: in the container I added the following content and changed port 22 to 2222 in /etc/ssh/sshd_config, then restarted the SSH service (service ssh restart). Using `nmap -sV -p 2222 --script ssh2-enum-algos (gitlab_host_ip)`, the configuration can take effect.

KexAlgorithms  diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers  chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs  hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms  -ssh-rsa

May I ask if there are any risks in changing the SSH port 22 to 2222 mapped in the container? Looking forward to your reply.

It seems gitlab_sshd runs on port 22 in the container.

No risk, but every time you upgrade your container you are going to have to edit under /etc/ssh/sshd_config and change the port. Docker redirects port 2222 to 22 anyway, so it really doesn’t offer you any benefits of doing that. I would do it if there would be port conflicts, but the only port conflicts are going to be on the VM where the container is running if for example, you wanted to use -p 22:22 for the Gitlab docker container since the VM will already be using port 22 for SSH. You can of course change the port on the VM so that it doesn’t collide with docker.

I would just leave it as -p 2222:22 or at least change 2222 to another port to use when connecting to docker container externally via SSH for git purposes.

I also don’t want to change 2222:22 to 2222:2222, but there is a security issue now; you can refer to my description above. The SSH configuration modification in the GitLab container does not take effect.

I don’t know if there is any other way to do it if you don’t modify the port.

Hello, have you seen my reply? Looking forward to your reply.

Solved! The problem was that sshd in the GitLab Docker instance uses /assets/sshd_config instead of /etc/ssh/sshd_config.