The way GitLab sets up Git access is to create a local git user and either add a line to the authorized_keys file or use the AuthorizedKeysCommand to look up a key in the local GitLab database.
GitLab does allow SSH to run on a non-standard port by setting gitlab_rails['gitlab_shell_ssh_port'] = [alt-port-number] in /etc/gitlab/gitlab.rb.
This becomes complicated on our production machines due to (at least):
- Puppet manages SSH which would probably not appreciate this system interfering
- There are bastions involved (which wouldn't necessarily have the keys of folks who registered for developer accounts, even though those keys are in LDAP).
This ticket is to discuss proposed solutions.
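
For reference, the sshd side of the two key-lookup mechanisms and the alternate port described above, as an added example that is not part of the original ticket or of any configuration deployed here. Assumptions: port 2222 stands in for [alt-port-number], the gitlab-shell paths follow the Omnibus package layout, and the key id and key material in the authorized_keys line are constructed.

```conf
# /etc/ssh/sshd_config (constructed fragment, the file Puppet would have to own)

# gitlab_shell_ssh_port in /etc/gitlab/gitlab.rb sets the port GitLab puts in
# its SSH clone URLs; sshd itself must also listen on that port.
Port 22
Port 2222        # placeholder for [alt-port-number]

# Mechanism 2: look the offered key up in the GitLab database.
# Scoped with Match so that only the local git user is affected and
# every other account keeps its normal authorized_keys handling.
Match User git
    AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
    AuthorizedKeysCommandUser git
Match all

# Mechanism 1, for comparison: the kind of line GitLab writes to the git
# user's ~/.ssh/authorized_keys. The forced command and the no-* options mean
# the key can only reach gitlab-shell, never an interactive shell.
#
# command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...constructed... user@example
```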