static principal-files removed, also from README
This commit is contained in:
parent
cc9f200554
commit
a0e4459423
4 changed files with 1 additions and 116 deletions
23
README.rst
23
README.rst
|
@ -250,28 +250,7 @@ Access is only given, if you have one of the allowed principals in your certific
|
||||||
### parallel use of principals/certificates an pubkeys
|
### parallel use of principals/certificates an pubkeys
|
||||||
|
|
||||||
It is possible, to use pubkeys in parallel to these principals from certificates. Just as described above. If you have a user, which has no certificate from your ssh-CA, just add his
|
It is possible, to use pubkeys in parallel to these principals from certificates. Just as described above. If you have a user, which has no certificate from your ssh-CA, just add his
|
||||||
public-sshkey in the keydir.
|
public-sshkey in the keydir. (not tested now)
|
||||||
|
|
||||||
### static principal-files
|
|
||||||
Static principal-files have a big drawback in this usecase. Always the first found match is taken. Every user has the same alloewd principals (allowedPrincipals from config). I don't know, how to
|
|
||||||
get a match from the current user to the right principal-line... The first one is taken, which matches, so every time, the first line is taken...
|
|
||||||
|
|
||||||
If you know, how to solve that, let me know. So i use only the dynamic AuthorizedPrincipalCommand
|
|
||||||
|
|
||||||
If you don't want to use the AuthorizedPrincipalCommand, you get a statically generated principal-file on each commit of your gitosis-admin repo.
|
|
||||||
Just add::
|
|
||||||
|
|
||||||
AuthorizedPrincipalsFile /etc/ssh/userprincipals/%u
|
|
||||||
|
|
||||||
to your sshd_config instead of the "Match User git"-section from above, before all of your matching-sections. This file MUST point (use symlinks) to::
|
|
||||||
|
|
||||||
/home/git/.ssh/principals
|
|
||||||
|
|
||||||
Or if you want all of your principal-files in your users homedirectories, you can use::
|
|
||||||
|
|
||||||
AuthorizedPrincipalsFile %h/.ssh/principals
|
|
||||||
|
|
||||||
It belongs to your setup.
|
|
||||||
|
|
||||||
|
|
||||||
Contact
|
Contact
|
||||||
|
|
|
@ -10,7 +10,6 @@ import shutil
|
||||||
|
|
||||||
from gitosis import repository
|
from gitosis import repository
|
||||||
from gitosis import ssh
|
from gitosis import ssh
|
||||||
from gitosis import ssh_principals
|
|
||||||
from gitosis import gitweb
|
from gitosis import gitweb
|
||||||
from gitosis import gitdaemon
|
from gitosis import gitdaemon
|
||||||
from gitosis import app
|
from gitosis import app
|
||||||
|
|
|
@ -10,7 +10,6 @@ import shutil
|
||||||
|
|
||||||
from gitosis import repository
|
from gitosis import repository
|
||||||
from gitosis import ssh
|
from gitosis import ssh
|
||||||
from gitosis import ssh_principals
|
|
||||||
from gitosis import gitweb
|
from gitosis import gitweb
|
||||||
from gitosis import gitdaemon
|
from gitosis import gitdaemon
|
||||||
from gitosis import app
|
from gitosis import app
|
||||||
|
@ -48,12 +47,6 @@ def post_update(cfg, git_dir):
|
||||||
path=authorized_keys,
|
path=authorized_keys,
|
||||||
keydir=os.path.join(export, 'keydir'),
|
keydir=os.path.join(export, 'keydir'),
|
||||||
)
|
)
|
||||||
principals = util.getSSHPrincipalsPath(config=cfg)
|
|
||||||
ssh_principals.writePrincipals(
|
|
||||||
cfg=cfg,
|
|
||||||
path=principals,
|
|
||||||
users=os.path.join(export, 'keydir/users'),
|
|
||||||
)
|
|
||||||
|
|
||||||
class Main(app.App):
|
class Main(app.App):
|
||||||
def create_parser(self):
|
def create_parser(self):
|
||||||
|
|
|
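Review bot: Removing the `ssh_principals.writePrincipals(...)` call from post_update leaves the file it used to regenerate (the `path=principals` target resolved by `util.getSSHPrincipalsPath`) on disk but unmaintained, so an sshd_config that still points `AuthorizedPrincipalsFile` at it (the README setup this same commit deletes) keeps authorizing whatever users were last written there, and removing a user from `keydir/users` no longer revokes anything. A post-update hook that also runs `if os.path.exists(principals): os.remove(principals)` after the `authorized_keys` write, guarded by the same config lookup if `util.getSSHPrincipalsPath` survives this commit, would make the stale file fail closed instead of silently staying valid. Presumably the upgrade notes should say that `AuthorizedPrincipalsFile` must be switched to the `AuthorizedPrincipalsCommand` setup before deploying this change. post_update starts before this hunk.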
@ -1,86 +0,0 @@
|
||||||
import os, errno, re
|
|
||||||
import logging
|
|
||||||
|
|
||||||
from gitosis import util
|
|
||||||
|
|
||||||
log = logging.getLogger('gitosis.ssh')
|
|
||||||
|
|
||||||
_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')
|
|
||||||
|
|
||||||
def isSafeUsername(user):
|
|
||||||
match = _ACCEPTABLE_USER_RE.match(user)
|
|
||||||
return (match is not None)
|
|
||||||
|
|
||||||
def readUsernames(userfile):
|
|
||||||
"""
|
|
||||||
Read SSH users from ``userfile``
|
|
||||||
"""
|
|
||||||
f = file(userfile)
|
|
||||||
for line in f:
|
|
||||||
if not isSafeUsername(line):
|
|
||||||
log.warn('Unsafe SSH username in principalfile: %r', line)
|
|
||||||
continue
|
|
||||||
line = line.rstrip('\n')
|
|
||||||
yield (line)
|
|
||||||
f.close()
|
|
||||||
|
|
||||||
COMMENT = '### autogenerated by gitosis, DO NOT EDIT'
|
|
||||||
|
|
||||||
def generatePrincipals(cfg, keys):
|
|
||||||
TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,'
|
|
||||||
+'no-X11-forwarding,no-agent-forwarding,no-pty %(principals)s')
|
|
||||||
|
|
||||||
principals=util.getAllowedSSHPrincipals(config=cfg)
|
|
||||||
|
|
||||||
yield COMMENT
|
|
||||||
for (user) in keys:
|
|
||||||
log.debug(TEMPLATE % dict(user=user, principals=principals))
|
|
||||||
yield TEMPLATE % dict(user=user, principals=principals)
|
|
||||||
|
|
||||||
_COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw'
|
|
||||||
+'arding,no-X11-forwarding,no-agent-forwardi'
|
|
||||||
+'ng,no-pty .*')
|
|
||||||
|
|
||||||
def filterPrincipals(fp):
|
|
||||||
"""
|
|
||||||
Read lines from ``fp``, filter out autogenerated ones.
|
|
||||||
|
|
||||||
Note removes newlines.
|
|
||||||
"""
|
|
||||||
|
|
||||||
for line in fp:
|
|
||||||
line = line.rstrip('\n')
|
|
||||||
if line == COMMENT:
|
|
||||||
continue
|
|
||||||
if _COMMAND_RE.match(line):
|
|
||||||
continue
|
|
||||||
yield line
|
|
||||||
|
|
||||||
def writePrincipals(cfg, path, users):
|
|
||||||
tmp = '%s.%d.tmp' % (path, os.getpid())
|
|
||||||
try:
|
|
||||||
in_ = file(path)
|
|
||||||
except IOError, e:
|
|
||||||
if e.errno == errno.ENOENT:
|
|
||||||
in_ = None
|
|
||||||
else:
|
|
||||||
raise
|
|
||||||
|
|
||||||
try:
|
|
||||||
out = file(tmp, 'w')
|
|
||||||
try:
|
|
||||||
if in_ is not None:
|
|
||||||
for line in filterPrincipals(in_):
|
|
||||||
print >>out, line
|
|
||||||
|
|
||||||
user = readUsernames(users)
|
|
||||||
for line in generatePrincipals(cfg, user):
|
|
||||||
print >>out, line
|
|
||||||
|
|
||||||
os.fsync(out)
|
|
||||||
finally:
|
|
||||||
out.close()
|
|
||||||
finally:
|
|
||||||
if in_ is not None:
|
|
||||||
in_.close()
|
|
||||||
os.rename(tmp, path)
|
|