(password access) backward compat breakage for gl-shell-setup; read below

gl-shell-setup has a "run as hosting user" piece that basically
automates the adding of the user's (new) key to the admin repo.

This is now gone.  (It's not that hard to automate yourself if you want
to do it anyway, using gl-admin-push).

I did this because I needed to allow someone in through a gateway, and
realised that that has the exact same needs.  So the whole scheme has
been changed to treat the proxy and the gitolite host as being two
different servers.

At that point it became cumbersome to do the second bit, and I left it
out.

Other changes:
  - you can define exceptions for the default shell in gl-shell
  - the doc has been simplified.
1 parent 97bd5c5 commit a103417da299e82b2f5073580e2763b73c1659c1 @sitaramc committed Nov 15, 2011
Showing with 147 additions and 166 deletions.
  1. +50 −25 contrib/real-users/gl-shell
  2. +26 −54 contrib/real-users/gl-shell-setup
  3. +71 −87 contrib/real-users/password-access.mkd
@@ -5,44 +5,66 @@ use warnings;
# ------------------------------------------------------------------------------
-# site-local changes
-
-# the original login shell your users had (or) the shell to forward
-# non-gitolite commands to
-my $shell = "/bin/bash";
-# suggested values if you really don't want them actually logging in:
-# /sbin/nologin - obvious
-# /usr/bin/passwd - same, but allows them to change their passwords
-
-# the gitolite hosting user you want to forward git commands to. Typically
-# this will be 'git' or perhaps 'gitolite', but actually could be anything
-my $hosting_user = "gitolite-test";
-
-# ADCs...
-# either list all the ADCs you wish to allow forwarding to (SPACE-separated):
-my $ADC_list = "";
-# -- OR --
-# if you upgraded to the new 'help' adc with the '-list' option, set this to 1:
-my $detect_ADCs = 0;
-# if you do neither, ADCs are not forwarded
+# BEGIN site-local changes
+
+ # the original login shell your users had (or) the shell to forward
+ # non-gitolite commands to
+ my $shell = "/usr/bin/passwd";
+
+ # exceptions...
+ my %shells = (
+ 'some.one' => '/bin/bash',
+ );
+
+ # the gitolite host you want to forward git commands to. Typically this will
+ # be 'git' or perhaps 'gitolite', but actually could be anything. Don't
+ # forget to change the host part if needed and mind the quotes!
+ my $gl_host = 'git@server2';
+
+ # ADCs...
+ # either list all the ADCs you wish to allow forwarding to (SPACE-separated):
+ my $ADC_list = "";
+ # -- OR --
+ # if you upgraded to the new 'help' adc with the '-list' option, set this to 1:
+ my $detect_ADCs = 0;
+ # if you do neither, ADCs are not forwarded
+
+# END site-local changes
# ------------------------------------------------------------------------------
+# change the user's default shell if he is an 'exception'
+$shell= $shells{$ENV{USER}} if $shells{$ENV{USER}};
+
# no arguments? nothing to forward
-exec($shell) unless @ARGV;
+exec($shell) if (not @ARGV and not $ENV{SSH_ORIGINAL_COMMAND});
+
+# note: we attempt to work the same whether invoked via 'command=' of authkeys
+# (in which case SSH_ORIGINAL_COMMAND is set) or via us being the login shell
+# (chsh). Only the latter has been *tested* though.
+
+# massage SSHOC into @ARGV shape for ease of parsing
+@ARGV = ("-c", $ENV{SSH_ORIGINAL_COMMAND}) if $ENV{SSH_ORIGINAL_COMMAND};
+# we ignore SSHOC from now on...
+
+# ------------------------------------------------------------------------------
# forward normal git ops
forward(@ARGV) if
$ARGV[0] eq '-c' and
$ARGV[1] =~ /^(git-receive-pack|git-upload-pack|git-upload-archive) '(\S+)'$/ and
( not -d "$2" );
+# ------------------------------------------------------------------------------
+
# forward gitolite special commands
forward(@ARGV) if $ARGV[0] eq '-c' and $ARGV[1] =~ /^(info|expand|((set|get)(perms|desc)))( |$)/;
+# ------------------------------------------------------------------------------
+
# forward ADCs
if ($ADC_list or $detect_ADCs) {
- $ADC_list ||= `ssh $hosting_user\@localhost help -list`;
+ $ADC_list ||= `ssh $gl_host help -list`;
$ADC_list =~ s/\s+/ /g;
# find the command he's running
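Review bot: the new exception lookup `$shell= $shells{$ENV{USER}} if $shells{$ENV{USER}};` keys on the USER environment variable, which is not an authoritative source of identity for a login shell; prefer the real uid, e.g. `my $me = (getpwuid($<))[0]; $shell = $shells{$me} if $shells{$me};`, so a missing or mismatched USER cannot select a different shell (and add the space before `=`). The new comment that the `command=` / SSH_ORIGINAL_COMMAND path is untested should also appear in password-access.mkd rather than only in the source, since admins who pick that deployment mode will not otherwise see it.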
@@ -51,20 +73,23 @@ if ($ADC_list or $detect_ADCs) {
forward(@ARGV) if $ARGV[0] eq '-c' and $cmd and $ADC_list =~ /(^| )$cmd( |$)/;
}
+# ------------------------------------------------------------------------------
+
# at this point it's back to local processing
exec($shell, @ARGV);
# ------------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
-# forward to the hosting user
+# forward to the gitolite host
sub forward {
# this message is important in debugging and trouble shooting; see
# documentation
- print STDERR "[forwarding to $hosting_user\@localhost]\n";
+ print STDERR "[forwarding to $gl_host]\n";
# but first we check for rsa key
-f ".ssh/id_rsa" or die "ask your admin to add you to gitolite";
shift if $_[0] eq '-c';
- exec("ssh", "$hosting_user\@localhost", @_);
+ exec("ssh", "$gl_host", @_);
}
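Review bot: with `$gl_host` now naming a separate server, `exec("ssh", "$gl_host", @_)` will stop at the host-key confirmation prompt (or fail outright in a non-interactive invocation) on a user's first connection unless the gitolite host's key is already in that user's known_hosts; gl-shell-setup already creates `~/.ssh` for each user, so it is the natural place to pre-populate known_hosts, or the doc should state that the admin must. Minor: the `-f ".ssh/id_rsa"` check is relative to the current directory, so spelling it `$ENV{HOME}/.ssh/id_rsa` keeps the "ask your admin to add you to gitolite" diagnostic accurate when the shell is entered from somewhere other than the home directory.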
@@ -3,36 +3,26 @@
# WARNING 1: probably contains bashisms galore. If you don't have bash,
# please install it.
-# NOTE 1: this script is initially run as root, then it calls itself with an
-# "su" so it can run as the hosting user.
-
-# NOTE 2: if you'd rather do this manually, just do the first part as root,
-# and the second part as the hosting user, with only the name of the user
-# (alice) and her pub key (~alice/.ssh/id_rsa.pub) needing to be passed from
-# root to the hosting user id.
+# NOTE 1: this script is run as root.
# ------------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
-# site-local changes
-
-# the gitolite hosting user you want to forward git commands to. Typically
-# this will be 'git' or perhaps 'gitolite', but actually could be anything
-hosting_user="gitolite-test"
+# BEGIN site-local changes
-# absolute path of the gitolite-admin repo
-admin_repo="/home/gitolite-test/repositories/gitolite-admin.git"
+ # the full path to the new login shell to replace these users' existing shell
+ new_shell="/usr/local/bin/gl-shell"
-# the full path to the new login shell to replace these users' existing shell
-new_shell="/usr/local/bin/gl-shell"
+ my_chsh() {
+ # please replace with appropriate command for your OS/distro. This one is
+ # suitable at least for Fedora, maybe others also
+ chsh -s $new_shell $1 >&2
+ }
-my_chsh() {
- # please replace with appropriate command for your OS/distro. This one is
- # suitable at least for Fedora, maybe others also
- chsh -s $new_shell $1
-}
+ # remove these 2 lines after you have done your customisation
+ [ -f /tmp/done.gl-shell-setup ] || { echo please customise $0 before using >&2; exit 1; }
-# remove these 2 lines after you have done your customisation
-[ -f /tmp/done.gl-shell-setup ] || { echo please customise $0 before using; exit 1; }
+# END site-local changes
# ------------------------------------------------------------------------------
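Review bot: the customisation guard `[ -f /tmp/done.gl-shell-setup ] || { echo please customise $0 before using >&2; exit 1; }` now lives in a root-only script (per NOTE 1) but keys on a marker in world-writable /tmp, which any local user can create; since its only purpose is to stop an un-customised script from running, a variable the admin flips (e.g. `customised=0` checked with `[ "$customised" = 1 ]`), or a marker under /root or /etc, fits better and avoids a root script trusting /tmp. Also quote the arguments in `chsh -s $new_shell $1 >&2` as `chsh -s "$new_shell" "$1" >&2`, matching the quoting already used for `[ -n "$1" ]`.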
@@ -44,62 +34,44 @@ euid=$(perl -e 'print $>')
if [ "$euid" = "0" ]
then
- # --------------------------------------------------------------------------
- # stuff to be done as root
- # --------------------------------------------------------------------------
-
[ -n "$1" ] || die "need a valid username"
user=$1
id $user >/dev/null || die "need a valid username"
# now fix up the user's login shell
my_chsh $user
+ pubkey="$PWD/$user.pub"
+ [ -f "$pubkey" ] && {
+ echo "$user.pub already exists. Shell changed, exiting..." >&2
+ exit 0
+ }
+
# drat... 'cd ~$user` doesn't work...
cd $(bash -c "echo ~$user") || die "can't cd to $user's home directory"
- # now set up her rsa key, creating it if needed
+ # now set up her rsa key, creating it if needed. This will get used if
+ # she comes in via password or without agent forwarding.
[ -d .ssh ] || {
mkdir .ssh
chown $user .ssh
chmod go-w .ssh
}
+
[ -f .ssh/id_rsa.pub ] || {
- ssh-keygen -q -N "" -f .ssh/id_rsa
+ ssh-keygen -q -N "" -f .ssh/id_rsa >&2
chown $user .ssh/id_rsa .ssh/id_rsa.pub
chmod go-rw .ssh/id_rsa
chmod go-w .ssh/id_rsa.pub
}
- # now run yourself as the hosting user, piping in the pubkey to STDIN, and
- # passing the username whose key it is as argument 1.
- cat .ssh/id_rsa.pub | su -l -c "$0 $user" $hosting_user
+ # create alice.pub
+ cat .ssh/id_rsa.pub > $pubkey
exit 0
else
- # --------------------------------------------------------------------------
- # stuff to be done as the hosting user
- # --------------------------------------------------------------------------
-
- user=$1
-
- # make a temp dir and switch to it
- export tmp=$(mktemp -d)
- cd $tmp || die "could not cd to temp dir $tmp"
- trap "rm -rf $tmp" 0
-
- # clone the admin repo here
- git clone $admin_repo .
- # copy alice's pubkey, which was sent in via STDIN. We don't want to
- # overwrite any *other* keys she may have, hence the @localhost part.
- # (See "one user, many keys" in doc/3 for more on this @ part).
- cat > keydir/$user@localhost.pub
- # add commit push...
- git add keydir/$user@localhost.pub
- git diff --cached --quiet 2>/dev/null || git commit -am "$0: added/updated local key for $user"
- gl-admin-push
- # see doc for what/why this is
+ die "needs to run as root"
fi
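Review bot: `cat .ssh/id_rsa.pub > $pubkey` writes the key as `$user.pub`, dropping the `@localhost` suffix the removed branch used precisely so the new key would not overwrite any other key the user already has in keydir (the deleted comment `# overwrite any *other* keys she may have, hence the @localhost part.` explains this); either name the output something like `$user@$(hostname -s).pub` or have password-access.mkd tell the admin to rename it before adding it on the gitolite host. Two smaller points: `cd $(bash -c "echo ~$user")` hands the username to a shell for tilde expansion, and `getent passwd "$user" | cut -d: -f6` resolves the home directory without that; and the early `exit 0` when `$user.pub` already exists comes after `my_chsh $user`, so a re-run still re-applies the shell change, which looks intended but deserves a word in the echo or the doc.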