allow pubkey filename as extra argument to command in authkeys

sitaramc · May 30, 2012 · 7170ad9 · 7170ad9
1 parent a64401b
commit 7170ad9
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 4 deletions.
diff --git a/doc/extras/sts.mkd b/doc/extras/sts.mkd
@@ -176,6 +176,34 @@ To do this:
 Then run `gitolite compile; gitolite trigger POST_COMPILE` or push a dummy
 change to the admin repo.
 
+### distinguishing one key from another
+
+Since a user can have [more than one key][multi-key], it is sometimes useful
+to distinguish one key from another.  Sshd does not tell you even the
+fingerprint of the key that finally matched, so normally all you have is the
+`GL_USER` env var.
+
+However, if you replace
+
+    'post-compile/ssh-authkeys',
+
+in the `POST_COMPILE` trigger list in the rc file with
+
+    'post-compile/ssh-authkeys --key-file-name',
+
+then an extra argument is added after the username in the "command" variable
+of the authkeys file.  That is, instead of this:
+
+    command="/home/g3/gitolite/src/gitolite-shell u3",no-port-forwarding,...
+
+you get this:
+
+    command="/home/g3/gitolite/src/gitolite-shell u3 keydir/u3.pub",no-port-forwarding,...
+
+You can then write an INPUT trigger to do whatever you need with the file
+name, which is in `$ARGV[1]` (the second argument).  The actual file is
+available at `$ENV{GL_ADMIN_BASE}/$ARGV[1]` if you need its contents.
+
 ### simulating ssh-copy-id
 
 don't have `ssh-copy-id`?  This is broadly what that command does, if you want

diff --git a/src/triggers/post-compile/ssh-authkeys b/src/triggers/post-compile/ssh-authkeys
@@ -3,15 +3,26 @@ use strict;
 use warnings;
 
 use File::Temp qw(tempfile);
+use Getopt::Long;
 
 use lib $ENV{GL_LIBDIR};
 use Gitolite::Rc;
 use Gitolite::Common;
 
 $|++;
 
-# can be called directly, or as a post-update hook.  Since it ignores
+# best called via 'gitolite trigger POST_COMPILE'; other modes at your own
-# arguments anyway, it hardly matters.
+# risk, especially if the rc file specifies arguments for it.  (That is also
+# why it doesn't respond to "-h" like most gitolite commands do).
+
+# option procesing
+# ----------------------------------------------------------------------
+
+# currently has one option:
+#   -kfn, --key-file-name        adds the keyfilename as a second argument
+
+my $kfn = '';
+GetOptions( 'key-file-name|kfn' => \$kfn, );
 
 tsh_try("sestatus");
 my $selinux = ( tsh_text() =~ /enabled/ );
@@ -130,6 +141,6 @@ sub optionise {
         return '';
     }
     chomp(@line);
-    return "command=\"$glshell $user\",$auth_options $line[0]";
+    return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
 }
 
diff --git a/src/triggers/post-compile/ssh-authkeys-shell-users b/src/triggers/post-compile/ssh-authkeys-shell-users
@@ -19,7 +19,7 @@ my $sufile = $rc{SHELL_USERS_LIST} or exit 0;
 my $aktext = slurp($akfile);
 
 for my $su ( shell_users() ) {
-    $aktext =~ s(/gitolite-shell $su",(.*?),no-pty )(/gitolite-shell -s $su",$1 );
+    $aktext =~ s(/gitolite-shell $su([" ].*?),no-pty )(/gitolite-shell -s $su$1 );
 }
 
 _print( $akfile, $aktext );