shell

Git shell for sbi.re

commit ad80a3e4ed7473f3b46e52d6214f356a35ff6cd0
parent 2820c8c179ddd436312ec8dfe13185d622acaa75
Author: flupe <flupe@sbi.re>
Date:   Thu, 18 Nov 2021 22:37:44 +0100

added auth.sh file for AuthorizedKeysCommand

Diffstat:
M README.md | 67 +++++++++++++++++++++++++++++++++++++++----------------------------
A auth.sh   | 12 ++++++++++++
M shell.py  |  1 -
3 files changed, 51 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md 
@@ -1,51 +1,62 @@ -Custom git shell for public sbi.re repositories. +Custom git shell for [sbi.re]. +Useful for handling user auth and repository permissions. +There's also an optional post-update hook so that public repositories +are exported to some directory using [stagit]. + +[sbi.re]: https://sbi.re +[stagit]: https://codemadness.org/stagit.html ## Setup -Put `shell.py` in `/var/lib/git/` which should be the home of system user `git`. -Make sure it is executable, and setup `.ssh/authorized_keys` as such: +Put `shell.py` and `policy.py` in `/var/lib/git/` +which should be the home of system user `git`. +Put the SSH public keys of some users in `/var/lib/git/`, +so that people can connect at first. + + users + ├── bob + │   ├── laptop.pub + │   └── workstation.pub + └── alice +    └── laptop.pub + +Note that usernames do not have to correspond to machine users, +they are only used for auth handling and git permissions. + +To allow all these users to connect as the git user, move `auth.sh` to +`/etc/ssh/` (or any directory owned by `root`, really), and add the following +rules at the end of `/etc/ssh/sshd_config`: -``` -restrict,command="~/shell.py lucas" SSH_KEY -restrict,command="~/shell.py peio" SSH_KEY -``` + Match User git + AuthorizedKeysFile none + AuthorizedKeysCommand /etc/ssh/auth.sh + AuthorizedKeysCommandUser git -The first argument should be the username associated with the given SSH key. -This username is only used for permissions, nothing git related. +This script will lookup keys in `/var/lib/git/users/` to authenticate users. 
## Commands SSH-ing as git user will drop you into a custom shell: -``` -ssh git@sbi.re -``` + $ ssh git@sbi.re You can also run one-off commands directly: -``` -$ ssh git@sbi.re keys -``` -### Managing SSH keys - -``` -$ ssh git@sbi.re keys -$ cat ~/.ssh/mykey.pub > ssh git@sbi.re keys add mykey -$ ssh git@sbi.re keys remove myoldkey + $ ssh git@sbi.re keys -``` +### Managing SSH keys + $ ssh git@sbi.re keys + $ cat ~/.ssh/mykey.pub > ssh git@sbi.re keys add mykey + $ ssh git@sbi.re keys remove myoldkey ### Change description of repository Provided you have access to `myrepo`, you can set its description with the following command: -``` -$ ssh git@sbi.re desc myrepo "A description for the repo" -``` + + $ ssh git@sbi.re desc myrepo "A description for the repo" ### TODO -``` -$ ssh user@sbi.re desc myrepo This is a repo of me -``` + $ ssh user@sbi.re desc myrepo This is a repo of me diff --git a/auth.sh b/auth.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +shopt -s nullglob + +dir=/var/lib/git + +for path in $dir/users/* ; do + user=$(basename $path) + for key in $path/*.pub ; do + echo "restrict,pty,command=\"~/shell.py $user\" $(cat $key)" + done +done diff --git a/shell.py b/shell.py @@ -4,7 +4,6 @@ import sys import os import subprocess import shlex -import json import cmd from os.path import basename, splitext, isfile, isdir, join
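Review bot: in the README hunk, the setup step "Put the SSH public keys of some users in `/var/lib/git/`" disagrees with the tree shown right under it and with `auth.sh`, which globs `$dir/users/*`; it should read `/var/lib/git/users/<user>/`. Two smaller points in the same hunk: sshd requires the `AuthorizedKeysCommand` file itself (not only its directory) to be owned by root and not group/world writable, so "any directory owned by `root`, really" understates the requirement; and the kept line `cat ~/.ssh/mykey.pub > ssh git@sbi.re keys add mykey` redirects `cat` output into a local file named `ssh` instead of piping it, so it should use `|`. The leftover `### TODO` block with `ssh user@sbi.re desc myrepo This is a repo of me` reads like scratch notes and could be dropped or turned into a real item.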
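Review bot: in the `auth.sh` hunk, `user=$(basename $path)` is interpolated unquoted into the `command=\"~/shell.py $user\"` option, so a directory name containing whitespace, a double quote or shell metacharacters lands inside the authorized-keys options string and later on the command line sshd runs; the tree is admin-managed so the risk is low, but it is cheap to validate the name (`[[ $user =~ ^[A-Za-z0-9_-]+$ ]] || continue`) and to quote the expansions (`"$path"`, `"$(cat "$key")"`). Two further points: `$(cat $key)` assumes one key per `.pub` file with no options prefix of its own, and a multi-line file would emit a second line without the `restrict,...` options, so consider `head -n1` or looping over lines; and `restrict,pty` re-enables pty allocation that the old `restrict,command=...` lines in the README did not grant, which is probably intentional for the interactive shell but deserves a sentence in the README.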
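Review bot: the `shell.py` hunk only removes `import json`, which is fine as long as nothing else in the file still references `json`; the one-line hunk cannot show that. A quick `grep -n json shell.py` (or importing the module once) before merging rules out a `NameError` that would otherwise surface only when the affected command runs.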