From a0e4459423ad6e4aacc2c4da5d1763c13e06b4c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Fri, 2 Aug 2019 09:38:28 +0200
Subject: [PATCH] static principal-files removed, also from README

---
 README.rst | 23 +----------
 gitosis/principals.py | 1 -
 gitosis/run_hook.py | 7 ----
 gitosis/ssh_principals.py | 86 --------------------------------------
 4 files changed, 1 insertion(+), 116 deletions(-)
 delete mode 100644 gitosis/ssh_principals.py

diff --git a/README.rst b/README.rst
index 22bec00..2016821 100644
--- a/README.rst
+++ b/README.rst
@@ -250,28 +250,7 @@ Access is only given, if you have one of the allowed principals in your certific ### parallel use of principals/certificates an pubkeys It is possible, to use pubkeys in parallel to these principals from certificates. Just as described above. If you have a user, which has no certificate from your ssh-CA, just add his -public-sshkey in the keydir. - -### static principal-files -Static principal-files have a big drawback in this usecase. Always the first found match is taken. Every user has the same alloewd principals (allowedPrincipals from config). I don't know, how to -get a match from the current user to the right principal-line... The first one is taken, which matches, so every time, the first line is taken... - -If you know, how to solve that, let me know. So i use only the dynamic AuthorizedPrincipalCommand - -If you don't want to use the AuthorizedPrincipalCommand, you get a statically generated principal-file on each commit of your gitosis-admin repo. -Just add:: - - AuthorizedPrincipalsFile /etc/ssh/userprincipals/%u - -to your sshd_config instead of the "Match User git"-section from above, before all of your matching-sections. This file MUST point (use symlinks) to:: - - /home/git/.ssh/principals - -Or if you want all of your principal-files in your users homedirectories, you can use:: - - AuthorizedPrincipalsFile %h/.ssh/principals - -It belongs to your setup. +public-sshkey in the keydir. (not tested now) Contact diff --git a/gitosis/principals.py b/gitosis/principals.py index 6001b67..22574e7 100644 --- a/gitosis/principals.py +++ b/gitosis/principals.py @@ -10,7 +10,6 @@ import shutil from gitosis import repository from gitosis import ssh -from gitosis import ssh_principals from gitosis import gitweb from gitosis import gitdaemon from gitosis import app diff --git a/gitosis/run_hook.py b/gitosis/run_hook.py index f126328..02fc055 100644 --- a/gitosis/run_hook.py +++ b/gitosis/run_hook.py 
@@ -10,7 +10,6 @@ import shutil
 
 from gitosis import repository
 from gitosis import ssh
-from gitosis import ssh_principals
 from gitosis import gitweb
 from gitosis import gitdaemon
 from gitosis import app
@@ -48,12 +47,6 @@ def post_update(cfg, git_dir):
 path=authorized_keys,
 keydir=os.path.join(export, 'keydir'),
 )
- principals = util.getSSHPrincipalsPath(config=cfg)
- ssh_principals.writePrincipals(
- cfg=cfg,
- path=principals,
- users=os.path.join(export, 'keydir/users'),
- )
 
 class Main(app.App):
 def create_parser(self):
diff --git a/gitosis/ssh_principals.py b/gitosis/ssh_principals.py
deleted file mode 100644
index 6a4b416..0000000
--- a/gitosis/ssh_principals.py
+++ /dev/null
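Review bot: Dropping the writePrincipals call from post_update stops maintaining the static principals file, but nothing removes one already written by earlier hook runs, so an sshd still pointed at it via `AuthorizedPrincipalsFile` (the setup the deleted README section described) keeps accepting whatever principal lines were generated last, including users since removed from keydir/users. The hook still knows the location through the removed `util.getSSHPrincipalsPath(config=cfg)` call, so it could unlink that file once with a comment such as `# legacy static principals file is no longer maintained; remove it so stale grants cannot outlive this change`, or the commit message should at least tell operators to delete the file and the sshd_config directive. `util.getSSHPrincipalsPath` and `util.getAllowedSSHPrincipals` (the latter used only by the deleted module, as far as this patch shows) look unreferenced after this change; util.py is not in the patch, so that is worth checking. post_update's def line is outside the hunk.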
@@ -1,86 +0,0 @@
-import os, errno, re
-import logging
-
-from gitosis import util
-
-log = logging.getLogger('gitosis.ssh')
-
-_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')
-
-def isSafeUsername(user):
- match = _ACCEPTABLE_USER_RE.match(user)
- return (match is not None)
-
-def readUsernames(userfile):
- """
- Read SSH users from ``userfile``
- """
- f = file(userfile)
- for line in f:
- if not isSafeUsername(line):
- log.warn('Unsafe SSH username in principalfile: %r', line)
- continue
- line = line.rstrip('\n')
- yield (line)
- f.close()
-
-COMMENT = '### autogenerated by gitosis, DO NOT EDIT'
-
-def generatePrincipals(cfg, keys):
- TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,'
- +'no-X11-forwarding,no-agent-forwarding,no-pty %(principals)s')
-
- principals=util.getAllowedSSHPrincipals(config=cfg)
-
- yield COMMENT
- for (user) in keys:
- log.debug(TEMPLATE % dict(user=user, principals=principals))
- yield TEMPLATE % dict(user=user, principals=principals)
-
-_COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw'
- +'arding,no-X11-forwarding,no-agent-forwardi'
- +'ng,no-pty .*')
-
-def filterPrincipals(fp):
- """
- Read lines from ``fp``, filter out autogenerated ones.
-
- Note removes newlines.
- """
-
- for line in fp:
- line = line.rstrip('\n')
- if line == COMMENT:
- continue
- if _COMMAND_RE.match(line):
- continue
- yield line
-
-def writePrincipals(cfg, path, users):
- tmp = '%s.%d.tmp' % (path, os.getpid())
- try:
- in_ = file(path)
- except IOError, e:
- if e.errno == errno.ENOENT:
- in_ = None
- else:
- raise
-
- try:
- out = file(tmp, 'w')
- try:
- if in_ is not None:
- for line in filterPrincipals(in_):
- print >>out, line
-
- user = readUsernames(users)
- for line in generatePrincipals(cfg, user):
- print >>out, line
-
- os.fsync(out)
- finally:
- out.close()
- finally:
- if in_ is not None:
- in_.close()
- os.rename(tmp, path)