static principal-files removed, also from README

This commit is contained in:
Jakobus Schürz 2019-08-02 09:38:28 +02:00
parent cc9f200554
commit a0e4459423
4 changed files with 1 additions and 116 deletions

View file

@ -250,28 +250,7 @@ Access is only given, if you have one of the allowed principals in your certific
### parallel use of principals/certificates an pubkeys ### parallel use of principals/certificates an pubkeys
It is possible, to use pubkeys in parallel to these principals from certificates. Just as described above. If you have a user, which has no certificate from your ssh-CA, just add his It is possible, to use pubkeys in parallel to these principals from certificates. Just as described above. If you have a user, which has no certificate from your ssh-CA, just add his
public-sshkey in the keydir. public-sshkey in the keydir. (not tested now)
### static principal-files
Static principal-files have a big drawback in this usecase. Always the first found match is taken. Every user has the same alloewd principals (allowedPrincipals from config). I don't know, how to
get a match from the current user to the right principal-line... The first one is taken, which matches, so every time, the first line is taken...
If you know, how to solve that, let me know. So i use only the dynamic AuthorizedPrincipalCommand
If you don't want to use the AuthorizedPrincipalCommand, you get a statically generated principal-file on each commit of your gitosis-admin repo.
Just add::
AuthorizedPrincipalsFile /etc/ssh/userprincipals/%u
to your sshd_config instead of the "Match User git"-section from above, before all of your matching-sections. This file MUST point (use symlinks) to::
/home/git/.ssh/principals
Or if you want all of your principal-files in your users homedirectories, you can use::
AuthorizedPrincipalsFile %h/.ssh/principals
It belongs to your setup.
Contact Contact

View file

@ -10,7 +10,6 @@ import shutil
from gitosis import repository from gitosis import repository
from gitosis import ssh from gitosis import ssh
from gitosis import ssh_principals
from gitosis import gitweb from gitosis import gitweb
from gitosis import gitdaemon from gitosis import gitdaemon
from gitosis import app from gitosis import app

View file

@ -10,7 +10,6 @@ import shutil
from gitosis import repository from gitosis import repository
from gitosis import ssh from gitosis import ssh
from gitosis import ssh_principals
from gitosis import gitweb from gitosis import gitweb
from gitosis import gitdaemon from gitosis import gitdaemon
from gitosis import app from gitosis import app
@ -48,12 +47,6 @@ def post_update(cfg, git_dir):
path=authorized_keys, path=authorized_keys,
keydir=os.path.join(export, 'keydir'), keydir=os.path.join(export, 'keydir'),
) )
principals = util.getSSHPrincipalsPath(config=cfg)
ssh_principals.writePrincipals(
cfg=cfg,
path=principals,
users=os.path.join(export, 'keydir/users'),
)
class Main(app.App): class Main(app.App):
def create_parser(self): def create_parser(self):

View file

@ -1,86 +0,0 @@
import os, errno, re
import logging
from gitosis import util
log = logging.getLogger('gitosis.ssh')
_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')
def isSafeUsername(user):
match = _ACCEPTABLE_USER_RE.match(user)
return (match is not None)
def readUsernames(userfile):
"""
Read SSH users from ``userfile``
"""
f = file(userfile)
for line in f:
if not isSafeUsername(line):
log.warn('Unsafe SSH username in principalfile: %r', line)
continue
line = line.rstrip('\n')
yield (line)
f.close()
COMMENT = '### autogenerated by gitosis, DO NOT EDIT'
def generatePrincipals(cfg, keys):
TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,'
+'no-X11-forwarding,no-agent-forwarding,no-pty %(principals)s')
principals=util.getAllowedSSHPrincipals(config=cfg)
yield COMMENT
for (user) in keys:
log.debug(TEMPLATE % dict(user=user, principals=principals))
yield TEMPLATE % dict(user=user, principals=principals)
_COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw'
+'arding,no-X11-forwarding,no-agent-forwardi'
+'ng,no-pty .*')
def filterPrincipals(fp):
"""
Read lines from ``fp``, filter out autogenerated ones.
Note removes newlines.
"""
for line in fp:
line = line.rstrip('\n')
if line == COMMENT:
continue
if _COMMAND_RE.match(line):
continue
yield line
def writePrincipals(cfg, path, users):
tmp = '%s.%d.tmp' % (path, os.getpid())
try:
in_ = file(path)
except IOError, e:
if e.errno == errno.ENOENT:
in_ = None
else:
raise
try:
out = file(tmp, 'w')
try:
if in_ is not None:
for line in filterPrincipals(in_):
print >>out, line
user = readUsernames(users)
for line in generatePrincipals(cfg, user):
print >>out, line
os.fsync(out)
finally:
out.close()
finally:
if in_ is not None:
in_.close()
os.rename(tmp, path)