►
From YouTube: gitlab-sshd Deep Dive
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
Yeah
hello,
my
name
is
currently
this
will
be
a
walk
through
a
walk
through
video
about
GitHub
sshd
and
like
a
documentation
that
we
have
for
all
the
information
that
we
have
and
all
the
all
the
comedy,
not
all
the
code
base,
but
some
of
the
code
base
that
we
have
in
gitlab
Shell
project
yeah.
So
we
have
a
gitlop
shell
project
that
is
written
in
in
go
language
here.
B
So
yeah,
let
me
show
here
so
gitlab.
Shell
is
a
product
and
we
also
have
a
package
which
is
called
shd
that
contains
all
the
code
and
this
package
actually
responsible
for
handling
the
SSH
connections.
The
reason
why
we
implemented
our
own
SSH
solution
stage,
this
solution
can
be
found
in
a
blog
post
yeah
that
we've
released
quite
recently.
B
Let
me
maybe
show
you
that
before
we
had
something
like
this,
like
opensh
server,
that
was
calling
the
gitlab
shell
as
a
binary,
and
currently
we
have
like
simplified,
simplified
architecture
that
we
will
return
to
it
a
bit
later
and
yeah.
Also,
this
article
contains
risks
and
challenges,
problems
and
lessons
that
we
that
we've
learned
yeah.
So
let's
have
a
look,
how
it
works,
how
it
actually
works.
Now
we
have,
we
have
gitlab
SSH
the
server
that
handles
all
the
SSH
connections,
that
user
performs.
B
B
We
have
a
an
entry
point,
which
is
a
mind
function.
This
is
actually
an
yeah,
an
entry
point
for
for
binary
this
main
function
here.
The
most
important
part
here
is
that
it's
creates
a
new
server.
That
is,
that
is
ready
to
listen,
listen
for
new
connections
and
process
them.
This
new
server
and
listening
serve
functions.
They
are
implemented
in
the
SSH
the
package
actually
in
this
SSH
the
go
file
and
let's
have
a
look
at
those
comments.
B
Just
a
second,
so
it
just
creates
a
instance
of
a
struct
and
then
just
listens
and
surf.
The
connection.
Listen
and
serve
works
like
this.
It
just
calls
like
private
functions,
listen
and
serve
and
listens.
Listen
looks
like
this.
It's
just
yeah
create
a
TCP
listener
and
listen
for
all
the
requests,
but
yeah
just
a
quick
note.
If,
if
something
is
not
very
clear
but
I
I'm
sure
we're
pretty
sure
that
maybe
it's
not
very
clear,
maybe
yeah,
you
can
either
ask
questions
now.
A
I
just
say
something:
Eagle
and
sorry.
I
probably
should
have
mentioned
this
earlier.
Yeah
I,
don't
know
how
everyone,
whatever
everyone
else,
has
after
this
meeting,
but
if
we
need
to
go
over,
maybe
we
can
go
over
so
that
you
don't
have
to
rush
so
I,
don't
know
if
other
people
have
allowed
meetings,
but
I
feel
what
I'm
saying
is
feel
free
to
take
your
time
and
the
same
with
questions.
I
guess.
B
B
B
Goes
like
calls
the
perform
the
handshake
between
the
server
and
an
SSH
client
or
a
user
SSH
should
perform
handshake
in
order
to
negotiate
the
algorithm.
The
the
algorithms
and
crypto
cryptographic
models
that
they
are
going
to
use
in
order
to
provide
like
a
secure,
secure
connection
between
a
user
and
the
client.
During
this.
B
A
Yeah
just
a
quick
question,
so
at
the
client
end
we
just
have
hit
right.
We
just
have
the
normal
gear
binary
that
we
haven't
touched
of
course,
in
any
way,
but
gear
labus
is
HD,
is
consuming
all
the
good
protocols
and
then
providing
encryption
or
whatever
that
in
a
way
that
git
can
understand.
Would
that
be
correct?.
B
Github
is
HD,
it's
just
performs
a
handshake
to
establish
a
connection,
an
SSH
connection,
yeah,
and
so
it's
just
a
stage
connection
and
then
git
starts
pushing
or
receiving
the
data,
and
it's
actually
I
would
say
it's
actually
Italy
that
that
deals
with
like
with
Git
protocol
and
all
the
data
that
is
related
to
git
gitlab
is
HD.
It's
actually
responsible,
oddly
for
handling
the
SSH
connection
and
establish
a
connection
with
SSH
protocol.
So.
B
B
B
No,
so
when
the
handshake
SSH
handshake
is
performed,
this
request
for
authorized
Keys
is
performed
to
to
rails
in
order
to
authenticate
the
user
because
the
user
it
sends
like
it's
a
public
public
key
or
maybe
I'm
sorry,
I'm,
Health,
prepared
I,
wonder
I,
won't
try
to
show
my
own
public
keys
or
maybe
I
can
I
forgot.
Yeah
like
this.
B
So
when,
when
a
user
is
authenticated,
we
are
ready
to
process
the
proceed,
the
sessions,
what
does
it
mean
or
when
the
connection
is
established?
A
user
can
have
multiple
sessions.
That's
something
it's
something
that
I
learned
I
would
say
quite
recently
that
an
SSH
connection-
it's
actually
can
be
persisted
and
by
specifying
this
this
commands.
B
So
this
connection
is
reused,
and
so
maybe
it's
now
we're
not
fully
approving
we're
not
fully
approving
this
stuff,
because
we
have
a
long
run
in
SSH
connections
that
are
established
to
github.com.
So
potentially
it
can
be
like
a
lot,
but
we
had
this
behavior
before
with
with
opensh,
and
currently
we
don't
see
like
performance
issues
caused
by
exactly
this
functionality,
so
we
first
yeah.
We
introduced
it
in
order
to
be
Backward
Compatible.
B
Now
we
don't
have.
We
see
a
lot
of
like
performance
issues
related
to
that,
so
we
left
it
here,
but
maybe
in
the
future
we
can
like
remove
this
functionality
because
it
doesn't
doesn't
seem
very
you
know
useful
because,
like
git
because
of
the
specifics
of
the
git
yeah,
we
just
perform
a
git
clone
or
git
push.
Maybe
it's
not
worth
it
to
keep
the
sh
Connection
open.
B
So
we're
ready
to
handle
the
sessions
and
ready
to
ready
to
yeah
actually
process
them.
This
part
is
tricky
because
we
we
forgot
to
refactor
it,
but
this
function
is
actually
past
the
parameter
and,
let
me
see
yeah
handle
like
a
parameter
and
the
actual
implementation
persists
exists
in
in
other
another
file,
which
is
called
like
SSH
stage.
D
go
yeah,
but
we
forgot
to
refactor
this
part
so
apologize.
B
A
A
B
B
B
This
code
after
after
the
function
is
completed
yeah
when,
for
example,
here
we
want
to
return.
We
want
to
execute
this
function
at
the
end
at
the
end
of
this
block,
so
we
actually
will
receive
like
hello
and
then
world
yeah.
Why?
Why
don't
we
want
to
do
it
like
this
yeah?
We
could
we
could,
but
actually
it's
possible
that
we
have
something
like
like
this.
B
No
yeah
the
fair,
like
here
yeah,
so
if,
for
example,
we
want
to
execute
F
every
time
they
function
is
completed,
yeah
after
return
a
and
after
return
B,
the
defer
will
actually
do
it.
It
will
execute
this
function
after
this
return
or
after
this
return,
because
if
we
didn't
have
this
like
syntaxi
sugar,
we
had
to
do
something
like
I.
Don't
know
like
I
mean
something
like
this
yeah,
but
it's
actually
doesn't
work,
but
yeah
with
some
with
some
duplication.
B
It
would
work
so
this
what
it
actually
means
in
our
code
that
we
want
to
execute,
for
example,
this
lens.
What
does
it
do?
It's
actually
collects
some
metrics
for
Prometheus
in
order
to
show
them
on
this
charts,
yeah
and
actually
this
function.
It's
it
increments,
some
Metric!
It's!
It's
actually
shows
how
many
connections
we
have
in
Flight.
How
many
ongoing
connections
do
we
have?
B
A
B
B
B
B
So
yeah
we've
as
far
as
I
remember,
we
were
talking
about
the
the
sessions
yeah
and
yeah.
So
when
this
session
is
handled,
a
session
is
yeah,
we
actually
can
process
this
type
types
of
comment,
either
the
ones
types
of
requests,
the
ones
that
describe
us.
So
that
gives
us
that
give
us
some
information
about
the
environment
and
the
one
that
contains
actual
comment.
So
yeah.
Let's
talk
about
this
block,
this
one
is
actually
the
block
that
handles
handle
this
this
request.
B
B
So
depends
on
which
comment
we
have
received:
we
create
a
structure,
a
structure
which
is
defined
here,
structure
of
a
particular
type.
It
processes
every
every
type
of
a
feature
of
a
comment
of
operation
described
described
here.
For
example,
if
we
perform
some
Alphas
authentication,
we
wire
SSH
command,
then
lfs
authenticate
object
structure
will
be
created
when
we
perform
like
Gita
plot
pack
or
git
clone.
This
comment
is
created.
B
Yeah,
for
example,
for
for
Gita
plot
Park,
execute
method,
looks
like
this.
It's
it
just
verifies
access
actually
performs
this
HTTP
request
to
rails
and
verifies
that
the
user
is
allowed
to
perform
a
particular
operation
and
then
just
yeah.
Let's
skip
this
block
and
then
just
performs
Italy
call,
which
is
a
grpc
code,
but
maybe
let's
not
elaborate.
What
jab
c
is
in
this
session?
B
Let's
just
assume
that
yeah
a
request
is
performed
digitally
the
data
is
the
response
is
received
from
gitly
and
the
respond
is
actually
sent
to
a
user
yeah.
That's
probably
it
just.
Some
honorable
mentions
that
our
gitlop
shd
server,
it's
it
supports
proxy
protocol.
Proxy
protocol
is
necessary
for
us
to
implement
Implement
feature,
which
is
called
group
IP
restrictions
restriction
proxy
protocol
allows
to
gain
a
user
real
IP,
for
example,
when
gitlab
for
com
is
behind,
I
mean
gitlopcom
is
behind
the
load
balancer
without
proxy
protocol.
B
We
receive
for
an
IP
of
a
load
balancer
on
gitlab
shd
with
proxy
protocol.
The
real
IP
over
user
is
propagated.
That's
why
we
have.
We
are
able
to
implement
this
feature,
so
proxy
protocol
is
just
implemented
using
this
open,
open
source
package,
and
it's
it's
really
implemented.
It's
really
simply
implemented.
It's
just
wrapping
the
our
basic
listener
into
proxy
protocol
listener.
B
Yeah.
Some
other
things
that
we've
also
have
implemented
is
a
some
Open,
Stage
Alternatives
or,
for
example,
an
option
that
allows
us
to
to
reduce
the
time
allowed
time
allowed
for
user
to
authenticate,
for
example,
if
a
connection,
if
a
user
takes
like
more
than
60
second
60
seconds
to
authenticate,
then
we
just
close
close
the
connection.
B
It's
like
security
feature
just
to
avoid
having
a
lot
of
idle
unauthenticated
SSH
connections
on
gitlab
call
like
this
feature,
there's
also
a
client
a
live
interval
that
actually,
when
the
server
just
sends
people
live
messages
to
a
client
in
order
to
keep
them
alive
or
in
Open
Stage.
It's
called
client,
Library
interval
and
interval
and
yeah
we've
implemented
an
alternative,
and
one
important
thing
to
mention
is
a
is
a
state
machine
that
we
have
on
the
server
server,
actually
implements
a
state
machine
and
can
be
in
this
in
this
state?
B
B
B
B
Like
these
are
just
endpoints
that
just
they
just
tell
kubernetes
whether
our
about
the
state
of
our
server,
so
when
the
when
kubernetes
asks
whether
our
server
is
alive
in
life,
we
return
start
like
200
if
the
server
is
actually
running.
If
when
a
kubernetes
asks
whether
the
server
is
ready
to
accept
any
new
connections,
if
it's
not
being
shut
down,
we
send
200
if
it's
unavailable
at
the
moment
we
answer
with
502.
B
B
B
Because
what
happened
like
during
the
first
authentication
step
so
I
would
say
that
it
happens.
On
the
second
authentication
step,
I
mean
here,
a
handshake
is
performed
yeah.
When
we
perform
the
handshake.
Our
SSH
connection
is
established.
We
can
just
send
wherever
data
we
or
whatever
we
want
yeah
and
then,
when
actually
a
comment
is
executed.
We
we
verify
their
access
Yeah.
We
actually
perform
this
additional
additional
request
and
I
better
find
that
a
user
is
able
to
perform
a
particular
action.
So
let
me
see
where
it's
implemented.
B
So
like
so,
it's
implemented
in
Access
verify
model,
and
so
it's
implemented
in
a
different
in
a
different
package
like
this
one
and
allowed
a
loud
request
is
performed.
Yeah
after
connection
is
established.
Yeah
we
and
we
are
ready
to
execute
a
particular
function.
Then
we
verify
that
a
particular
user
is
able
to
perform.
This
information
is
allowed
to
perform
this
operation.
Yeah.
B
A
There
you
go,
I've
got
a
follow-up
question
to
Joe's
question.
If
you
could
just
go
back
to
the
architectural
diagram,
sure
So
when
you
say
a
handshake,
so
what
we
mean
is
the
first
call
when
we're
looking
at
authorized.
Keys
is
we're
just
checking
whether
the
sshk
is
valid
right
and
then
yeah,
and
then,
if
that's
okay,
then
the
second
call
is
then
we
check.
Are
they
authorized
for
this?
This
for
this
repo
or
whatever
yeah.
B
That's
actually
that
actually
makes
me
think
that
in
this
diagram
it
would
be
cool
to
have
like
a
quick
note
where
handshake
is
completed
yeah.
So
it's
it's
somewhere
here,
I
would
say
like
it
would
be
cool
to
have
this
line
to
separate
the
separate
that
handshake
is
completed.
Ssh
connection
is
established
and
then
some
bitlock
specific
part
is
started
to
be
started
being
performed.
Yeah.
B
A
B
Into
debugger,
so
I
think
I
think
CI
like
boxes
instances,
they
have
like,
let's
say
different
architecture,
I
think
a
simple
open
SSH
is
just
there,
but
I
can
be
sure
yeah,
but
exactly
this
gitlab
is
safety
is
just
like
SSH
server
restricted
to
our
to
our
particular
use.
It
just
supports
our
features
that
are
listed.
B
Yeah
I
already
showed
them
so
that
I
mean
like,
like
git
clone
git
push.
So
when
we,
when
we
deploy
gitlop,
then
we
have
this
sshd
server,
that
that
is
only
used
for
our
GitHub
specific
commands,
but
for
SSH
for
SSH
into
the
box
to
the
instance
I
think
it's
not
allowed
in
gitlop
shd,
also
due
to
security
reasons
and
yeah
I
think
on
on
instances
it's
implemented,
but
with
opensh,
but
I
can
be
sure.
Yeah.
A
So
Eagle
I
think
this
is
also.
This
is
clear
on
the
diagram.
I
just
want
to
kind
of
call
it
out.
So
so
all
the
activities
that
gitlab
sshg
are
performing
are
basically
around
authentication
and
then
once
once
the
once,
the
the
user
is
fully
authenticated,
both
fire
keys
and
then
via
their
you
know
their
actions.
Then
then
we
actually
see
this
unload
pack
request.
That's
going
directly
to
Italy
and
at
this
point
there's
no
more
traffic
through
gitlab
sshd.
It's
giddly
replying
directly
to
the
good
client.
Is
that
correct.
B
Maybe
it
won't
won't,
explain
it
a
lot,
but
we
actually
providing
a
channel
to
gitly
we're
actually
providing
like
an
abstraction
to
get
lit,
something
that
gitly
can
write
into
before.
Gitlap
is
HD,
it
was.
It
was
just
STD
out
because
open
a
safety,
open
SSH
was
written
from
STD
art,
but
now
with
GitHub
is
HD.
We
provide
our
channels,
we
provide
channels.
These
are
digital
opacity,
abstractions,
it's
something
a
gitly
can
write
into.
A
B
B
B
Example,
yeah
if
we
have
a
problem
with
an
issue
with
Italy
this,
this
comment
actually
returns
an
error
yeah
and
in
this
case
this
error
is
propagated
like
higher
higher.
So
let
me
just
show
the
the
actual
the
final
code
and
then
we
just
yeah
capture
this
error
and
we
we
track
it
and
currently
I'm,
showing
the
place
where
we
check
this
error
in
order
to
in
order
to
show
them
in
order
to
take
them
into
account
on
this
chart.
Yeah
yeah
yeah.
But
your
question
was
different
and.
B
A
I
just
want
to
also
point
out
to
everyone
that
we
still
do
have
open,
SSH
and
quickly
run
wrong
here,
legal
in
the
same
code
base
and
we're
keeping
it
because
we
originally
did
not
intend
to
keep
it,
but
for
Phipps
support.
We
need
to
keep
it,
so
we
actually
have
both
sets
of
code
in
the
same
binary.
Is
that
correct,
eagle.
B
It's
a
multiple,
multiple,
like
binaries
that
we
we
have
for
this
is
a
current,
so
we
have
multiple
ones
here.
Gitlab
is
HD
is
responsible
for
the
server.
This
binary
is
responsible
for
processing
all
the
connections
provided
by
openness,
safety
and
that's
true.
We
we
still,
we
still
have
like
two
options:
either
either
our
previous
approach
or
this
one
and
the
previous
approach
actually
by
default
on
a
self-hosted
applications
and
yeah
due
to
the
hip's
concerns.
B
We,
we
also
decided
to
leave
open
as
Sage,
because
it's
like
battle
tested
and
keeps
approved
and
keeps
it's
actually
just
a
standard
cryptographic
standard
yeah.
For
that
we
try
that
we
are
trying
to
pass
yes,
so
we
have
this
architecture
available
as
well,
and
some
users
actually
not
yet
sure
whether
they
want
GitHub
a
CD
on
their
self-hosted
applications,
because
we
have
like
this,
this
com
comments
here,
hi,
what's
wrong,
it
was
fixed
yeah.
A
In
that
case,
I'll
ask
the
last
question
which
is,
for
example,
if
any
of
the
other
team
members
were
interested
in
in
contributing
to
this
project.
Do
we
have
do
we
have
any
low
hanging
issues
that
you
know
would
be?
You
know
a
low
low
entry
issues
that
someone
might
be
able
to
look
at
in
our
backlog.
B
No
I
think
we
don't
have
a
label
yet
yeah,
but
it's
something
here
to
have
a
look
at
the
issues
list
and
maybe
I
would
even
mention
that
don't
be
afraid
to
take
something
more
complex.
That
just
simple,
because
quite
recently,
I've
noted
that
we
have
and
open
open
source
contribution
to
support
like
Care,
Bears,
kerbers
or
GitHub
s
HD.
So
some
complex
stuff
can
be
done
as
well.
So
yeah
we
have
issues
list,
but
yeah
also
complex
stuff
can
be
done.